macOS Policies

The password dictionary can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| allow_simple | Boolean | Optional. | true |
| require_alphanumeric | Boolean | Optional. | false |
| change_at_next_auth | Boolean | Optional. The option to enforce password change in the next login. | false |
| min_length | Integer | Optional. Values can be from 1 to 16. | |
| min_complex_chars | Integer | Optional. Values can be from 1 to 4. | |
| max_pinage_in_days | Integer | Optional. Values can be from 0 to 730. Specifies the maximum number of days the passcode can be used before expiration. | |
| max_inactivity | String | Optional. Specifies the maximum period of inactivity before the device locks. Values can be never, 1_mintue, 2_minutes, 3_minutes, 4_minutes, 5_minutes, 10_minutes, or 15_minutes. | never |
| pin_history | Integer | Optional. Values can be from 0 to 50. | 0 |
| max_grace_period | String | Optional. Values can be none, immediately, 1_minute, 5_minutes, 15_minutes, 1_hour, or 4_hours. | none |

The wifi dictionary contains the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| service_set_identifier | String | Required. | |
| autojoin | Boolean | Optional. | true |
| hidden_network | Boolean | Optional. | false |
| security_type | String | Optional. The possible values are none, WEP, WPA/WPA2, Any*(Personal), WEP_Enterprise, WPA/WPA2_Enterprise, or Any*(Enterprise). | Any*(Personal) |
| password | String | Required if WEP, WPA/WPA2 or Any*(Personal) is set. | |
| proxy_type | String | Optional. The possible values are None, Manual or Automatic. | None |

If the proxy_type field is set to Manual or Automatic, the following fields must also be provided:

| Argument | Type | Description |
| --- | --- | --- |
| proxyserver | String | Required when proxy_type is Manual. The proxy server’s network address. |
| proxy_server_port | Integer | Required when proxy_type is Manual. The proxy server’s port number. |
| proxy_user_name | String | Required when proxy_type is Manual. Username for proxy authentication. |
| proxy_password | String | Required when proxy_type is Manual. Password for proxy authentication. |
| proxy_pac_url | String | Required when proxy_type is Automatic. The URL of the Proxy Auto Configuration (PAC) file. |

If the security_type field is set to one of the Enterprise network options, namely WEP_Enterprise, WPA/WPA2_Enterprise, or Any*(Enterprise), the following fields must also be provided:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| tls | Boolean | Optional. | false |
| leap | Boolean | Optional. | false |
| eap_fast | Boolean | Optional. | false |
| user_password | String | The user password for authentication. | |
| outer_identity | String | The outer identity for authentication. | |
| inner_authentication | String | Available if eap_fast is enabled. The inner authentication method for EAP. Values can be PAP, CHAP, MSCHAP, or MSCHAPv2. | PAP |
| identity_cert_id | String | The ID of the identity certificate for authentication. | |
| provision_pac | Boolean | Available if eap_fast is enabled. | true |
| provision_pac_anonymously | Boolean | Available if eap_fast is enabled. | false |
| user_name | String | The username for authentication. | |
| ttls | Boolean | Optional. | true |
| peap | Boolean | Optional. | false |
| eap_sim | Boolean | Optional. | false |
| use_per_connection_pwd | Boolean | Optional. | false |
| use_pac | Boolean | Optional. | true |
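
The ranges in the password table and the conditional requirements in the wifi tables can be checked before a policy is submitted. The following is an added example, not code from Hexnode or from the original page; the function names and the sample dictionaries are assumptions constructed for illustration.

```python
# Added example: checks "password" and "wifi" dictionaries against the
# ranges and conditional requirements documented in the tables above.
PASSWORD_RANGES = {  # key: (min, max) as documented for the password dictionary
    "min_length": (1, 16),
    "min_complex_chars": (1, 4),
    "max_pinage_in_days": (0, 730),
    "pin_history": (0, 50),
}
PERSONAL_TYPES = {"WEP", "WPA/WPA2", "Any*(Personal)"}
MANUAL_PROXY_KEYS = ("proxyserver", "proxy_server_port",
                     "proxy_user_name", "proxy_password")


def check_password(pw):
    """Return a list of problems found in a password dictionary."""
    problems = []
    for key, (lo, hi) in PASSWORD_RANGES.items():
        if key not in pw:
            continue  # every password key is optional
        value = pw[key]
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{key}: must be an integer")
        elif not lo <= value <= hi:
            problems.append(f"{key}: {value} outside {lo}-{hi}")
    return problems


def check_wifi(wifi):
    """Return a list of problems found in a wifi dictionary."""
    problems = []
    if not wifi.get("service_set_identifier"):
        problems.append("service_set_identifier: required")
    # security_type defaults to Any*(Personal), which requires a password
    sec = wifi.get("security_type", "Any*(Personal)")
    if sec in PERSONAL_TYPES and not wifi.get("password"):
        problems.append(f"password: required for security_type {sec}")
    proxy = wifi.get("proxy_type", "None")
    if proxy == "Manual":
        for key in MANUAL_PROXY_KEYS:
            if key not in wifi:
                problems.append(f"{key}: required when proxy_type is Manual")
    elif proxy == "Automatic" and not wifi.get("proxy_pac_url"):
        problems.append("proxy_pac_url: required when proxy_type is Automatic")
    return problems


# Constructed sample input, not taken from the page
sample_wifi = {"service_set_identifier": "corp-lab", "proxy_type": "Manual",
               "proxyserver": "proxy.example.internal"}
sample_password = {"min_length": 20, "pin_history": 5, "min_complex_chars": True}
```

Because security_type defaults to Any*(Personal), a wifi dictionary that omits both security_type and password is reported as missing its password.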

The vpn dictionary payload can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| certificate_id | String | Required when machine_authentication is a certificate. | |
| account | String | Optional. The username for the connection. | |
| connection_name | String | Optional. | |
| connection_type | String | Optional. Values can be L2TP, PPTP, IPSec(Cisco), Cisco_AnyConnect, Juniper_SSL, F5_SSL, SonicWALL_Mobile_Connect, Aruba_VIA, Check_Point_Mobile_VPN and Open_VPN. | L2TP |
| encryption_level | String | Available when the connection type is PPTP. Values can be None, Automatic, or Maximum(128_bit). | None |
| group | String | Specifies group information. Available when the connection type is Cisco_AnyConnect. | |
| identifier | String | Optional. Specifies the identifier for the connection. | |
| include_user_pin | Boolean | Optional. | false |
| ipsec_account | String | Optional. The IPSec account information. | |
| ipsec_auth_password | String | Optional. The password for IPSec authentication. | |
| ipsec_certificate_id | String | Optional. The ID of the IPSec certificate. | |
| ipsec_group_name | String | Optional. | |
| ipsec_shared_secret | String | Optional. | |
| l2tp_account | String | Optional. The L2TP account information. | |
| l2tp_password | String | Optional. | false |
| l2tp_server | String | Optional. | false |
| l2tp_shared_secret | String | Optional. | false |
| l2tp_user_authentication | String | The authentication method for an L2TP user. Values can be ‘RSA_SecureID’ or ‘Password’. | ‘RSA_SecureID’ |
| l2tp_user_authentication_method | Integer | Optional. | 1 |
| login_group | String | Required when the connection type is SONIC_WALL_Mobile_Connect. Specifies the login group information. | |
| machine_authentication | String | Required when the connection type is IPSec(Cisco). The type of machine authentication. Values can be certificate or shared_secret/group_name. | shared_secret/group_name |
| password | String | Optional. The password for authentication. | |
| prompt_for_password | String | Optional. | |
| proxy_pac_url | String | Required when proxy_type is Automatic. | |
| proxy_password | String | Available when proxy_type is Manual. | |
| proxy_server_port | Integer | Required when proxy_type is Manual. | |
| proxy_type | String | Values can be ‘None’, ‘Manual’ or ‘Automatic’. | ‘None’ |
| proxy_user_name | String | Available when proxy_type is Manual. Specifies the username for proxy authentication. | |
| proxyserver | String | Required when proxy_type is Manual. The server address of proxy. | |
| realm | String | Optional. Specifies the realm information. | |
| remote_address | String | Optional. Specifies the remote address for the connection. | |
| role | String | Optional. Specifies the role information. | |
| send_all_traffic | Boolean | Optional. The option to enable sending of all traffic through the connection. | false |
| server | String | Optional. Specifies the server information. | |
| use_hybrid_authentication | Boolean | Optional. | false |
| user_authentication_type | String | Optional. Values can be ‘password’ or ‘certificate’. | |
| enable_vpn_ondemand | Integer | Optional. | 0 |
| http_enable | Integer | Optional. | 0 |
| https_enable | Integer | Optional. | 0 |
| proxy_autoconfig | String | Optional. | |
| https_proxyserver | String | Optional. Specifies the server address of the HTTPS proxy server. | |
| https_proxy_server_port | Integer | Optional. Specifies the port number of the HTTPS proxy server. | |
| connection_sub_type | String | Optional. | |
| auth_protocol | Boolean | Optional. The option to enable authentication protocol. | false |
| auth_plugins | Boolean | Optional. The option to enable authentication plugins. | false |
| token_key | Boolean | Optional. | false |
| ipsec_auth_enabled | Integer | Optional. | 1 |
| local_identifier_type | String | Optional. | |

The firewall dictionary payload can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| firewall_enabled | String | Optional. Values can be allow_incoming_connections or block_incoming_connections. | allow_incoming_connections |
| Enable_Firewall | Boolean | Optional. | false |
| Block_AllIncoming | Boolean | Optional. | false |
| Enable_StealthMode | Boolean | Optional. | false |
| application | Array | Optional. The application details to be included in Firewall. The details should be in the following format: [{app_name:'', app_id:'', identifier:''}]. | |

The filevault dictionary payload can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| preventfromdisabled | Boolean | Optional. The option to prevent users from turning off FileVault encryption on the device. | false |
| escrow_recovery_key | Boolean | Optional. The option to encrypt the key with a certificate and escrow it to Hexnode for safekeeping. | false |
| preventfromenabled | Boolean | Optional. The option to prevent users from turning on FileVault encryption on the device. | false |
| escrow_encryption-key_manual | Boolean | Optional. The possible value is allow_hexnode_to_automatically_to_encrypt_and_decrypt_the_recovery_key. | allow_hexnode_to_automatically_to_encrypt_and_decrypt_the_recovery_key |
| unlock_hibernation | Boolean | Optional. The option to enforce the use of the device password for unlocking FileVault after hibernation and for restoring the disk to its most recent saved state. | false |
| max_bypass_attempt | Integer | Optional. | 0 |
| enable_bypassing | Boolean | Optional. | false |
| encryption_type | String | Optional. The possible values are institutional_recovery_key, personal_recovery_key, or institutional_and_personal_recovery_key. | institutional_and_personal_recovery_key |
| escrow_local_desc | String | Optional. The description for escrow local. | |
| show_recovery_key | Boolean | Optional. | true |
| selected_cert_id | Integer | Optional. | 2 |
| escrow_message | String | Optional. | |
| enable_filevault | Boolean | Optional. | true |
| escrow_encrypt_key_cert | String | Optional. | None |
| enter_missing_info | Boolean | Optional. | true |
| ask_at_logout | Boolean | Optional. The option to define the maximum number of times a user can bypass the prompt to enable FileVault when logging into the device. | true |

The systemextension dictionary payload can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| allow_system_user_overrides | Boolean | Optional. | false |
| allowed_system_teamids | Array | Optional. The team identifiers should be specified within []. | |
| allowed_system_extensions | Object | Optional. The system extensions should be specified within {}. | |
| allowed_system_extension_type | Object | Optional. The system extension types should be specified within {}. | |

The kernelextension dictionary payload can contain the following keys:

| Argument | Type | Description | Default value |
| --- | --- | --- | --- |
| allow_user_overrides | Boolean | Optional. | false |
| allowed_kernel_extensions | Object | Optional. The kernel extensions should be specified within {}. | |
| allowed_teamids | String | Optional. The team identifiers should be specified within []. | |