When you deploy Unbound through your MDM, enforcement is installed as managed settings — administrator-level configuration that standard users can’t change or remove. This keeps Unbound active on every device, even if a user tries to turn it off, and it works the same way on macOS and Windows. This page covers why managed settings are tamper-resistant, how to keep them in place with a daily schedule, and how to spot devices where enforcement has drifted.Documentation Index
Fetch the complete documentation index at: https://docs.getunbound.ai/llms.txt
Use this file to discover all available pages before exploring further.
Why managed settings are tamper-resistant
Deploying through MDM is different from a per-user install. Instead of writing configuration into each user’s personal settings — which that user can edit — Unbound is installed into the device’s managed settings, owned by the administrator.Standard users can't remove it
Managed settings live in an administrator-owned, protected location. A standard (non-admin) user can’t modify or delete them.
It takes precedence
Managed settings override personal settings, so a user can’t disable enforcement by changing their own configuration.
Managed deployment must be run with administrator privileges. See Deploy AI Tools via MDM for the per-tool install commands.
Reapply on a daily schedule
Schedule the MDM deployment to run once a day on each device. A daily run keeps enforcement resilient: if a setting is ever changed or removed, the next run restores it automatically — so any gap closes within 24 hours without manual intervention.Deploy via MDM
Push the MDM install command for each AI tool to your managed devices.
Run it daily
Configure your MDM platform to re-run the same command on a daily schedule. Re-running is safe — it reapplies the managed settings and changes nothing on devices that are already correct.
Confirm on the Devices page
Review the Devices page to confirm enforcement is active across your fleet.
Keep an eye on your fleet
The Devices page gives you a fleet-wide view of where Unbound is active and when each device last reported in. Use it to confirm coverage: a device that hasn’t reported recently, or that an administrator knows was reinstalled, is worth a closer look. When a device needs attention, an administrator can re-run the MDM deployment on it at any time to restore enforcement immediately, and the daily schedule does this automatically.macOS and Windows
Managed settings are administrator-protected on both platforms, so the tamper-resistance guarantees are the same:| Platform | Who can change enforcement |
|---|---|
| macOS | Only an administrator. Standard users can’t edit or remove the managed settings. |
| Windows | Only an administrator. Standard users can’t edit or remove the managed settings. |
If users on a device have local administrator rights, they can change administrator-level settings. To keep enforcement fully tamper-resistant, limit local admin rights and rely on the daily schedule and Devices-page review to catch any changes.
Best practices
Deploy through MDM
Use managed deployment rather than per-user setup so enforcement is administrator-owned from the start.
Run daily
A daily schedule restores any removed or changed settings within 24 hours.
Limit local admin rights
Standard users can’t touch managed settings — keeping admin rights scarce keeps enforcement intact.
Review the Devices page
Check in regularly to confirm every device is still reporting and enforcement is active.
Questions? Reach us in Slack or email support@unboundsecurity.ai.