How to Set up a Fully Managed Personal Mac

Learn how to set up a fully managed personal Mac computer to gain remote control over advanced device restrictions

Ben

Updated September 23, 2025

If you've ever worked for a company that issued you a Macbook for work use only, you might have noticed that it was configured so that the IT department could manage it remotely. This is referred to as Mobile Device Management where devices are set up as fully managed devices (not just a work profile). Full Device management gives you the most control over setting up restrictions on a Mac computer.

Although managed mode is typically used for businesses, I've gone through the process of setting up my own Macbook as a fully managed device. It's not straightforward at all, so I've created this guide to help others get access to elevated restrictions for personal Apple devices (bring your own devices).

Why Adults Might Consider a Fully Managed Personal mac

If you are setting up restrictions on your own Mac computer, or for someone else in your household, and that person needs to have an Admin account on that Mac, then Full Device Management gives you a higher level of control above what an admin user on the Mac can configure. Basically, you can set restrictions that even an Admin can't override.

If you are trying to block porn on a Mac , full device management gives you the most restrictive control over a Mac.

Mobile Device Management unlocks remote management of your Mac computer, which means you can update device settings, install apps, etc., without having physical access to the Mac computer.

Here are some of the main reasons why you can manage a MacOS device:

Set restrictions that are enforced even if the user account is an Administrator
Install, delete, or block apps
Block or hide access to settings
Disable multiple user accounts and guest mode
Force the usage of the built-in content filter
Force DNS settings on any network
Manage browsers like Google chrome to force the usage of browser extensions and block unauthorized browser extensions.
Enforce Parental Controls (screen time) and block access to changing parental control settings (even as an Administrator)

If you're interested in an alternative that has the same capabilities without remote management, consider using an Apple Config Generator instead. Tech Lockdown's Config Generator doesn't require device management, and Config Files can be installed on standard Mac computers.

This guide can't be completed in one sitting

Device Management requires an approval process from Apple that can take weeks to be verified and completed.

Prerequisites

Enabling Managed Mode on your Mac is an intensive process that requires an Apple Business Manager account, which can take several weeks to be approved for. You will also need to completely reset your Mac.

(1) An Apple Business Manager Account is Required

Managing a Mac device requires the use of two types of services:

Apple Business Manager (ABM). This is a must for Apple devices.
A Mobile Device Manager (MDM). This is required to push updates to your Mac remotely after it is managed by ABM.

This guide uses a free mobile device manager.

(2) Prepare for Factory Resetting Your Mac

You will need to hard reset your MacOS device in order to manage it. This will delete all files on your Mac computer. You can sign in to iCloud after resetting the device to get access to anything you sync to iCloud. Otherwise, you'll need to use an external hard drive to back up/restore files.

Note

This guide does not currently show how to back up/restore using a second hard drive.

(3) Use the Apple Configurator App on an iPhone

Adding a MacBook to a mobile device manager also requires the use of an iOS device running iOS 16 (or later). This iPhone or iPad needs to be able to download and run the Apple Configurator app from the App Store.

Download Apple Configurator from either the iPhone or iPad App Store and make sure your second device can run it.

Apple requires the use of an Apple Business Management (ABM) account in order to use a Mobile Device Manager (MDM). You need to use both ABM and an MDM to remotely manage your Mac. This is unfortunate, but it's a requirement imposed by Apple.

Getting approved for Apple Business Manager can take some time

ABM has an approval process, and verification is required to be approved. This step can take a few weeks.

Do I need a Business in order to create an Apple Business Manager account?

I've gone through the process of applying as an individual and talked with the ABM support team to get advice for home users who don't have an official business.

You need a DUNS number to get an Apple Business Manager account.

There are two main ways to get a DUNS number:

Apply as a business.
Pay for one as a developer.

Option 1: Get a free DUNS number by applying as a business

You can obtain a free DUNS number by applying as a business. If you already have a business, this process should be relatively straightforward.

However, you don't actually need a serious business with multiple employees to qualify for an ABM account. A sole proprietorship is an unincorporated business owned and run by one individual. There is no distinction between the business and you (the owner). You don't actually need to create a business or sign any documents to be a sole proprietor.

