How to use pre-configured policy template in Hexnode UEM for easy policy deployment

Hexnode UEM policy templates are pre-configured sets of policies that you can use to create new policies and associate them with the required target devices. Apart from the default policy templates, you can also create new templates in the Hexnode portal.
To associate a policy template with a target device, first copy it to My Policies. You can either use the copied policy as it is, or modify it before attaching it to the devices. Hexnode lets you create more than one policy from the same policy template, so to create multiple policies with the same configuration you only need to create one template and copy it as many times as required.
Note: Instead of creating a large number of identical policies by configuring each one individually, you can create a single policy template in Hexnode with the required configurations and reproduce it into as many policies as required.

Pre-configured templates in Hexnode:

Android Website kiosk

A pre-configured policy template that locks down Android devices to a couple of web apps in multi-app kiosk mode.

Template name: Android Website Kiosk

Description: Lock down Android devices to a handful of websites.

Template Configuration:

Kiosk Lockdown > Android Kiosk Lockdown > Multi App: Amazon feedback & Amazon affiliates.

BitLocker Security Policy

A policy that is pre-configured to provide industry-standard BitLocker encryption along with Windows password security.

Template name: BitLocker Security Policy

Description: Enable BitLocker encryption for industry-standard security.

Template Configuration:

  • Windows > Password
    Allow simple value: Disabled
    Password type: Users can choose
    Minimum password length: 8
    Minimum complex characters: Digits only
    Minimum passcode age (in days): 0
    Auto-lock (in minutes): 0
    Passcode history: 0
    Failed attempts before wipe: 0
  • Windows > Security > BitLocker
    Prompt to encrypt storage card: Enabled
    Prompt for device encryption: Enabled
    Configure encryption method for disk drives: Select default value
    Configure authentication when computer starts up: Enable
    Allow BitLocker without a Trusted Platform Module (TPM): Select default value
    Authenticate with TPM startup key: Disallow
    Authenticate with TPM startup PIN: Disallow
    Authenticate with TPM startup key and PIN: Disallow
    Enable TPM during startup: Disallow
    Minimum length for BitLocker startup PIN: 6
    Configure pre-boot recovery message: Show default recovery message and URL
    Configure recovery options for system drives: Disabled
    Configure recovery options for fixed drives: Disabled
    Fixed drives require encryption: Enabled
    Removable drives require encryption: Enabled

BYOD Policy for Corporate Data Containerization

A policy template to protect corporate data on any iOS or Android BYOD device.

Template name: BYOD Policy for Corporate Data Containerization

Description: A common policy for iOS & Android devices to safeguard the corporate data in Managed apps and Work containers.

Template Configuration:

  • iOS > Restrictions
    Allow Device Functionality
      Camera: Enabled
      FaceTime: Enabled
      Screen capture: Enabled
      Touch ID: Enabled
      Siri: Enabled
      Allow Siri while device is locked: Enabled
      Voice dialing: Enabled
      Automatic sync while roaming: Enabled
    Allow Application Settings
      Show App Store on the device: Enabled
      iTunes Store: Enabled
      Force user to enter iTunes Store password for each purchase: Enabled
      In-app purchases: Enabled
      Trust enterprise app: Enabled
      Users can modify enterprise app trust: Enabled
      Backup enterprise-deployed iBooks: Enabled
      Sync managed app data with iCloud: Disabled
      YouTube: Enabled
      Safari: Enabled
      Autofill: Enabled
      Fraud warning: Disabled
      JavaScript: Enabled
      Block pop-ups: Enabled
      Accept cookies: Always
      Access Passbook when the device is locked: Disabled
      Add friends in Game Center: Enabled
    Allow iCloud Settings
      Backup: Enabled
      Sync documents: Enabled
      Photo Stream (disallowing might cause data loss): Enabled
      Share photo streams: Enabled
      iCloud photo library: Enabled
      Sync enterprise book metadata across devices: Enabled
    Allow Security and Privacy Settings
      Lock screen notifications: Enabled
      Today View on lock screen: Enabled
      Control Center on lock screen: Enabled
      Over-the-air PKI updates: Enabled
      Limit ad tracking: Disabled
      Send diagnostic data to Apple: Enabled
      Accept untrusted TLS certificate: Enabled
      Force encrypted backup: Disabled
      Show notification on Apple Watch if worn: Disabled
    Allow Explicit Content
      Explicit music, podcasts and iTunes U services: Enabled
      iBooks store erotica: Disabled
      Rating region: United States
    Content rating
      Movies: Allow All Movies
      TV Shows: Allow All TV Shows
      Apps: Allow All Apps
  • iOS > Advanced Restrictions
    Allow Device Functionality
      AirDrop: Enabled
      Apps can modify cellular data usage: Enabled
      Add or remove Touch ID/Face ID: Enabled
      iMessage: Enabled
      Game Center: Enabled
      Multiplayer gaming: Enabled
      Pair with iTunes: Enabled
      Install configuration profile: Enabled
      Definition lookup: Enabled
      Predictive keyboard: Enabled
      Auto-correct words: Enabled
      Suggest words on misspellings: Enabled
      Keyboard shortcuts: Enabled
      Pair with Apple Watch: Enabled
      Modify diagnostic data submission settings: Enabled
      Modify Bluetooth settings: Enabled
      Use voice to type: Enabled
      Connect to MDM-configured Wi-Fi networks only: Disabled
      Users can modify Personal Hotspot settings: Enabled
      Create VPN configuration: Enabled
      AirPrint: Enabled
      Connect with iBeacon: Enabled
      Store AirPrint credentials in Keychain: Enabled
      Use trusted certificates for secure printing: Disabled
    Allow App Settings
      Install app from App Store: Enabled
      Remove apps: Enabled
      Remove system apps: Enabled
      iBooks store: Enabled
      Apple Music: Enabled
      iTunes Radio: Enabled
      News: Enabled
      Podcasts: Enabled
      Download all purchased apps automatically: Enabled
    Allow Security and Privacy Settings
      Activation Lock: Disabled
      Modify an account: Enabled
      Erase content and settings: Enabled
      Siri can access user-generated content: Enabled
      Modify Find My Friends: Enabled
      Use profanity filter: Disabled
      Show web results using Spotlight Search: Enabled
      Modify Restrictions/Screen Time: Enabled
      Modify passcode: Enabled
      Modify device name: Enabled
      Modify wallpaper: Enabled
      Users can turn notifications on/off: Enabled
      Force Automatic Date and Time: Disabled
      Autofill Passwords: Enabled
      Request passwords from nearby devices: Enabled
      Share passwords via AirDrop Passwords feature: Enabled
  • iOS > Security > Business Container
    Open documents from managed apps in unmanaged apps: Disabled
    Open documents from unmanaged apps in managed apps: Disabled
    Managed apps can write to Unmanaged Contact Accounts: Disabled
    Unmanaged apps can read from Managed Contact Accounts: Disabled
    Block Sharing Managed Document using AirDrop: Disabled
  • Android > Advanced Restrictions
    Allow device functionality
      Microphone: Enabled
      Screen capture: Disabled
      Clipboard: Enabled
      Copy contents between normal and work profiles: Enabled
      Share via other apps: Enabled
      Users can adjust volume: Enabled
      Make a call: Enabled
    Display Settings
      Hide System bars: Disabled
      Hide Status Bar: Disabled
      Hide Navigation Bar: Disabled
      Split-screen mode: Enabled
      Display dialogs/windows: Enabled
    Allow Connectivity Options
      NFC: Enabled
      Android Beam: Enabled
      Beam from the device: Enabled
      Transfer data via Bluetooth: Enabled
      Configure Bluetooth: Enabled
      Configure cell broadcast: Enabled
      Configure cellular network: Enabled
      Users can reset network settings: Enabled
      Configure Wi-Fi: Enabled
      Configure hotspot and tethering: Enabled
    Security Options
      Minimum Wi-Fi Security Level: Open
    Allow Sync Settings
      Sync data in background: Enabled
      Sync data with Google account: Enabled
    Allow Account Settings
      SMS: Enabled
      Receive messages: Enabled
      Send messages: Enabled
      Modify Accounts/Users: Enabled
      Add Users: Enabled
      Remove Users: Enabled
      Configure user credentials: Enabled
    Allow Settings
      Developer mode: Enabled
      USB debugging: Enabled
      Modify settings: Enabled
      Power saving mode: Enabled
      Users can enable location sharing: Enabled
      Factory reset: Enabled
      Read any connected physical external media: Enabled
      Update date and time automatically: Enabled
      Set time zone automatically: Enabled
      Disable screen lock if the screen was turned off: Disabled
      Configure VPN: Enabled
    Allow App Settings
      Install apps: Enabled
      Uninstall apps: Enabled
      Control apps: Enabled
      Google Play Store: Enabled
      Verify apps before install: Disabled
      Install apps from unknown sources: Disabled
      App Runtime Permissions: Default permissions
      Parent profile app linking: Enabled
      Factory Reset Protection (Google Account Verification): Default

Expense Management Policy

An Android policy that sets data and Wi-Fi usage restrictions and notifications to keep control over expenses.

Template name: Expense Management Policy

Description: Data/Wi-Fi usage warning & restrictions for an arbitrary monthly limit.

Template Configuration:

  • Android > Mobile Data Management
    Data Usage Restrictions
      Enable data usage tracking: Enabled
      Enable network & data usage restrictions: Enabled
      Network Restrictions: No Restrictions
      Data Usage Notifications: Notify both User and Admin, Monthly, when Mobile data exceeds 0.5 GB
      Data Usage Restrictions: Restrict and notify all, Monthly, when Mobile Data exceeds 1 GB
      Reset Data Tracking: Daily at 18:30 (UTC +00:00) GMT Standard Time; Monthly on day 1 of each month

HIPAA Compliance Policy

A policy with iOS and Android passcode and restriction settings, along with Mac and Windows encryption configurations, that sets confidentiality and integrity standards to protect ePHI.

Template name: HIPAA Compliance Policy

Description: Workstation and Device Security policies to protect ePHI.

Template Configuration:

  • iOS > Passcode
    Allow simple value: Disabled
    Require alphanumeric value: Enabled
    Minimum Passcode Length: 8
    Minimum complex characters: 1
    Minimum passcode age in days (0-730 days): 30
    Auto Lock: 1 Minute
    Passcode History (1-50 passcodes): 5
    Grace period for device lock: Immediately
    Failed attempts (after the specified number of failed attempts, the device data will be wiped automatically): 10
  • iOS > Advanced Restrictions
    Allow Device Functionality
      AirDrop: Enabled
      Apps can modify cellular data usage: Enabled
      Add or remove Touch ID/Face ID: Enabled
      iMessage: Enabled
      Game Center: Enabled
      Multiplayer gaming: Enabled
      Pair with iTunes: Enabled
      Install configuration profile: Enabled
      Definition lookup: Enabled
      Predictive keyboard: Enabled
      Auto-correct words: Enabled
      Suggest words on misspellings: Enabled
      Keyboard shortcuts: Enabled
      Pair with Apple Watch: Enabled
      Modify diagnostic data submission settings: Enabled
      Modify Bluetooth settings: Enabled
      Use voice to type: Enabled
      Connect to MDM-configured Wi-Fi networks only: Disabled
      Users can modify Personal Hotspot settings: Enabled
      Create VPN configuration: Enabled
      AirPrint: Enabled
      Connect with iBeacon: Enabled
      Store AirPrint credentials in Keychain: Enabled
      Use trusted certificates for secure printing: Disabled
    Allow App Settings
      Install app from App Store: Enabled
      Remove apps: Enabled
      Remove system apps: Enabled
      iBooks store: Enabled
      Apple Music: Enabled
      iTunes Radio: Enabled
      News: Enabled
      Podcasts: Enabled
      Download all purchased apps automatically: Enabled
    Allow Security and Privacy Settings
      Activation Lock: Disabled
      Modify an account: Enabled
      Erase content and settings: Enabled
      Siri can access user-generated content: Enabled
      Modify Find My Friends: Enabled
      Use profanity filter: Disabled
      Show web results using Spotlight Search: Enabled
      Modify Restrictions/Screen Time: Enabled
      Modify passcode: Enabled
      Modify device name: Enabled
      Modify wallpaper: Enabled
      Users can turn notifications on/off: Enabled
      Force Automatic Date and Time: Disabled
      Autofill Passwords: Enabled
      Request passwords from nearby devices: Enabled
      Share passwords via AirDrop Passwords feature: Enabled
  • iOS > Security > Business Container
    Open documents from managed apps in unmanaged apps: Enabled
    Open documents from unmanaged apps in managed apps: Enabled
    Managed apps can write to Unmanaged Contact Accounts: Disabled
    Unmanaged apps can read from Managed Contact Accounts: Disabled
    Block Sharing Managed Document using AirDrop: Disabled
  • Android > Advanced Restrictions
    Allow device functionality
      Microphone: Enabled
      Screen capture: Enabled
      Clipboard: Enabled
      Copy contents between normal and work profiles: Disabled
      Share via other apps: Enabled
      Users can adjust volume: Enabled
      Make a call: Enabled
    Display Settings
      Hide System bars: Disabled
      Hide Status Bar: Disabled
      Hide Navigation Bar: Disabled
      Split-screen mode: Enabled
      Display dialogs/windows: Enabled
    Allow Connectivity Options
      NFC: Enabled
      Android Beam: Enabled
      Beam from the device: Enabled
      Transfer data via Bluetooth: Enabled
      Configure Bluetooth: Enabled
      Configure cell broadcast: Enabled
      Configure cellular network: Enabled
      Users can reset network settings: Enabled
      Configure Wi-Fi: Enabled
      Configure hotspot and tethering: Enabled
    Security Options
      Minimum Wi-Fi Security Level: Open
    Allow Sync Settings
      Sync data in background: Enabled
      Sync data with Google account: Enabled
    Allow Account Settings
      SMS: Enabled
      Receive messages: Enabled
      Send messages: Enabled
      Modify Accounts/Users: Enabled
      Add Users: Enabled
      Remove Users: Enabled
      Configure user credentials: Enabled
    Allow Settings
      Developer mode: Disabled
      USB debugging: Disabled
      Modify settings: Enabled
      Power saving mode: Enabled
      Users can enable location sharing: Enabled
      Factory reset: Enabled
      Read any connected physical external media: Enabled
      Update date and time automatically: Enabled
      Set time zone automatically: Enabled
      Disable screen lock if the screen was turned off: Disabled
      Configure VPN: Enabled
    Allow App Settings
      Install apps: Enabled
      Uninstall apps: Enabled
      Control apps: Enabled
      Google Play Store: Enabled
      Verify apps before install: Disabled
      Install apps from unknown sources: Disabled
      App Runtime Permissions: Default permissions
      Parent profile app linking: Enabled
      Factory Reset Protection (Google Account Verification): Default
  • Windows > Security > BitLocker
    Prompt to encrypt storage card: Enabled
    Prompt for device encryption: Enabled
    Configure encryption method for disk drives: Select default value
    Configure authentication when computer starts up: Select default value
    Minimum length for BitLocker startup PIN: 6
    Configure pre-boot recovery message: Select default value
    Configure recovery options for system drives: Disabled
    Configure recovery options for fixed drives: Disabled
    Fixed drives require encryption: Enabled
    Removable drives require encryption: Enabled
  • macOS > Security > FileVault
    Enable FileVault: Enabled
    Encrypt using: Institutional and Personal Recovery Key
    Encryption certificate: HexnodeMDM FileVault Certificate
    Show Personal Recovery Key to user: Enabled
    Skip enabling FileVault at user login: Disabled

iOS Single App Kiosk Policy

A preconfigured policy to restrict an iOS device to a single app in kiosk mode.

Template name: iOS Single App Kiosk Policy

Description: Lock down iOS devices to a single app

Template Configuration:

  • Kiosk Lockdown > iOS Kiosk Lockdown > Single App

    Uber Technologies Inc. is added as the app in single-app kiosk mode.

    Advanced Kiosk Settings
      Disable touch: Disabled
      Disable device screen rotation: Disabled
      Disable volume buttons: Disabled
      Disable ringer switch: Enabled
      Disable sleep/wake button: Disabled
      Disable auto lock: Disabled
      Enable VoiceOver: Disabled
      Enable Zoom: Disabled
      Enable invert colors: Disabled
      Enable AssistiveTouch: Disabled
      Enable speak selection: Disabled
    User Enabled Options
      VoiceOver: Enabled
      Zoom: Enabled
      Invert colors: Disabled
      AssistiveTouch: Disabled

Location Policy

A pre-configured location tracking policy that reports the devices’ location at a specified time interval.

Template name: Location Policy

Description: Enable Location Tracking on target devices.

Template Configuration:

  • General Settings > Location Tracking
    Enable Location Tracking: Enabled
    Location Update Interval: 1 hour

Samsung Knox Policy

A policy template for Samsung Knox device security.

Template name: Samsung Knox Policy

Description: With advanced restrictions exclusively available for Samsung devices.

Template Configuration:

  • Android > Password > Device Password
    Password Requirement: Alphanumeric
    Minimum Passcode Length: 8
    Password age (in days): _
    Auto-lock after: _
    Password History (1-50 passcodes): _
    Failed attempts (after the specified number of failed attempts, the device data will be wiped automatically): _
  • Android > Advanced Restrictions
    Allow device functionality
      Microphone: Enabled
      Screen capture: Disabled
      Clipboard: Disabled
      Copy contents between normal and work profiles: Disabled
      Share via other apps: Disabled
      Users can adjust volume: Enabled
      Make a call: Enabled
    Display Settings
      Hide System bars: Disabled
      Hide Status Bar: Disabled
      Hide Navigation Bar: Disabled
      Split-screen mode: Enabled
      Display dialogs/windows: Enabled
    Allow Connectivity Options
      NFC: Enabled
      Android Beam: Enabled
      Beam from the device: Enabled
      Transfer data via Bluetooth: Enabled
      Configure Bluetooth: Enabled
      Configure cell broadcast: Enabled
      Configure cellular network: Enabled
      Users can reset network settings: Enabled
      Configure Wi-Fi: Enabled
      Configure hotspot and tethering: Enabled
    Security Options
      Minimum Wi-Fi Security Level: Open
    Allow Sync Settings
      Sync data in background: Enabled
      Sync data with Google account: Enabled
    Allow Account Settings
      SMS: Enabled
      Receive messages: Enabled
      Send messages: Enabled
      Modify Accounts/Users: Enabled
      Add Users: Enabled
      Remove Users: Enabled
      Configure user credentials: Enabled
    Allow Settings
      Developer mode: Disabled
      USB debugging: Disabled
      Modify settings: Enabled
      Power saving mode: Enabled
      Users can enable location sharing: Enabled
      Factory reset: Enabled
      Read any connected physical external media: Enabled
      Update date and time automatically: Enabled
      Set time zone automatically: Enabled
      Disable screen lock if the screen was turned off: Disabled
      Configure VPN: Enabled
    Allow App Settings
      Install apps: Enabled
      Uninstall apps: Enabled
      Control apps: Enabled
      Google Play Store: Enabled
      Verify apps before install: Disabled
      Install apps from unknown sources: Disabled
      App Runtime Permissions: Default permissions
      Parent profile app linking: Enabled
      Factory Reset Protection (Google Account Verification): Default

Standard DLP Policy

A standard data loss prevention policy for iOS, Android, Windows, and macOS devices.

Template name: Standard DLP Policy

Description: Standard Data Loss Prevention policies for optimal security.

Template Configuration:

  • iOS > Passcode
    Allow simple value: Disabled
    Require alphanumeric value: Enabled
    Minimum Passcode Length: 8
    Minimum complex characters: 1
    Minimum passcode age in days (0-730 days): 30
    Auto Lock: 1 Minute
    Passcode History (1-50 passcodes): 5
    Grace period for device lock: Immediately
    Failed attempts (after the specified number of failed attempts, the device data will be wiped automatically): 10
  • iOS > Advanced Restrictions
    Allow Device Functionality
      AirDrop: Enabled
      Apps can modify cellular data usage: Enabled
      Add or remove Touch ID/Face ID: Enabled
      iMessage: Enabled
      Game Center: Enabled
      Multiplayer gaming: Enabled
      Pair with iTunes: Enabled
      Install configuration profile: Enabled
      Definition lookup: Enabled
      Predictive keyboard: Enabled
      Auto-correct words: Enabled
      Suggest words on misspellings: Enabled
      Keyboard shortcuts: Enabled
      Pair with Apple Watch: Enabled
      Modify diagnostic data submission settings: Enabled
      Modify Bluetooth settings: Enabled
      Use voice to type: Enabled
      Connect to MDM-configured Wi-Fi networks only: Disabled
      Users can modify Personal Hotspot settings: Enabled
      Create VPN configuration: Enabled
      AirPrint: Enabled
      Connect with iBeacon: Enabled
      Store AirPrint credentials in Keychain: Enabled
      Use trusted certificates for secure printing: Disabled
    Allow App Settings
      Install app from App Store: Enabled
      Remove apps: Enabled
      Remove system apps: Enabled
      iBooks store: Enabled
      Apple Music: Enabled
      iTunes Radio: Enabled
      News: Enabled
      Podcasts: Enabled
      Download all purchased apps automatically: Enabled
    Allow Security and Privacy Settings
      Activation Lock: Disabled
      Modify an account: Enabled
      Erase content and settings: Enabled
      Siri can access user-generated content: Enabled
      Modify Find My Friends: Enabled
      Use profanity filter: Disabled
      Show web results using Spotlight Search: Enabled
      Modify Restrictions/Screen Time: Enabled
      Modify passcode: Enabled
      Modify device name: Enabled
      Modify wallpaper: Enabled
      Users can turn notifications on/off: Enabled
      Force Automatic Date and Time: Disabled
      Autofill Passwords: Enabled
      Request passwords from nearby devices: Enabled
      Share passwords via AirDrop Passwords feature: Enabled
  • Android > Advanced Restrictions
    Allow device functionality
      Microphone: Enabled
      Screen capture: Enabled
      Clipboard: Enabled
      Copy contents between normal and work profiles: Disabled
      Share via other apps: Enabled
      Users can adjust volume: Enabled
      Make a call: Enabled
    Display Settings
      Hide System bars: Disabled
      Hide Status Bar: Disabled
      Hide Navigation Bar: Disabled
      Split-screen mode: Enabled
      Display dialogs/windows: Enabled
    Allow Connectivity Options
      NFC: Enabled
      Android Beam: Enabled
      Beam from the device: Enabled
      Transfer data via Bluetooth: Enabled
      Configure Bluetooth: Enabled
      Configure cell broadcast: Enabled
      Configure cellular network: Enabled
      Users can reset network settings: Enabled
      Configure Wi-Fi: Enabled
      Configure hotspot and tethering: Enabled
    Security Options
      Minimum Wi-Fi Security Level: Open
    Allow Sync Settings
      Sync data in background: Enabled
      Sync data with Google account: Enabled
    Allow Account Settings
      SMS: Enabled
      Receive messages: Enabled
      Send messages: Enabled
      Modify Accounts/Users: Enabled
      Add Users: Enabled
      Remove Users: Enabled
      Configure user credentials: Enabled
    Allow Settings
      Developer mode: Disabled
      USB debugging: Disabled
      Modify settings: Enabled
      Power saving mode: Enabled
      Users can enable location sharing: Enabled
      Factory reset: Enabled
      Read any connected physical external media: Enabled
      Update date and time automatically: Enabled
      Set time zone automatically: Enabled
      Disable screen lock if the screen was turned off: Disabled
      Configure VPN: Enabled
    Allow App Settings
      Install apps: Enabled
      Uninstall apps: Enabled
      Control apps: Enabled
      Google Play Store: Enabled
      Verify apps before install: Disabled
      Install apps from unknown sources: Disabled
      App Runtime Permissions: Default permissions
      Parent profile app linking: Enabled
      Factory Reset Protection (Google Account Verification): Default
  • Windows > Security > BitLocker
    Prompt to encrypt storage card: Enabled
    Prompt for device encryption: Enabled
    Configure encryption method for disk drives: Select default value
    Configure authentication when computer starts up: Select default value
    Minimum length for BitLocker startup PIN: 6
    Configure pre-boot recovery message: Show default recovery message and URL
    Configure recovery options for system drives: Disabled
    Configure recovery options for fixed drives: Disabled
    Fixed drives require encryption: Enabled
    Removable drives require encryption: Enabled
  • macOS > Security > FileVault
    Enable FileVault: Enabled
    Encrypt using: Institutional and Personal Recovery Key
    Encryption certificate: HexnodeMDM FileVault Certificate
    Show Personal Recovery Key to user: Enabled
    Skip enabling FileVault at user login: Disabled

CIS Benchmark Compliance Level 1 - macOS

The CIS (Center for Internet Security) benchmarks are a set of security configuration guidelines for various operating systems, applications, and network devices. They provide a standardized framework for strengthening system security, helping organizations to reduce their exposure to attacks and improve their overall security posture. These benchmarks are developed through a community consensus process and are widely recognized as a best practice for securing devices across all supported platforms. Hexnode supports making devices partially CIS Benchmark compliant.

Template name: CIS Benchmark Compliance Level 1 – macOS

Description: Apply this template to get one step closer to CIS compliance on your macOS devices.

Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.

Template Configuration:

  • macOS > Passcode
  • Settings Configuration
    Allow simple value Enabled
    Require alphanumeric value Enabled
    Change password at next login Disabled
    Minimum passcode length 15
    Minimum complex characters
    Maximum passcode age in days 1
    Auto lock
    Passcode history 15
    Grace period for device to lock
    Maximum failed attempts 5
    Custom regular expression Disabled
  • macOS > Restrictions
  • Restrictions Configuration
    Allow Device Functionality Auto-unlock with Apple Watch in proximity Enabled
    Touch ID Enabled
    Definition lookup Enabled
    Enforce on-device-only dictation Disabled
    Universal control Enabled
    USB restricted mode Enabled
    Incoming Airplay requests Disabled
    Allow personalized ads from Apple Disabled
    Install configuration profiles Enabled
    Users can turn VPN on/off Enabled
    Allow App Settings Stream using Music app Enabled
    Camera Enabled
    Game Center
    • Add friends in Game Center
    • Game Center account modifications
    • Multiplayer gaming
    Disabled
    App Store Allow software update notifications only Disabled
    Finder Settings Burn data to disk Enabled
    Connect to local servers or on the internet Enabled
    Eject mounted volumes Enabled
    Go to Folder Enabled
    Show external hard disks on desktop Enabled
    Show hard disk on desktop Disabled
    Show mounted file servers on desktop Disabled
    Show removable media items on desktop Enabled
    Warn the user before emptying the trash Enabled
    Security Ask for password when removing the policy Disabled
    Timeout for Fingerprint 48 hour(s)
    Send diagnostics Disabled
    Allow iCloud Options Back to My Mac Disabled
    Find My Mac Enabled
    iCloud Mail Enabled
    Calendar Enabled
    Reminder Enabled
    Address Book Enabled
    Notes Enabled
    Auto-upload files in Desktop and Documents Enabled
    Sync bookmarks with iCloud Enabled
    Document and key-value sync Enabled
    Sync passwords across devices Enabled
    Photo library Enabled
    Freeform services Enabled
  • macOS > Advanced Restrictions
  • Restrictions Configuration
    Device Functionality and Personalization Screen Capture
    Remote Screen Observation Enabled
    AirDrop Disabled
    Wallpaper Modification Enabled
    Dictation Enabled
    Handoff Enabled
    iTunes or Finder File Sharing Enabled
    Show Web Results in Spotlight Search Enabled
    iPhone mirroring Enabled
    Show Wi-Fi status in menu bar Enabled
    Show Bluetooth status in menu bar Enabled
    Security and Privacy Activation Lock Enabled
    Content caching Let user choose
    Erase all content and settings Enabled
    Passcode Modification Enabled
    Autofill Passwords Enabled
    Safari AutoFill Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
    Users can modify File Sharing settings Disabled
    Users can modify Bluetooth Sharing settings Disabled
    Users can modify Printer Sharing settings Disabled
    Users can modify Internet Sharing settings Disabled
    Users can modify Remote Management Sharing settings Disabled
    Users can modify Remote Apple Events Sharing settings Disabled
    Users can modify an account Enabled
    Users can modify Device Name Enabled
    Users can create local user accounts Enabled
    Users can add or remove Touch ID/Face ID Enabled
    Users can modify Time Machine settings Enabled
    Users can modify Startup Disk settings Enabled
    Guest Account Disabled
    keyboard entry for Terminal app Enabled
    Software update deferment 15
    Users can modify Media Sharing settings Enabled
    Bypass screen capture alert Disabled
    App Installation From Mac App Store and Identified Developers
    App Store Restrict app installations to admin users Disabled
    Restrict App Store to Software Updates Only Disabled
    Disable App Store app adoption Disabled
    Restrict App Store to apps installed via MDM and software updates only Disabled
    Secure Wi-Fi Settings Enforce admin authorization when switching between Wi-Fi networks Disabled
    Enforce admin authorization to enable IBSS Disabled
    Enforce admin authorization to turn Wi-Fi on/off Disabled
    Allow Apple Intelligence Image playground Enabled
    Writing tools Enabled
    ChatGPT integration Enabled
    ChatGPT user account sign-in Enabled
  • macOS > Security > Firewall
  • Restrictions Configuration
    Firewall Enable Firewall Enabled
    Enable stealth mode Enabled
    Enable logging Disabled
    Logging level Throttled
    Block all incoming connections Disabled
    Allow incoming connections to built-in software Enabled
    Allow incoming connections to downloaded signed software Enabled
    Applications Allow/block incoming connections to the following apps Allow incoming connections
  • macOS > Security > FileVault
  • Settings Configuration
    Prevent FileVault from being disabled Disabled
    Prevent FileVault from being enabled Disabled
    Enable FileVault Enabled
    Encrypt using Institutional and Personal Recovery Key
    Encryption certificate
    Escrow Personal Recovery Key Disabled
    Show Personal Recovery Key to user Enabled
    Skip enabling FileVault at user login Disabled
    Require user to unlock FileVault after hibernation Disabled
  • macOS > Security > Login Window Preferences
  • Settings Configuration
    Display login window as Name and password
    Hide Shut Down button Disabled
    Hide Restart button Disabled
    Hide Sleep button Disabled
    Disable login items bypass Disabled
    Disable Console Access from Login Screen Disabled
    Disable Shut Down while user is logged in Disabled
    Disable Restart while user is logged in Disabled
    Disable Power Off while user is logged in Disabled
    Disable Log Out while user is logged in Disabled
    Disable Immediate Screen Lock options Disabled
    Password hints Disabled
    Automatic login Disabled
    Show text to display in the Login Window* Welcome
    Show Admin Host Info
  • macOS > Patches & Updates > Software Update Preferences
  • Restrictions Configuration
    Software Update Preferences Automatically check for new updates Enabled
    Automatically download new updates Enabled
    Automatically install macOS updates Enabled
    Automatically install app updates Enabled
    Automatically install critical updates Enabled
    Automatically install configuration data Enabled
    Install pre-release software Not Configured
    Force admin privilege requirement for software updates Not Configured
    Install Rapid Security Responses Not Configured
    Allow removal of Rapid Security Responses Not Configured
    Defer Software Updates Defer major upgrades Not Configured
    Defer minor upgrades Not Configured
    Defer app upgrades Not Configured
  • macOS > Configurations > Setup Assistant
  • Settings Configuration
    Skip Privacy setup Disabled
    Skip signing in with Apple ID Disabled
    Skip iCloud Storage setup Disabled
    Skip Siri setup Disabled
    Skip Choose Your Look setup Disabled
  • macOS > Configurations > Screensaver
  • Settings Configuration
    Enable Screensaver Enabled
    Login window screensaver idle time 1 min
    Screensaver idle time 20 min
    Require Password to unlock screen Enabled
    Set delay for password prompt 5 sec
  • macOS > Configurations > Energy Saver
  • Restrictions Configuration
    Desktop Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    Laptop on AC Power Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    Laptop on Battery Power Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    General Settings Prevent temporary FileVault key storage during standby Disabled
    Disable device sleep Disabled

CIS Benchmark Compliance Level 2 - macOS

Template name: CIS Benchmark Compliance Level 2 – macOS

Template Configuration:

  • macOS > Passcode
  • Settings Configuration
    Allow simple value Enabled
    Require alphanumeric value Enabled
    Change password at next login Disabled
    Minimum passcode length 15
    Minimum complex characters 1
    Maximum passcode age in days 1
    Auto lock
    Passcode history 15
    Grace period for device to lock
    Maximum failed attempts 5
    Custom regular expression Disabled
  • macOS > Restrictions
  • Restrictions Configuration
    Allow Device Functionality Auto-unlock with Apple Watch in proximity Enabled
    Touch ID Enabled
    Definition lookup Enabled
    Enforce on-device-only dictation Disabled
    Universal control Enabled
    USB restricted mode Enabled
    Incoming Airplay requests Disabled
    Allow personalized ads from Apple Disabled
    Install configuration profiles Enabled
    Allow App Settings Stream using Music app Enabled
    Camera Enabled
    Game Center (Add friends in Game Center, Game Center account modifications, Multiplayer gaming) Disabled
    App Store Allow software update notifications only Disabled
    Finder Settings Burn data to disk Enabled
    Connect to local servers or on the internet Enabled
    Eject mounted volumes Enabled
    Go to Folder Enabled
    Show external hard disks on desktop Enabled
    Show hard disk on desktop Disabled
    Show mounted file servers on desktop Disabled
    Show removable media items on desktop Enabled
    Warn the user before emptying the trash Enabled
    Security Ask for password when removing the policy Disabled
    Timeout for Fingerprint 48 hour(s)
    Send diagnostics Disabled
    Allow iCloud Options Back to My Mac Enabled
    Find My Mac Enabled
    iCloud Mail Enabled
    Calendar Enabled
    Reminder Enabled
    Address Book Enabled
    Notes Enabled
    Auto-upload files in Desktop and Documents Disabled
    Sync bookmarks with iCloud Enabled
    Document and key-value sync Enabled
    Sync passwords across devices Enabled
    Photo library Enabled
    Freeform services Enabled
  • macOS > Advanced Restrictions
  • Restrictions Configuration
    Device Functionality and Personalization Screen Capture (Remote Screen Observation) Enabled
    AirDrop Disabled
    Wallpaper Modification Enabled
    Dictation Enabled
    Handoff Enabled
    iTunes or Finder File Sharing Enabled
    Show Web Results in Spotlight Search Enabled
    iPhone mirroring Enabled
    Show Wi-Fi status in menu bar Disabled
    Show Bluetooth status in menu bar Disabled
    Security and Privacy Activation Lock Enabled
    Content caching Restrict
    Erase all content and settings Enabled
    Passcode Modification Enabled
    Autofill Passwords Enabled
    Safari AutoFill Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
    Users can modify File Sharing settings Disabled
    Users can modify Bluetooth Sharing settings Disabled
    Users can modify Printer Sharing settings Disabled
    Users can modify Internet Sharing settings Disabled
    Users can modify Remote Management Sharing settings Disabled
    Users can modify Remote Apple Events Sharing settings Disabled
    Users can modify an account Enabled
    Users can modify Device Name Enabled
    Users can create local user accounts Enabled
    Users can add or remove Touch ID/Face ID Enabled
    Users can modify Time Machine settings Enabled
    Users can modify Startup Disk settings Enabled
    Guest Account Disabled
    Keyboard entry for Terminal app Disabled
    Software update deferment 15
    Users can modify Media Sharing settings Disabled
    Bypass screen capture alert Disabled
    App Installation From Mac App Store and Identified Developers
    App Store Restrict app installations to admin users Disabled
    Restrict App Store to Software Updates Only Disabled
    Disable App Store app adoption Disabled
    Restrict App Store to apps installed via MDM and software updates only Disabled
    Secure Wi-Fi Settings Enforce admin authorization when switching between Wi-Fi networks Disabled
    Enforce admin authorization to enable IBSS Disabled
    Enforce admin authorization to turn Wi-Fi on/off Disabled
    Allow Apple Intelligence Image playground Enabled
    Writing tools Enabled
    ChatGPT integration Enabled
    ChatGPT user account sign-in Enabled
  • macOS > Security > Firewall
  • Restrictions Configuration
    Firewall Enable Firewall Enabled
    Enable stealth mode Enabled
    Enable logging Disabled
    Logging level Throttled
    Block all incoming connections Disabled
    Allow incoming connections to built-in software Enabled
    Allow incoming connections to downloaded signed software Enabled
    Applications Allow/block incoming connections to the following apps Allow incoming connections
  • macOS > Security > FileVault
  • Settings Configuration
    Prevent FileVault from being disabled Disabled
    Prevent FileVault from being enabled Disabled
    Enable FileVault Enabled
    Encrypt using Institutional and Personal Recovery Key
    Encryption certificate
    Escrow Personal Recovery Key Disabled
    Show Personal Recovery Key to user Enabled
    Skip enabling FileVault at user login Disabled
    Require user to unlock FileVault after hibernation Disabled
  • macOS > Security > Login Window Preferences
  • Settings Configuration
    Display login window as Name and password
    Hide Shut Down button Disabled
    Hide Restart button Disabled
    Hide Sleep button Disabled
    Disable login items bypass Disabled
    Disable Console Access from Login Screen Disabled
    Disable Shut Down while user is logged in Disabled
    Disable Restart while user is logged in Disabled
    Disable Power Off while user is logged in Disabled
    Disable Log Out while user is logged in Disabled
    Disable Immediate Screen Lock options Disabled
    Password hints Disabled
    Automatic login Disabled
    Show text to display in the Login Window* Welcome
    Show Admin Host Info
  • macOS > Patches & Updates > Software Update Preferences
  • Restrictions Configuration
    Software Update Preferences Automatically check for new updates Enabled
    Automatically download new updates Enabled
    Automatically install macOS updates Enabled
    Automatically install app updates Enabled
    Automatically install critical updates Enabled
    Automatically install configuration data Enabled
    Install pre-release software Not Configured
    Force admin privilege requirement for software updates Not Configured
    Install Rapid Security Responses Not Configured
    Allow removal of Rapid Security Responses Not Configured
    Defer Software Updates Defer major upgrades Not Configured
    Defer minor upgrades Not Configured
    Defer app upgrades Not Configured
  • macOS > Configurations > Setup Assistant
  • Settings Configuration
    Skip Privacy setup Disabled
    Skip signing in with Apple ID Disabled
    Skip iCloud Storage setup Disabled
    Skip Siri setup Disabled
    Skip Choose Your Look setup Disabled
  • macOS > Configurations > Screensaver
  • Settings Configuration
    Enable Screensaver Enabled
    Login window screensaver idle time 1 min
    Screensaver idle time 20 min
    Require Password to unlock screen Enabled
    Set delay for password prompt 5 sec
  • macOS > Configurations > Energy Saver
  • Restrictions Configuration
    Desktop Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    Laptop on AC Power Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    Laptop on Battery Power Automatically startup on power loss Disabled
    Idle timeout for system sleep 0 mins
    Idle timeout for display sleep 0 mins
    Wake for network access Disabled
    General Settings Prevent temporary FileVault key storage during standby Disabled
    Disable device sleep Disabled
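The two macOS CIS templates above push the same FileVault, firewall, screensaver, guest-account and software-update settings, and the question a practitioner has after associating either policy is whether those settings actually landed on the device. The script below is an added example, not Hexnode's code and not part of either template: a POSIX shell audit that reads a Mac's live state and flags drift from the template values. The command names (`fdesetup`, `socketfilterfw`, `defaults`) and preference keys are real macOS ones; the exact output strings the checks match, and the sample outputs used to exercise them, are assumptions to confirm against the macOS version in your fleet.

```shell
#!/bin/sh
# Added example, not Hexnode's code: audit a Mac's live state against the
# values the two macOS CIS templates above push (FileVault on, firewall and
# stealth mode on, screensaver idle <= 20 min, guest account off, automatic
# software updates on). Each check_* function takes the raw output of the
# macOS command named in its comment and returns 0 (compliant) or 1 (drift),
# so the checks can be exercised offline with constructed output; the live
# commands run only on macOS. Command names are real; the exact output
# strings matched are assumptions to confirm on your macOS version.

# Input: output of `fdesetup status`. Template: Enable FileVault = Enabled.
check_filevault() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Inputs: `socketfilterfw --getglobalstate` and `--getstealthmode` output.
# Template: Enable Firewall = Enabled, Enable stealth mode = Enabled.
check_firewall() {
    case "$1" in *disabled*) return 1 ;; *enabled*) ;; *) return 1 ;; esac
    case "$2" in *disabled*) return 1 ;; *enabled*) return 0 ;; *) return 1 ;; esac
}

# Inputs: `defaults -currentHost read com.apple.screensaver idleTime` (seconds)
# and the template limit in minutes (Screensaver idle time = 20 min).
# 0 means "never", which is drift, not compliance; non-numeric is drift.
check_screensaver_idle() {
    idle=$1
    limit_s=$(( $2 * 60 ))
    case "$idle" in ''|*[!0-9]*) return 1 ;; esac
    [ "$idle" -gt 0 ] && [ "$idle" -le "$limit_s" ]
}

# Input: `defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled`.
# Template: Guest Account = Disabled. An absent key (empty output) counts as 0.
check_guest_disabled() {
    [ "${1:-0}" = "0" ]
}

# Input: one "Key value" line per com.apple.SoftwareUpdate preference
# (see run_live_audit for how it is collected). Template: every
# "Automatically ..." setting = Enabled, so all five keys must read 1.
check_software_update() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(AutomaticCheckEnabled|AutomaticDownload|AutomaticallyInstallMacOSUpdates|ConfigDataInstall|CriticalUpdateInstall)$/ {
            seen++; if ($2 != "1") bad++
        }
        END { if (seen == 5 && bad == 0) exit 0; exit 1 }'
}

# Gather live state (run as root so fdesetup/socketfilterfw answer) and report.
run_live_audit() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    su_state=""
    for k in AutomaticCheckEnabled AutomaticDownload AutomaticallyInstallMacOSUpdates \
             ConfigDataInstall CriticalUpdateInstall; do
        su_state="$su_state$k $(defaults read /Library/Preferences/com.apple.SoftwareUpdate "$k" 2>/dev/null)
"
    done
    report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }
    report check_filevault "$(fdesetup status)"
    report check_firewall "$("$fw" --getglobalstate)" "$("$fw" --getstealthmode)"
    report check_screensaver_idle "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" 20
    report check_guest_disabled "$(defaults read /Library/Preferences/com.apple.loginwindow GuestEnabled 2>/dev/null)"
    report check_software_update "$su_state"
}

if [ "$(uname -s)" = "Darwin" ]; then
    run_live_audit
fi
```

Run it as root on an enrolled Mac after the policy has been associated; it prints one PASS/FAIL line per check. Two caveats when reading the results. The checks confirm the end state on the device, not that the profile itself is installed, so a FAIL after a successful policy push usually means a user changed the setting afterwards (both templates leave most "Users can modify" restrictions enabled). And both templates leave "Escrow Personal Recovery Key" disabled while showing the key to the user, so a FileVault PASS tells you the disk is encrypted but not that an administrator can recover it; enable escrow in your copy of the template if you need that.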

CIS Benchmark Compliance - Windows

The CIS Benchmarks are compliance guidelines for securely configuring IT systems. They provide best practices to reduce vulnerabilities and enhance security, covering areas such as password policies, account management, and system services. Adhering to these guidelines helps improve security and ensure regulatory compliance. Currently, Hexnode supports making Windows devices partially CIS Benchmark compliant.

Template name: CIS Benchmark Compliance – Windows

Description: Apply this template to get one step closer to CIS compliance on your Windows devices. 

Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.

Template Configuration:

  • Windows > Password
  • Password settings Configuration
    Allow simple value Disabled
    Password type Alphanumeric password
    Minimum password length 14
    Password Complexity Digits, lowercase and uppercase letters
    Minimum password age (in days) 365
    Auto-lock (in minutes) 15
    Password history 24
    Failed attempt before wipe 0
  • Windows > Restrictions
  • Restrictions Configuration
    Allow device functionality Camera Disabled
    Cortana voice assistant Enabled
    Use Cortana if device is locked Enabled
    Use storage card and USB drives Disabled
    Telemetry Disallow
    Location services Force Location Off
    Change language Enabled
    Users can enable/disable Workplace Enabled
    Users can change AutoPlay settings Enabled
    Allow App Settings Sync Settings Enabled
    Allow SignIn Options Enabled
    Allow News and Interests Disabled
    Allow Network Settings Wi-Fi Enabled
    Bluetooth Enabled
    Discover device over Bluetooth Enabled
    Users can turn VPN on/off Enabled
    Connect to VPN if on mobile network Enabled
    Connect to VPN if roaming Enabled
    Cellular data roaming Enabled
    Allow Security and Privacy Settings Manual MDM administration removal Enabled
    Show toast notification on lock screen Disabled
    Account Settings OneDrive file sync Disabled
  • Windows > Advanced Restrictions
  • Restrictions Configuration
    Allow device functionality Users can reset the device Enabled
    Users can change date and time Disabled
    Users can change power and sleep settings Enabled
    Allow Embedded Mode Disabled
    Allow Region Enabled
    Allow App Settings Unlock developer options Not Configured
    Search can use user location Disabled
    Allow Network Settings Internet Sharing Enabled
    Connect to Wi-Fi Sense automatically Disabled
    Connect to external Wi-Fi networks manually Enabled
    Wi-Fi Direct Enabled
    Allow Security and Privacy Settings Install provisioning package Enabled
    Mandate signed certificate for provisioning package Disabled
    Remove provisioning package Enabled
    Receive advertisements over Bluetooth Disabled
    Pair with other devices automatically Disabled
    Users can download Windows beta updates Disallow
    Windows AI AI Data Analysis Not Configured
    Customize Start Menu Documents folder Not enforced
    Downloads folder Not enforced
    File Explorer Not enforced
    Home group Not enforced
    Music folder Not enforced
    Networks Not enforced
    Personal folder Not enforced
    Pictures folder Not enforced
    Settings Not enforced
    Videos folder Not enforced
    Account Settings Block Microsoft accounts Not Configured
    Users can change account settings Enabled
    Users can add non-Microsoft accounts Enabled
    Users can connect using Microsoft accounts Enabled
  • Windows > Threat Management > Microsoft Defender
  • Policy Settings Configuration
    Microsoft Defender Application Guard Microsoft Defender Application Guard Enabled
    Clipboard behavior Turn On clipboard operation from an isolated session to the host
    Clipboard settings Allow copying texts
    Print behavior None
    Block non-enterprise content Disabled
    Data persistence Disabled
    Virtual GPU Disabled
    Save files to host Disabled
    Certificate Thumbprints Not configured
    Access Camera and Microphone Disabled
    Windows Defender Security Center Enable account protection UI Enabled
    Enable app and browser protection UI Enabled
    Disallow exploit protection override Enabled
    Enable Device security UI Enabled
    Disable TPM Firmware update warning Disabled
    Show the Security processor (TPM) troubleshooting area Enabled
    Disable Clear TPM button Disabled
    Hide the Secure boot area Disabled
    Notifications Display all notifications
    Enable family UI Enabled
    Enable health UI Enabled
    Enable network UI Enabled
    Enable virus UI Enabled
    Hide the Ransomware data recovery area Disabled
    Enable customized toasts Disabled
    Enable in-app customization Disabled
    Company name Not configured
    Email address Not configured
    Phone number/Skype ID Not configured
    Help portal URL Not configured
    Hide Windows Security notification area control Disabled
  • Windows > Security > BitLocker
  • BitLocker Settings Configuration
    Require encryption for OS and fixed data drives Enabled
    Hide warning about existing third-party encryption Disabled
    Recovery Password rotation Not Configured
    Escrow recovery password to Hexnode UEM Enabled
    OS Drive Settings
    Configure BitLocker OS drive policy Enabled
    Configure encryption method Disabled
    Configure additional startup authentication settings Enabled
    Allow BitLocker to be activated on devices without a compatible TPM Disabled
    Configure advanced authentication options for devices with compatible TPM Required Options: Startup PIN
    Minimum PIN length 6
    Configure pre-boot recovery message and URL Disabled
    Users must generate a recovery key or password Recovery Key, Password or both
    Save BitLocker recovery information to Active Directory Domain Services (AD DS) Password and Key
    Block certificate-based data recovery agent Enabled
    Hide recovery options on the device Enabled
    Do not enable BitLocker until recovery information is stored in AD DS Enabled
    Fixed Drive Settings
    Configure BitLocker fixed drive policy Enabled
    Configure encryption method Disabled
    Block access to drives not protected by BitLocker Disabled
    Configure recovery options Enabled
    Users must generate a recovery key or password Recovery Key, Password or both
    Save BitLocker recovery information to Active Directory Domain Services (AD DS) Disabled
    Block certificate-based data recovery agent Disabled
    Hide recovery options on the device Disabled
    Do not enable BitLocker until recovery information is stored in AD DS Disabled
    Removable Drive Settings
    Configure BitLocker removable drive policy Enabled
    Configure encryption method Disabled
    Block access to drives not protected by BitLocker Enabled
  • Windows > Configurations > Screensaver
  • Screensaver Settings Configuration
    Enable Screensaver Enabled
    Select Screensaver Blank
    Require Password to unlock screen Enabled
    Start screensaver after _ minutes of inactivity 15
    Prevent user from accessing screensaver settings on device Disabled
  • Windows > Patches & Updates > Windows Update Preferences
  • Settings Configuration
    Update drivers Disabled
    Optional Updates Not Configured
    Download updates over metered network Not Configured
    Ignore download limits for app updates Not Configured
    Ignore download limits for OS updates Not Configured
    Automatic wake up for maintenance Enabled
    Disable WUfB Safeguards Disabled
    Target product Not Configured
    Target version Not Configured
    Feature update uninstall period 10 day(s)
    Pre-release builds Not Configured
    Update channel Semi-annual
    Update Deferral
    Defer Quality Updates Enabled
    Deferral period (Defer Quality Updates) 0 day(s)
    Defer Feature Updates Enabled
    Deferral period (Defer Feature Updates) 0 day(s)
  • Windows > Patches & Updates > Windows Update Experience
  • Settings Configuration
    Microsoft App Update Service Disabled
    Automatic update behavior Auto install updates and notify users to restart if required
    Active hours Start time: 8:00 AM
    End time: 5:00 PM
    Maximum range of active hours 18 hours
    Skip restart checks Disabled
    Disable pause updates Enabled
    Disallow users to check for updates Disabled
    Notifications
    Update notification level Default Windows Notification
    Notifications during Active Hours Not Configured
    Auto-restart notifications Not Configured
    Deadlines
    Configure update deadlines Disabled
    Configure restart deadlines Disabled
    Configure engaged restart deadlines Disabled

POS Device Policy

A pre-configured policy template for securing point-of-sale (POS) devices with the necessary security configurations and restrictions.

Template name: POS Device Policy

Description: Secure POS devices by enforcing pre-configured security configurations.

Template Configuration:

  • iOS > Basic Restrictions
  • Restrictions Configuration
    Allow Device Functionality Camera Enabled
    FaceTime Enabled
    Screen capture Enabled
    Allow Remote Screen Observation Enabled
    Touch ID Enabled
    Siri Enabled
    Allow Siri while device is locked Enabled
    Voice dialing Enabled
    Automatic sync while roaming Enabled
    Allow Application Settings Install apps Disabled
    iTunes Store Enabled
    Force user to enter iTunes store password for each purchase Enabled
    In-app purchases Enabled
    Trust enterprise app Enabled
    Users can modify enterprise app trust Enabled
    Backup enterprise-deployed iBooks Enabled
    Sync managed app data with iCloud Disabled
    YouTube Enabled
    Safari Enabled
    Autofill Enabled
    Fraud warning Disabled
    JavaScript Enabled
    Block pop-ups Enabled
    Accept cookies Always
    Access Passbook when the device is locked Disabled
    Add friends in Game Center Enabled
    Allow iCloud Settings Backup Enabled
    Sync documents Enabled
    Photo Stream Enabled
    Share photo streams Enabled
    iCloud photo library Enabled
    Sync enterprise book metadata across devices Enabled
    Allow Security and Privacy Settings Lock screen notifications Enabled
    Today View on lock screen Enabled
    Control Center on lock screen Enabled
    Over the air PKI updates Enabled
    Limit ad tracking Disabled
    Send diagnostic data to Apple Enabled
    Accept untrusted TLS certificate Enabled
    Force encrypted backup Disabled
    Show notification on Apple Watch if worn Disabled
    Allow Explicit Content Explicit music, podcasts and iTunes services Enabled
    iBooks store erotica Disabled
    Rating region United States
    Movies Allow All Movies
    TV Shows Allow All TV Shows
    Apps Allow All Apps
  • iOS > Advanced Restrictions
  • Restrictions Configuration
    Allow Device Functionality AirDrop Enabled
    Apps can modify cellular data usage Enabled
    Add or remove Touch ID/Face ID Enabled
    iMessage Enabled
    RCS messaging Enabled
    Game Center Enabled
    Multiplayer gaming Enabled
    Install configuration profile Enabled
    Handoff Enabled
    Definition lookup Enabled
    Predictive keyboard Enabled
    Auto-correct words Enabled
    Suggest words on misspellings Enabled
    QuickPath Keyboard Enabled
    Keyboard shortcuts Enabled
    USB Drive Access in Files App Enabled
    Network Drive Access in Files App Enabled
    Pair with Apple Watch Enabled
    Modify diagnostic data submission settings Enabled
    Modify Bluetooth settings Enabled
    Use voice to type Enabled
    Force Wi-Fi ON Enabled
    Connect to MDM-configured Wi-Fi networks only Disabled
    Users can modify Personal Hotspot settings Enabled
    Create VPN configuration Enabled
    AirPrint Enabled
    Connect with iBeacon Enabled
    Store AirPrint credentials in Keychain Enabled
    Use trusted certificates for secure printing Disabled
    Modify cellular plan settings Enabled
    eSIM Modification Enabled
    Outgoing eSIM transfer Enabled
    Live Voicemail Enabled
    Force preserve eSIM on erase Disabled
    Auto dimming Enabled
    iPhone mirroring Enabled
    Call recording Enabled
    Allow App Settings Install app from App Store Disabled
    Install apps from third-party app marketplaces Enabled
    Install apps from web Enabled
    Remove apps Disabled
    Remove system apps Enabled
    iBooks store Enabled
    Apple Music Enabled
    iTunes Radio Enabled
    News Enabled
    Podcasts Enabled
    Download all purchased apps automatically Enabled
    Lock apps Enabled
    Hide apps Enabled
    Allow Security and Privacy Settings Activation Lock Disabled
    Modify an account Enabled
    Erase content and settings Enabled
    Siri can access user-generated content Enabled
    Find My Friends Enabled
    Find My Device Enabled
    Modify Find My Friends Enabled
    Use profanity filter Disabled
    Show web results using Spotlight Search Enabled
    Modify Restrictions/Screen Time Enabled
    Modify passcode Enabled
    Modify device name Enabled
    Users can modify default browser Enabled
    Modify wallpaper Enabled
    Users can turn notifications on/off Enabled
    Force Automatic Date and Time Disabled
    Autofill Passwords Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
    Allow USB accessories when locked Disabled
    Prevent pairing with non-Configurator hosts Disabled
    Shared iPad temporary session Enabled
    Allow Apple Intelligence Genmoji Enabled
    Image Playground Enabled
    Image Wand Enabled
    Personalized Handwriting Results Enabled
    Writing Tools Enabled
    Mail Summary Enabled
    ChatGPT integration Enabled
    ChatGPT user account sign-in Enabled
  • iOS > App Management > Blocklist/Allowlist
    Policy Setting Apps
    Allowlist Settings Phone, FaceTime
  • Android > Basic Restrictions
    Policy Settings Configuration
    Allow Device Functionality Camera Enabled
    USB Mass Storage Enabled
    USB file transfer Disabled
    Home button Enabled
    Power Off Disabled
    Safe mode Enabled
    Airplane mode Enabled
    Lock screen shortcuts Enabled
    Widgets on lock screen Enabled
    Screen Orientation Allow user to choose
    Screen Timeout Keep Current Settings
    Allow Network Settings Wi-Fi Enabled
    Force Wi-Fi Enabled
    Bluetooth Enabled
    Force Bluetooth Disabled
    Mobile data Enabled
    Tethering Enabled
    USB tethering Enabled
    Bluetooth tethering Enabled
    Portable Wi-Fi hotspot Users can choose
    Data roaming Enabled
    Connect to 2G network Enabled
    Allow Location Settings Mock location Enabled
    GPS Enabled
    Force GPS to fetch location Enabled
    Allow Sync Settings Backup service Disabled
    Security Options Allow MDM Administration removal Disabled
  • Android > Advanced Restrictions
  • Policy Setting Configuration
    Allow Device functionality Microphone Enabled
    Screen capture Disabled
    Clipboard Disabled
    Share via other apps Enabled
    Users can adjust volume Enabled
    Make a call Enabled
    Receive calls Enabled
    USB Host Storage Enabled
    Allow input methods Enabled
    Allow Settings Developer mode Enabled
    USB debugging Enabled
    Modify settings Enabled
    Power saving mode Enabled
    Users can enable location sharing Enabled
    Factory Reset Enabled
    Advanced Factory Reset Enabled
    Read any connected physical external media Enabled
    Disable screen lock if the screen was turned off Disabled
    Configure VPN Enabled
    Automatically power off a device when power cable is detached Disabled
    Automatically power on a device when power cable is connected Disabled
    Date and Time Settings Set date and time automatically Enabled
    Set time zone automatically Enabled
    Allow users to modify date, time and time zone Enabled
    Time format Keep Current Settings
    Lock Screen Customizations Lock Screen Camera Enabled
    Trust Agents for Smart Lock Enabled
    Lock Screen Notifications Enabled
    Fingerprint Unlock Enabled
    Iris Scanner Enabled
    Face Unlock Enabled
    Unredacted Notifications Enabled
    Allow App Settings Install apps Enabled
    Uninstall apps Enabled
    Control apps Enabled
    Google Play Store Enabled
    Verify apps before install Disabled
    Install apps from unknown sources Enabled
    App Runtime Permissions Default
    Parent profile app linking Enabled
    Allow cross-profile app communication Disabled
    Factory Reset Protection (Google Account Verification) Default
    Accessibility Settings Accessibility services Enabled
    Accessibility services Disabled
  • Kiosk Lockdown > iOS Kiosk Lockdown > Multi App
    Apps added in kiosk: Settings, Phone, FaceTime
  • Kiosk Lockdown > Android Kiosk Lockdown > Multi App
    Apps added in kiosk: Google Chrome
  • Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings
    Policy Setting Configuration
    Users can turn Wi-Fi on/off Disabled
    Connect to and switch between saved Wi-Fi networks Disabled
    Add hidden Wi-Fi networks Disabled
    Users can delete Wi-Fi networks Disabled
    Users can disconnect from currently connected network Disabled
    Show all available Wi-Fi networks Disabled
    Auto-exit Wi-Fi settings page in Disabled
    Wi-Fi Hotspot Disabled
    Users can configure Wi-Fi hotspot Disabled
    Users can turn mobile data on/off Disabled
    Users can choose preferred network type Disabled
    Allow users to turn Bluetooth on/off Disabled
    Airplane mode Disabled
    Users can enable accessibility settings Disabled
    Display Disable system bars Disabled
    Enable status bar Disabled
    Keep screen On Enabled
    Brightness Keep current brightness
    Hardware/software buttons Users can turn device Off Enabled
    Disable volume button Disabled
    Enable Recent apps button Disabled
    Advanced Lock Lock task mode Disabled
    System Info Disabled
    Home button Disabled
    Notifications Disabled
    Recent apps button Disabled
    Global actions Disabled
    Activate Lock task mode on reboot while the device is locked Disabled
    Hexnode MDM Settings Show option to manually exit kiosk lockdown Disabled
    Grant Hexnode MDM any newer permissions manually Disabled
    Sync device with MDM Disabled
    Show device and server information Disabled
    App Settings Access app catalogs in kiosk Disabled
    Show blocked package name on the device Enabled
    Disable app crash reporting Disabled
    Clear apps from background when user leaves the app Disabled
    Enable required app installation in kiosk Disabled
    Location Users can add location notes Disabled
    Messenger View messages sent by admin Disabled
    Other options Allow users to turn flashlight on/off Disabled
    Allow users to modify device password Disabled
    Floating icon Disabled
    Tap & Swipe gesture Disabled
    Triple tap on the top-right corner of the screen to show device and server details option Disabled
    Triple tap on the top-right corner of the screen to show peripheral settings Disabled
  • Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
    Policy Settings Configuration
    Allow manually exiting kiosk mode Enabled
    Number of taps to display the popup to enter the exit passcode 10
    Exit manually from kiosk mode while an app is open Disabled
    Reboot and tap to exit from kiosk mode Enabled
    Relaunch app 20 seconds after reboot
    Auto-enable kiosk mode Disabled

Website Kiosk for Android TV

A pre-configured policy to set up a website kiosk on Android TVs.

Template name: Website Kiosk for Android TV

Description: Lock down your Android TVs to a specific website using website kiosk mode.

Template Configuration:

  • Kiosk Lockdown > Android Kiosk Lockdown > Single App
    Apps added: Hexnode MDM Portal (Web App)
  • Kiosk Lockdown > Android Kiosk Lockdown > Launcher
    Policy Settings Configuration
    Auto-Launch Select app Hexnode MDM Portal
    App auto-launch delay 20 seconds
    Customizations Customize kiosk launcher Disabled
    Icon size Medium
    Font size Small
    Title bar height 10 % of screen height
    Logo height 50 % of title bar height
    Logo width 25 % of screen width
    Title font Helvetica
    Title height 50 % of title bar height
    Title color Default
    Title bar background color Default
    Logo-title alignment Left
  • Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
    Policy Settings Configuration
    Allow manually exiting kiosk mode Enabled
    Number of taps to display the popup to enter the exit passcode 10
    Exit manually from kiosk mode while an app is open Disabled
    Reboot and tap to exit from kiosk mode Enabled
    Relaunch app 20 seconds after reboot
    Auto-enable kiosk mode Disabled

Kiosk Lockdown for Android TV

A policy template to lock down Android TV to a set of apps using pre-configured kiosk configurations.

Template name: Kiosk Lockdown for Android TV

Description: Lock down your Android TV to a handful of applications.

Template Configuration:

Android TV Security Settings

A policy template to secure Android TV using password policies and restrictions.

Template name: Android TV Security Settings

Description: Secure Android TV by enforcing password rules and restrictions.

Template Configuration:

  • Android > Password > Device Password
    Policy Settings Configuration
    Minimum password complexity: None
    Customize password complexity: Enabled
    Password Complexity: Alphanumeric
    Minimum Passcode Length: 8
    Auto-lock after: 5
  • Android > Restrictions > Basic
    Policy Settings Configuration
    Allow Device Functionality
      Camera: Enabled
      USB Mass Storage: Enabled
      USB file transfer: Disabled
      Home button: Enabled
      Power Off: Disabled
      Safe mode: Enabled
      Airplane mode: Enabled
      Lock screen shortcuts: Enabled
      Widgets on lock screen: Enabled
      Screen Orientation: Allow user to choose
      Screen Timeout: Keep Current Settings
    Allow Network Settings
      Wi-Fi: Enabled
      Force Wi-Fi: Enabled
      Bluetooth: Disabled
      Force Bluetooth: Disabled
      Mobile data: Enabled
      Tethering: Enabled
      USB tethering: Enabled
      Bluetooth tethering: Enabled
      Portable Wi-Fi hotspot: Users can choose
      Data roaming: Enabled
      Connect to 2G network: Enabled
    Allow Location Settings
      Mock location: Enabled
      GPS: Enabled
      Force GPS to fetch location: Enabled
    Allow Sync Settings
      Backup service: Enabled
    Security Options
      Allow MDM Administration removal: Enabled

To create a policy from a template, you can either copy the template to My Policies, or choose the template directly while creating a new policy.

To choose the template directly while creating a policy,

  1. In the Hexnode portal, go to Policies.
  2. Click on New Policy and select the template that you want to use.
  3. Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
  4. Click on Ok > Save.

To copy the template to My Policies,

  1. In the Hexnode portal, go to Policies > Templates.
  2. Select the template that you want to copy and click on Manage.
  3. Click on Copy to My Policies.
  4. Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
  5. Click on Ok > Save.

Apart from devices, you can also associate the policy to Device Groups, Users, User Groups and Domains.
