On macOS systems, users (Admin and Standard) can customize the System Preferences based on their macOS role scope. System Preferences has been renamed to System Settings in macOS Ventura. Details about macOS-based customizations via System Preferences can be found at https://support.apple.com/guide/mac-help/change-system-preferences-mh15217/mac.
With Privilege Manager, you can implement policies that provide application control to deny execution of all preference panes. Elevation policies are only supported and recommended for management of the following preference panes:
The following rules apply for policy managed preference panes:
- If there is no policy for a given preference pane, the authorization aligns with its system default.
- A preference pane's default authorization is restored when an associated policy is disabled/deleted.
- Managed preference pane defaults are restored during an uninstall.
When a particular preference pane opens in the System Preferences application, the XPC bundles for that preference pane open. The XPC bundles remain open until the System Preferences application closes completely.
This behavior can result in failed policy evaluations. Opening a preference pane that previously has been opened and evaluated without closing the System Preferences application following the initial opening, results in the policy evaluation not triggering again for that preference pane because the XPC bundle remains open.
For example, if you have a policy that requires approval of Date & Time preference pane changes (and the notification dialog is canceled and Date & Time is re-opened), the notification dialog is not presented to the user again. Instead, a sheet dialog indicates that the preference pane cannot be loaded. To re-trigger policy evaluation, System Preferences must be closed then reopened.
The same thing applies for macOS Ventura, but XPC bundles are no longer used; extensions are used instead. If the notification dialog is canceled, it won�t pop up again when trying to change the setting until System Settings is closed and reopened.
Without an active policy, preference panes appear locked, and standard users are unable to make changes. The exception is the Date & Time preference pane. Standard users are allowed to edit the clock appearance. Any changes here are specific to the user's session and can be modified without clicking the locked padlock icon, despite the message implication next to the icon.
With an active policy, depending on its action, the following occurs:
- Deny Execute | Deny Execute Message | Application Denied � The system presents users with a dialog indicating they are denied running the preference pane. Depending on the usage of the Deny Execute Message versus the Application Denied Message coupled with the macOS version, each may appear twice.
- Application Justification � The system presents users with the justification dialog. Once users enter a justification and click Continue, the system enables all controls on the pane and saves changes. When users click Cancel, macOS displays an error sheet in System Preferences indicating there was an error loading the preference pane.
- Application Warning � The system presents users with the warning dialog. When users click Cancel, macOS displays an error sheet in System Preferences indicating there was an error loading the preference pane. When users click Continue, the system enables all controls on the pane and saves changes.
Application Approval Request � The system presents users with the approval dialog. When users click Cancel, macOS displays an error sheet in System Preferences indicating there was an error loading the preference pane. Once users enter a reason and click Continue, the system displays the dialog for waiting for approval. If users click Cancel in the waiting dialog, macOS displays an error sheet in System Preferences indicating there was an error loading the preference pane. Depending on the Approval action (Allow or Deny), the following action occurs:
- Allow � The system enables all controls on the pane and saves changes.
- Deny � macOS displays an error sheet in System Preferences indicating there was an error loading the preference pane.
The following preference panes require admin credentials to make changes and should not be managed with an elevation policy that triggers a user dialog for justification or approvals:
- Parental Controls
- Printers & Scanners
- Security & Privacy
- Time Machine
- Users & Groups
Local admin users should not be managed by any policies requiring user interaction when the policy is triggered. For macOS endpoints, the only policy type would be one that demotes administrative rights for a particular preference pane by simply denying access.
The Energy Saver Preference Pane is on desktops and the Battery Preference Pane is on laptops.
Beginning with Big Sur, macOS introduced a new preference pane for managing energy-related system preferences for laptop hardware devices. Monterey introduced a new Energy Saver preference pane different from Big Sur and earlier. Additionally, in macOS Ventura, what used to be the Energy Saver Preference Pane on desktops and the Battery Preference Pane on laptops are now split up into the Energy Saver or Battery Preference Pane and the Lock Screen Preference Pane. Because the Energy Saver, Battery, and Lock Screen panes use the same system extension in Ventura and later macOS versions, they must be targeted together.
Privilege Manager supports both preference panes with the following filters:
- Battery Preference Pane (macOS) � Big Sur and later
- Energy Saver Preference Pane (macOS) - Big Sur and earlier
- Energy Saver Preference Pane (macOS) � Monterey
- Energy Saver/Battery/Lock Screen Preference Pane (macOS) - Ventura and later
Support for the new Energy Saver/Battery/Lock Screen, Network, and Date & Time Preference panes are available in Privilege Manager agent 11.4.0.
The following default policy is available for direct use. Alternatively, you can duplicate the policy, using it as a template to include an Advanced Message action.
- Elevate Energy Saver and Battery Preference Panes
The policy is configured to elevate without user interaction for the above Battery and Energy Saver preference pane filters such that it is applicable to all macOS versions.
If you have an existing policy that targets Energy Saver and you have macOS Ventura or later endpoints, you must modify the policy to include the Energy Saver/Battery/Lock Screen Preference Panes (macOS) - Ventura and later filter. In addition, you must update the Privilege Manager agent on your macOS Ventura and later endpoints to the latest version.