Please keep in mind that this advice might not apply to you depending on your region.

Option 2: Pay for a DUNS number using the Apple Developer Program

If you can't get a DUNS number applying as a business, your alternative is to pay for Apple Developer Program access. You'll get a DUNS through this process.

Apply for a DUNS Number

Apply here and enroll as an individual.

Select your region here . Since I'm US-based, this tutorial will use the US-Canada DNB website .

Select one of the "I have a Business" options (based on your region). If you have an Apple Developer account for some reason, you could use that option instead.

Fill out accurate personal information required during the registration process. If a Tax ID number/EIN is required, you would use your SSN.

In my case, I had to follow-up with personal information to verify residency. You may not have to do this.

After several days, I received an email with my DUNS number:

Notice that the business name is just my name. This is common for sole-proprietorships.

Once you've applied for a DUNS number, you will be able to use the DUNS number to apply for an Apple Business Manager Account.

Enroll in ABM

Use your personal information as the verification contact. If the verification contact email must be different, use another email account for that verification information.

Enter accurate personal information.

A representative from Apple will actually check the website URL that you provide. To avoid any issues, I recommend using a professional social media website, like your LinkedIn profile, if you don't have a personal website. You could also create a free, simple about.me page with a basic online resume.

Enter the verification contact information (you should be both contacts). The verification contact's first name must be unique to submit the form, so I use the shorter version of my first name. The email must also be unique. Both emails should be valid.

The verification contact first name must be unique in order to submit the form, so I use the shorter version of my first name. The email must also be unique. Both emails should be valid.

After you submit your ABM application, you can expect to receive a phone call from an Apple representative within 1 week.

They will call you from an 800 number, so do not ignore any calls over the next 7 days.

Verification

Here's what to do when you talk to the Apple representative.

The ABM representatives are very flexible, but are mainly trying to work directly with businesses or individuals who are interested in using ABM for professional reasons.

State that you are starting out as a freelancer/independent contractor, and you need to set up a managed device for better security. You can use your current full-time profession as the type of service you plan to provide. Alternatively, you could just come up with a service that seems interesting to you. Examples: IT consulting, graphic design, website development, video editing.

You can use your current full-time profession as the type of service you plan to provide. Alternatively, you could just come up with a service that seems interesting to you. Examples: IT consulting, graphic design, website development, video editing.

During my phone call, I literally told the representative:

"I need to lock down my mobile devices for better security and to limit distractions since I work from home".

They might suggest that you use Apple Family Sharing, but you should insist that you are only interested in full device management.

They will ask you why the verification contact is obviously the same person. Explain that you are a sole proprietorship. It's ok to not have a unique verification contact in this case.

After the phone call, you should receive a notification that your account was approved.

Step 2: Set Up an MDM (ManageEngine)

This setup guide uses the Mobile Device Manager called Manage Engine, which is a Mobile Device Manager that you can use to enforce profiles on your Mac. ManageEngine lets you manage devices on its free tier, which is perfect for home use.

The interface is a bit rough, but usable.

Go to the ManageEngine MDM free trial page

Signup for a cloud account

Note

When the 30 day free trial expires, you do not need to pay. Your account will transfer to the free tier and the free tier is limited to 50 devices but has the same functionality.

Unfortunately, it's not possible to fully manage or remotely sync restrictions with Apple Business Manager alone; you'll need to associate a third-party Mobile Device Manager (MDM) with ABM. In our case, ManageEngine is perfect if you're an individual.

Using Apple Business Manager, you can specify an MDM server for a device you've added using Apple Business Manager.

Add ManageEngine to Apple Business Manager

Once you add Manage Engine to Apple Business Manager, you'll have the option to assign Manage Engine to a device.

In Manage Engine, navigate to Enrollment > APNs certificate and click Get Started

Download the Vendor Signed CSR

Click Sign In

Create a certificate

Open the Vendor Signed CSR you downloaded from ManageEngine previously

Upload the file you selected

Download the final certificate

Go back to ManageEngine and click "next"

Click the upload box and open the certificate you downloaded from the Apple website.

