# Recommended Standard Teacher MDM Profile # This guide provides a recommended baseline configuration for **teacher and staff Apple devices** managed through **Mosyle MDM**. The goal is to create a balanced standard that protects school data, reduces classroom distractions, and keeps devices consistent without overly limiting teachers from doing their work.

**Recommended Profile Name:** `Staff / Teacher – Standard Security & Classroom Use`

## Purpose This profile should be applied to school-owned teacher and staff devices such as MacBooks, iPads, and other Apple devices assigned to employees. This profile should be less restrictive than a student device profile, but more controlled than a personal unmanaged device.

- Protect school data - Reduce security risks - Limit classroom distractions - Keep device settings consistent - Allow teachers to use approved instructional tools

## Recommended Mosyle Profile Naming Examples ``` Staff - macOS - Teacher Baseline Staff - iPadOS - Teacher Baseline Staff - Standard Restrictions Staff - Security Baseline Staff - Web Filtering ``` ## Recommended Baseline Settings ### 1. USB Storage / External Drives

**Recommendation:** Restrict USB storage where possible, or allow only by documented exception.

Setting	Recommendation
USB storage access	Allow only if needed
Unknown USB accessories	Restrict when device is locked
External drive writing	Restrict where possible
External drive reading	Allow only for approved workflows

USB drives are one of the easiest ways for school data to leave a device. They can also introduce malware or create data-loss concerns. Teachers may have legitimate reasons to use external storage, but the standard should be to use approved cloud storage instead whenever possible. **Suggested policy language:** > Teachers should avoid using personal USB drives for school data. Approved school cloud storage should be used whenever possible to reduce the risk of data loss, malware, or unauthorized transfer of sensitive information. ### 2. Siri

**Recommendation:** Disable Siri on school-owned teacher devices unless there is an accessibility need.

Setting	Recommendation
Siri	Disabled
Siri while locked	Disabled
Dictation	Allowed only if needed for accessibility

Siri is usually not required for classroom instruction or staff productivity. Disabling Siri reduces privacy concerns, prevents accidental voice activation, and removes unnecessary lock-screen access. ### 3. AirDrop

**Recommendation:** Disable AirDrop by default. Allow only by exception for approved instructional use.

Setting	Recommendation
AirDrop	Disabled by default
AirDrop from Everyone	Not allowed
Password sharing through AirDrop	Disabled

AirDrop can be useful, but in a school setting it can also be abused for distractions, inappropriate file sharing, or accidental exposure of sensitive information. **Possible exception groups:**

- Art teachers - Media teachers - STEM teachers - Yearbook staff - Technology staff

### 4. Apple ID and iCloud

**Recommendation:** Restrict personal Apple ID use on school-owned devices.

Setting	Recommendation
Personal Apple ID	Not allowed on school-owned devices
Managed Apple ID	Preferred
iCloud Drive	Disabled unless approved
iCloud Photos	Disabled
iCloud Keychain	Disabled

School-owned devices should not become tied to personal Apple IDs. This can create problems with Activation Lock, app ownership, data ownership, privacy, and long-term device support. ### 5. App Store and App Installation

**Recommendation:** Apps should be deployed through Mosyle using Apple School Manager Apps and Books.

Setting	Recommendation
App Store	Restricted
User app installation	Disabled or limited
Managed apps	Required method
Removing managed apps	Disabled

### 6. Classroom Distraction Controls

Feature	Recommendation
Game Center	Disabled
Messages	Disabled unless approved
FaceTime	Disabled unless approved
Camera	Allowed
Microphone	Allowed
Screen Recording	Allowed for teachers

Teachers should have access to instructional tools such as the camera, microphone, screen recording, printing, and approved classroom applications. Consumer features that do not support instruction should be limited. ### 7. Privacy and Security

**Recommendation:** Enforce security settings on all school-owned teacher devices.

Security Item	Recommendation
Password / Passcode	Required
Auto-lock	Required
FileVault on macOS	Enabled
Firewall on macOS	Enabled
Gatekeeper	Enabled
Local admin rights	Standard user preferred

### 8. Web Filtering and Content Protection Teacher devices should still have web filtering enabled, but the teacher policy should be less restrictive than the student policy. Teachers may need access to broader educational content, research tools, media, and administrative websites.

Category	Recommendation
Adult content	Blocked
Malware / phishing	Blocked
Risky categories	Blocked
YouTube	Allowed with staff-level filtering
Social media	Allow or limit based on school policy

## Suggested Mosyle Profile Structure Instead of placing every setting into one large profile, it is better to split the configuration into smaller Mosyle profiles. This makes troubleshooting easier and allows IT to update one area without affecting everything else. ### Recommended Profiles

Profile Name	Purpose
Staff - Restrictions	AirDrop, Siri, Game Center, App Store, iCloud, sharing controls
Staff - Security	Password, FileVault, firewall, auto-lock, Gatekeeper
Staff - Wi-Fi	School Wi-Fi, certificates, auto-join settings
Staff - Apps	Required apps, classroom tools, security agents, print clients
Staff - Web Filtering	Staff-level filtering policy, malware protection, content protection

## Recommended Final Standard

Category	Recommended Setting
USB storage	Restricted / exception only
Siri	Disabled
Siri while locked	Disabled
AirDrop	Disabled
Personal Apple ID	Not allowed
iCloud Photos	Disabled
iCloud Keychain	Disabled
App installs	Mosyle-managed only
Game Center	Disabled
Camera	Allowed
Microphone	Allowed
Screen Recording	Allowed for teachers
Printing	Allowed
FileVault	Enabled
Firewall	Enabled
Password / Passcode	Required
Auto-lock	Required
Web filtering	Enabled
Admin rights	Standard user preferred

## Recommended Exception Process Some teachers may need exceptions based on their role or instructional workflow. Exceptions should be intentional, approved, and documented. ### Example Exceptions

- Art teacher needs AirDrop for media workflow - STEM teacher needs USB storage for robotics equipment - Music teacher needs external audio devices - Media teacher needs camera, microphone, and screen recording access - Administrator needs broader website access

### Exception Documentation Should Include

- User or group name - Device serial number - Requested exception - Business or instructional reason - Approval person - Review date