macOS
      Back to home
      1. Help Center
      2. macOS

      Securing Microsoft Office for macOS

      Overview

      This knowledge base article provides information on the Office for Mac preference settings that control and enforce the level of access to the local Mac for Visual Basic macros in Office documents.

      Note: Some of these settings may adversely affect the functionality of 3rd party addins that make use of Visual Basic. To exclude the particular settings that impact 3rd party addins, or to prevent your Mac users from installing and running Office add-ins altogether, reach out to us at support@devicie.com

      Setting Name Setting Summary Recommended Value

      Prevent Visual Basic macros from using legacy MacScript

      DisableVisualBasicMacScript

      		 Determines if macros are allowed to invoke the MacScript() Visual Basic API. This API allows macros to execute arbitrary processes via AppleScript by including “do shell script ...” in the AppleScript code. When this setting is set to true, macros that attempt to use MacScript will fail with an error at the point where MacScript is invoked.

      true

      Prevent all Visual Basic macros from executing

      VisualBasicEntirelyDisabled

      		 Preference to completely disable VBA.

      true

      Setting to true may impact 3rd party addins

      Allow Visual Basic macros to use system APIs

      AllowVisualBasicToBindToSystem

      		 Determines if macros are allowed to use a DECLARE to bind to the system()
      OS API. This API allows macros to execute arbitrary external processes and pass them arbitrary data on the command line.
      The default value for this setting disallows the binding, as the system() API should not be used. When this setting is set to false, macros that attempt to use system() will fail with an error at the point where system() is invoked.      		 false

      Prevent Visual Basic macros from using external dynamic libraries

       

      DisableVisualBasicExternalDylibs

      		 Determines if macros are allowed to use a
      DECLARE statement to bind a Visual Basic symbol name to an external procedure in the local OS. The
      default value for this setting is to allow binding to external dylibs because many legitimate 3rd party
      addin vendors use this feature of Visual Basic to add and extend features in Office for Mac. When this setting is set to true, macros that attempt to use a DECLARE statement will fail with an error at the point where the external procedure is invoked.

      true

      Setting to true may impact 3rd party addins

      Visual Basic macro policy

      VisualBasicMacroExecutionState

      Sets the VisualBasic Macro security level. Valid values:

      • DisabledWithoutWarnings (most secure) The alert is suppressed, and macros are not allowed to run

      • DisabledWithWarnings (default) The alert is shown, and the user makes the choice to enable or disable macros in that one file

      • EnabledWithoutWarnings (least secure) The alert is suppressed, and macros are allowed to run

      DisabledWithoutWarnings

      Prevent Visual Basic macros from using pipes to communicate

      DisableVisualBasicToBindToPopen

      		 Determines if macros are allowed to use a DECLARE to bind to the popen() OS API. This API allows macros to execute arbitrary external processes and pass them arbitrary data on the command line.

      true

      Setting to true may impact 3rd party addins

      Allow macros to modify VB projects (Office 2019 only)

      VBAObjectModelIsTrusted

       

      		 Determines if macros are allowed to modify the VB project itself, through the VBA object model. When this setting is set to NO, macros that attempt to invoke any method in the VB object model will fail with an error at that point in the code. false