Enter your Apple Business Manager account email in the Apple ID field, then any personal email address in the email notification field.

Step 3: Prepare Devices

Once you've done the difficult steps of getting approved for an ABM account and linking ABM to ManageEngine, you can now add your Mac to device management.

Setup will need to be done on both the Mac device you'd like to manage and a separate iPhone that will be used to manage your Mac.

Backup Mac Computer

Adding the Mac device to a MDM requires you to erase content & settings in order to get access to the enrollment screen. After you enroll the device, you can restore your backup.

Cloud Storage (iCloud, Google Drive)
External hard drive

Time Machine backups stored on the computer cannot be restored

Even if you partition your Mac's hard drive, erasing content & settings will also delete the time machine backups so you can't restore them.

Download Apple Configurator on the iPhone

Apple Configurator is needed to enable remote management on your Mac. Download it from the App Store .

Step 4: Enroll Your Mac

Use Apple Configurator for iPhone to add your Mac device to your Apple Business Manager account.

(1) Hard Reset Your Mac

Open System Preferences and select Erase All Content and Settings from the top bar. See Apple's support article about erasing content and settings if you need more help with this.

When your Mac reboots, connect to WiFi when prompted. You'll be notified that your Mac has been activated and that you need to restart again.

Once you reboot again, select your language and press the arrow to continue to the next step.

Proceed to the step where you select your Country/Region

Important

Do not press continue. Otherwise, you'll have to repeat this process again.

(2) Assign Mac to Your Organization

While you are on the setup step where you select your country, open Apple Configurator on your iPhone and select the scanner

Note

The "Assign this Mac to Your Organization" screen only appears when your Apple Configurator is open on your phone when you are on the country selection step.

Scan the blue globe. After a few seconds it should say the Mac is Assigned

(3) Allow ManageEngine in Apple Business Manager

In ABM go to Devices > select the device > edit MDM server

Select Manage Engine

Note

You might need to wait a few minutes and refresh the page if it doesn't let you assign to your MDM

In manage engine, go to enrollment > ABM > Sync Devices. It should say waiting for assignment

(4) Assign Your User Account to Your Mac

Once the device appears, click Assign User and select your user account

Restart Macbook and complete the first-time setup process.

Open Profiles in System Preferences.

You should see the Manage Engine profile.

Troubleshooting

What to do if you don't see the profile

Do the following steps if you don't see the profile

Open Terminal

Enter the following command and enter your Mac's admin password when prompted

sudo profiles renew -type enrollment

Click the enrollment notification popup. Click Allow when it asks to "Allow Device Enrollment?"

Then it should show the mac is supervised

Step 5: Create Group In ManageEngine

Create a group and associated your newly enrolled Mac device with that group.

(1) Create Group

In Manage Engine, navigate to Device Mgmt > Groups & Devices then click the Create Group dropdown and select Device Group

(2) Add Your Mac to Your Group

Enter the information about the group and click Add Device

Select the Mac device you recently enrolled and click Add to Group

(3) Confirm Group

Click Create Group

Step 6: Create Profile with iMazing

iMazing is a config generator available on Windows and Mac. We will use it to customize the managed Mac device. We will generate config files with iMazing and then distribute them to the managed Mac device using Manage Engine profiles.

(1) Downloading iMazing

Click here to download iMazing Profile Editor on either a Mac or Windows device.

It's also available in the App Store.

Follow these guidelines when creating a profile.

(2) Create Config Files in iMazing

We will create config files using iMazing profile editor, then upload the config files to the associated Manage Engine Profile.

Note

It's recommended to create a profile and iMazing config for each type of restriction. For example, you would create a dedicated profile & iMazing config for enforcing DNS settings.

When creating profiles with iMazing, select the macOS filter at the top and use the search bar to quickly find settings.

(3) Update Your Profile

Create a new profile in iMazing

Select a payload scope of System to apply the profile to all users on the Mac

If you are using iMazing on the managed Mac device, select Profile Signing: MDM-IDENTITY. Either way, select Prevent users from removing this profile.

