macOS policies

Last updated November 19th, 2025

This page describes the policies you can configure for Macs.

System

Policy	Description	Supported system
Camera	Allows the device user to use the camera.	macOS 10.11 and higher
Screen capture	Allows use of the default screen capture function.	macOS 10.14.4 and higher
Manual installation for profile	Allows manual installation of the Apple Configuration Profile.	macOS 13 and higher
Factory reset	Allows the device user to reset the Mac.	macOS 12 and higher
App Adoption by Users	Allows the device user to update default apps from the App Store.	macOS 10.10 and higher
USB restriction mode	Allows the device user to connect to USB accessories while locked.	macOS 13 and higher

Security

Policy	Description	Supported system
Passcode policies	Set to apply the passcode policy when the screen is locked.	macOS 13 and higher
> Passcode strength	Set the passcode strength on the screen. None — Set the passcode with a four digit number. Numeric — Set the passcode using numbers. Must be alphanumeric — Set the passcode using alphanumeric characters. Must include special characters — Set it so that the passcodes must include alphanumeric and special characters.	macOS 10.7 and higher
> Maximum Failed Login Attempts	Set the maximum number of passcode attempts. Upon exceeding this limit, the Mac locks. The value can be between 0 – 10 times.	macOS 10.7 and higher
>> Delay After failed Login Attempts	Set in minutes the time after which sign-in information is reset, when a device user exceeds maximum allowed sign-in attempts.	macOS 10.7 and higher
> Minimum length	Set the minimum length of the passcode. The value can be between 0 – 16 characters.	macOS 10.7 and higher
> Passcode Expiration Timeout (Days)	Set the maximum number of days before the passcode must be reset. The value can be between 0 – 730 days.	macOS 10.7 and higher
> Manage passcode history (Times)	Set the minimum number of new passcodes that must be used before a user can reuse the previous passcode. The value can be between 0 – 50 times.	macOS 10.7 and higher
> Screenlock Auto-Lock Time (Min)	Set the maximum inactive time before the screen of the Mac is locked.	macOS 10.7 and higher
> Screenlock Grace Period (Min)	Set the time duration for device lock after turning off a device screen without entering the passcode. Set to 0 to lock the Mac as soon as the screen turns off.	macOS 10.7 and higher
> Force Passcode Change	Allows the device user to add, change, or remove their account's passcode.	macOS 10.13 and higher
> Passcode Modification	Allows the device user to add, change, or remove their account's passcode.	macOS 10.13 and higher
Screen Unlock with Touch ID	Allows the device user to use Touch ID or Face ID authentication methods to sign in to their account.	macOS 10.12.4 and higher
Touch ID Timeout (Min)	Sets in minutes the time after which fingerprint unlock requires a password to authenticate.	macOS 12 and higher

iCloud

Policy	Description	Supported system
Private Relay	Allows iCloud Private Relay for user privacy.	macOS 12 and higher
Document Synchronization	Allows files on the Mac to sync with iCloud.	macOS 10.11 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each Wi-Fi setting.
Description	Enter a description for each Wi-Fi setting.
Network name (SSID)	Enter the identifier of a wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Security Type	Specifies the access protocol used and whether certificates are required. Values WEP WPA/WPA2 WPA2/WPA3 WPA3 For all individuals Enterprise WEP Enterprise WPA/WPA2 Enterprise WPA2/WPA3 Enterprise WPA3 For all enterprises
> WEP > WPA/WPA2 > WPA2/WPA3 > WPA3 > For all individuals	Set a password.
> Enterprise WEP > Enterprise WPA/WPA2 > Enterprise WPA2/WPA3 > Enterprise WPA3 > For all enterprises	Configure the following items: Protocol: Permitted EAP Type — Select the EAP types to permit. You can select multiple types. EAP-FAST — Configure the EAP-FAST options. Enable the next options by clicking the previous one. A dynamic trust decision by the use — Select whether to use the option. Allow direct connection (Proxy URL) — Select whether to use the option. Authentication: One-time password for connection — Check to enable. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Connector interworking — Choose a connector from the User information Connector. Trust: Root Certificate — Select a Root Certificate to use.
Disable MAC Randomization	Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability	Check to enable Hotspot usage and configure its settings. If this policy is enabled, the Mac is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name	Assign an identifier to the Wi-Fi hotspot service displayed on the Mac.
> Operator Name	Assign the name of the network provider shown on the Mac.
> Roaming Consortium OI	Add a Roaming Consortium organization ID to connect to.
> Network Access ID	Add an ID to authenticate network access.
> Hotspot Operator Code	Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
Hidden Network	Turn on to hide the network from the list of available networks on the Mac. The SSID does not broadcast.
Auto Connect	Turn on to use an automatic Wi-Fi connection.
Proxy	Select a proxy server settings method.
> Manual	Configure the proxy server manually. Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server. User name — Enter the username for the proxy server. Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto	Configure the proxy server automatically. Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy	Configure QoS Marking to manage Wi-Fi network traffic. Values Use Do Not Use
> QoS Marking	Select to enable QoS Marking on the Wi-Fi network.
> Apple Audio & Video Calls	Select to manage Apple audio and video calls with QoS marking.
> Allowlisted Apps	Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

Click add to add a configuration.

Policy	Description
Configuration ID	Assign a unique ID for each certificate setting.
Description	Enter a description for each certificate setting.
Certificate category	Select a certification category. CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list. User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.
CA Certificate	Select a certificate. Certificates in the DER format are not supported.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Specifies the unique ID for the proxy configuration.
Description	Specifies the description for the proxy configuration.
Proxy Type	Specifies whether the proxy access parameters are defined automatically from a PAC file, or manually.
Proxy Server and Port	Defines the proxy server and port. Only available if the Proxy Type policy is set to Manual. Values Enter the server URI and port number. The port number must be between 0 and 65535.
Username	Defines the username parameter. Only available if the Proxy Type policy is set to Manual. Values Enter the username.
Password	Defines the password parameter. Only available if the Proxy Type policy is set to Manual. Values Enter the password.
Proxy PAC URL	Specifies the URI of the proxy PAC file. Only available if the Proxy Type policy is set to Auto. Values Enter the URL of the PAC file.
Proxy PAC Fallback	Controls whether to use a proxy fallback if the PAC file is unreachable. Only available if the Proxy Type policy is set to Auto. Values Enabled Disabled (default)
Proxy Captive Login Allowed	On captive networks, allows the Mac to bypass the proxy server and display the sign-in page. Values Enabled Disabled (default)

Software Update

Configures how software updates on the Mac. This configuration overrides the System Preference > Software Update settings on macOS.

Policy	Description
Configuration ID	Specifies the unique ID for the software update configuration.
Description	Specifies the description for the software update configuration.
Automatic Check for Updates	Allows the Mac to automatically check for software updates.
Automatic App Updates Installation	Allows the Mac to automatically install app updates.
Automatic macOS Updates Installation	Allows the Mac to automatically install firmware updates.
Automatic New Updates Download	Allows the Mac to automatically download software updates.
Automatic Critical Updates Installation	Allows the Mac to automatically install critical software updates.
Pre-release Software Installation	Allows the Mac to automatically install software that is in early access.
Automatic Configuration Data Installation	Allows the Mac to automatically install configuration data.
Restrict App Installations to Admin Users	Prevents non-admin user accounts from installing apps.

macOS policies

System

Security

iCloud

Wi-Fi

Values

Values

Certificate

Global HTTP Proxy

Values

Values

Values

Values

Values

Values

Software Update

On this page