Group Policy For Mac

Posted : admin On 1/15/2022

Group policies define a list of rules, restrictions, and other settings, that can be applied to devices in order to change how they are treated by the network. Group policies can be used on wireless and security appliance networks and can be applied through several manual and automated methods. This article will describe the options available, how to create policies, and how those policies are applied to clients.

Best Price Group Policy Vpn Mac Junos And How To Setup Windows Vpn On Mac Ebook d. The Centrify administrative template for Mac OS X (centrifymacsettings.xml or centrifymacsettings.admx) provides group policies that can be applied to control the behavior of Mac OS X computers running supported versions of the Mac OS X operating system, and the configuration settings for the users who log on to those computers.By adding the administrative template for Mac OS X to a Group. How to Block USB or Removable Devices using Group Policy This scenario will demonstrate the way to completely block USB or removable devices in client PC. The client PC is running Windows 10 and joined to a domain named, where the Domain Controller is installed on Windows Server 2012 R2. When a group policy is applied to a VLAN, that policy becomes the new 'network default' for any other group policies applied to clients in that VLAN. Since this policy is the new 'network default', the client devices will still show a 'normal' policy applied under Network-wide Monitor Clients. 5 Ways to Access Local Group Policy Editor on Windows 10. You can access the Local Group Policy Editor (see the following picture) on your Windows 10 computer with the help of Run, Search, Start Menu, Command Prompt and Windows PowerShell. For more info, please keep on reading. If you usually use Local Group Policy Editor, I recommend you create Local Group Policy Editor Shortcut on Desktop.

Note: There is a limit of 3000 clients that can have any group policy applied (combined) per network.

Creating Group Policies

Available Options

The following table describes what rules, restrictions, and other settings can be controlled via group policy on each platform. Only features that are available for the network will be displayed when configuring a group policy.

MR Access PointsMX or Z1 with Enterprise LicenseMX with Advanced Security License
Per-client bandwidth limit
Hostname visibility
VLAN tag
Splash page authorization
Layer 3 firewall rules
Layer 7 firewall rules
Traffic shaping rules
Security filtering
Content filtering

Note: If using a group policy with Content Filtering, please reference our documentation regarding Content Filtering rule priority to understand how certain filtering rules supersede each other.

Note: Source IP addresses on Layer 3 firewall rules are only configurable on MX devices when Active Directory integration is enabled.

Creating a Group Policy

  1. Navigate to Network-wide > Configure > Group policies
  2. Click Add a group to create a new policy.
  3. Provide a Name for the group policy. Generally, this will describe its purpose, or the users it will be applied to.
    Ex. 'Guests', 'Throttled users', 'Executives', etc.
  4. Modify the available options as desired. Unless changed, all options will use the existing network settings.
  5. When done, click Save Changes.

The group policy listed will now be displayed on the Group policies page and made available for use. Remember that a group policy has no effect until it is applied.

Example Group Policies

The following examples outline two common use cases, and how group policies can be used to provide a custom network experience:

Group Policy Machine Inactivity Limit

Guests on a Security Appliance

The following example is meant to demonstrate how a group policy could be configured on a Security Appliance network to limit the access and speed of guest clients. This policy would accomplish the following:

  • Limit client bandwidth to 2Mbps up/down.
  • Deny access to the internal network (which uses the address space).
  • Block all peer-to-peer sharing applications.
  • All other settings would be inherited from network defaults (such as security and content filtering settings).

It is not possible to enter multiple comma-separated ports in Group Policy custom Layer 3 firewall rules. Ports must be in the range of 1-65535, or 'any'.

Executive Users on Wireless

This example demonstrates how a group policy could be used on a wireless network to provide executive users with more freedom and special treatment over other users. This policy would accomplish the following:

  • Remove any bandwidth restrictions.
  • Disable hostname visibility.
  • Remove any layer 3/7 firewall rules.
  • Provide QoS tagging for Voice and Video conferencing traffic.
  • Remove the splash page requirement.
  • All other settings would be inherited from network defaults.

