Create read-only policy for Mac endpoints

  1. In the Management Center, go to Policies.
  2. Right-click Policy Items, then click New and then File Encryption.
  3. Enter a name for the new policy and click OK.
  4. On the File encryption tab, select Location-based from the Encryption type drop-down list.
    The list to specify the paths for location-based encryption is displayed.
  5. Specify the following paths and exclude them from encryption.
    1. Network shares: Use the <Network Shares> placeholder to point to the root folders of all Mac OS X network shares.
    2. Removable media: Use the <Removables> placeholder to point to the root folders of all Mac OS X removable media.
    3. Cloud provider synchronization folder(s): Enter the folder(s) that will be synchronized with a cloud service. Only local paths are supported.
    4. Note: The following path is only needed if Microsoft Outlook for Mac 2011 is used.
      <User Profile>\Library\Caches\TemporaryItems\Outlook Temp\
    5. Note: The following path is only needed if Microsoft Outlook for Mac 2016 is used.
      <%TMPDIR%>\com.microsoft.Outlook\Outlook Temp\
    6. Note: The following paths are only needed if Apple Mail is used:
      <User Profile>\Library\Containers\com.apple.mail\Data\Library\Mail Downloads\
      <%TMPDIR%>\com.apple.mail\com.apple.mail\
  6. Make sure all paths are excluded from encryption: Exclude must be selected in the Mode column for each path.
  7. When you leave the File encryption tab, the system prompts you to save your changes.
  8. Click Yes.
  9. Go to Users and Computers and assign the new policy to the Mac endpoint users who should be able to read encrypted data but not encrypt data.