Recommended Standard Teacher MDM Profile

This guide provides a recommended baseline configuration for teacher and staff Apple devices managed through Mosyle MDM. The goal is to create a balanced standard that protects school data, reduces classroom distractions, and keeps devices consistent without overly limiting teachers from doing their work.

Recommended Profile Name: Staff / Teacher – Standard Security & Classroom Use

Purpose

This profile should be applied to school-owned teacher and staff devices such as MacBooks, iPads, and other Apple devices assigned to employees. This profile should be less restrictive than a student device profile, but more controlled than a personal unmanaged device.

- Protect school data
- Reduce security risks
- Limit classroom distractions
- Keep device settings consistent
- Allow teachers to use approved instructional tools

Recommended Mosyle Profile Naming Examples

- Staff - macOS - Teacher Baseline
- Staff - iPadOS - Teacher Baseline
- Staff - Standard Restrictions
- Staff - Security Baseline
- Staff - Web Filtering

Recommended Baseline Settings

1. USB Storage / External Drives

Recommendation: Restrict USB storage where possible, or allow only by documented exception.

| Setting | Recommendation |
|---|---|
| USB storage access | Allow only if needed |
| Unknown USB accessories | Restrict when device is locked |
| External drive writing | Restrict where possible |
| External drive reading | Allow only for approved workflows |

USB drives are one of the easiest ways for school data to leave a device. They can also introduce malware or create data-loss concerns. Teachers may have legitimate reasons to use external storage, but the standard should be to use approved cloud storage instead whenever possible.

Suggested policy language:

Teachers should avoid using personal USB drives for school data. Approved school cloud storage should be used whenever possible to reduce the risk of data loss, malware, or unauthorized transfer of sensitive information.

2. Siri

Recommendation: Disable Siri on school-owned teacher devices unless there is an accessibility need.

| Setting | Recommendation |
|---|---|
| Siri | Disabled |
| Siri while locked | Disabled |
| Dictation | Allowed only if needed for accessibility |

Siri is usually not required for classroom instruction or staff productivity. Disabling Siri reduces privacy concerns, prevents accidental voice activation, and removes unnecessary lock-screen access.

3. AirDrop

Recommendation: Disable AirDrop by default. Allow only by exception for approved instructional use.

| Setting | Recommendation |
|---|---|
| AirDrop | Disabled by default |
| AirDrop from Everyone | Not allowed |
| Password sharing through AirDrop | Disabled |

AirDrop can be useful, but in a school setting it can also be abused for distractions, inappropriate file sharing, or accidental exposure of sensitive information.

Possible exception groups:

- Art teachers
- Media teachers
- STEM teachers
- Yearbook staff
- Technology staff

4. Apple ID and iCloud

Recommendation: Restrict personal Apple ID use on school-owned devices.

| Setting | Recommendation |
|---|---|
| Personal Apple ID | Not allowed on school-owned devices |
| Managed Apple ID | Preferred |
| iCloud Drive | Disabled unless approved |
| iCloud Photos | Disabled |
| iCloud Keychain | Disabled |

School-owned devices should not become tied to personal Apple IDs. This can create problems with Activation Lock, app ownership, data ownership, privacy, and long-term device support.

5. App Store and App Installation

Recommendation: Apps should be deployed through Mosyle using Apple School Manager Apps and Books.

| Setting | Recommendation |
|---|---|
| App Store | Restricted |
| User app installation | Disabled or limited |
| Managed apps | Required method |
| Removing managed apps | Disabled |

6. Classroom Distraction Controls

| Feature | Recommendation |
|---|---|
| Game Center | Disabled |
| Messages | Disabled unless approved |
| FaceTime | Disabled unless approved |
| Camera | Allowed |
| Microphone | Allowed |
| Screen Recording | Allowed for teachers |

Teachers should have access to instructional tools such as the camera, microphone, screen recording, printing, and approved classroom applications. Consumer features that do not support instruction should be limited.

7. Privacy and Security

Recommendation: Enforce security settings on all school-owned teacher devices.

| Security Item | Recommendation |
|---|---|
| Password / Passcode | Required |
| Auto-lock | Required |
| FileVault on macOS | Enabled |
| Firewall on macOS | Enabled |
| Gatekeeper | Enabled |
| Local admin rights | Standard user preferred |

8. Web Filtering and Content Protection

Teacher devices should still have web filtering enabled, but the teacher policy should be less restrictive than the student policy. Teachers may need access to broader educational content, research tools, media, and administrative websites.

| Category | Recommendation |
|---|---|
| Adult content | Blocked |
| Malware / phishing | Blocked |
| Risky categories | Blocked |
| YouTube | Allowed with staff-level filtering |
| Social media | Allow or limit based on school policy |

Suggested Mosyle Profile Structure

Instead of placing every setting into one large profile, it is better to split the configuration into smaller Mosyle profiles. This makes troubleshooting easier and allows IT to update one area without affecting everything else.

Recommended Profiles

| Profile Name | Purpose |
|---|---|
| Staff - Restrictions | AirDrop, Siri, Game Center, App Store, iCloud, sharing controls |
| Staff - Security | Password, FileVault, firewall, auto-lock, Gatekeeper |
| Staff - Wi-Fi | School Wi-Fi, certificates, auto-join settings |
| Staff - Apps | Required apps, classroom tools, security agents, print clients |
| Staff - Web Filtering | Staff-level filtering policy, malware protection, content protection |

Recommended Final Standard

| Category | Recommended Setting |
|---|---|
| USB storage | Restricted / exception only |
| Siri | Disabled |
| Siri while locked | Disabled |
| AirDrop | Disabled |
| Personal Apple ID | Not allowed |
| iCloud Photos | Disabled |
| iCloud Keychain | Disabled |
| App installs | Mosyle-managed only |
| Game Center | Disabled |
| Camera | Allowed |
| Microphone | Allowed |
| Screen Recording | Allowed for teachers |
| Printing | Allowed |
| FileVault | Enabled |
| Firewall | Enabled |
| Password / Passcode | Required |
| Auto-lock | Required |
| Web filtering | Enabled |
| Admin rights | Standard user preferred |

Recommended Exception Process

Some teachers may need exceptions based on their role or instructional workflow. Exceptions should be intentional, approved, and documented.

Example Exceptions

- Art teacher needs AirDrop for media workflow
- STEM teacher needs USB storage for robotics equipment
- Music teacher needs external audio devices
- Media teacher needs camera, microphone, and screen recording access
- Administrator needs broader website access

Exception Documentation Should Include

- User or group name
- Device serial number
- Requested exception
- Business or instructional reason
- Approval person
- Review date
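To check a restrictions profile against the Recommended Final Standard, the sketch below audits a configuration profile plist for drift, including keys that are simply missing and therefore fall back to Apple's permissive default. It is an added example, not part of the original guide or of Mosyle's tooling; the mapping from the table's rows to Apple Restrictions payload keys and the sample profile are assumptions.

```python
import plistlib

# Page's "Recommended Final Standard", mapped (assumption) to Apple Restrictions
# payload keys. Every allow* key defaults to True when absent from a profile.
BASELINE = {
    "allowAssistant": False,             # Siri: Disabled
    "allowAssistantWhileLocked": False,  # Siri while locked: Disabled
    "allowAirDrop": False,               # AirDrop: Disabled
    "allowCloudPhotoLibrary": False,     # iCloud Photos: Disabled
    "allowCloudKeychainSync": False,     # iCloud Keychain: Disabled
    "allowAppInstallation": False,       # App installs: Mosyle-managed only
    "allowGameCenter": False,            # Game Center: Disabled
    "allowCamera": True,                 # Camera: Allowed
    "allowScreenShot": True,             # Screen Recording: Allowed for teachers
}

def audit_profile(data: bytes) -> list[str]:
    """Return one finding per baseline key the profile does not enforce."""
    effective, found = {}, False
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found = True  # several payloads: the most restrictive value wins
            for key in payload.keys() & BASELINE.keys():
                effective[key] = effective.get(key, True) and bool(payload[key])
    if not found:
        return ["no com.apple.applicationaccess payload in profile"]
    findings = []
    for key, want in BASELINE.items():
        got = effective.get(key, True)  # absent key means Apple's default
        if got != want:
            state = f"set to {got}" if key in effective else "missing"
            findings.append(f"{key}: {state}, baseline requires {want}")
    return findings

# Constructed sample profile (not a real Mosyle export).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Staff - Restrictions",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowAssistant": False, "allowAssistantWhileLocked": False,
        "allowAirDrop": True,  # drift: exception never rolled back
        "allowCloudPhotoLibrary": False, "allowAppInstallation": False,
        "allowGameCenter": False, "allowCamera": True,
    }],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)) or "profile matches baseline")
```

Rows such as USB storage, FileVault, firewall, passcode and web filtering are delivered by other payload types and are outside this check.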