Recommended Standard Teacher MDM Profile
This guide provides a recommended baseline configuration for teacher and staff Apple devices managed through Mosyle MDM. The goal is to create a balanced standard that protects school data, reduces classroom distractions, and keeps devices consistent without overly limiting teachers from doing their work.
Staff / Teacher – Standard Security & Classroom Use
Purpose
This profile should be applied to school-owned teacher and staff devices such as MacBooks, iPads, and other Apple devices assigned to employees. This profile should be less restrictive than a student device profile, but more controlled than a personal unmanaged device.
- Protect school data
- Reduce security risks
- Limit classroom distractions
- Keep device settings consistent
- Allow teachers to use approved instructional tools
Recommended Mosyle Profile Naming Examples
Staff - macOS - Teacher Baseline
Staff - iPadOS - Teacher Baseline
Staff - Standard Restrictions
Staff - Security Baseline
Staff - Web Filtering
Recommended Baseline Settings
1. USB Storage / External Drives
| Setting | Recommendation |
|---|---|
| USB storage access | Allow only if needed |
| Unknown USB accessories | Restrict when device is locked |
| External drive writing | Restrict where possible |
| External drive reading | Allow only for approved workflows |
USB drives are one of the easiest ways for school data to leave a device. They can also introduce malware or create data-loss concerns. Teachers may have legitimate reasons to use external storage, but the standard should be to use approved cloud storage instead whenever possible.
Suggested policy language:
Teachers should avoid using personal USB drives for school data. Approved school cloud storage should be used whenever possible to reduce the risk of data loss, malware, or unauthorized transfer of sensitive information.
2. Siri
| Setting | Recommendation |
|---|---|
| Siri | Disabled |
| Siri while locked | Disabled |
| Dictation | Allowed only if needed for accessibility |
Siri is usually not required for classroom instruction or staff productivity. Disabling Siri reduces privacy concerns, prevents accidental voice activation, and removes unnecessary lock-screen access.
3. AirDrop
| Setting | Recommendation |
|---|---|
| AirDrop | Disabled by default |
| AirDrop from Everyone | Not allowed |
| Password sharing through AirDrop | Disabled |
AirDrop can be useful, but in a school setting it can also be abused for distractions, inappropriate file sharing, or accidental exposure of sensitive information.
Possible exception groups:
- Art teachers
- Media teachers
- STEM teachers
- Yearbook staff
- Technology staff
4. Apple ID and iCloud
| Setting | Recommendation |
|---|---|
| Personal Apple ID | Not allowed on school-owned devices |
| Managed Apple ID | Preferred |
| iCloud Drive | Disabled unless approved |
| iCloud Photos | Disabled |
| iCloud Keychain | Disabled |
School-owned devices should not become tied to personal Apple IDs. This can create problems with Activation Lock, app ownership, data ownership, privacy, and long-term device support.
5. App Store and App Installation
| Setting | Recommendation |
|---|---|
| App Store | Restricted |
| User app installation | Disabled or limited |
| Managed apps | Required method |
| Removing managed apps | Disabled |
6. Classroom Distraction Controls
| Feature | Recommendation |
|---|---|
| Game Center | Disabled |
| Messages | Disabled unless approved |
| FaceTime | Disabled unless approved |
| Camera | Allowed |
| Microphone | Allowed |
| Screen Recording | Allowed for teachers |
Teachers should have access to instructional tools such as the camera, microphone, screen recording, printing, and approved classroom applications. Consumer features that do not support instruction should be limited.
7. Privacy and Security
| Security Item | Recommendation |
|---|---|
| Password / Passcode | Required |
| Auto-lock | Required |
| FileVault on macOS | Enabled |
| Firewall on macOS | Enabled |
| Gatekeeper | Enabled |
| Local admin rights | Standard user preferred |
8. Web Filtering and Content Protection
Teacher devices should still have web filtering enabled, but the teacher policy should be less restrictive than the student policy. Teachers may need access to broader educational content, research tools, media, and administrative websites.
| Category | Recommendation |
|---|---|
| Adult content | Blocked |
| Malware / phishing | Blocked |
| Risky categories | Blocked |
| YouTube | Allowed with staff-level filtering |
| Social media | Allow or limit based on school policy |
Suggested Mosyle Profile Structure
Instead of placing every setting into one large profile, it is better to split the configuration into smaller Mosyle profiles. This makes troubleshooting easier and allows IT to update one area without affecting everything else.
Recommended Profiles
| Profile Name | Purpose |
|---|---|
| Staff - Restrictions | AirDrop, Siri, Game Center, App Store, iCloud, sharing controls |
| Staff - Security | Password, FileVault, firewall, auto-lock, Gatekeeper |
| Staff - Wi-Fi | School Wi-Fi, certificates, auto-join settings |
| Staff - Apps | Required apps, classroom tools, security agents, print clients |
| Staff - Web Filtering | Staff-level filtering policy, malware protection, content protection |
Recommended Final Standard
| Category | Recommended Setting |
|---|---|
| USB storage | Restricted / exception only |
| Siri | Disabled |
| Siri while locked | Disabled |
| AirDrop | Disabled |
| Personal Apple ID | Not allowed |
| iCloud Photos | Disabled |
| iCloud Keychain | Disabled |
| App installs | Mosyle-managed only |
| Game Center | Disabled |
| Camera | Allowed |
| Microphone | Allowed |
| Screen Recording | Allowed for teachers |
| Printing | Allowed |
| FileVault | Enabled |
| Firewall | Enabled |
| Password / Passcode | Required |
| Auto-lock | Required |
| Web filtering | Enabled |
| Admin rights | Standard user preferred |
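One way to spot-check an exported configuration profile against the standard above, as an added example that is not part of the original guide and is not Mosyle tooling. The key names are Apple's Restrictions payload (`com.apple.applicationaccess`) keys; the mapping from table rows to keys, the function name, and the sample profile are assumptions constructed for illustration.

```python
import plistlib

# Assumed mapping: rows of the final standard -> Apple Restrictions payload
# (com.apple.applicationaccess) keys and the value the standard expects.
BASELINE = {
    "allowAssistant": False,             # Siri: Disabled
    "allowAssistantWhileLocked": False,  # Siri while locked: Disabled
    "allowAirDrop": False,               # AirDrop: Disabled
    "allowCloudPhotoLibrary": False,     # iCloud Photos: Disabled
    "allowCloudKeychainSync": False,     # iCloud Keychain: Disabled
    "allowGameCenter": False,            # Game Center: Disabled
    "allowCamera": True,                 # Camera: Allowed
}

# Constructed sample profile (not exported from a real MDM): AirDrop was left
# enabled and the iCloud Keychain key was never set.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowAssistant</key><false/>
    <key>allowAssistantWhileLocked</key><false/>
    <key>allowAirDrop</key><true/>
    <key>allowCloudPhotoLibrary</key><false/>
    <key>allowGameCenter</key><false/>
    <key>allowCamera</key><true/>
  </dict></array>
</dict></plist>"""

def audit_restrictions(profile_bytes, baseline=BASELINE):
    """Return sorted (key, expected, actual) tuples for every deviation."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    findings = []
    for key, expected in baseline.items():
        # These allow* keys default to true when absent, so an unset key is permissive.
        actual = merged.get(key)
        effective = True if actual is None else actual
        if effective != expected:
            findings.append((key, expected, "unset" if actual is None else actual))
    return sorted(findings)

if __name__ == "__main__":
    for key, expected, actual in audit_restrictions(SAMPLE_PROFILE):
        print(f"DEVIATION {key}: expected {expected}, found {actual}")
```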
Recommended Exception Process
Some teachers may need exceptions based on their role or instructional workflow. Exceptions should be intentional, approved, and documented.
Example Exceptions
- Art teacher needs AirDrop for media workflow
- STEM teacher needs USB storage for robotics equipment
- Music teacher needs external audio devices
- Media teacher needs camera, microphone, and screen recording access
- Administrator needs broader website access
Exception Documentation Should Include
- User or group name
- Device serial number
- Requested exception
- Business or instructional reason
- Approval person
- Review date