Applying Group Policies

Group policies can be applied to client devices in a variety of ways, dependent on the platform being used. The table below illustrates what options are available for each platform. The rest of this section explains how to use each method.

Note: Only one policy can be active on a client at a time.

MR Access PointsMX or Z1 with Enterprise LicenseMX with Advanced Security License
By client
By device type
By Sentry Policy
By Active Directory Group
By RADIUS Attribute

By Client

Group policies can be manually applied to clients from the Network-wide > Monitor > Clients page.

  1. Check the box next to the desired client(s) in the list.
  2. Click the Policy button at the top of the list.
  3. Select Group policy and then choose the specific policy in the dropdown.
  4. Click Apply policy.
Group policy update command line

Alternatively, on wireless and combined networks different group policies can be applied dependent on the SSID the client is associated to. This is applied from the same page as the previous steps.

  1. Check the box next to the desired client(s) in the list.
  2. Click the Policy button at the top of the list.
  3. Select Different policies by [connection or] SSID.
  4. For each SSID, select the desired group policy, built-in policy, or leave as Normal.
  5. Click Apply policy.

Policies can also be applied to individual clients by clicking on the client in the clients list and then choosing a Device policy under the Policy section.

By Device Type

In wireless networks, group policies can be automatically applied to devices by type when they first connect to an SSID and make an HTTP request.

  1. Navigate to Wireless > Configure > Access control.
  2. Select the desired SSID.
  3. Set Assign group policies by device type to 'Enabled'.
  4. Click Add group policy for a device type.
  5. Select the desired Device type and the Group policy that should be applied to it.
  6. Repeat steps 4-5 as needed to assign policies to all desired devices.
  7. Click Save changes.

Keep in mind that this only occurs when a device first connects to the SSID and persists until it is manually overridden. Thus, some previously connected clients may need to have policies manually assigned. It is also possible for a client to be mis-classified based on the initial HTTP request, dependent on how it is generated by the device. If this occurs, manually assign the desired policy.

For more info on applying group policies by device type, please refer to our documentation.


On security appliance networks, group policies can be automatically applied to all devices that connect to a particular VLAN. From the Security appliance > Configure > Addressing & VLANs page:

  1. Ensure that VLANs is 'Enabled'.
  2. Click on the desired Local VLAN.
  3. Select the desired Group policy.
  4. Click Update.
  5. Click Save Changes.
Gpupdate force command for mac

Any clients that are placed in this VLAN will now be given the desired Group policy.

When a group policy is applied to a VLAN, that policy becomes the new 'network default' for any other group policies applied to clients in that VLAN. Since this policy is the new 'network default', the client devices will still show a 'normal' policy applied under Network-wide > Monitor > Clients.

For example, a group policy named 'Guest Network' with more restrictive Layer 3 firewall rules than the network-wide configuration is applied to the Guest VLAN, and a second group policy 'Low Bandwidth' has a custom bandwidth limit, but is set to Use network firewall & shaping rules. If the Low Bandwidth group policy is applied to a client on the Guest VLAN, the client will use the Layer 3 firewall rules configured on the Guest Network group policy, not the network-wide Layer 3 firewall rules configured on the Security & SD-WAN > Configure > Firewall page.

By Active Directory Group

Security appliance networks with Advanced Security licensing can use Active Directory groups to assign policies to clients. Refer to the article on Configuring AD-based Group Policy for more information.

By RADIUS Attribute

Wireless networks that are using RADIUS to authenticate clients can be configured to assign group policies via RADIUS attributes. Refer to the article on Configuring Group Policies with RADIUS Attributes for more information.


Group policies can be scheduled, using the Schedule option. This allows the policy to only be active (or inactive) during the times specified.

When enabled, elements of the policy that are subject to schedule will be indicated with a small clock icon, as shown below. Options without this icon will always be in effect, regardless of time.