Click file > Save

If you are using iMazing on the Mac that you are managing, it should give you the option to Sign profile with MDM-IDENTITY. Select this option if you have it. Otherwise, don't sign.

(4) Upload Profile to ManageEngine

In Manage Engine, go to Device Mgmt > Profiles click the Create Profile dropdown and select macOS.

Add a title and description for your future reference and click continue

Go to the Custom Configuration section

Click Browse

Find the config file you saved using iMazing and click upload

Click save and the publish

Note

When you save and publish changes to a profile, your devices are not automatically updated with the changes. Every time you save a profile, a new version is created and must be distributed via "upgrading"

Right now, this profile isn't associated with a device. Before changes can be saved to your Mac, you'll need to associate it with the profile you just published.

Go to Device Mgmt > Groups & Devices, select the group you created for MacOS devices, click the Action dropdown, then select Associate Profile

Select the MacOS profile you created and click Associate

On your Mac device, open System Preferences > Profiles and you should see the profile

Remember, in order for changes to apply, you'll need to upgrade the profile after you publish it.

(5) Syncing Profile Updates to Your Mac

When making changes to a profile, updates aren't automatically published to devices in your group. Here's how to update profiles so that devices are synced with the latest changes.

First, make sure that your profile has it's most recent changes saved and published:

Once the profile is saved/published and you are directed back to the screen that lists all of the profiles, open up the profile again and click the Upgrade All link under the Devices with older version section

Here is another method for upgrading a changed profile:

Navigate to Device Mgmt > Groups & Devices then select the group associated with your profile and click the Profiles tab.

Select the profile you updated and click Upgrade Profile

Your devices should sync with the profile changes.

Configure Features on Your Manage Mac

Once your Mac has been managed, there are several settings that we recommend you change. These changes will help you:

Ensure that only one account can sign into your Mac.
Add another layer of protection on your Mac
Prevent Bypass on your Browsers

Customize System Features

Within your profile, there are several settings that we strongly recommend enabling. These settings will help you by disabling different features that can enable bypass.

Disable Guest Mode Accounts on Your Mac

Guest mode is a common bypass technique, so it should be disabled using the MDM.

Search for "guest" in the search bar to quickly navigate to Energy Saver, FileVault, Time Saver.... Select the Guest Account tab and check Disable Guest Account.

Disable Users & Groups on Your Mac

Although Mobile Device Management settings apply to all user accounts, it's recommended that you restrict the ability to create new user accounts.

Navigate to System Preferences in iMazing, select the Disabled tab, then add Users & Groups to the Disabled Preferences Panes table.

After you distribute this profile, you'll notice the Users & Groups section in System Preferences is greyed out.

If you try to navigate to Users & Groups from the search bar you'll get an error.

Disable Profiles on Your Mac

Within the first 30 days of managing a device, the profiles panel will allow you to remove the initial MDM profile to revoke device management. If you want to prevent this, add Profiles to the Disabled Preference Panes table in iMazing > System Preferences > Disabled.

Built-in Content Filtering

Built-in content filtering allows you to block content even when a VPN is enabled. A Content Filter will filter content before it is processed by a DNS Filter, so it's a great extra blocking layer.

In iMazing, navigate to Parental Controls: Web Content Filter and select Limit access to websites and Use built in content filter. This will toggle-on the built-in Adult content filter

Add any additional websites to the blocklist

Once the profile is distributed, the content filter should start blocking websites.

Note

In the above screenshot, it seems like you can click "Add Website" to quickly unblock a website. However, I've found that this doesn't actually work. If, for some reason, you can easily unblock a website, restrict access to Screen Time by following the Customize System Features section of this guide.

Configure Browsers

A useful feature of Mobile Device Managers is the ability to manage browsers. Ideally, you would restrict the user to only using a managed browser where you can enforce settings, block extensions used to bypass filtering and prevent deletion of browser extensions that block content.

Consider Creating a Custom Profile Just for Browsers

You can manage other web browsers as well, but this tutorial will focus on Google Chrome. The management process is the same for the other browsers, and the features are similar.

