macOS policies
Last updated March 21st, 2023
This page describes the policies you can configure for Macs.
System
Policy | Description | Supported system |
---|---|---|
Camera | Allows the use of device camera. | macOS 10.11 and higher |
Screen capture | Allows use of the default screen capture function. | macOS 10.14.4 and higher |
Manual installation for profile | Allows manual installation of the Apple Configuration Profile. | macOS 13 and higher |
Factory reset | Allows a device to erase all content and settings. | macOS 12 and higher |
Delay Software Update | Enable to delay software updates on macOS devices. If set to Apply, you can set delays for app updates and minor and major OS updates. Software update notifications on devices are postponed and display after the specified delay period. | macOS 11.3 and higher |
> Delay App Update | Allow app updates to be delayed on macOS devices. | |
>> Delayed Period (Days) | Enter the number of days to delay app updates. | |
> Delay Minor OS Update | Allow minor OS updates, such as from macOS 13.1 to macOS 13.2, to be delayed on macOS devices. | |
>> Delayed Period (Days) | Enter the number of days to delay minor OS updates. | |
> Delay Major OS Update | Allow major OS updates, such as from macOS 13 to macOS 14, to be delayed on macOS devices. | |
>> Delayed Period (Days) | Enter the number of days to delay major OS updates. | |
Software Update Notification | Enable notifications related to software updates on the macOS devices. | macOS 10.10 and higher |
App Adoption by Users | Allow device users to update default macOS apps from App Store. | macOS 10.10 and higher |
USB restriction mode | Allows device to connect to USB accessories while locked. | macOS 13 and higher |
Security
Policy | Description | Supported system |
---|---|---|
Passcode policies | Set to apply the passcode policy when the screen is locked. | macOS 13 and higher |
> Passcode strength | Set the passcode strength on the screen. | macOS 10.7 and higher |
> Maximum Failed Login Attempts | Set the maximum number of incorrect passcode attempts allowed. On exceeding this limit, the device is locked. The value can be between 0 – 10 times. | macOS 10.7 and higher |
>> Delay After failed Login Attempts | Set in minutes the time after which sign-in information is reset, when a device user exceeds maximum allowed sign-in attempts. | macOS 10.7 and higher |
> Minimum length | Set the minimum length of the passcode. The value can be between 0 – 16 characters. | macOS 10.7 and higher |
> Passcode Expiration Timeout (Days) | Set the maximum number of days before the passcode must be reset. The value can be between 0 – 730 days. | macOS 10.7 and higher |
> Manage passcode history (Times) | Set the minimum number of new passcodes that must be used before a user can reuse the previous passcode. The value can be between 0 – 50 times. | macOS 10.7 and higher |
> Screenlock Auto-Lock Time (Min) | Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type. | macOS 10.7 and higher |
> Screenlock Grace Period (Min) | Set how long after the device screen turns off the device can still be unlocked without entering the passcode. Select 0 to lock the device immediately. | macOS 10.7 and higher |
> Force Passcode Change | Allows users to add, change, or remove the device passcode. | macOS 10.13 and higher |
> Passcode Modification | Allows device users to add, change, or remove their device passcode. | macOS 10.13 and higher |
Screen Unlock with Touch ID | Allows device users to use Touch ID or Face ID authentication methods to sign in to their device. | macOS 10.12.4 and higher |
Touch ID Timeout (Min) | Sets in minutes the time after which fingerprint unlock requires a password to authenticate. | macOS 12 and higher |
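
The following is an added example, not code from this product or from Apple: it checks proposed passcode values against the ranges in the table above and serializes them as a configuration profile so the result can be reviewed before deployment. The mapping from the console's setting names to Apple's `com.apple.mobiledevice.passwordpolicy` payload keys is an assumption, and the identifier `com.example.passcode` and the sample values are constructed.

```python
import plistlib
import uuid

# Ranges as stated in the Security table on this page, keyed by the Apple
# passcode-payload key ASSUMED to correspond to each console setting.
RANGES = {
    "maxFailedAttempts": (0, 10),   # Maximum Failed Login Attempts
    "minLength": (0, 16),           # Minimum length
    "maxPINAgeInDays": (0, 730),    # Passcode Expiration Timeout (Days)
    "pinHistory": (0, 50),          # Manage passcode history (Times)
}
# Settings for which this page gives no range: only checked as non-negative.
NO_RANGE = {"maxInactivity", "maxGracePeriod", "minutesUntilFailedLoginReset"}

def validate(settings):
    """Return a list of problems; an empty list means every value is acceptable."""
    problems = []
    for key, value in settings.items():
        if key not in RANGES and key not in NO_RANGE:
            problems.append(f"{key}: not a setting covered here")
        elif isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key}: expected an integer, got {value!r}")
        elif value < 0:
            problems.append(f"{key}: must not be negative")
        elif key in RANGES and value > RANGES[key][1]:
            problems.append(f"{key}: {value} exceeds documented maximum {RANGES[key][1]}")
    return problems

def build_profile(settings, identifier="com.example.passcode"):
    """Serialize validated settings as a .mobileconfig (XML plist) byte string."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = dict(settings,
                   PayloadType="com.apple.mobiledevice.passwordpolicy",
                   PayloadIdentifier=identifier + ".policy",
                   PayloadUUID=str(uuid.uuid4()), PayloadVersion=1)
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()),
               "PayloadDisplayName": "Passcode policy (constructed sample)",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def read_policy(profile_bytes):
    """Parse a profile and return its passcode payload for review."""
    return plistlib.loads(profile_bytes)["PayloadContent"][0]

if __name__ == "__main__":
    sample = {"minLength": 12, "maxFailedAttempts": 5, "maxPINAgeInDays": 365,
              "pinHistory": 5, "maxGracePeriod": 0}   # constructed sample values
    print(build_profile(sample).decode())
```
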
iCloud
Policy | Description | Supported system |
---|---|---|
Private Relay | Allows iCloud Private Relay for user privacy. | macOS 12 and higher |
Document Synchronization | Allows the synchronization of documents on the device to iCloud. | macOS 10.11 and higher |
Wi-Fi
Configures Wi-Fi settings, such as SSID, security type, and proxy.
Click to add a configuration.
You can add or edit up to 20 configurations when you save the profile.
Policy | Description |
---|---|
Configuration ID | Assign a unique ID for each Wi-Fi setting. |
Description | Enter a description for each Wi-Fi setting. |
Network name (SSID) | Enter the identifier of a wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. |
Security Type | Specifies the access protocol used and whether certificates are required. |
> WEP > WPA/WPA2 > WPA2/WPA3 > WPA3 > For all individuals | Set a password. |
> Enterprise WEP > Enterprise WPA/WPA2 > Enterprise WPA2/WPA3 > Enterprise WPA3 > For all enterprises | Configure the following items: |
Disable MAC Randomization | Randomizes the device's MAC address when connected to the Wi-Fi network. |
Hotspot Availability | Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0. |
> Hotspot Domain Name | Assign an identifier to the Wi-Fi hotspot service displayed on a device. |
> Operator Name | Assign the name of the network provider shown on the device. |
> Roaming Consortium OI | Add a Roaming Consortium organization ID to connect to. |
> Network Access ID | Add an ID to authenticate network access. |
> Hotspot Operator Code | Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC). |
Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast. | |
Auto Connect | Check the check box to use an automatic Wi-Fi connection. |
Proxy | Select a proxy server settings method. |
> Manual | Configure the proxy server manually. |
> Auto | Configure the proxy server automatically. |
QoS Marking Policy | Configure QoS Marking to manage Wi-Fi network traffic. |
> QoS Marking | Select to enable QoS Marking on the Wi-Fi network. |
> Apple Audio & Video Calls | Select to manage Apple audio and video calls with QoS marking. |
> Allowlisted Apps | Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog. |
Certificate
Allows using new certificate authority (CA) certificates and configuring the certificate settings.
Click to add a configuration.
Policy | Description |
---|---|
Configuration ID | Assign a unique ID for each certificate setting. |
Description | Enter a description for each certificate setting. |
Certificate category | Select a certificate category. |
CA Certificate | Select a certificate. Certificates in the DER format are not supported. |
Global HTTP Proxy
Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.
Click to add a configuration.
You can add or edit only one configuration when you save the profile.
Policy | Description |
---|---|
Configuration ID | Assign a unique ID for each global HTTP proxy setting. |
Description | Enter a description for each global HTTP proxy setting. |
Proxy Type | Select and enter the corresponding items depending on the proxy type. |
> Manual | |
> Auto | |
Proxy Captive Login Allowed | Select to allow the device to bypass the proxy server to display the login page for captive networks. |
Software Update
Configure how to update software on macOS devices. This configuration overrides the System Preference > Software Update settings on a macOS device.
Policy | Description |
---|---|
Configuration ID | Assign a unique ID for the software update setting. |
Description | Enter a description for the software update setting. |
Automatic Check for Updates | Allow automated checks for software updates. |
Automatic App Updates Installation | Allow automatic installation of app updates. |
Automatic macOS Updates Installation | Allow automatic installation of macOS updates. |
Automatic New Updates Download | Allow automatic download of updates. |
Automatic Critical Updates Installation | Allow automatic installation of critical updates. |
Pre-release Software Installation | Allow installation of preview software that is available prior to public release. |
Automatic Configuration Data Installation | Allow automatic installation of configuration data. |
Restrict App Installations to Admin Users | Allow app installation by admins only. |