
macOS policies

Last updated May 8th, 2023

This page describes the policies you can configure for Macs.

System

Policy | Description | Supported system
Camera | Allows the device user to use the camera. | macOS 10.11 and higher
Screen capture | Allows use of the default screen capture function. | macOS 10.14.4 and higher
Manual installation for profile | Allows manual installation of the Apple Configuration Profile. | macOS 13 and higher
Factory reset | Allows the device user to reset the Mac. | macOS 12 and higher
Delay Software Update | Pauses firmware and App Store updates for a defined period. After the period elapses, the firmware or app updates. If set to Apply, you can set delays for app and macOS updates. Software update notifications on the Mac are postponed and display after the specified delay period. | macOS 11.3 and higher
> Delay App Update | Allows app updates to be delayed. |
>> Delayed Period (Days) | Specifies the period to delay app updates, in days. |
> Delay Minor OS Update | Delays minor macOS updates. Minor updates change the second numeral in the version scheme, such as macOS 13.1 and macOS 13.2. |
>> Delayed Period (Days) | Specifies the period to delay minor macOS updates, in days. |
> Delay Major OS Update | Delays major macOS updates. Major updates change the first numeral in the version scheme, such as from macOS 13.1 to macOS 14.1. |
>> Delayed Period (Days) | Specifies the period to delay major macOS updates, in days. |
Software Update Notification | Enables notifications related to software updates on the Mac. | macOS 10.10 and higher
App Adoption by Users | Allows the device user to update default apps from the App Store. | macOS 10.10 and higher
USB restriction mode | Allows the device user to connect to USB accessories while locked. | macOS 13 and higher

Security

Policy | Description | Supported system
Passcode policies | Set to apply the passcode policy when the screen is locked. | macOS 13 and higher
> Passcode strength | Set the passcode strength on the screen. | macOS 10.7 and higher
  • None — Set the passcode with a four digit number.
  • Numeric — Set the passcode using numbers.
  • Must be alphanumeric — Set the passcode using alphanumeric characters.
  • Must include special characters — Set it so that the passcodes must include alphanumeric and special characters.
> Maximum Failed Login Attempts | Set the maximum number of passcode attempts. Upon exceeding this limit, the Mac locks. The value can be between 0 – 10 times. | macOS 10.7 and higher
>> Delay After failed Login Attempts | Set in minutes the time after which sign-in information is reset, when a device user exceeds maximum allowed sign-in attempts. | macOS 10.7 and higher
> Minimum length | Set the minimum length of the passcode. The value can be between 0 – 16 characters. | macOS 10.7 and higher
> Passcode Expiration Timeout (Days) | Set the maximum number of days before the passcode must be reset. The value can be between 0 – 730 days. | macOS 10.7 and higher
> Manage passcode history (Times) | Set the minimum number of new passcodes that must be used before a user can reuse the previous passcode. The value can be between 0 – 50 times. | macOS 10.7 and higher
> Screenlock Auto-Lock Time (Min) | Set the maximum inactive time before the screen of the Mac is locked. | macOS 10.7 and higher
> Screenlock Grace Period (Min) | Set the time duration for device lock after turning off a device screen without entering the passcode. Set to 0 to lock the Mac as soon as the screen turns off. | macOS 10.7 and higher
> Force Passcode Change | Allows the device user to add, change, or remove their account's passcode. | macOS 10.13 and higher
> Passcode Modification | Allows the device user to add, change, or remove their account's passcode. | macOS 10.13 and higher
Screen Unlock with Touch ID | Allows the device user to use Touch ID or Face ID authentication methods to sign in to their account. | macOS 10.12.4 and higher
Touch ID Timeout (Min) | Sets in minutes the time after which fingerprint unlock requires a password to authenticate. | macOS 12 and higher