Scheduling Examples

8am-5pm weekdays (Business hours)

In the example below, a policy has been scheduled to only be active from 8am-5pm on weekdays:

From one day to the next

If it is required to have a policy applied from one day to another, the example below can be followed. Note that the policy is being disabled from 8am-5pm and on Layer 3 firewall section, all traffic is being blocked. This means that:

  • The policy will be disabled from 8am-5pm, not enforcing the configured the Layer 3 firewall, allowing the traffic
  • The policy will be enabled from 5pm-8am (next day), enforcing the configured the Layer 3 firewall, blocking the traffic

This article describes how to configure Microsoft Edge on macOS using a property list (.plist) file. You'll learn how to create this file and then deploy it to Microsoft Intune.

For more information, see About Information Property List Files (Apple's website) and Custom payload settings.


This article applies to Microsoft Edge version 77 or later.

Configure Microsoft Edge policies on macOS

The first step is to create your plist. You can create the plist file with any text editor or you can use Terminal to create the configuration profile. However, it's easier to create and edit a plist file using a tool that formats the XML code for you. Xcode is a free integrated development environment that you can get from one of the following locations:

For a list of supported policies and their preference key names, see Microsoft Edge browser policies reference. In the policy templates file, which can be downloaded from the Microsoft Edge Enterprise landing page, there's an example plist (itadminexample.plist) in the examples folder. The example file contains all supported data types that you can customize to define your policy settings.

The next step after you create the contents of your plist, is to name it using the Microsoft Edge preference domain, The name is case sensitive and should not include the channel you are targeting because it applies to all Microsoft Edge channels. The plist file name must be


Starting with build, all Microsoft Edge channels on macOS read from the preference domain. All prior releases read from a channel specific domain, such as for Dev channel.

The last step is to deploy your plist to your users' Mac devices using your preferred MDM provider, such as Microsoft Intune. For instructions see Deploy your plist.

Create a configuration profile using Terminal

  1. In Terminal, use the following command to create a plist for Microsoft Edge on your desktop with your preferred settings:

  2. Convert the plist from binary to plain text format:

After converting the file verify that your policy data is correct and contains the settings you want for your configuration profile.


Only key value pairs should be in the contents of the plist or xml file. Prior to uploading your file into Intune remove all the <plist> and <dict> values, and xml headers from your file. The file should only contain key value pairs.

Deploy your plist

For Microsoft Intune create a new device configuration profile targeting the macOS platform and select the Preference file profile type. Target as the preference domain name and upload your plist. For more information see Add a property list file to macOS devices using Microsoft Intune.

For Jamf upload the .plist file as a Custom Settings payload.

Frequently Asked Questions

Can Microsoft Edge be configured to use master preferences?

Yes, you can configure Microsoft Edge to use a master preferences file.

A master preferences file lets you configure default settings for a browser user profile when Microsoft Edge is deployed. You can also use a master preferences file to apply settings on computers that aren't managed by a device management system. These settings are applied to the user’s profile the first time the user runs the browser. After the user runs the browser, changes to the master preferences file aren’t applied. A user can change settings from the master preferences in the browser. If you want to make a setting mandatory or change a setting after the first run of the browser, you must use a policy.

Group Policy For Mac High Sierra

A master preferences file lets you to customize many different settings and preferences for the browser, including those shared with other Chromium based browsers and specific to Microsoft Edge. Policy related preferences can be configured using the master preferences file. In cases where a policy is set and there’s a corresponding master preference set, the policy setting takes precedence.



All the available preferences might not be consistent with Microsoft Edge terminology and naming conventions. There’s no guarantee that these preferences will continue to work as expected in future releases. Preferences might be changed or ignored in later versions.

A master preferences file is a text file that’s formatted using JSON markup. This file needs to be added to the same directory as the msedge.exe executable. For system wide enterprise deployments on macOS this is typically: “~/Library/Application Support/Microsoft/Microsoft Edge Master Preferences' or '/Library/Application Support/Microsoft/Microsoft Edge Master Preferences”.

See also