Best Practices Recommended Standard Teacher MDM Profile This guide provides a recommended baseline configuration for teacher and staff Apple devices managed through Mosyle MDM . The goal is to create a balanced standard that protects school data, reduces classroom distractions, and keeps devices consistent without overly limiting teachers from doing their work. Recommended Profile Name: Staff / Teacher – Standard Security & Classroom Use Purpose This profile should be applied to school-owned teacher and staff devices such as MacBooks, iPads, and other Apple devices assigned to employees. This profile should be less restrictive than a student device profile, but more controlled than a personal unmanaged device. Protect school data Reduce security risks Limit classroom distractions Keep device settings consistent Allow teachers to use approved instructional tools Recommended Mosyle Profile Naming Examples Staff - macOS - Teacher Baseline Staff - iPadOS - Teacher Baseline Staff - Standard Restrictions Staff - Security Baseline Staff - Web Filtering Recommended Baseline Settings 1. USB Storage / External Drives Recommendation: Restrict USB storage where possible, or allow only by documented exception. Setting Recommendation USB storage access Allow only if needed Unknown USB accessories Restrict when device is locked External drive writing Restrict where possible External drive reading Allow only for approved workflows USB drives are one of the easiest ways for school data to leave a device. They can also introduce malware or create data-loss concerns. Teachers may have legitimate reasons to use external storage, but the standard should be to use approved cloud storage instead whenever possible. Suggested policy language: Teachers should avoid using personal USB drives for school data. Approved school cloud storage should be used whenever possible to reduce the risk of data loss, malware, or unauthorized transfer of sensitive information. 2. Siri Recommendation: Disable Siri on school-owned teacher devices unless there is an accessibility need. Setting Recommendation Siri Disabled Siri while locked Disabled Dictation Allowed only if needed for accessibility Siri is usually not required for classroom instruction or staff productivity. Disabling Siri reduces privacy concerns, prevents accidental voice activation, and removes unnecessary lock-screen access. 3. AirDrop Recommendation: Disable AirDrop by default. Allow only by exception for approved instructional use. Setting Recommendation AirDrop Disabled by default AirDrop from Everyone Not allowed Password sharing through AirDrop Disabled AirDrop can be useful, but in a school setting it can also be abused for distractions, inappropriate file sharing, or accidental exposure of sensitive information. Possible exception groups: Art teachers Media teachers STEM teachers Yearbook staff Technology staff 4. Apple ID and iCloud Recommendation: Restrict personal Apple ID use on school-owned devices. Setting Recommendation Personal Apple ID Not allowed on school-owned devices Managed Apple ID Preferred iCloud Drive Disabled unless approved iCloud Photos Disabled iCloud Keychain Disabled School-owned devices should not become tied to personal Apple IDs. This can create problems with Activation Lock, app ownership, data ownership, privacy, and long-term device support. 5. App Store and App Installation Recommendation: Apps should be deployed through Mosyle using Apple School Manager Apps and Books. Setting Recommendation App Store Restricted User app installation Disabled or limited Managed apps Required method Removing managed apps Disabled 6. Classroom Distraction Controls Feature Recommendation Game Center Disabled Messages Disabled unless approved FaceTime Disabled unless approved Camera Allowed Microphone Allowed Screen Recording Allowed for teachers Teachers should have access to instructional tools such as the camera, microphone, screen recording, printing, and approved classroom applications. Consumer features that do not support instruction should be limited. 7. Privacy and Security Recommendation: Enforce security settings on all school-owned teacher devices. Security Item Recommendation Password / Passcode Required Auto-lock Required FileVault on macOS Enabled Firewall on macOS Enabled Gatekeeper Enabled Local admin rights Standard user preferred 8. Web Filtering and Content Protection Teacher devices should still have web filtering enabled, but the teacher policy should be less restrictive than the student policy. Teachers may need access to broader educational content, research tools, media, and administrative websites. Category Recommendation Adult content Blocked Malware / phishing Blocked Risky categories Blocked YouTube Allowed with staff-level filtering Social media Allow or limit based on school policy Suggested Mosyle Profile Structure Instead of placing every setting into one large profile, it is better to split the configuration into smaller Mosyle profiles. This makes troubleshooting easier and allows IT to update one area without affecting everything else. Recommended Profiles Profile Name Purpose Staff - Restrictions AirDrop, Siri, Game Center, App Store, iCloud, sharing controls Staff - Security Password, FileVault, firewall, auto-lock, Gatekeeper Staff - Wi-Fi School Wi-Fi, certificates, auto-join settings Staff - Apps Required apps, classroom tools, security agents, print clients Staff - Web Filtering Staff-level filtering policy, malware protection, content protection Recommended Final Standard Category Recommended Setting USB storage Restricted / exception only Siri Disabled Siri while locked Disabled AirDrop Disabled Personal Apple ID Not allowed iCloud Photos Disabled iCloud Keychain Disabled App installs Mosyle-managed only Game Center Disabled Camera Allowed Microphone Allowed Screen Recording Allowed for teachers Printing Allowed FileVault Enabled Firewall Enabled Password / Passcode Required Auto-lock Required Web filtering Enabled Admin rights Standard user preferred Recommended Exception Process Some teachers may need exceptions based on their role or instructional workflow. Exceptions should be intentional, approved, and documented. Example Exceptions Art teacher needs AirDrop for media workflow STEM teacher needs USB storage for robotics equipment Music teacher needs external audio devices Media teacher needs camera, microphone, and screen recording access Administrator needs broader website access Exception Documentation Should Include User or group name Device serial number Requested exception Business or instructional reason Approval person Review date Recommended Standard Student MDM Profile This guide provides a recommended baseline configuration for student Apple devices managed through Mosyle MDM . Student devices should be configured with stronger restrictions than teacher or staff devices because they are used in a classroom environment, may be shared or assigned to minors, and must support school safety, security, and compliance requirements. Recommended Profile Name: Students – Standard Restrictions and Security Purpose This profile should be applied to school-owned student iPads, MacBooks, and other Apple devices. The goal is to keep the device focused on learning, reduce distractions, protect students, prevent unauthorized changes, and maintain consistent device behavior across the school. Keep devices focused on instructional use Reduce classroom distractions Prevent inappropriate sharing or communication Protect student data and school-owned equipment Support web filtering and school compliance requirements Prevent students from bypassing school controls Recommended Mosyle Profile Naming Examples Students - iPadOS - Standard Restrictions Students - macOS - Standard Restrictions Students - Security Baseline Students - Web Filtering Students - App Controls Students - Shared Device Restrictions Recommended Baseline Settings 1. USB Storage / External Drives Recommendation: Block USB storage and external drives for students unless there is a documented instructional exception. Setting Recommendation USB storage access Blocked External drives Blocked unless approved Unknown USB accessories Restricted File transfer to removable media Not allowed Students should not be able to copy school files, screenshots, assignments, or sensitive information to removable storage without approval. External storage also increases the risk of malware, inappropriate files, and data loss. 2. Siri and Dictation Recommendation: Disable Siri and restrict Dictation unless required for accessibility. Setting Recommendation Siri Disabled Siri while locked Disabled Siri Suggestions Disabled Dictation Disabled unless required for accessibility Siri is not normally required for student learning devices and can create privacy concerns, classroom distractions, or unintended lock-screen access. 3. AirDrop Recommendation: Disable AirDrop for all student devices. Setting Recommendation AirDrop Disabled AirDrop receiving from Everyone Not allowed Password sharing through AirDrop Disabled AirDrop should be disabled for students because it can be used for inappropriate file sharing, classroom disruption, bullying, image sharing, or bypassing normal communication controls. 4. Apple ID and iCloud Recommendation: Block personal Apple ID use and limit iCloud services. Setting Recommendation Personal Apple ID Blocked Managed Apple ID Allowed if school-managed iCloud Drive Disabled unless required iCloud Photos Disabled iCloud Keychain Disabled iCloud Backup Disabled unless school-approved Student devices should not be tied to personal Apple IDs. Personal accounts can create privacy issues, app ownership problems, Activation Lock concerns, and support issues when the device needs to be reassigned. 5. App Store and App Installation Recommendation: Students should not install apps directly. Apps should be deployed through Mosyle. Setting Recommendation App Store Disabled or restricted Install apps Not allowed by students Remove apps Not allowed for managed apps In-app purchases Disabled Untrusted enterprise apps Blocked Required apps should be assigned through Mosyle and Apple School Manager Apps and Books. This keeps app licensing, installation, updates, and removal under school control. 