iCloud

Policy | Description | Supported system
Private Relay | Allows iCloud Private Relay for user privacy. | macOS 12 and higher
Document Synchronization | Allows files on the Mac to sync with iCloud. | macOS 10.11 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy | Description
Configuration ID | Assign a unique ID for each Wi-Fi setting.
Description | Enter a description for each Wi-Fi setting.
Network name (SSID) | Enter the identifier of a wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Security Type | Specifies the access protocol used and whether certificates are required. Values:
  • WEP
  • WPA/WPA2
  • WPA2/WPA3
  • WPA3
  • For all individuals
  • Enterprise WEP
  • Enterprise WPA/WPA2
  • Enterprise WPA2/WPA3
  • Enterprise WPA3
  • For all enterprises
> WEP, WPA/WPA2, WPA2/WPA3, WPA3, For all individuals | Set a password.
> Enterprise WEP, Enterprise WPA/WPA2, Enterprise WPA2/WPA3, Enterprise WPA3, For all enterprises | Configure the following items:
  • Protocol:
    • Permitted EAP Type — Select the EAP types to permit. You can select multiple types.
    • EAP-FAST — Configure the EAP-FAST options. Enable the next options by clicking the previous one.
    • A dynamic trust decision by the user — Select whether to use the option.
    • Allow direct connection (Proxy URL) — Select whether to use the option.
  • Authentication:
    • One-time password for connection — Check to enable.
    • Manual Input — Enter the user ID and Password for the Wi-Fi connection.
    • You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
    • Connector interworking — Choose a connector from the User information Connector.
  • Trust:
    • Root Certificate — Select a Root Certificate to use.
Disable MAC Randomization | Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability | Check to enable Hotspot usage and configure its settings. If this policy is enabled, the Mac is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name | Assign an identifier to the Wi-Fi hotspot service displayed on the Mac.
> Operator Name | Assign the name of the network provider shown on the Mac.
> Roaming Consortium OI | Add a Roaming Consortium organization ID to connect to.
> Network Access ID | Add an ID to authenticate network access.
> Hotspot Operator Code | Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
Hidden Network | Turn on to hide the network from the list of available networks on the Mac. The SSID does not broadcast.
Auto Connect | Turn on to use an automatic Wi-Fi connection.
Proxy | Select a proxy server settings method.
> Manual | Configure the proxy server manually.
  • Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name — Enter the username for the proxy server.
  • Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto | Configure the proxy server automatically.
  • Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy | Configure QoS Marking to manage Wi-Fi network traffic. Values:
  • Use
  • Do Not Use
> QoS Marking | Select to enable QoS Marking on the Wi-Fi network.
> Apple Audio & Video Calls | Select to manage Apple audio and video calls with QoS marking.
> Allowlisted Apps | Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

Click add to add a configuration.

Policy | Description
Configuration ID | Assign a unique ID for each certificate setting.
Description | Enter a description for each certificate setting.
Certificate category | Select a certification category.
  • CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.
CA Certificate | Select a certificate. Certificates in the DER format are not supported.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy | Description
Configuration ID | Specifies the unique ID for the proxy configuration.
Description | Specifies the description for the proxy configuration.
Proxy Type | Specifies whether the proxy access parameters are defined automatically from a PAC file, or manually.
Proxy Server and Port | Defines the proxy server and port. Only available if the Proxy Type policy is set to Manual. Values: Enter the server URI and port number. The port number must be between 0 and 65535.
Username | Defines the username parameter. Only available if the Proxy Type policy is set to Manual. Values: Enter the username.
Password | Defines the password parameter. Only available if the Proxy Type policy is set to Manual. Values: Enter the password.
Proxy PAC URL | Specifies the URI of the proxy PAC file. Only available if the Proxy Type policy is set to Auto. Values: Enter the URL of the PAC file.
Proxy PAC Fallback | Controls whether to use a proxy fallback if the PAC file is unreachable. Only available if the Proxy Type policy is set to Auto. Values:
  • Enabled
  • Disabled (default)
Proxy Captive Login Allowed | On captive networks, allows the Mac to bypass the proxy server and display the sign-in page. Values:
  • Enabled
  • Disabled (default)

Software Update

Configures how software is updated on the Mac. This configuration overrides the System Preference > Software Update settings on macOS.

Policy | Description
Configuration ID | Specifies the unique ID for the software update configuration.
Description | Specifies the description for the software update configuration.
Automatic Check for Updates | Allows the Mac to automatically check for software updates.
Automatic App Updates Installation | Allows the Mac to automatically install app updates.
Automatic macOS Updates Installation | Allows the Mac to automatically install firmware updates.
Automatic New Updates Download | Allows the Mac to automatically download software updates.
Automatic Critical Updates Installation | Allows the Mac to automatically install critical software updates.
Pre-release Software Installation | Allows the Mac to automatically install software that is in early access.
Automatic Configuration Data Installation | Allows the Mac to automatically install configuration data.
Restrict App Installations to Admin Users | Prevents non-admin user accounts from installing apps.
