macOS policies

Last updated December 6th, 2023

This page describes the policies you can configure for Macs.

System

| Policy | Description | Supported system |
| --- | --- | --- |
| Camera | Allows the use of device camera. | macOS 10.11 and higher |
| Screen capture | Allows use of the default screen capture function. | macOS 10.14.4 and higher |
| Manual installation for profile | Allows manual installation of the Apple Configuration Profile. | macOS 13 and higher |
| Factory reset | Allows a device to erase all content and settings. | macOS 12 and higher |
| USB restriction mode | Allows device to connect to USB accessories while locked. | macOS 13 and higher |

Security

| Policy | Description | Supported system |
| --- | --- | --- |
| Passcode policies | Set to apply the passcode policy when the screen is locked. | macOS 13 and higher |
| > Passcode strength | Set the passcode strength on the screen. None: set the passcode with a four-digit number. Numeric: set the passcode using numbers. Must be alphanumeric: set the passcode using alphanumeric characters. Must include special characters: passcodes must include alphanumeric and special characters. | macOS 10.7 and higher |
| > Maximum Failed Login Attempts | Set the maximum number of incorrect passcode attempts allowed. On exceeding this limit, the device is locked. The value can be between 0 – 10 times. | macOS 10.7 and higher |
| >> Delay After failed Login Attempts | Set in minutes the time after which sign-in information is reset, when a device user exceeds the maximum allowed sign-in attempts. | macOS 10.7 and higher |
| > Minimum length | Set the minimum length of the passcode. The value can be between 0 – 16 characters. | macOS 10.7 and higher |
| > Passcode Expiration Timeout (Days) | Set the maximum number of days before the passcode must be reset. The value can be between 0 – 730 days. | macOS 10.7 and higher |
| > Manage passcode history (Times) | Set the minimum number of new passcodes that must be used before a user can reuse the previous passcode. The value can be between 0 – 50 times. | macOS 10.7 and higher |
| > Screenlock Auto-Lock Time (Min) | Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device type. | macOS 10.7 and higher |
| > Screenlock Grace Period (Min) | Set how long after the screen turns off the device can be unlocked without entering the passcode. Note: Select 0 to lock the device immediately. | macOS 10.7 and higher |
| > Force Passcode Change | Allows users to add, change, or remove the device passcode. | macOS 10.13 and higher |
| > Passcode Modification | Allows device users to add, change, or remove their device passcode. | macOS 10.13 and higher |
| Screen Unlock with Touch ID | Allows device users to use Touch ID or Face ID authentication methods to sign in to their device. | macOS 10.12.4 and higher |
| Touch ID Timeout (Min) | Sets in minutes the time after which fingerprint unlock requires a password to authenticate. | macOS 12 and higher |

iCloud

| Policy | Description | Supported system |
| --- | --- | --- |
| Private Relay | Allows iCloud Private Relay for user privacy. | macOS 12 and higher |
| Document Synchronization | Allows the synchronization of documents on the device to iCloud. | macOS 10.11 and higher |

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Security Type

Specifies the access protocol used and whether certificates are required.

Values

  • WEP
  • WPA/WPA2
  • WPA2/WPA3
  • WPA3
  • For all individuals
  • Enterprise WEP
  • Enterprise WPA/WPA2
  • Enterprise WPA2/WPA3
  • Enterprise WPA3
  • For all enterprises

> WEP

> WPA/WPA2

> WPA2/WPA3

> WPA3

> For all individuals

Set a password.

> Enterprise WEP

> Enterprise WPA/WPA2

> Enterprise WPA2/WPA3

> Enterprise WPA3

> For all enterprises

Configure the following items:

  • Protocol:

    • Permitted EAP Type — Select the EAP types to permit. You can select multiple types.
    • EAP-FAST — Configure the EAP-FAST options. Enable the next options by clicking the previous one.
    • A dynamic trust decision by the user — Select whether to use the option.
    • Allow direct connection (Proxy URL) — Select whether to use the option.
  • Authentication:

    • One-time password for connection — Check to enable.
    • Manual Input — Enter the user ID and password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
    • Connector interworking — Choose a connector from the User information Connector.
  • Trust:

    • Root Certificate — Select a Root Certificate to use.
Disable MAC Randomization Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name Assign the name of the network provider shown on the device.
> Roaming Consortium OI Add a Roaming Consortium organization ID to connect to.
> Network Access ID Add an ID to authenticate network access.
> Hotspot Operator Code Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).
Hidden Network Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect Check the check box to use an automatic Wi-Fi connection.
Proxy Select a proxy server settings method.
> Manual

Configure the proxy server manually.

  • Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name — Enter the username for the proxy server.
  • Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto

Configure the proxy server automatically.

  • Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy Configure QoS Marking to manage Wi-Fi network traffic.

Values

  • Use
  • Do Not Use
> QoS Marking Select to enable QoS Marking on the Wi-Fi network.
> Apple Audio & Video Calls Select to manage Apple audio and video calls with QoS marking.
> Allowlisted Apps Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.
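
The Wi-Fi settings above end up in the Wi-Fi payload of an Apple configuration profile, so an exported profile can be reviewed for the riskier choices (WEP, hidden SSID, MAC randomization disabled, user trust decisions, no root certificate). The following is an added example, not code from this product: the key names are those of Apple's `com.apple.wifi.managed` payload, the mapping from the console fields to those keys is an assumption, and the sample profile is constructed.

```python
import plistlib

# Constructed sample profile (not from the page) with settings worth flagging.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.wifi.managed</string>
    <key>SSID_STR</key><string>corp-example</string>
    <key>EncryptionType</key><string>WEP</string>
    <key>HIDDEN_NETWORK</key><true/>
    <key>DisableAssociationMACRandomization</key><true/>
    <key>EAPClientConfiguration</key><dict>
      <key>AcceptEAPTypes</key><array><integer>25</integer></array>
      <key>TLSAllowTrustExceptions</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_wifi(profile_bytes):
    """Return a list of (ssid, finding) for each Wi-Fi payload in a profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        enc = payload.get("EncryptionType", "Any")  # Apple's default is "Any"
        if enc in ("WEP", "None", "Any"):
            findings.append((ssid, f"weak security type: {enc}"))
        if payload.get("HIDDEN_NETWORK", False):
            findings.append((ssid, "hidden network: device probes for the SSID by name"))
        if payload.get("DisableAssociationMACRandomization", False):
            findings.append((ssid, "MAC randomization disabled"))
        eap = payload.get("EAPClientConfiguration")
        if eap is not None:  # enterprise network: check server trust
            anchored = bool(eap.get("PayloadCertificateAnchorUUID")
                            or eap.get("TLSTrustedServerNames"))
            if not anchored:
                findings.append((ssid, "no root certificate or server name pinned"))
            # Documented default: true unless a trust anchor is supplied.
            if eap.get("TLSAllowTrustExceptions", not anchored):
                findings.append((ssid, "user may accept an untrusted server certificate"))
    return findings


if __name__ == "__main__":
    for ssid, finding in audit_wifi(SAMPLE_PROFILE):
        print(f"{ssid}: {finding}")
```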

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

Click add to add a configuration.

Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Certificate category

Select a certification category.

  • CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.
CA Certificate Select a certificate. Certificates in the DER format are not supported.
