The Apple Tracking Policy allows administrators to monitor and manage critical device tracking events on macOS systems.
This policy enhances visibility into device actions such as USB connection activity, device lock events, device wipe actions, and App block tracking, helping IT teams maintain better audit trails and compliance oversight.
Overview
The Apple Tracking Policy can be configured from the Swif Admin Console → Policies → Create New Policy section.
It supports macOS 12.0 and later and can be applied to individual devices or device groups.
Policy Description
This policy is used to manage device tracking activity on Apple endpoints. Administrators can choose to enable or disable tracking for USB devices, lock events, and wipe actions.
These settings are particularly useful for security audits, compliance monitoring, and forensic analysis in case of data incidents.
Requirements
Minimum OS version: macOS 12.0+
Device Enrollment: Managed via Swif.ai MDM
Permissions: Admin-level access to the Swif console
Configurable Settings
Setting | Description | Events Report | Minimum Requirement |
USB Tracking | When enabled, logs USB device connection activity (e.g., external drives or peripherals). Useful for auditing data access and identifying unauthorized connections. | View reports at Device Management > Event Logs | macOS 12.0+ |
Device Lock Tracking | When enabled, records lock events to help monitor device inactivity and user session behavior. | View reports at Device Management > Event Logs | macOS 10.0+ |
Device Wipe Tracking | When enabled, logs any system wipe actions, including remote wipes issued through MDM. This ensures accountability and post-wipe audit verification. | View reports at Device Management > Event Logs | macOS 10.0+ |
Location Tracking | When enabled, the device will request location information during periodic compliance checks throughout the day. | View reports at Device Management > Device Detail > Tracking | macOS 12.0+ |
Application Block Tracking | Controls whether Swif logs tracking events related to blocked applications on macOS devices. This includes when a user attempts to open a blocked app, and Swif denies execution, and that event is sent to Swif via the sync server callback. | View reports at Device Management → Event Logs and relevant security/endpoint reports. | macOS |
Best Practices
Enable USB Tracking in high-security environments where removable media usage must be monitored.
Use Device Lock Tracking to correlate inactivity patterns with compliance and security rules.
Keep Device Wipe Tracking enabled for audit logging in case of stolen, decommissioned, or offboarded devices.
Enable Application block tracking
Track app blocking events when combined with Apple Application Block Policy, which blocks apps. Learn more →
How to Apply
Navigate to the Swif Admin Console → Policies.
Click Create New Policy → Apple Tracking Policy.
Configure desired tracking settings (USB, Lock, Wipe).
Assign the policy to selected devices or device groups.
Review and confirm to apply the policy.
Once enforced, tracking data becomes available through Device → History → Actions in the Swif dashboard.
Compliance and Security Benefits
Provides visibility into data movement through external devices.
Helps identify potential policy violations or data exfiltration risks.
Supports audit readiness for frameworks like SOC 2, ISO 27001, and HIPAA.
References
Tips:
Combine this policy with the Apple USB Policy for a complete endpoint tracking and control strategy.
Combine with Apple Application Block Policy, which blocks apps to track blocking events.