The Apple Application and Service Control Policy lets you centrally manage key Apple services that can impact security, privacy, and device discoverability on managed macOS devices.
Use this policy to:
Reduce network attack surface (e.g., by disabling Bonjour)
Limit cross‑device data flow (e.g., Handoff)
Enforce privacy requirements (e.g., Siri)
Policy overview
Display name: Apple Application and Service Control Policy
Purpose: Manage application and service‑level settings on Apple devices, with a focus on device discoverability and assistant features.
Supported platforms: macOS
Minimum OS: macOS 10.12+, iOS 5+, and iPadOS 8+ (individual settings may require newer versions; see each field below)
Ownership: Company‑managed devices
This policy currently controls:
Activity Continuation / Handoff (cross‑device continuity)
Siri (Apple’s voice assistant)
Bonjour / mDNS (local network discovery)
When to use this policy
Apply this policy if your organization needs to:
Prevent devices from advertising themselves on local networks
Stop users from using Siri on managed Macs
Disable cross‑device activity sharing (Handoff / activity continuation) for data containment or regulatory reasons
You can scope this policy to specific device groups, departments, or security profiles as required.
Configuration fields
1. Activity Continuation (Handoff)
Field name (internal): Allow Activity Continuation
Display name: (Activity Continuation / Handoff control)
Type: Boolean (On/Off)
Minimum OS:
macOS 14.12+
iOS 5+
iPadOS 8+
What it does
Controls activity continuation, which underpins Handoff and related cross‑device features. When disabled, the device will not participate in activity continuation with other Apple devices.
Vendor note: Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated. In a future release, this restriction will begin requiring supervision and will apply to personal Apple Accounts only.
Recommended use
Set to false (disabled) in high‑security environments or where data must not move between personal and corporate Apple devices.
Set to true (enabled) if your organization explicitly allows Handoff and related features for productivity.
Effective behavior
false – Activity continuation (Handoff) is disabled. Users cannot continue activities started on other Apple devices.
true – Activity continuation is allowed (subject to Apple and device support).
2. Siri
Field name (internal): Allow Assistant
Display name: (Siri control)
Type: Boolean (On/Off)
Minimum OS:
macOS 14.0+
iOS 5+
iPadOS 5+
What it does
Controls whether Siri is available on the device. Disabling Siri helps organizations meet privacy and compliance requirements where sending voice data to Apple’s servers is not permitted.
Recommended use
Set to false (disabled) for most corporate‑managed Macs handling sensitive, regulated, or internal‑only data.
Set to true (enabled) only if:
Your organization permits Siri,
You have documented this in your data protection policies, and
You accept the associated data processing by Apple.
Effective behavior
false – Siri is disabled system‑wide. Users cannot activate Siri via keyboard, menu bar, or voice.
true – Siri is allowed, and users can enable or configure Siri (subject to OS settings and other policies).
3. Bonjour (mDNS) / Device Discoverability
Field name (internal): No Multicast Advertisements
Display name: Disable Bonjour
Type: Boolean (On/Off)
Default: false (Bonjour enabled)
Minimum OS: macOS 12+
What it does
Controls whether the device sends Bonjour (mDNS) multicast advertisements on the local network. Bonjour is used for:
Device and service discovery
AirPrint
Other local network‑based discovery features
When disabled, the device stops broadcasting its presence, which is a common requirement in hardened security baselines and reduces local network attack surface.
Recommended use
Set to true (Disable Bonjour) for:
Highly secured networks (SOC, PCI zones, production environments)
Environments where unneeded service discovery is not allowed
Keep false (Default / Bonjour enabled) if:
You rely on AirPrint or other Bonjour‑based workflows
Usability for local peer‑to‑peer services is important
Effective behavior
true – Bonjour multicast advertising is disabled. The device and some services (e.g., AirPrint) become harder or impossible to discover automatically on the local network.
false – Bonjour operates normally; devices and services can be discovered via mDNS.
Best practices
Start with a high‑security default:
Disable Siri (Allow Assistant = false)
Disable Activity Continuation / Handoff where sensitive data is involved (Allow Activity Continuation = false)
Disable Bonjour where local discovery is not needed (No Multicast Advertisements = true)
Scope by risk:
Apply stricter settings to:
Production systems
Admin / engineering devices with privileged access
Devices in regulated environments (PCI, HIPAA, FedRAMP, etc.)
Test before broad rollout:
Validate Bonjour changes in lab networks to understand impacts on printing, file sharing, and local collaboration tools.
Confirm user‑facing impacts of disabling Handoff and Siri and update internal documentation.
Document exceptions:
If specific teams need Handoff or Siri for workflow reasons, document:
Which groups are allowed
Why they are exempt
How their devices are monitored and which compensating controls are applied
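The three fields above map onto keys in an Apple configuration profile. The following added example (not Swif's own code) builds such a profile for the high‑security baseline and audits any profile against it; it assumes the restriction keys allowActivityContinuation and allowAssistant in the com.apple.applicationaccess payload and NoMulticastAdvertisements in the com.apple.mDNSResponder payload, and the com.example.* identifiers are placeholders.

```python
"""Build and audit a .mobileconfig for the Handoff, Siri and Bonjour settings.
Assumed payload keys: allowActivityContinuation / allowAssistant
(com.apple.applicationaccess) and NoMulticastAdvertisements
(com.apple.mDNSResponder). Identifiers are placeholders."""
import plistlib
import uuid

# High-security baseline from the "Best practices" section
BASELINE = {
    "allowActivityContinuation": False,  # Handoff off
    "allowAssistant": False,             # Siri off
    "NoMulticastAdvertisements": True,   # Bonjour off
}


def build_profile(handoff: bool, siri: bool, disable_bonjour: bool) -> bytes:
    """Return an XML plist profile with a restrictions and an mDNS payload."""
    def payload(ptype, ident, **keys):
        return {"PayloadType": ptype, "PayloadIdentifier": ident,
                "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1, **keys}

    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.apple-service-control",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [
            payload("com.apple.applicationaccess", "com.example.restrictions",
                    allowActivityContinuation=handoff, allowAssistant=siri),
            payload("com.apple.mDNSResponder", "com.example.mdns",
                    NoMulticastAdvertisements=disable_bonjour),
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(data: bytes) -> list[str]:
    """Return baseline keys whose value is missing or deviates (sorted)."""
    found = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        for key in BASELINE:
            if key in p:
                found[key] = p[key]
    # A missing key is a deviation: the device would keep its default behavior.
    return sorted(k for k, want in BASELINE.items() if found.get(k) is not want)
```

Running audit_profile over a profile exported from a device or from the MDM gives a quick list of exceptions to record under "Document exceptions".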
Troubleshooting & verification
After applying the Apple Application and Service Control Policy to a device group:
Confirm policy application in Swif
Check the device or group in Swif to see that the policy is listed as applied and compliant.
Validate on macOS devices
Handoff / Activity Continuation:
Try starting an activity (e.g., Safari tab, Mail draft) on another Apple device and confirm it does not appear on the managed Mac when disabled.
Siri:
Attempt to invoke Siri via keyboard or menu bar. It should be unavailable or blocked when disabled.
Bonjour:
Test AirPrint and other mDNS‑based discovery. They should no longer auto‑discover services when Bonjour is disabled.
Review logs / security tooling
Confirm that Apache (if previously used) is not listening on default ports, and that there are no unexpected local discovery events when Bonjour is disabled.
