Delinea Documentation - Privilege Manager - 11.4.x

System Preferences

On macOS systems, users (Admin and Standard) can customize the System Preferences based on their macOS role scope. System Preferences has been renamed to System Settings in macOS Ventura. Details about macOS-based customizations via System Preferences can be found at https://support.apple.com/guide/mac-help/change-system-preferences-mh15217/mac.

With Privilege Manager, you can implement policies that provide application control to deny execution of all preference panes. Elevation policies are only supported and recommended for management of the following preference panes:

The following rules apply for policy managed preference panes:

Error Behavior of Preference Panes

When a particular preference pane opens in the System Preferences application, the XPC bundles for that preference pane open. The XPC bundles remain open until the System Preferences application closes completely.

This behavior can result in failed policy evaluations. If a preference pane has already been opened and evaluated, and System Preferences has not been closed since, opening that pane again does not trigger policy evaluation because the XPC bundle remains open.

For example, if you have a policy that requires approval of Date & Time preference pane changes, and the notification dialog is canceled and Date & Time is re-opened, the notification dialog is not presented to the user again. Instead, a sheet dialog indicates that the preference pane cannot be loaded. To re-trigger policy evaluation, System Preferences must be closed and then reopened.

The same thing applies for macOS Ventura, but XPC bundles are no longer used; extensions are used instead. If the notification dialog is canceled, it won't pop up again when trying to change the setting until System Settings is closed and reopened.

User-Based Behavior of Preference Panes

Standard User

Without an active policy, preference panes appear locked, and standard users are unable to make changes. The exception is the Date & Time preference pane, where standard users are allowed to edit the clock appearance. Any changes here are specific to the user's session and can be made without clicking the locked padlock icon, despite what the message next to the icon implies.

With an active policy, depending on its action, the following occurs:

The following preference panes require admin credentials to make changes and should not be managed with an elevation policy that triggers a user dialog for justification or approvals:

Admin User

Local admin users should not be managed by any policies requiring user interaction when the policy is triggered. For macOS endpoints, the only policy type would be one that demotes administrative rights for a particular preference pane by simply denying access.

Energy Saver and Battery Preference Panes

The Energy Saver Preference Pane is on desktops and the Battery Preference Pane is on laptops.

Beginning with Big Sur, macOS introduced a new preference pane for managing energy-related system preferences for laptop hardware devices. Monterey introduced a new Energy Saver preference pane different from Big Sur and earlier. Additionally, in macOS Ventura, what used to be the Energy Saver Preference Pane on desktops and the Battery Preference Pane on laptops are now split up into the Energy Saver or Battery Preference Pane and the Lock Screen Preference Pane. Because the Energy Saver, Battery, and Lock Screen panes use the same system extension in macOS Ventura, they must be targeted together.

Privilege Manager supports both preference panes with the following filters:

Note: Support for the new Energy Saver/Battery/Lock Screen, Network, and Date & Time Preference panes is available in Privilege Manager agent 11.4.0.

The following default policy is available for direct use. Alternatively, you can duplicate the policy, using it as a template to include an Advanced Message action.

The policy is configured to elevate without user interaction for the above Battery and Energy Saver preference pane filters such that it is applicable to all macOS versions.

Note: If you have an existing policy that targets Energy Saver and you have macOS Ventura endpoints, you must modify the policy to include the Energy Saver/Battery/Lock Screen Preference Panes (macOS) - Ventura filter. In addition, you must update the Privilege Manager agent on your macOS Ventura endpoints to the latest version.