In the Workspace ONE UEM console:

1. Select Devices
2. Select Profiles & Resources
3. Select Profiles
4. Select Add
5. Select Add Profile

Click macOS.

Click Device Profile.

1. Select General if it is not already selected.
2. Enter macOS Security Privacy for the profile name.
3. Select Auto for the Assignment Type.
4. Scroll down to view the Smart Groups field, and click in the search box. This will pop-up the list of created Smart Groups. Enter All Devices and select the All Devices ([email protected]) group.

1. Enter Security in the Profile search bar.
2. Select Security & Privacy.
3. Click Configure.

1. Select the Delay Updates check box
2. Set the delay to 90 days
3. Select Mac App Store and Identified developers
4. Check the box for Do not allow user to override Gatekeeper setting
5. Click SAVE AND PUBLISH

Note: The delay starts from the day the update is released. For example, if Apple publishes an update and the device is offline for the first 30 days the update is released, a 90-day update delay period would end 60 days later (even though technically the device has only known about the update for 60 days).  

Click Publish.

Return to the enrolled macOS device:

1. Click the Apple logo
2. Click System Preferences
3. Click Security & Privacy

1. Click General
2. Click the lock to make changes
3. Enter the user's password on the device. If this is a VMworld provided device, enter VMware1! as the administrator password
4. Click Unlock
5. Note you're still unable to make changes to the Gatekeeper settings as these are controlled by Workspace ONE UEM.