6. Classroom Distraction Controls Recommendation: Disable non-instructional features that create distractions or safety concerns. Feature Recommendation Game Center Disabled Messages Disabled unless required FaceTime Disabled unless required Music / Apple Music Disabled or restricted Podcasts Disabled or restricted News Disabled or restricted Screen recording Restricted unless needed for instruction 7. Camera, Microphone, and Screen Recording Recommendation: Allow only when instructionally needed. Feature Recommendation Camera Allowed if needed for instruction Microphone Allowed if needed for instruction Screen recording Restricted unless approved Screenshots Restrict if supported and appropriate For many classrooms, the camera and microphone may be required for projects, testing, accessibility, video assignments, and teacher-approved activities. These should not be blocked globally unless the school has a specific reason. 8. Web Filtering and Content Protection Recommendation: Student web filtering should be required on all student devices. Category Recommendation Adult content Blocked Malware / phishing Blocked Proxy / VPN bypass sites Blocked Gambling Blocked Violence / weapons Blocked according to school policy Social media Blocked or limited by grade level YouTube Restricted or education-filtered AI tools Controlled by school policy Student filtering should apply both on-campus and off-campus when possible. Students should not be able to bypass filtering by using VPN apps, proxy sites, alternative browsers, private relay services, or unauthorized DNS settings. 9. Browser and Search Settings Setting Recommendation Safari Allowed only with filtering Private Browsing Disabled where possible Browser extensions Restricted SafeSearch Enforced YouTube Restricted Mode Enforced where applicable 10. VPN, DNS, and Network Changes Recommendation: Students should not be allowed to install VPNs, modify DNS, or bypass network controls. Setting Recommendation VPN apps Blocked unless school-managed DNS changes Restricted Proxy configuration Restricted Private Relay Disabled 11. Privacy and Security Recommendation: Enforce security settings on all student devices. Security Item Recommendation Password / Passcode Required based on grade level and device type Auto-lock Required FileVault on macOS Enabled for assigned MacBooks Firewall on macOS Enabled Gatekeeper Enabled Local admin rights Not allowed 12. Account and Settings Restrictions Setting Recommendation Account changes Restricted Erase all content and settings Blocked Device name changes Restricted Wallpaper changes Optional: restrict for shared devices Bluetooth changes Restricted if not needed MDM profile removal Blocked Suggested Mosyle Profile Structure Student settings should be split into multiple Mosyle profiles instead of one large profile. This makes management, troubleshooting, and grade-level customization much easier. Profile Name Purpose Students - Restrictions AirDrop, Siri, App Store, iCloud, Game Center, account changes, device changes Students - Security Passcode, auto-lock, FileVault, firewall, Gatekeeper, profile removal protection Students - Wi-Fi Student Wi-Fi, certificates, auto-join, network restrictions Students - Apps Required apps, blocked apps, approved learning tools, app removal restrictions Students - Web Filtering CIPA-aligned filtering, malware protection, category restrictions, bypass prevention Students - Testing Mode Assessment restrictions, app lock, browser lock, testing-specific controls Recommended Final Student Standard Category Recommended Setting USB storage Blocked Siri Disabled Siri while locked Disabled AirDrop Disabled Personal Apple ID Blocked iCloud Photos Disabled iCloud Keychain Disabled App installs Mosyle-managed only Removing managed apps Blocked Game Center Disabled Messages Disabled unless required FaceTime Disabled unless required Camera Allowed if needed for instruction Microphone Allowed if needed for instruction Screen recording Restricted unless approved VPN apps Blocked unless school-managed DNS / proxy changes Restricted Private browsing Disabled where possible Web filtering Required SafeSearch Enforced YouTube Restricted Mode Enforced where applicable Password / Passcode Required based on grade/device type Auto-lock Required Admin rights Not allowed MDM profile removal Blocked Recommended Grade-Level Approach Not all students need the same level of restriction. The school may want to separate student profiles by grade band. Grade Level Recommended Approach K–2 Most restrictive; only required apps; very limited settings access 3–5 Highly restricted; allow only approved learning apps and websites 6–8 Restricted with some flexibility for projects, research, and classroom tools 9–12 Controlled but more flexible; still block bypass tools, unmanaged apps, and risky content Recommended Exception Process Student exceptions should be limited and documented. Exceptions should normally be tied to a class, grade level, accessibility requirement, testing requirement, or approved instructional activity. Example Exceptions STEM class needs Bluetooth or USB access for robotics Media class needs camera and microphone access Testing group needs a special locked-down testing profile Student requires Dictation or accessibility tools High school course requires access to specific approved websites Exception Documentation Should Include Student name or group Grade level Device serial number or assigned device group Requested exception Instructional or accessibility reason Approving staff member Expiration or review date