As I recommended in the section about creating a profile, create a dedicated Manage Engine profile that will handle Managed Browser settings.

Also, create a dedicated iMazing config file for managed browser settings.

Ensure you follow my recommended profile creation settings (prevent users from removing the profile and make it system-wide).

Reminder

As mentioned in the Update Profile section, you'll need to restart Google Chrome each time you push an updated Managed Browser profile to the Mac device. Otherwise, you won't see the changes.

Set Chrome as the Default Browser

If you haven't already, install the Google Chrome browser on the Mac device

In iMazing, use the search bar to filter the sidebar for the word "browser" and then select Google Chrome (or whatever browser you want to manage) and select add configuration payload.

In General Settings, set Chrome as the default browser

Browser Profile Options

These are the settings you should change on your profile to prevent bypass on your Mac.

Block Images

You can choose to block images on all websites. Alternatively, you can block images on selective websites.

Select the Content Settings tab

If you want to block images on a specific website, enter [*.] followed by the domain name you want to block. For example, [*.]reddit.com will block all images on the entire reddit.com website. You can optionally specify specific page URLs, like [*.]reddit.com/r/news

If you want to block all images on all websites (other than those on your allowlist), use the Default images setting dropdown.

Disable Proxy

Disable the ability to set a proxy to avoid common filter bypass techniques.

Select the Networking tab

Select Choose how to specify proxy server settings: Never use a proxy.

Guest Mode & User Accounts

Guest mode can allow a user to bypass common blocking techniques, so it's advised to disable it entirely.

Navigate to the Misc tab

Disable Guest Mode by unchecking both of the highlighted boxes

Safesearch & Youtube Restrictions

Toggle safesearch for search engines that have a safesearch mode (including Google search).

In the Misc tab, force safesearch by enabling both of the highlighted boxes

Consider setting a Youtube restriction level

Prevent Deleting Browsing History & Incognito Mode

Add a higher level of accountability by removing the ability to delete browser history or use incognito/private browsing mode.

In the Misc tab, scroll down to the Enable Incognito and Incognito mode availability fields and disable them.

Scroll down and uncheck Enable deleting browser and download history

How to Set up a Fully Managed Personal Mac

Why Adults Might Consider a Fully Managed Personal mac

Prerequisites

(1) An Apple Business Manager Account is Required

(2) Prepare for Factory Resetting Your Mac

(3) Use the Apple Configurator App on an iPhone

Step 1: Sign Up For Apple Business Manager

Do I need a Business in order to create an Apple Business Manager account?

Option 1: Get a free DUNS number by applying as a business

Option 2: Pay for a DUNS number using the Apple Developer Program

Apply for a DUNS Number

Enroll in ABM

Verification

Step 2: Set Up an MDM (ManageEngine)

Signup for ManageEngine

Add ManageEngine to Apple Business Manager

Step 3: Prepare Devices

Backup Mac Computer

Download Apple Configurator on the iPhone

Step 4: Enroll Your Mac

(1) Hard Reset Your Mac

(2) Assign Mac to Your Organization

(3) Allow ManageEngine in Apple Business Manager

(4) Assign Your User Account to Your Mac

Troubleshooting

Step 5: Create Group In ManageEngine

(1) Create Group

(2) Add Your Mac to Your Group

(3) Confirm Group

Step 6: Create Profile with iMazing

(1) Downloading iMazing

(2) Create Config Files in iMazing

(3) Update Your Profile

(4) Upload Profile to ManageEngine

(5) Syncing Profile Updates to Your Mac

Configure Features on Your Manage Mac

Customize System Features

Disable Guest Mode Accounts on Your Mac

Disable Users & Groups on Your Mac

Disable Profiles on Your Mac

Built-in Content Filtering

Configure Browsers

Consider Creating a Custom Profile Just for Browsers

Set Chrome as the Default Browser

Browser Profile Options

Block Images

Disable Proxy

Guest Mode & User Accounts

Safesearch & Youtube Restrictions

Prevent Deleting Browsing History & Incognito Mode