macOS policies

Last updated March 21st, 2023

This page describes the policies you can configure for Macs.

System

Policy Description Supported system
Camera Allows the use of the device camera. macOS 10.11 and higher
Screen capture Allows use of the default screen capture function. macOS 10.14.4 and higher
Manual installation for profile Allows manual installation of the Apple Configuration Profile. macOS 13 and higher
Factory reset Allows a device to erase all content and settings. macOS 12 and higher
Delay Software Update

Enable to delay software updates on macOS devices.

If set to Apply, you can set delays for app updates and minor and major OS updates.

Software update notifications on devices are postponed and display after the specified delay period.

macOS 11.3 and higher
> Delay App Update Allow app updates to be delayed on macOS devices.
>> Delayed Period (Days) Enter the number of days to delay app updates.
> Delay Minor OS Update Allow minor OS updates, such as from macOS 13.1 to macOS 13.2, to be delayed on macOS devices.
>> Delayed Period (Days) Enter the number of days to delay minor OS updates.
> Delay Major OS Update Allow major OS updates, such as from macOS 13 to macOS 14, to be delayed on macOS devices.
>> Delayed Period (Days) Enter the number of days to delay major OS updates.
Software Update Notification Enable notifications related to software updates on the macOS devices. macOS 10.10 and higher
App Adoption by Users Allow device users to update default macOS apps from the App Store. macOS 10.10 and higher
USB restriction mode Allows device to connect to USB accessories while locked. macOS 13 and higher

Security

Policy Description Supported system
Passcode policies Set to apply the passcode policy when the screen is locked. macOS 13 and higher
> Passcode strength

Set the passcode strength on the screen.

  • None — Set the passcode with a four-digit number.
  • Numeric — Set the passcode using numbers.
  • Must be alphanumeric — Set the passcode using alphanumeric characters.
  • Must include special characters — Set it so that the passcodes must include alphanumeric and special characters.
macOS 10.7 and higher
> Maximum Failed Login Attempts

Set the maximum number of incorrect passcode attempts allowed. On exceeding this limit, the device is locked.

The value can be between 0 – 10 times.

macOS 10.7 and higher
>> Delay After failed Login Attempts Set, in minutes, the time after which sign-in information is reset when a device user exceeds the maximum allowed sign-in attempts. macOS 10.7 and higher
> Minimum length

Set the minimum length of the passcode.

The value can be between 0 – 16 characters.

macOS 10.7 and higher
> Passcode Expiration Timeout (Days)

Set the maximum number of days before the passcode must be reset.

The value can be between 0 – 730 days.

macOS 10.7 and higher
> Manage passcode history (Times)

Set the minimum number of new passcodes that must be used before a user can reuse the previous passcode.

The value can be between 0 – 50 times.

macOS 10.7 and higher
> Screenlock Auto-Lock Time (Min) Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device type. macOS 10.7 and higher
> Screenlock Grace Period (Min)

Set how long after the device screen turns off the device can still be unlocked without entering the passcode.

Select 0 to lock the device immediately.

macOS 10.7 and higher
> Force Passcode Change Allows users to add, change, or remove the device passcode. macOS 10.13 and higher
> Passcode Modification Allows device users to add, change, or remove their device passcode. macOS 10.13 and higher
Screen Unlock with Touch ID Allows device users to use Touch ID or Face ID authentication methods to sign in to their device. macOS 10.12.4 and higher
Touch ID Timeout (Min) Sets in minutes the time after which fingerprint unlock requires a password to authenticate. macOS 12 and higher
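
The passcode settings above, checked against the value ranges this page documents and serialized as an Apple passcode payload. This is an added example, not code from the product or its documentation; the mapping of console fields to Apple payload keys, the identifier and the sample values are assumptions. It builds only the passcode payload, not the enclosing configuration profile.

```python
import plistlib
import uuid

# Value limits exactly as this page documents them; the Apple payload key
# assigned to each console field is an assumption of this example.
PAGE_RANGES = {
    "maxFailedAttempts": (0, 10),   # Maximum Failed Login Attempts
    "minLength": (0, 16),           # Minimum length
    "maxPINAgeInDays": (0, 730),    # Passcode Expiration Timeout (Days)
    "pinHistory": (0, 50),          # Manage passcode history (Times)
}

def validate(settings):
    """Return a list of problems found in a passcode settings dict."""
    problems = []
    for key, (low, high) in PAGE_RANGES.items():
        value = settings.get(key)
        if value is not None and not low <= value <= high:
            problems.append(f"{key}={value} is outside {low}-{high}")
    # The delay is a sub-setting of the failed-attempt limit in the table above.
    if "minutesUntilFailedLoginReset" in settings and not settings.get("maxFailedAttempts"):
        problems.append("minutesUntilFailedLoginReset needs maxFailedAttempts")
    return problems

def build_payload(settings, identifier="com.example.passcode"):
    """Serialize validated settings as a passcode payload (XML plist bytes)."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper(),
        **settings,
    }
    return plistlib.dumps(payload)

# Constructed sample: alphanumeric passcode, lock after 5 idle minutes.
SAMPLE = {
    "requireAlphanumeric": True,        # Passcode strength: Must be alphanumeric
    "minLength": 12,
    "maxFailedAttempts": 10,
    "minutesUntilFailedLoginReset": 5,  # Delay After failed Login Attempts
    "maxPINAgeInDays": 365,
    "pinHistory": 5,
    "maxInactivity": 5,                 # Screenlock Auto-Lock Time (Min)
    "maxGracePeriod": 0,                # Screenlock Grace Period: lock immediately
}
```

Calling `build_payload(SAMPLE)` returns the XML plist bytes; a settings dict that breaks a documented range raises `ValueError` naming the offending key.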

iCloud

Policy Description Supported system
Private Relay Allows iCloud Private Relay for user privacy. macOS 12 and higher
Document Synchronization Allows the synchronization of documents on the device to iCloud. macOS 10.11 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Security Type

Specifies the access protocol used and whether certificates are required.

Values

  • WEP
  • WPA/WPA2
  • WPA2/WPA3
  • WPA3
  • For all individuals
  • Enterprise WEP
  • Enterprise WPA/WPA2
  • Enterprise WPA2/WPA3
  • Enterprise WPA3
  • For all enterprises

> WEP

> WPA/WPA2

> WPA2/WPA3

> WPA3

> For all individuals

Set a password.

> Enterprise WEP

> Enterprise WPA/WPA2

> Enterprise WPA2/WPA3

> Enterprise WPA3

> For all enterprises

Configure the following items:

  • Protocol:

    • Permitted EAP Type — Select the EAP types to permit. You can select multiple types.
    • EAP-FAST — Configure the EAP-FAST options. Each option becomes available after you select the one before it.
    • A dynamic trust decision by the user — Select whether to use the option.
    • Allow direct connection (Proxy URL) — Select whether to use the option.
  • Authentication:

    • One-time password for connection — Check to enable.
    • Manual Input — Enter the user ID and Password for the Wi-Fi connection.
    • You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
    • Connector interworking — Choose a connector from the User information Connector.
  • Trust:

    • Root Certificate — Select a Root Certificate to use.
Disable MAC Randomization Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name Assign the name of the network provider shown on the device.
> Roaming Consortium OI Add a Roaming Consortium organization ID to connect to.
> Network Access ID Add an ID to authenticate network access.
> Hotspot Operator Code Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
Hidden Network Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect Check the check box to use an automatic Wi-Fi connection.
Proxy Select a proxy server settings method.
> Manual

Configure the proxy server manually.

  • Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name — Enter the username for the proxy server.
  • Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto

Configure the proxy server automatically.

  • Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy Configure QoS Marking to manage Wi-Fi network traffic.

Values

  • Use
  • Do Not Use
> QoS Marking Select to enable QoS Marking on the Wi-Fi network.
> Apple Audio & Video Calls Select to manage Apple audio and video calls with QoS marking.
> Allowlisted Apps Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

Click add to add a configuration.

Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Certificate category

Select a certification category.

  • CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.
CA Certificate Select a certificate. Certificates in the DER format are not supported.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each global HTTP proxy setting.
Description Enter a description for each global HTTP proxy setting.
Proxy Type Select and enter the corresponding items depending on the proxy type.
> Manual
  • Proxy Server and Port — Enter the IP address of a proxy server and the port number of the proxy server.
  • Username — Enter the username for user authentication.
  • Password — Enter the password for user authentication.
> Auto
  • Proxy PAC URL — Enter the URL of the PAC file that defines the proxy configuration.
  • Proxy PAC Fallback — Select to allow a direct connection from the user device if the PAC connection fails.
Proxy Captive Login Allowed Select to allow the device to bypass the proxy server to display the login page for captive networks.

Software Update

Configure how to update software on macOS devices. This configuration overrides the System Preference > Software Update settings on a macOS device.

Policy Description
Configuration ID Assign a unique ID for the software update setting.
Description Enter a description for the software update setting.
Automatic Check for Updates Allow automated checks for software updates.
Automatic App Updates Installation Allow automatic installation of app updates.
Automatic macOS Updates Installation Allow automatic installation of macOS updates.
Automatic New Updates Download Allow automatic download of updates.
Automatic Critical Updates Installation Allow automatic installation of critical updates.
Pre-release Software Installation Allow installation of preview software that is available prior to public release.
Automatic Configuration Data Installation Allow automatic installation of configuration data.
Restrict App Installations to Admin Users Allow app installation by admins only.
