Apple Safari Extension Policy (macOS)

The Apple Safari Extension Policy in Swif lets you centrally manage Safari browser extensions on macOS devices. You can:

  • Enforce installation of specific Safari extensions (including, but not limited to, the Swif Safari Extension)

  • Block unwanted or unsafe Safari extensions

  • Control whether the Swif Safari Extension is enabled for managed users

This article explains requirements, behavior, and each policy field so you can safely roll this out in production.


1. Policy overview

Policy name: Apple Safari Extension Policy
Description: Manage Safari browser extensions on macOS devices.
BYOD compatibility: macOS BYOD and company-owned devices
Minimum system requirements:

  • macOS 15 or later

  • Latest version of Safari on macOS 15+ (for Swif Safari Extension behavior, see Swif Safari Extension: Installation & Overview)

Supported platforms:

  • macOS only

Ownership types supported:

  • Company-owned devices

  • BYOD macOS devices (via the Swif agent installer/regular enrollment)

This policy is primarily used in Secure Hive Mac policy management to ensure your Safari extension posture is consistent and compliant across devices.


2. What this policy can do

When configured and assigned to macOS devices, the Apple Safari Extension Policy allows you to:

Enable or disable the Swif Safari Extension

  • Force the Swif Safari Extension to be present and enabled (where supported by enrollment type)

  • Optionally disable it for specific user groups or devices

  • For a functional overview and manual install steps for Swif’s own Safari extension, see:
    Swif Safari Extension: Installation & Overview

Silently install approved Safari extensions

  • Provide a list of Safari extension identifiers that should be installed for the user

  • Works for any compatible Safari extension, not just Swif’s own extensions

Block specific Safari extensions

  • Prevent installation or usage of certain extensions by identifier

  • Use this for risky, non-compliant, or unapproved extensions

Note: Actual installation and approval behavior differs slightly by enrollment type (SSO, DEP/ADE, regular Swif enrollment, BYOD via agent, etc.).


3. Policy fields

Below is a breakdown of each field available in the Apple Safari Extension Policy, how it works, and when to use it.

3.1 Enable Swif Safari Extension

  • Display name: Enable Swif Safari Extension

  • Type: Boolean (true / false)

  • Default: true

  • Minimum macOS: 15+

  • Description:
    Turn the Swif Safari Extension on or off for users in your managed environment.

When set to true, Swif will try to:

  • Install or enforce the Swif Safari Extension on supported macOS 15+ devices

  • Keep the extension available and enabled according to the device’s enrollment method

When to set true:

  • You want the Swif Safari Extension present on all target macOS 15+ devices

  • You rely on Swif’s Safari extension for:

    • Shadow IT detection and AI usage monitoring

    • Web governance, blocklists/allowlists, and compliance reporting

    • Safari-based telemetry feeding into the Shadow IT dashboard

When to set false:

  • You are testing or rolling out alternative Safari controls

  • You want to manage only third-party Safari extensions with this policy, not Swif’s

For detailed feature behavior of the Swif Safari Extension (Shadow IT, AI usage tracking, etc.), see: Swif Safari Extension: Installation & Overview


3.2 Install Extensions

  • Display name: Install Extensions

  • Type: Array of strings

  • Minimum macOS: 15+

  • Description:
    A list of managed Safari extension identifiers that Swif should install for the user.

  • Expected format per item:
    BundleID (TeamID)
    Example:
    com.razorlabs.night-eye (2TZ44U8P5A)

You can add any Safari extension that is compatible with macOS 15+ and supports managed installation. This is not limited to Swif’s own extensions.

Use cases:

  • Standardize a set of approved Safari extensions (e.g., security, productivity, compliance tools) across all managed Macs.

  • Automatically push required extensions for specific teams or departments.

  • Ensure certain privacy or monitoring tools are always present in secure environments.


3.3 Block Extensions (blockExtensions)

  • Display name: Block Extensions

  • Type: Array of strings

  • Minimum macOS: 15+

  • Description:
    A list of Safari extension identifiers you want to block or prevent from being used.

  • Expected format per item:
    BundleID (TeamID)
    Example:
    com.example.unapproved-extension (WXYZ9999)

Behavior:

  • Extensions listed here should not be installable or usable on devices targeted by the policy (subject to OS and MDM capabilities).

  • Use this to enforce a negative list of risky, shadow IT, or non-compliant Safari extensions.

Use cases:

  • Block consumer-grade or risky extensions that collect excessive data.

  • Prevent employees from installing extensions that violate corporate policies or compliance standards.

  • Align browser extension posture with your security baselines and acceptable-use policies.


4. Requirements & compatibility

  • macOS:

    • Policy is designed for macOS 15+ only

    • On macOS < 15, Safari extension policy enforcement is not supported

  • Ownership & enrollment:

  • Safari:

    • Latest version of Safari on macOS 15+

    • Users may still be prompted to approve extensions in Safari depending on enrollment type


5. Best practices

1. Start with a pilot group

  • Assign the Apple Safari Extension Policy to a small test group first.

  • Include:

    • enableSwifSafariExt = true

    • A short installExtensions list of critical extensions

    • An initial blockExtensions list for obvious high-risk extensions

2. Use precise identifiers

  • Always use the correct BundleID (TeamID) format.

  • Verify extension identifiers from trusted sources (e.g., developer documentation or App Store listing).

3. Keep macOS versions in mind

  • Only target macOS 15+ for this policy.

  • If you have mixed OS versions, segment policies by OS where possible.

4. Pair with Swif’s Shadow IT insights

  • Combine this policy with data from Swif’s Shadow IT/AI dashboards (as described in Swif Safari Extension: Installation & Overview).

  • Promote frequently used safe tools into installExtensions, and push risky tools into blockExtensions.


6. Troubleshooting

If a Safari extension does not behave as expected:

  1. Check OS and enrollment method

    • Confirm the device is on macOS 15+

    • Verify how it was enrolled (SSO vs DEP/ADE vs regular Swif enrollment vs BYOD agent)

  2. Verify identifiers

    • Confirm the exact Bundle ID and Team ID match the extension.

    • Ensure each entry is formatted as:
      BundleID (TeamID)

  3. Review policy assignment

    • Confirm the device or user is actually targeted by the Safari Extension Policy.

    • Check for conflicting or overlapping policies.

  4. Check Safari

    • Ensure Safari is up-to-date.

    • Ask the user to open Safari > Settings/Preferences > Extensions and verify whether:

      • The extension appears

      • The extension is checked/approved

  5. Consult the Swif Safari Extension: Installation & Overview article (for Swif’s own extension)
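
The script below is an added example, not part of Swif's product or documentation: a pre-flight check for the BundleID (TeamID) entries described in sections 3.2 and 3.3 and in the "Verify identifiers" step above. It flags malformed entries, stray whitespace, duplicates, and identifiers that appear in both installExtensions and blockExtensions. The sample entries other than the two shown on this page are constructed, and the 10-character Team ID check reflects how Apple issues Team IDs.

```python
import re

# One policy entry: "BundleID (TeamID)", e.g. "com.razorlabs.night-eye (2TZ44U8P5A)".
ENTRY_RE = re.compile(r"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+) \(([A-Z0-9]+)\)")

def parse_entry(raw):
    """Return (bundle_id, team_id, problems) for one list item."""
    problems = []
    if raw != raw.strip():
        problems.append("leading/trailing whitespace")
    m = ENTRY_RE.fullmatch(raw.strip())
    if not m:
        return None, None, problems + ["not in 'BundleID (TeamID)' format"]
    bundle_id, team_id = m.groups()
    if len(team_id) != 10:
        # Apple-issued Team IDs are 10 characters; other lengths are
        # usually placeholders or typos.
        problems.append("Team ID is not 10 characters")
    return bundle_id, team_id, problems

def check_policy(install, block):
    """Validate both lists; return findings as (list_name, entry, problem)."""
    findings = []
    seen = {}  # (bundle_id, team_id) -> names of the lists it appears in
    for name, items in (("installExtensions", install), ("blockExtensions", block)):
        for raw in items:
            bundle_id, team_id, problems = parse_entry(raw)
            findings += [(name, raw, p) for p in problems]
            if bundle_id is None:
                continue
            lists = seen.setdefault((bundle_id, team_id), [])
            if name in lists:
                findings.append((name, raw, "duplicate entry"))
            elif lists:
                findings.append((name, raw, "also listed in " + lists[0]))
            lists.append(name)
    return findings

# Constructed sample policy; only the first install entry and the first
# block entry are taken from this article.
SAMPLE_INSTALL = ["com.razorlabs.night-eye (2TZ44U8P5A)",
                  "com.example.notes(ABCDE12345)",       # missing space
                  "com.example.reader (ABCDE12345) "]    # trailing space
SAMPLE_BLOCK = ["com.example.unapproved-extension (WXYZ9999)",
                "com.razorlabs.night-eye (2TZ44U8P5A)"]  # conflicts with install

if __name__ == "__main__":
    for list_name, entry, problem in check_policy(SAMPLE_INSTALL, SAMPLE_BLOCK):
        print(f"{list_name}: {entry!r}: {problem}")
```

Running it against an exported copy of both lists before assigning the policy to a pilot group catches entries that would otherwise only surface as an extension silently failing to install or block.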
