Safari Extensions
The Safari Extensions payload allows IT administrators to configure the extension settings on Safari browser for users of a Mac that enrolled via device management. These settings help to configure the Safari Extensions using Declarative Device Management (DDM). Supported on macOS 15.0 onwards.
Note: This profile is available only for Device Enrollment and applicable only on User Profile.
Steps to Configure Safari Extensions Profile
On the SureMDM Web Console, navigate to Profiles > macOS > Add > Device Enrollment > Enable User Profile toggle > Safari Extensions > Configure
Enter a Profile Name.
In the Configure Safari Extensions screen, configure the required options under the available accordions.
Global Extension Configuration
| Setting | Description |
|---|---|
| Enable Global Extension Configuration | If enabled, extension behavior can be configured globally across all extensions. |
| Extension Behaviour | Specify the browsing extension behaviour. Allowed Info: The user can turn On or Off the extension. Always On Info: The extension is always “On” on the device and cannot be turned “Off”. Always Off Info: The extension is always “Off” on the device and cannot be turned “On”. |
| Private Extension Behaviour | Specify the private browsing extension behaviour. Allowed Info: The user can turn On or Off the extension in Private Browsing. Always On Info: The extension is always “On” for Private Browsing and cannot be turned “Off”. Always Off Info: The extension will never be “On” in Private Browsing and cannot be turned “On”. |
Specific Extension Behaviour
In the Specific Extension Behaviour accordion, configure the required options under the available accordions.
| Setting | Description |
|---|---|
| Enable Specific Extension Configuration | If enabled, extension behavior can be configured for a specific extension and its bundle ID. |
| Bundle ID | Enter the Bundle ID of the specified extension. |
| Team ID | Enter the Team ID of the specified extension. |
| Extension Behaviour | Specify the browsing extension behaviour. Allowed Info: The user can turn On or Off the extension. Always On Info: The extension is always “On” on the device and cannot be turned “Off”. Always Off Info: The extension is always “Off” on the device and cannot be turned “On”. |
| Private Extension Behaviour | Specify the private browsing extension behaviour. Allowed Info: The user can turn On or Off the extension in Private Browsing. Always On Info: The extension is always “On” for Private Browsing and cannot be turned “Off”. Always Off Info: The extension will never be “On” in Private Browsing and cannot be turned “On”. |
| Allowed Domains | Controls the domains and sub-domains the extension is granted access to. Any non-prefixed domains take precedence over prefixed domains. |
| Denied Domains | Controls the domains and sub-domains the extension isn’t allowed to access. Any non-prefixed domains take precedence over prefixed domains. |
Note
To retrieve the Bundle ID and Team ID, follow these steps:
- Navigate to the Applications folder and locate the desired extension.
- Right-click the extension and select Show Package Contents.
- Open the Plugins folder.
- Drag and drop the .appex file(s) into the Terminal after the command: codesign -dv
Example: codesign -dv /Applications/Grammarly\ for\ Safari.app/Contents/PlugIns/Grammarly\ for\ Safari\ Extension.appex
- The
*wildcard can be used under Allowed or Denied domains to Allow or Block all domains. - If specific domains are added under Allowed or Denied domains, any domains not listed can be configured by the user.
The added configuration will reflect in the table section.
Click Save.
The newly created profile will be listed in the Profiles section.
Go back to the Home tab and select the macOS device(s) or group(s).
Click Apply to launch Apply Job/Profile To Device prompt.
In the Apply Job/Profile To Device prompt, select the created profile and click Apply.
Examples on Configuring Allowed Domains and Denied Domains
| Scenario | Description | Configuration Example |
|---|---|---|
| Allow only specific domains and block all others | Grants the extension access only to example.com and its subdomains while blocking all other domains. | Allowed Domains - *example.comDenied Domains - * |
| Allow specific domains, user controls others | Allows access to example.com and its subdomains. The user can manually control access for other domains since none are explicitly denied. | Allowed Domains - *example.com |
| Allow one domain but deny specific subdomains | Permits access to example.com and its subdomains except private.example.com, which is explicitly denied. All other domains are also blocked. | Allowed Domains *example.com Denied Domains private.example.com, * |
| Allow a specific subdomain and deny the rest | Allows access only to public.example.com and blocks example.com and all its other subdomains. | Allowed Domains - public.example.comDenied Domains - *example.com |