
Mac Policy

Mac policies in NinjaOne refer to the specific guidelines and configurations applied to Apple devices running the macOS operating system. These policies are essential for ensuring that Mac devices are managed and secured according to Apple’s standards, while also meeting your organization’s specific requirements.

Mac policies in NinjaOne let you control your Apple devices. You can manage app distribution, network access, and data encryption. This helps keep your devices secure and compliant with your company’s rules. You can also automate tasks and monitor your devices easily. This makes it easier for your employees to use their Apple devices and keeps your company safe.

How to configure a macOS policy in NinjaOne

How to Create or Edit a NinjaOne Mac Policy

These instructions will help you create a new policy or modify an existing one using NinjaOne’s policy management:

  1. Click Administration in the left navigation pane and select Policies. The Agent Policies page displays by default.
  2. Select the type of policy (Agent, NMS or VM Policy).
  3. Click the Create New Policy button.

Create New Policy button

  4. Click “Agent Policies” in the list of policy categories. This displays all existing agent policies on the right-hand side.
  5. To create a new Mac policy, click the “Create New Policy” button at the top-right corner of the Agent Policies page.
  6. To edit an existing Mac policy, locate the policy in the list and click it.

Create a Compound Condition

To create a new compound condition, perform the following steps:

  1. In the NinjaOne console, navigate to Administration → Policies. Click the policy name and then open Compound Conditions.
  2. Click Add.

Add Compound Condition

The Add a compound condition modal displays.

  3. The Conditions section of the modal (marked as required) is open by default. Click Add condition and then select an option from the drop-down menu.

Add condition

  4. Your configuration options vary depending on the condition type you select. Refer to the compound conditions documentation for instructions specific to your condition type.

Creating New Scheduled Automations

To create a new scheduled automation, perform the following steps:

  1. In NinjaOne, click Administration in the left navigation menu, then select Policies from the expanded options.
  2. Select the policy type in the Policies drop-down menu, then click the agent policy.
  3. Click Scheduled Automations, then click Add a Scheduled Automation.

Add a Scheduled Automation

  4. Give your new scheduled automation a name, an optional description, and a schedule. Move your cursor over the Schedule tooltip to learn more about schedule options.
  5. To receive notifications when this scheduled automation runs on a device, attach a notification channel and configure the action to send notifications. Once enabled, you can also assign the severity and priority for the notification. Refer to Notification Channels to learn more.
  6. If you have a PSA integration configured, you can also create a ticket whenever this scheduled script runs. The option you see for this field depends on which PSA you integrated with NinjaOne, if any. If NinjaOne Ticketing is enabled, use the Ticketing Rule drop-down menu options to create a ticket.

Ticketing Rule dropdown menu

Enable and Configure MacOS Patch Management

  1. Navigate to the editor for a Mac policy (Administration > Policies) under which macOS patching should be enabled, and then select OS Patching in the left navigation pane.
  2. Ensure the Enabled toggle switch is activated.
  3. Configure the Scan Schedule and Update Schedule to desired parameters.

OS Patching window

  4. Select Reboot Options and configure the desired settings. There are two groups of reboot options:
    • Not Logged in User Reboot Options
      • Reboot immediately—the device will reboot immediately.
      • Attempt to reboot until successful—select a daily, interval, or weekly schedule at which you’d like the device to attempt to reboot.
    • Logged In User Reboot Options
      • Prompt to reboot until accepted—the end user will be prompted every ‘X’ number of minutes/hours/days until the reboot is accepted. There is also an option to force a reboot after x number of prompts.
      • Notify user then reboot—the end user will be notified that their device will reboot, and then proceed to reboot after ‘X’ number of minutes/hours/days.
      • Set a custom Reboot Dialog—For the two actions listed above, a custom message prompt can be created for users when a reboot is required after a patch cycle.
      • Automatically reboot—the device will automatically reboot after ‘X’ number of minutes/hours/days.

Important Note: There is no ‘Do nothing’ reboot option for macOS Patching. This is by design, because macOS does not stage OS updates. A macOS patch cannot begin installing until the reboot.

Reboot options

  5. Set up the policy schedule:
    • There are two schedule types: Scan Schedule and Update Schedule.
      • Scan Schedule: The time the scan for available patches starts.
      • Update Schedule: The time when the available patches are downloaded and then applied to the endpoint(s).

If you’d like the devices under this policy to correct a missed scan or update upon coming online, activate the applicable checkbox below the respective schedule.

Important Note: The default scan start time is 8am local time for the scan schedule so that it is different from the default update schedule time (5pm local). This only affects new policies.

    • You can choose from five options when setting the schedule:
      • Daily
      • Weekly
      • Monthly, Day of Month
      • Custom (select the month and then day of the week)
      • None

The first four schedule types can be configured with an optional duration limit. This allows you to set a limit on how long the scan/update actions will run before they are terminated.

    • Under Days, you can select one or more days for the Weekly schedule, with a minimum of one being selected to a maximum of all seven. Devices will be patched only on the days selected. If no days are selected, an error message displays until the minimum requirement is met.

Update schedule

    • The None scheduling option allows you to add a duration for running ad-hoc scans.
    • Schedules can be set to run immediately, if missed. Simply activate the checkbox next to the setting you would like to enable. This option is not available if the schedule is set to None.

Run update immediately option

  6. Next, configure the approval option for the Critical and Unassigned patch types. These categories (Critical or Unassigned) are determined by how Apple classifies a patch.
  7. Hover your mouse pointer over the information icon near the Approvals section. This provides more information on the Critical and Unassigned patch types.

Critical and unassigned patch types information

  8. Click Save at the top of the screen.

Running a macOS Patch Cycle on Demand

You can run a patch scan and installation cycle on a macOS device with patch management enabled at the policy level at any time by following these steps:

  1. In NinjaOne, click Devices, then locate and click your device name in the Devices search grid.

Devices dashboard

  2. Place your cursor over the action (play) icon, then use the drop-down menus to navigate to OS Update Scan or OS Update Apply.

OS scan and update

Setting Warranty Tracking Schedules and Notifications

You can configure device policies to set warranty expiration notification schedules, manage notification channels, and create ticketing rules.

  1. In NinjaOne, navigate to Administration → Policies → Agent policies, then select a policy from the Agent policies list.

Agent Policies list

  2. The policy configuration options open. Click the Warranty Tracking tab, then configure the Schedule and Notifications settings to your needs. Place your cursor over the tooltip icons for explanations of key settings.

Warranty Tracking

Warranty Tracking Settings

The settings below explain the various warranty tracking options (setting, followed by its description).

Activity setting: Activate this toggle to activate warranty tracking.

Schedule: Use these settings to specify the timing of your warranty alerts. You can specify the following:

  • Threshold: The alert activates once the warranty expiration time period exceeds this value.
  • Type: Choose Before warranty expires or After warranty starts. NinjaOne only sends notifications if a warranty start and end date exist on the device.
  • Frequency: Select how often NinjaOne sends the alert.

  Using the schedule settings in Figure 6 above, NinjaOne would send a notification only once, 90 days before the warranty expires.

Notifications: These options control how and to whom NinjaOne sends notifications when warranty conditions exceed the schedule parameters.

  • Channels: Select the channels to which you want notifications sent. For more information, refer to our Notification Channels article.
  • Severity: Define the level to which warranty expiration affects the device. Choose from Critical, Major, Minor, Moderate, or None.
  • Priority: Specify the order in which the warranty expiration should be addressed in relation to other events. Select from High, Medium, Low, or None.
  • Ticketing Rule: State whether NinjaOne should automatically create a ticket and, if so, which ticketing rules it should use. Refer to NinjaOne Ticketing: Automation to learn more.

Policy Settings for macOS and MDM

After a macOS device is enrolled in NinjaOne MDM, you can use the traditional agent policy to configure both agent-derived and MDM-derived settings. To view these settings, create or edit any agent policy where the assigned device role is “Mac Desktops and Laptops” or “Mac Servers.”

MDM configuration for macOS works similarly to an iOS MDM policy in NinjaOne, with a few differences outlined in this section. The policy’s functionality only shows macOS-supported tools and apps.

When editing or configuring a policy, you will see an MDM subsection on the left-hand menu.

MDM menu

You can configure the following payloads for any MDM-enrolled macOS devices (payload, followed by its description):

  • Passcode: Define minimum passcode requirements for your devices.
  • Restrictions: Restrict access to specific device functionality as required by your organization.
  • Applications: Deploy App Store apps that have been synced into NinjaOne via an integrated Apps and Books content token.
  • Network: Define managed Wi-Fi networks that devices can automatically connect to, as well as global proxy settings.
  • OS Updates: Define the default behavior for handling OS updates. Technicians can also manually approve specific OS updates for the policy and deploy them to devices with a defined enforcement deadline.
  • Privacy Preferences: Define and pre-approve any permissions required by third-party apps, such as access to all files or access to Accessibility APIs, bypassing end-user prompts upon app installation.
  • System Extensions: Define and pre-approve any system extensions required by third-party apps, bypassing end-user prompts upon app installation.
  • Custom Payloads: Define a custom mobileconfig payload that can be used to deploy any MDM-configured or Managed App Preference configuration to devices.
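As an added example that is not part of NinjaOne's documentation or code: a Python script that builds a custom .mobileconfig of the kind the Custom Payloads option deploys (a screen-saver lock enforced through Apple's com.apple.screensaver preference domain) and checks that every payload carries the keys a configuration profile requires before it is uploaded. The reverse-DNS identifiers and the idle time are constructed placeholders.

```python
import plistlib
import uuid

# Keys every payload dictionary (and the top-level wrapper) must carry.
REQUIRED_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def build_screensaver_profile(idle_seconds: int = 600) -> bytes:
    """Build a mobileconfig that locks the screen after idle_seconds of inactivity.

    Identifiers are constructed placeholders; replace them with your own names
    before uploading the profile as a Custom Payload."""
    screensaver = {
        "PayloadType": "com.apple.screensaver",   # Apple's screen-saver preference domain
        "PayloadIdentifier": "com.example.mdm.screensaver",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Screen Saver Lock",
        "idleTime": idle_seconds,    # seconds of inactivity before the screen saver starts
        "askForPassword": True,      # require a password to dismiss it ...
        "askForPasswordDelay": 0,    # ... with no grace period
    }
    profile = {
        "PayloadType": "Configuration",            # top-level profile wrapper
        "PayloadIdentifier": "com.example.mdm.screensaver.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Screen Saver Lock Policy",
        "PayloadScope": "System",                  # device-wide, not per user
        "PayloadRemovalDisallowed": True,          # end users cannot remove it
        "PayloadContent": [screensaver],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def validate_profile(data: bytes) -> list:
    """Return the structural problems found; an empty list means the profile
    parses and every payload carries the keys MDM requires."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:               # any parse failure is itself a finding
        return [f"not a valid plist: {exc}"]
    if not isinstance(profile, dict):
        return ["top level must be a dictionary"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    if missing := REQUIRED_KEYS - set(profile):
        problems.append(f"top level missing {sorted(missing)}")
    payloads = profile.get("PayloadContent") or []
    if not payloads:
        problems.append("PayloadContent is empty")
    for i, payload in enumerate(payloads):
        if missing := REQUIRED_KEYS - set(payload):
            problems.append(f"payload {i} missing {sorted(missing)}")
    return problems
```

Write the bytes returned by build_screensaver_profile() to a .mobileconfig file and run validate_profile() on any hand-edited profile before adding it as a Custom Payload.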

Options you can customize for NinjaOne Mac policy conditions

When configuring a condition within a NinjaOne Mac Policy, the following options are available:

  • Condition: Choose the exact system metric or event that will activate the condition, like CPU usage, disk space limits, or other important factors.
  • Name: Give an optional descriptive name to the condition so you can easily identify it within the policy.
  • Severity: Select the severity level associated with this condition, ranging from none to high. This setting helps classify the urgency and potential effect of the condition.
  • Priority: Set the priority level, which indicates the importance of the condition relative to others, guiding how quickly it should be addressed.
  • Reset Interval: Set the time interval after which the condition will be reset if it is no longer true.
  • Channel(s): Select one or more communication channels (e.g., email, SMS) where notifications will be sent if the condition is triggered.
  • Notify Technicians: Choose if you want to send notifications to technicians when the condition happens. This option can be adjusted to match your notification preferences.
  • Ticketing Rule: Specify whether a ticket should be automatically generated when the condition is met. This can be set off if no ticket creation is required.
  • Automations: You can configure specific automations to execute automatically when the condition is triggered. These automations might include running scripts, restarting services, or performing other predefined actions to remediate or respond to the condition. Automations are configured by clicking “Add” in the “Automations” section, where you can define the exact response actions tied to the condition.

Benefits, Strategies and Best Practices for Mac Policy with NinjaOne

  • Improved Efficiency: Use NinjaOne to do things like update software and change settings automatically. This can help you deploy new software quickly and fix problems before they affect your users.
  • Enhanced Security: Manage your Mac devices centrally. Protect sensitive data and adhere to industry best practices and regulatory compliance requirements.
  • Leverage Automation: Use NinjaOne to automate tasks. This can help you manage your devices more easily and efficiently.
  • Continuously Review and Update: Keep your policies updated. Check them regularly and make changes as needed.
  • Strategic Implementation: Set up your Mac policies in NinjaOne. Test them to make sure they work correctly. Check if your devices follow these policies and take action if they don’t.
  • Enforced Monitoring: Check if your devices follow the rules. Use the data to find ways to improve your policies.

FAQ

A Mac policy is a set of rules or guidelines that govern the behavior and configuration of Apple devices running the macOS operating system. These policies can be used to control various aspects of device usage, such as app distribution, network access, data encryption, and user settings.

A policy banner in NinjaOne for Mac devices is a visual notification that appears on the user’s screen when they attempt to perform an action that violates a defined policy. It’s a proactive way to prevent non-compliant behavior and enforce organizational policies.

Next Steps