How to use pre-configured policy template in Hexnode UEM for easy policy deployment
A Hexnode UEM policy template is a pre-configured policy that you can copy to create new policies and associate them with target devices. Apart from the default templates, you can also create your own templates in the Hexnode portal.
To associate a policy template with target devices, first copy it to My Policies. You can use the copied policy as it is, or modify it before associating it with devices. Because any number of policies can be created from one template, you only need to build the template once and copy it each time you want a policy with the same configuration. Review the copied settings before you associate the policy: several of the templates below keep permissive defaults (for example, a minimum Wi-Fi security level of Open, USB debugging enabled in the BYOD template, and untrusted TLS certificates accepted on iOS), which you may need to tighten for your environment.
Hexnode’s Pre-defined Policy Templates include:
- Android Website kiosk
- BitLocker Security Policy
- BYOD Policy for Corporate Data Containerization
- Expense Management Policy
- HIPAA Compliance Policy
- iOS Single App Kiosk Policy
- Location Policy
- Samsung Knox Policy
- Standard DLP Policy
- CIS Benchmark Compliance Level 1 – macOS
- CIS Benchmark Compliance Level 2 – macOS
- CIS Benchmark Compliance – Windows
- POS Device Policy
- Website Kiosk for Android TV
- Kiosk Lockdown for Android TV
- Android TV Security Settings
Pre-configured templates in Hexnode:
A pre-configured policy template that locks Android devices down to a small set of websites in multi-app kiosk mode.
Template name: Android Website Kiosk
Description: Lock down Android devices to a handful of websites.
Template Configuration:
Kiosk Lockdown > Android Kiosk Lockdown > Multi App: Amazon feedback & Amazon affiliates.
A policy pre-configured to enable BitLocker drive encryption along with Windows password requirements.
Template name: BitLocker Security Policy
Description: Enable BitLocker encryption for industry-standard security.
Template Configuration:
- Windows > Password
- Windows > Security > BitLocker
Password settings | Configuration |
---|---|
Allow simple value | Disabled |
Password type | Users can choose |
Minimum Password length | 8 |
Minimum complex characters | Digits only |
Minimum passcode age (in days) | 0 |
Auto-Lock (in minutes) | 0 |
Passcode history | 0 |
Failed attempt before wipe | 0 |
Note that the passcode age, auto-lock, history and failed-attempt values in this template are all 0, which leaves those controls unenforced; set them in your copy of the policy if your baseline requires password expiry, an inactivity lock or a wipe threshold.
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Enable |
Allow BitLocker without a Trusted Platform Module (TPM) | Select default value |
Authenticate with TPM startup key | Disallow |
Authenticate with TPM startup pin | Disallow |
Authenticate with TPM startup key and PIN | Disallow |
Enable TPM during startup | Disallow |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Show default recovery message and URL |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
A policy template to protect corporate data on iOS and Android BYOD devices.
Template name: BYOD Policy for Corporate Data Containerization
Description: A common policy for iOS & Android devices to safeguard the corporate data in Managed apps and Work containers.
Template Configuration:
- iOS > Restrictions
- iOS > Advanced Restrictions
- iOS > Security > Business Container
- Android > Advanced Restrictions
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | Camera | Enabled |
FaceTime | Enabled | |
Screen capture | Enabled | |
Touch ID | Enabled | |
Siri | Enabled | |
Allow Siri while device is locked | Enabled | |
Voice dialing | Enabled | |
Automatic sync while roaming | Enabled | |
Allow Application Settings | Show App Store on the device | Enabled |
iTunes Store | Enabled | |
Force user to enter iTunes store password for each purchase | Enabled | |
In-app purchases | Enabled | |
Trust enterprise app | Enabled | |
Users can modify enterprise app trust | Enabled | |
Backup enterprise-deployed iBooks | Enabled | |
Sync managed app data with iCloud | Disabled | |
YouTube | Enabled | |
Safari | Enabled | |
Autofill | Enabled | |
Fraud warning | Disabled | |
JavaScript | Enabled | |
Block pop-ups | Enabled | |
Accept cookies | Always | |
Access Passbook when the device is locked | Disabled | |
Add friends in Game Center | Enabled | |
Allow iCloud Settings | Backup | Enabled |
Sync documents | Enabled | |
Photo Stream (Disallowing might cause data loss) | Enabled | |
Share photo streams | Enabled | |
iCloud photo library | Enabled | |
Sync enterprise book metadata across devices | Enabled | |
Allow Security and Privacy Settings | Lock screen notifications | Enabled |
Today View on lock screen | Enabled | |
Control Center on lock screen | Enabled | |
Over the air PKI updates | Enabled | |
Limit ad tracking | Disabled | |
Send diagnostic data to Apple | Enabled | |
Accept untrusted TLS certificate | Enabled | |
Force encrypted backup | Disabled | |
Show notification on Apple Watch if worn | Disabled | |
Allow Explicit Content | Explicit music, podcasts and iTunes U services | Enabled |
iBooks store erotica | Disabled | |
Rating region | United States | |
Content rating | ||
Movies | Allow All Movies | |
TV Shows | Allow All TV Shows | |
Apps | Allow All Apps |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Disabled |
Open documents from unmanaged apps in managed apps | Disabled |
Managed apps can write to Unmanaged Contact Accounts | Disabled |
Unmanaged apps can read from Managed Contact Accounts | Disabled |
Block Sharing Managed Document using AirDrop | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Disabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Enabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Enabled |
USB debugging | Enabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
An Android policy that sets mobile data usage notifications and restrictions to keep expenses under control.
Template name: Expense Management Policy
Description: Data/Wi-Fi usage warning & restrictions for an arbitrary monthly limit.
Template Configuration:
Android > Mobile Data Management
Data Usage Restrictions:
Restriction | Configuration |
---|---|
Enable data usage tracking | Enabled |
Enable network & data usage restrictions | Enabled |
Network Restrictions | No Restrictions |
Data Usage Notifications | Notify both User and Admin, Monthly when Mobile data exceeds 0.5 GB |
Data Usage Restrictions | Restrict and notify all, Monthly when Mobile Data exceeds 1 GB |
Reset Data Tracking | Daily at 18:30 (UTC +00:00) GMT Standard Time, Monthly on day 1 of each month |
A policy that combines iOS passcode and restriction settings, Android restrictions, and Windows (BitLocker) and macOS (FileVault) encryption to protect the confidentiality and integrity of ePHI.
Template name: HIPAA Compliance Policy
Description: Workstation and Device Security policies to protect ePHI.
Template Configuration:
- iOS > Passcode
- iOS > Advanced Restrictions
- iOS > Security > Business Container
- Android > Advanced Restrictions
- Windows > Security > BitLocker
- macOS > Security > FileVault
Policy | Configuration |
---|---|
Allow simple value | Disabled |
Require alpha numeric value | Enabled |
Minimum Passcode Length | 8 |
Minimum complex characters | 1 |
Minimum passcode age in days (0-730 days) | 30 |
Auto Lock | 1 Minute |
Passcode History (1-50 passcodes) | 5 |
Grace period for device lock | Immediately |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | 10 |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Enabled |
Open documents from unmanaged apps in managed apps | Enabled |
Managed apps can write to Unmanaged Contact Accounts | Disabled |
Unmanaged apps can read from Managed Contact Accounts | Disabled |
Block Sharing Managed Document using AirDrop | Disabled |
Note that, unlike the BYOD containerization template above, this template lets documents move between managed and unmanaged apps in both directions; if ePHI must stay inside managed apps, disable both settings in your copy of the policy.
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Enabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Select default value |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Select default value |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
Policy Settings | Configuration |
---|---|
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | HexnodeMDM FileVault Certificate |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
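The copy-and-modify workflow described at the top of this page means a policy can drift from the template it was copied from, and the tables above show that two of Hexnode's own templates already differ on the same settings (the BYOD containerization template disables document flow between managed and unmanaged apps and screen capture, while the HIPAA template enables them). The following script is an added example, not Hexnode's code: it parses setting rows in the `Setting | Configuration |` form used by the tables on this page, diffs a baseline template against a copy, and flags any change that moves a security-relevant setting away from its hardened value. The `HARDENED_VALUE` map is this example's own assumption about which value is the hardened one; the sample rows are copied from the BYOD and HIPAA templates above.

```python
"""Diff a Hexnode policy-template copy against its baseline and flag weakening.

Added example, not Hexnode's own code. It parses setting rows in the
'Setting | Configuration |' form used by the tables on this page (three-cell
rows such as 'Group | Setting | Value |' are accepted too), compares two
templates, and reports which differences move a security-relevant setting
away from its hardened value. HARDENED_VALUE is this example's assumption,
not a Hexnode baseline; adjust it to your own standard.
"""
from dataclasses import dataclass

HARDENED_VALUE = {
    "Open documents from managed apps in unmanaged apps": "Disabled",
    "Open documents from unmanaged apps in managed apps": "Disabled",
    "Block Sharing Managed Document using AirDrop": "Enabled",
    "Screen capture": "Disabled",
    "Copy contents between normal and work profiles": "Disabled",
    "Developer mode": "Disabled",
    "USB debugging": "Disabled",
    "Install apps from unknown sources": "Disabled",
    "Verify apps before install": "Enabled",
}


def parse_table(text: str) -> dict[str, str]:
    """Return {setting: value} from pipe-delimited rows.

    Header rows (last cell 'Configuration'), '---|---|' separators and rows
    with fewer than two non-empty cells are skipped. For rows that carry a
    group name in the first cell, the group name is not treated as a setting.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.split("|")]
        cells = [c for c in cells if c]
        if len(cells) < 2 or cells[-1] == "Configuration" or set("".join(cells)) <= {"-"}:
            continue
        name, value = cells[-2], cells[-1]
        settings[name] = value
    return settings


def is_weaker(setting: str, old: str, new: str) -> bool:
    """True when a tracked setting moves away from its hardened value."""
    if setting == "Minimum Wi-Fi Security Level":
        return new == "Open" and old != "Open"
    hardened = HARDENED_VALUE.get(setting)
    return hardened is not None and old == hardened and new != hardened


@dataclass(frozen=True)
class Change:
    setting: str
    old: str
    new: str
    weaker: bool


def diff_templates(baseline: dict[str, str], copy: dict[str, str]) -> list[Change]:
    """List every setting whose value differs; missing settings show as '<absent>'."""
    changes = []
    for name in sorted(set(baseline) | set(copy)):
        old = baseline.get(name, "<absent>")
        new = copy.get(name, "<absent>")
        if old != new:
            changes.append(Change(name, old, new, is_weaker(name, old, new)))
    return changes


def weakened_settings(baseline_text: str, copy_text: str) -> list[str]:
    """Names of the settings the copy loosens relative to the baseline."""
    changes = diff_templates(parse_table(baseline_text), parse_table(copy_text))
    return [c.setting for c in changes if c.weaker]


# Rows copied from the BYOD containerization template on this page
# (Business Container settings plus a few Android Advanced Restrictions).
BYOD_TEMPLATE = """
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Disabled |
Open documents from unmanaged apps in managed apps | Disabled |
Block Sharing Managed Document using AirDrop | Disabled |
Allow device functionality | Microphone | Enabled |
Screen capture | Disabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Settings | Developer mode | Enabled |
USB debugging | Enabled | |
"""

# The same rows from the HIPAA Compliance template on this page.
HIPAA_TEMPLATE = """
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Enabled |
Open documents from unmanaged apps in managed apps | Enabled |
Block Sharing Managed Document using AirDrop | Disabled |
Allow device functionality | Microphone | Enabled |
Screen capture | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
"""

if __name__ == "__main__":
    for change in diff_templates(parse_table(BYOD_TEMPLATE), parse_table(HIPAA_TEMPLATE)):
        flag = "WEAKER " if change.weaker else "tighter"
        print(f"{flag} {change.setting}: {change.old} -> {change.new}")
```

Run against the rows above, the diff reports five changes: the HIPAA template tightens Developer mode and USB debugging but loosens both managed/unmanaged document settings and screen capture. Paste the rows of your own copied policy in place of one of the constants to review it against the template it came from before associating it with devices.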
A preconfigured policy to restrict an iOS device to a single app in kiosk mode.
Template name: iOS Single App Kiosk Policy
Description: Lock down iOS devices to a single app
Template Configuration:
Kiosk Lockdown > iOS Kiosk Lockdown > Single App
An app published by Uber Technologies Inc. is configured as the single kiosk app.
Feature | Configuration | |
---|---|---|
Advanced Kiosk Settings | Disable touch | Disabled |
Disable device screen rotation | Disabled | |
Disable volume buttons | Disabled | |
Disable ringer switch | Enabled | |
Disable sleep wake button | Disabled | |
Disable auto lock | Disabled | |
Enable VoiceOver | Disabled | |
Enable Zoom | Disabled | |
Enable invert colors | Disabled | |
Enable AssistiveTouch | Disabled | |
Enable speak selection | Disabled | |
User Enabled Options | VoiceOver | Enabled |
Zoom | Enabled | |
Invert colors | Disabled | |
AssistiveTouch | Disabled |
A pre-configured location tracking policy that reports the device's location at a fixed interval.
Template name: Location Policy
Description: Enable Location Tracking on target devices.
Template Configuration:
General Settings > Location Tracking
Policy | Description |
---|---|
Enable Location Tracking | Enabled |
Location Update Interval | 1 hour |
A policy template for Samsung Knox device security.
Template name: Samsung Knox Policy
Description: Advanced restrictions that are available only on Samsung devices.
Template Configuration:
- Android > Password > Device Password
- Android > Advanced Restrictions
Password Settings | Configuration |
---|---|
Password Requirement | Alphanumeric |
Minimum Passcode Length | 8 |
Password age (in days) | – |
Auto-lock after | – |
Password History (1-50 passcodes) | – |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | – |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Disabled | |
Clipboard | Disabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Disabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
A standard data loss prevention policy for iOS, Android, Windows, and macOS devices.
Template name: Standard DLP Policy
Description: Standard Data Loss Prevention policies for optimal security.
Template Configuration:
- iOS > Passcode
- iOS > Advanced Restrictions
- Android > Advanced Restrictions
- Windows > Security > BitLocker
- macOS > Security > FileVault
Policy | Configuration |
---|---|
Allow simple value | Disabled |
Require alpha numeric value | Enabled |
Minimum Passcode Length | 8 |
Minimum complex characters | 1 |
Minimum passcode age in days (0-730 days) | 30 |
Auto Lock | 1 Minute |
Passcode History (1-50 passcodes) | 5 |
Grace period for device lock | Immediately |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | 10 |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Enabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Select default value |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Show default recovery message and URL |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
Policy Settings | Configuration |
---|---|
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | HexnodeMDM FileVault Certificate |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
The CIS (Center for Internet Security) Benchmarks are security configuration guidelines for operating systems, applications and network devices. They give organizations a standardized framework for hardening systems, reducing exposure to attacks and improving their overall security posture. The benchmarks are developed through a community consensus process and are widely recognized as best practice for securing devices across all supported platforms. Hexnode can apply a subset of the CIS Benchmark recommendations, bringing devices partially into compliance.
Template name: CIS Benchmark Compliance Level 1 – macOS
Description: Apply this template to get one step closer to CIS compliance on your macOS devices.
Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.
Template Configuration:
- macOS > Passcode
- macOS > Restrictions
  - Add friends in Game Center
  - Game Center account modifications
  - Multiplayer gaming
- macOS > Advanced Restrictions
- macOS > Security > Firewall
- macOS > Security > FileVault
- macOS > Security > Login Window Preferences
- macOS > Patches & Updates > Software Update Preferences
- macOS > Configurations > Setup Assistant
- macOS > Configurations > Screensaver
- macOS > Configurations > Energy Saver
Settings | Configuration |
---|---|
Allow simple value | Enabled |
Require alphanumeric value | Enabled |
Change password at next login | Disabled |
Minimum passcode length | 15 |
Minimum complex characters | |
Maximum passcode age in days | 1 |
Auto lock | |
Passcode history | 15 |
Grace period for device to lock | |
Maximum failed attempts | 5 |
Custom regular expression | Disabled |
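The passcode tables on this page (the HIPAA Compliance and Standard DLP templates with an 8-character alphanumeric passcode, one complex character, no simple values and a history of 5; the CIS Level 1 macOS template above with a 15-character minimum and a history of 15) use terms whose meaning is easy to misread. The script below is an added example, not Hexnode's or Apple's code, that encodes those two rule sets and checks candidate passcodes against them. It interprets the settings the way Apple's passcode payload does, which is an assumption of this example: a "simple value" is a passcode made only of repeating, ascending or descending characters; "alphanumeric" requires at least one letter and one digit; "complex characters" are characters that are neither letters nor digits. The CIS table leaves the complex-character cell blank, so the example assumes 0 there.

```python
"""Check a candidate passcode against a Hexnode-style passcode policy.

Added example, not Hexnode's or Apple's code. It encodes the rules shown
in the HIPAA Compliance and CIS Level 1 macOS passcode tables on this page
and interprets them as Apple's passcode payload does (an assumption of
this example): a 'simple value' is a passcode made only of repeating,
ascending or descending characters; 'alphanumeric' requires at least one
letter and one digit; 'complex characters' are characters that are neither
letters nor digits. History is checked against previous passcodes the
caller supplies.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class PasscodePolicy:
    min_length: int
    require_alphanumeric: bool
    min_complex_chars: int
    allow_simple: bool
    history: int  # how many previous passcodes may not be reused (0 = no check)


# Values from the HIPAA Compliance template (the Standard DLP template is identical).
HIPAA_POLICY = PasscodePolicy(min_length=8, require_alphanumeric=True,
                              min_complex_chars=1, allow_simple=False, history=5)

# Values from the CIS Benchmark Level 1 macOS template; its 'Minimum complex
# characters' cell is blank on the page, so 0 is assumed here.
CIS_L1_POLICY = PasscodePolicy(min_length=15, require_alphanumeric=True,
                               min_complex_chars=0, allow_simple=True, history=15)


def is_simple(passcode: str) -> bool:
    """True for repeating or strictly sequential passcodes such as 1111, 1234 or dcba."""
    codes = [ord(c) for c in passcode]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return len(codes) < 2 or (len(steps) == 1 and steps <= {-1, 0, 1})


def violations(passcode: str, policy: PasscodePolicy,
               previous: Sequence[str] = ()) -> list[str]:
    """Return the rules the passcode breaks; an empty list means it is compliant."""
    problems: list[str] = []
    if len(passcode) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.require_alphanumeric and not (has_letter and has_digit):
        problems.append("must contain at least one letter and one digit")
    complex_chars = sum(1 for c in passcode if not c.isalnum())
    if complex_chars < policy.min_complex_chars:
        problems.append(f"needs at least {policy.min_complex_chars} non-alphanumeric character(s)")
    if not policy.allow_simple and is_simple(passcode):
        problems.append("repeating or sequential characters are not allowed")
    # Only the most recent `history` passcodes count, as the policy setting states.
    recent = list(previous)[-policy.history:] if policy.history > 0 else []
    if passcode in recent:
        problems.append(f"reuses one of the last {policy.history} passcodes")
    return problems


def is_compliant(passcode: str, policy: PasscodePolicy,
                 previous: Sequence[str] = ()) -> bool:
    return not violations(passcode, policy, previous)


if __name__ == "__main__":
    for candidate in ("12345678", "Ph1-recordZ9", "correcthorsebattery1"):
        print(f"HIPAA  {candidate!r}: {violations(candidate, HIPAA_POLICY) or 'ok'}")
        print(f"CIS L1 {candidate!r}: {violations(candidate, CIS_L1_POLICY) or 'ok'}")
```

Note that "12345678" satisfies the 8-character minimum of the HIPAA template yet fails three of its other rules, which is why the minimum length alone is a poor measure of a passcode policy; conversely, the CIS Level 1 values accept a long all-letter-and-digit passphrase because that template allows simple values and sets no complex-character requirement.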
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | Auto-unlock with Apple Watch in proximity | Enabled |
Touch ID | Enabled | |
Definition lookup | Enabled | |
Enforce on-device-only dictation | Disabled | |
Universal control | Enabled | |
USB restricted mode | Enabled | |
Incoming Airplay requests | Disabled | |
Allow personalized ads from Apple | Disabled | |
Install configuration profiles | Enabled | |
Users can turn VPN on/off | Enabled | |
Allow App Settings | Stream using Music app | Enabled |
Camera | Enabled | |
Game Center | Disabled | |
App Store | Allow software update notifications only | Disabled |
Finder Settings | Burn data to disk | Enabled |
Connect to local servers or on the internet | Enabled | |
Eject mounted volumes | Enabled | |
Go to Folder | Enabled | |
Show external hard disks on desktop | Enabled | |
Show hard disk on desktop | Disabled | |
Show mounted file servers on desktop | Disabled | |
Show removable media items on desktop | Enabled | |
Warn the user before emptying the trash | Enabled | |
Security | Ask for password when removing the policy | Disabled |
Timeout for Fingerprint | 48 hour(s) | |
Send diagnostics | Disabled | |
Allow iCloud Options | Back to My Mac | Disabled |
Find My Mac | Enabled | |
iCloud Mail | Enabled | |
Calendar | Enabled | |
Reminder | Enabled | |
Address Book | Enabled | |
Notes | Enabled | |
Auto-upload files in Desktop and Documents | Enabled | |
Sync bookmarks with iCloud | Enabled | |
Document and key-value sync | Enabled | |
Sync passwords across devices | Enabled | |
Photo library | Enabled | |
Freeform services | Enabled |
Restrictions | Configuration | |
---|---|---|
Device Functionality and Personalization | Screen Capture | |
Remote Screen Observation | Enabled | |
AirDrop | Disabled | |
Wallpaper Modification | Enabled | |
Dictation | Enabled | |
Handoff | Enabled | |
iTunes or Finder File Sharing | Enabled | |
Show Web Results in Spotlight Search | Enabled | |
iPhone mirroring | Enabled | |
Show Wi-Fi status in menu bar | Enabled | |
Show Bluetooth status in menu bar | Enabled | |
Security and Privacy | Activation Lock | Enabled |
Content caching | Let user choose | |
Erase all content and settings | Enabled | |
Passcode Modification | Enabled | |
Autofill Passwords | Enabled | |
Safari AutoFill | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled | |
Users can modify File Sharing settings | Disabled | |
Users can modify Bluetooth Sharing settings | Disabled | |
Users can modify Printer Sharing settings | Disabled | |
Users can modify Internet Sharing settings | Disabled | |
Users can modify Remote Management Sharing settings | Disabled | |
Users can modify Remote Apple Events Sharing settings | Disabled | |
Users can modify an account | Enabled | |
Users can modify Device Name | Enabled | |
Users can create local user accounts | Enabled | |
Users can add or remove Touch ID/Face ID | Enabled | |
Users can modify Time Machine settings | Enabled | |
Users can modify Startup Disk settings | Enabled | |
Guest Account | Disabled | |
Keyboard entry for Terminal app | Enabled | |
Software update deferment | 15 | |
Users can modify Media Sharing settings | Enabled | |
Bypass screen capture alert | Disabled | |
App Installation From | Mac App Store and Identified Developers | |
App Store | Restrict app installations to admin users | Disabled |
Restrict App Store to Software Updates Only | Disabled | |
Disable App Store app adoption | Disabled | |
Restrict App Store to apps installed via MDM and software updates only | Disabled | |
Secure Wi-Fi Settings | Enforce admin authorization when switching between Wi-Fi networks | Disabled |
Enforce admin authorization to enable IBSS | Disabled | |
Enforce admin authorization to turn Wi-Fi on/off | Disabled | |
Allow Apple Intelligence | Image playground | Enabled |
Writing tools | Enabled | |
ChatGPT integration | Enabled | |
ChatGPT user account sign-in | Enabled |
Restrictions | Configuration | |
---|---|---|
Firewall | Enable Firewall | Enabled |
Enable stealth mode | Enabled | |
Enable logging | Disabled | |
Logging level | Throttled | |
Block all incoming connections | Disabled | |
Allow incoming connections to built-in software | Enabled | |
Allow incoming connections to downloaded signed software | Enabled | |
Applications | Allow/block incoming connections to the following apps | Allow incoming connections |
Settings | Configuration |
---|---|
Prevent FileVault from being disabled | Disabled |
Prevent FileVault from being enabled | Disabled |
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | – |
Escrow Personal Recovery Key | Disabled |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
Require user to unlock FileVault after hibernation | Disabled |
Settings | Configuration |
---|---|
Display login window as | Name and password |
Hide Shut Down button | Disabled |
Hide Restart button | Disabled |
Hide Sleep button | Disabled |
Disable login items bypass | Disabled |
Disable Console Access from Login Screen | Disabled |
Disable Shut Down while user is logged in | Disabled |
Disable Restart while user is logged in | Disabled |
Disable Power Off while user is logged in | Disabled |
Disable Log Out while user is logged in | Disabled |
Disable Immediate Screen Lock options | Disabled |
Password hints | Disabled |
Automatic login | Disabled |
Show text to display in the Login Window* | Welcome |
Show Admin Host Info | – |
Restrictions | Configuration | |
---|---|---|
Software Update Preferences | Automatically check for new updates | Enable |
Automatically download new updates | Enable | |
Automatically install macOS updates | Enable | |
Automatically install app updates | Enable | |
Automatically install critical updates | Enable | |
Automatically install configuration data | Enable | |
Install pre-release software | Not Configured | |
Force admin privilege requirement for software updates | Not Configured | |
Install Rapid Security Responses | Not Configured | |
Allow removal of Rapid Security Responses | Not Configured | |
Defer Software Updates | Defer major upgrades | Not Configured |
Defer minor upgrades | Not Configured | |
Defer app upgrades | Not Configured |
Settings | Configuration |
---|---|
Skip Privacy setup | Disabled |
Skip signing in with Apple ID | Disabled |
Skip iCloud Storage setup | Disabled |
Skip Siri setup | Disabled |
Skip Choose Your Look setup | Disabled |
Settings | Configuration |
---|---|
Enable Screensaver | Enabled |
Login window screensaver idle time | 1 min |
Screensaver idle time | 20 min |
Require Password to unlock screen | Enabled |
Set delay for password prompt | 5 sec |
Restrictions | Configuration | |
---|---|---|
Desktop | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
Laptop on AC Power | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
Laptop on Battery Power | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
General Settings | Prevent temporary FileVault key storage during standby | Disabled |
Disable device sleep | Disabled |
Template name: CIS Benchmark Compliance Level 2 – macOS
Template Configuration:
- macOS > Passcode
- macOS > Restrictions
  - Add friends in Game Center
  - Game Center account modifications
  - Multiplayer gaming
- macOS > Advanced Restrictions
  - Remote Screen Observation
- macOS > Security > Firewall
- macOS > Security > FileVault
- macOS > Security > Login Window Preferences
- macOS > Patches & Updates > Software Update Preferences
- macOS > Configurations > Setup Assistant
- macOS > Configurations > Screensaver
- macOS > Configurations > Energy Saver
Settings | Configuration |
---|---|
Allow simple value | Enabled |
Require alphanumeric value | Enabled |
Change password at next login | Disabled |
Minimum passcode length | 15 |
Minimum complex characters | 1 |
Maximum passcode age in days | 1 |
Auto lock | – |
Passcode history | 15 |
Grace period for device to lock | – |
Maximum failed attempts | 5 |
Custom regular expression | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | Auto-unlock with Apple Watch in proximity | Enabled |
Touch ID | Enabled | |
Definition lookup | Enabled | |
Enforce on-device-only dictation | Disabled | |
Universal control | Enabled | |
USB restricted mode | Enabled | |
Incoming Airplay requests | Disabled | |
Allow personalized ads from Apple | Disabled | |
Install configuration profiles | Enabled | |
Allow App Settings | Stream using Music app | Enabled |
Camera | Enabled | |
Game Center | Disabled | |
App Store | Allow software update notifications only | Disabled |
Finder Settings | Burn data to disk | Enabled |
Connect to local servers or on the internet | Enabled | |
Eject mounted volumes | Enabled | |
Go to Folder | Enabled | |
Show external hard disks on desktop | Enabled | |
Show hard disk on desktop | Disabled | |
Show mounted file servers on desktop | Disabled | |
Show removable media items on desktop | Enabled | |
Warn the user before emptying the trash | Enabled | |
Security | Ask for password when removing the policy | Disabled |
Timeout for Fingerprint | 48 hour(s) | |
Send diagnostics | Disabled | |
Allow iCloud Options | Back to My Mac | Enabled |
Find My Mac | Enabled | |
iCloud Mail | Enabled | |
Calendar | Enabled | |
Reminder | Enabled | |
Address Book | Enabled | |
Notes | Enabled | |
Auto-upload files in Desktop and Documents | Disabled | |
Sync bookmarks with iCloud | Enabled | |
Document and key-value sync | Enabled | |
Sync passwords across devices | Enabled | |
Photo library | Enabled | |
Freeform services | Enabled |
Restrictions | Configuration | |
---|---|---|
Device Functionality and Personalization | Screen Capture | Enabled |
AirDrop | Disabled | |
Wallpaper Modification | Enabled | |
Dictation | Enabled | |
Handoff | Enabled | |
iTunes or Finder File Sharing | Enabled | |
Show Web Results in Spotlight Search | Enabled | |
iPhone mirroring | Enabled | |
Show Wi-Fi status in menu bar | Disabled | |
Show Bluetooth status in menu bar | Disabled | |
Security and Privacy | Activation Lock | Enabled |
Content caching | Restrict | |
Erase all content and settings | Enabled | |
Passcode Modification | Enabled | |
Autofill Passwords | Enabled | |
Safari AutoFill | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled | |
Users can modify File Sharing settings | Disabled | |
Users can modify Bluetooth Sharing settings | Disabled | |
Users can modify Printer Sharing settings | Disabled | |
Users can modify Internet Sharing settings | Disabled | |
Users can modify Remote Management Sharing settings | Disabled | |
Users can modify Remote Apple Events Sharing settings | Disabled | |
Users can modify an account | Enabled | |
Users can modify Device Name | Enabled | |
Users can create local user accounts | Enabled | |
Users can add or remove Touch ID/Face ID | Enabled | |
Users can modify Time Machine settings | Enabled | |
Users can modify Startup Disk settings | Enabled | |
Guest Account | Disabled | |
Keyboard entry for Terminal app | Disabled | |
Software update deferment | 15 | |
Users can modify Media Sharing settings | Disabled | |
Bypass screen capture alert | Disabled | |
App Installation From | Mac App Store and Identified Developers | |
App Store | Restrict app installations to admin users | Disabled |
Restrict App Store to Software Updates Only | Disabled | |
Disable App Store app adoption | Disabled | |
Restrict App Store to apps installed via MDM and software updates only | Disabled | |
Secure Wi-Fi Settings | Enforce admin authorization when switching between Wi-Fi networks | Disabled |
Enforce admin authorization to enable IBSS | Disabled | |
Enforce admin authorization to turn Wi-Fi on/off | Disabled | |
Allow Apple Intelligence | Image playground | Enabled |
Writing tools | Enabled | |
ChatGPT integration | Enabled | |
ChatGPT user account sign-in | Enabled |
Restrictions | Configuration | |
---|---|---|
Firewall | Enable Firewall | Enabled |
Enable stealth mode | Enabled | |
Enable logging | Disabled | |
Logging level | Throttled | |
Block all incoming connections | Disabled | |
Allow incoming connections to built-in software | Enabled | |
Allow incoming connections to downloaded signed software | Enabled | |
Applications | Allow/block incoming connections to the following apps | Allow incoming connections |
Settings | Configuration |
---|---|
Prevent FileVault from being disabled | Disabled |
Prevent FileVault from being enabled | Disabled |
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | – |
Escrow Personal Recovery Key | Disabled |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
Require user to unlock FileVault after hibernation | Disabled |
Settings | Configuration |
---|---|
Display login window as | Name and password |
Hide Shut Down button | Disabled |
Hide Restart button | Disabled |
Hide Sleep button | Disabled |
Disable login items bypass | Disabled |
Disable Console Access from Login Screen | Disabled |
Disable Shut Down while user is logged in | Disabled |
Disable Restart while user is logged in | Disabled |
Disable Power Off while user is logged in | Disabled |
Disable Log Out while user is logged in | Disabled |
Disable Immediate Screen Lock options | Disabled |
Password hints | Disabled |
Automatic login | Disabled |
Show text to display in the Login Window* | Welcome |
Show Admin Host Info | – |
Restrictions | Configuration | |
---|---|---|
Software Update Preferences | Automatically check for new updates | Enable |
Automatically download new updates | Enable | |
Automatically install macOS updates | Enable | |
Automatically install app updates | Enable | |
Automatically install critical updates | Enable | |
Automatically install configuration data | Enable | |
Install pre-release software | Not Configured | |
Force admin privilege requirement for software updates | Not Configured | |
Install Rapid Security Responses | Not Configured | |
Allow removal of Rapid Security Responses | Not Configured | |
Defer Software Updates | Defer major upgrades | Not Configured |
Defer minor upgrades | Not Configured | |
Defer app upgrades | Not Configured |
Settings | Configuration |
---|---|
Skip Privacy setup | Disabled |
Skip signing in with Apple ID | Disabled |
Skip iCloud Storage setup | Disabled |
Skip Siri setup | Disabled |
Skip Choose Your Look setup | Disabled |
Settings | Configuration |
---|---|
Enable Screensaver | Enabled |
Login window screensaver idle time | 1 min |
Screensaver idle time | 20 min |
Require Password to unlock screen | Enabled |
Set delay for password prompt | 5 sec |
Restrictions | Configuration | |
---|---|---|
Desktop | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
Laptop on AC Power | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
Laptop on Battery Power | Automatically startup on power loss | Disabled |
Idle timeout for system sleep | 0 mins | |
Idle timeout for display sleep | 0 mins | |
Wake for network access | Disabled | |
General Settings | Prevent temporary FileVault key storage during standby | Disabled |
Disable device sleep | Disabled |
The CIS Benchmarks are compliance guidelines for securely configuring IT systems. They provide best practices to reduce vulnerabilities and enhance security, covering areas such as password policies, account management, and system services. Adhering to these guidelines helps improve security and ensure regulatory compliance. Currently, Hexnode supports making Windows devices partially CIS Benchmark compliant.
Template name: CIS Benchmark Compliance – Windows
Description: Apply this template to get one step closer to CIS compliance on your Windows devices.
Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.
Template Configuration:
- Windows > Password
- Windows > Restrictions
- Windows > Advanced Restrictions
- Windows > Threat Management > Microsoft Defender
- Windows > Security > BitLocker
- Windows > Configurations > Screensaver
- Windows > Patches & Updates > Windows Update Preferences
- Windows > Patches & Updates > Windows Update Experience
Password settings | Configuration |
---|---|
Allow simple value | Disabled |
Password type | Alphanumeric password |
Minimum password length | 14 |
Password Complexity | Digits, lowercase and uppercase letters |
Minimum password age (in days) | 365 |
Auto-lock (in minutes) | 15 |
Password history | 24 |
Failed attempt before wipe | 0 |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Camera | Disabled |
Cortana voice assistant | Enabled | |
Use Cortana if device is locked | Enabled | |
Use storage card and USB drives | Disabled | |
Telemetry | Disallow | |
Location services | Force Location Off | |
Change language | Enabled | |
Users can enable/disable Workplace | Enabled | |
Users can change AutoPlay settings | Enabled | |
Allow App Settings | Sync Settings | Enabled |
Allow SignIn Options | Enabled | |
Allow News and Interests | Disabled | |
Allow Network Settings | Wi-Fi | Enabled |
Bluetooth | Enabled | |
Discover device over Bluetooth | Enabled | |
Users can turn VPN on/off | Enabled | |
Connect to VPN if on mobile network | Enabled | |
Connect to VPN if roaming | Enabled | |
Cellular data roaming | Enabled | |
Allow Security and Privacy Settings | Manual MDM administration removal | Enabled |
Show toast notification on lock screen | Disabled | |
Account Settings | OneDrive file sync | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Users can reset the device | Enabled |
Users can change date and time | Disabled | |
Users can change power and sleep settings | Enabled | |
Allow Embedded Mode | Disabled | |
Allow Region | Enabled | |
Allow App Settings | Unlock developer options | Not Configured |
Search can use user location | Disabled | |
Allow Network Settings | Internet Sharing | Enabled |
Connect to Wi-Fi Sense automatically | Disabled | |
Connect to external Wi-Fi networks manually | Enabled | |
Wi-Fi Direct | Enabled | |
Allow Security and Privacy Settings | Install provisioning package | Enabled |
Mandate signed certificate for provisioning package | Disabled | |
Remove provisioning package | Enabled | |
Receive advertisements over Bluetooth | Disabled | |
Pair with other devices automatically | Disabled | |
Users can download Windows beta updates | Disallow | |
Windows AI | AI Data Analysis | Not Configured |
Customize Start Menu | Documents folder | Not enforced |
Downloads folder | Not enforced | |
File Explorer | Not enforced | |
Home group | Not enforced | |
Music folder | Not enforced | |
Networks | Not enforced | |
Personal folder | Not enforced | |
Pictures folder | Not enforced | |
Settings | Not enforced | |
Videos folder | Not enforced | |
Account Settings | Block Microsoft accounts | Not Configured |
Users can change account settings | Enabled | |
Users can add non-Microsoft accounts | Enabled | |
Users can connect using Microsoft accounts | Enabled |
Policy Settings | Configuration | |
---|---|---|
Microsoft Defender Application Guard | Microsoft Defender Application Guard | Enabled |
Clipboard behavior | Turn On clipboard operation from an isolated session to the host | |
Clipboard settings | Allow copying texts | |
Print behavior | None | |
Block non-enterprise content | Disabled | |
Data persistence | Disabled | |
Virtual GPU | Disabled | |
Save files to host | Disabled | |
Certificate Thumbprints | Not configured | |
Access Camera and Microphone | Disabled | |
Windows Defender Security Center | Enable account protection UI | Enabled |
Enable app and browser protection UI | Enabled | |
Disallow exploit protection override | Enabled | |
Enable Device security UI | Enabled | |
Disable TPM Firmware update warning | Disabled | |
Show the Security processor (TPM) troubleshooting area | Enabled | |
Disable Clear TPM button | Disabled | |
Hide the Secure boot area | Disabled | |
Notifications | Display all notifications | |
Enable family UI | Enabled | |
Enable health UI | Enabled | |
Enable network UI | Enabled | |
Enable virus UI | Enabled | |
Hide the Ransomware data recovery area | Disabled | |
Enable customized toasts | Disabled | |
Enable in-app customization | Disabled | |
Company name | Not configured | |
Email address | Not configured | |
Phone number/Skype ID | Not configured | |
Help portal URL | Not configured | |
Hide Windows Security notification area control | Disabled |
BitLocker Settings | Configuration |
---|---|
Require encryption for OS and fixed data drives | Enabled |
Hide warning about existing third-party encryption | Disabled |
Recovery Password rotation | Not Configured |
Escrow recovery password to Hexnode UEM | Enabled |
OS Drive Settings | |
Configure BitLocker OS drive policy | Enabled |
Configure encryption method | Disabled |
Configure additional startup authentication settings | Enabled |
Allow BitLocker to be activated on devices without a compatible TPM | Disabled |
Configure advanced authentication options for devices with compatible TPM | Required Options: Startup PIN |
Minimum PIN length | 6 |
Configure pre-boot recovery message and URL | Disabled |
Users must generate a recovery key or password | Recovery Key, Password or both |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) | Password and Key |
Block certificate-based data recovery agent | Enabled |
Hide recovery options on the device | Enabled |
Do not enable BitLocker until recovery information is stored in AD DS | Enabled |
Fixed Drive Settings | |
Configure BitLocker fixed drive policy | Enabled |
Configure encryption method | Disabled |
Block access to drives not protected by BitLocker | Disabled |
Configure recovery options | Enabled |
Users must generate a recovery key or password | Recovery Key, Password or both |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) | Disabled |
Block certificate-based data recovery agent | Disabled |
Hide recovery options on the device | Disabled |
Do not enable BitLocker until recovery information is stored in AD DS | Disabled |
Removable Drive Settings | |
Configure BitLocker removable drive policy | Enabled |
Configure encryption method | Disabled |
Block access to drives not protected by BitLocker | Enabled |
Screensaver Settings | Configuration |
---|---|
Enable Screensaver | Enabled |
Select Screensaver | Blank |
Require Password to unlock screen | Enabled |
Start screensaver after _ minutes of inactivity | 15 |
Prevent user from accessing screensaver settings on device | Disabled |
Settings | Configuration |
---|---|
Update drivers | Disabled |
Optional Updates | Not Configured |
Download updates over metered network | Not Configured |
Ignore download limits for app updates | Not Configured |
Ignore download limits for OS updates | Not Configured |
Automatic wake up for maintenance | Enabled |
Disable WUfB Safeguards | Disabled |
Target product | Not Configured |
Target version | Not Configured |
Feature update uninstall period | 10 day(s) |
Pre-release builds | Not Configured |
Update channel | Semi-annual |
Update Deferral | |
Defer Quality Updates | Enabled |
Deferral period (Defer Quality Updates) | 0 day(s) |
Defer Feature Updates | Enabled |
Deferral period (Defer Feature Updates) | 0 day(s) |
Settings | Configuration |
---|---|
Microsoft App Update Service | Disabled |
Automatic update behavior | Auto install updates and notify users to restart if required |
Active hours | Start time: 8:00 AM, End time: 5:00 PM |
Maximum range of active hours | 18 hours |
Skip restart checks | Disabled |
Disable pause updates | Enabled |
Disallow users to check for updates | Disabled |
Notifications | |
Update notification level | Default Windows Notification |
Notifications during Active Hours | Not Configured |
Auto-restart notifications | Not Configured |
Deadlines | |
Configure update deadlines | Disabled |
Configure restart deadlines | Disabled |
Configure engaged restart deadlines | Disabled |
A pre-configured policy template for securing point-of-sale (POS) devices with the necessary security configurations and restrictions.
Template name: POS Device Policy
Description: Secure POS devices by enforcing pre-configured security configurations.
Template Configuration:
- iOS > Basic Restrictions
- iOS > Advanced Restrictions
- iOS > App Management > Blocklist/Allowlist
Policy Setting | Apps |
---|---|
Allowlist Settings | Phone, FaceTime |
- Android > Basic Restrictions
Policy Settings | Configuration | |
---|---|---|
Allow Device Functionality | Camera | Enabled |
USB Mass Storage | Enabled | |
USB file transfer | Disabled | |
Home button | Enabled | |
Power Off | Disabled | |
Safe mode | Enabled | |
Airplane mode | Enabled | |
Lock screen shortcuts | Enabled | |
Widgets on lock screen | Enabled | |
Screen Orientation | Allow user to choose | |
Screen Timeout | Keep Current Settings | |
Allow Network Settings | Wi-Fi | Enabled |
Force Wi-Fi | Enabled | |
Bluetooth | Enabled | |
Force Bluetooth | Disabled | |
Mobile data | Enabled | |
Tethering | Enabled | |
USB tethering | Enabled | |
Bluetooth tethering | Enabled | |
Portable Wi-Fi hotspot | Users can choose | |
Data roaming | Enabled | |
Connect to 2G network | Enabled | |
Allow Location Settings | Mock location | Enabled |
GPS | Enabled | |
Force GPS to fetch location | Enabled | |
Allow Sync Settings | Backup service | Disabled |
Security Options | Allow MDM Administration removal | Disabled |
- Android > Advanced Restrictions
- Kiosk Lockdown > iOS Kiosk Lockdown > Multi App
  Apps added in kiosk: Settings, Phone, FaceTime
- Kiosk Lockdown > Android Kiosk Lockdown > Multi App
  Apps added in kiosk: Google Chrome
- Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings
Policy Setting | Configuration | |
---|---|---|
Users can turn Wi-Fi on/off | Disabled | |
Connect to and switch between saved Wi-Fi networks | Disabled | |
Add hidden Wi-Fi networks | Disabled | |
Users can delete Wi-Fi networks | Disabled | |
Users can disconnect from currently connected network | Disabled | |
Show all available Wi-Fi networks | Disabled | |
Auto-exit Wi-Fi settings page in | Disabled | |
Wi-Fi Hotspot | Disabled | |
Users can configure Wi-Fi hotspot | Disabled | |
Users can turn mobile data on/off | Disabled | |
Users can choose preferred network type | Disabled | |
Allow users to turn Bluetooth on/off | Disabled | |
Airplane mode | Disabled | |
Users can enable accessibility settings | Disabled | |
Display | Disable system bars | Disabled |
Enable status bar | Disabled | |
Keep screen On | Enabled | |
Brightness | Keep current brightness | |
Hardware/software buttons | Users can turn device Off | Enabled |
Disable volume button | Disabled | |
Enable Recent apps button | Disabled | |
Advanced Lock | Lock task mode | Disabled |
System Info | Disabled | |
Home button | Disabled | |
Notifications | Disabled | |
Recent apps button | Disabled | |
Global actions | Disabled | |
Activate Lock task mode on reboot while the device is locked | Disabled | |
Hexnode MDM Settings | Show option to manually exit kiosk lockdown | Disabled |
Grant Hexnode MDM any newer permissions manually | Disabled | |
Sync device with MDM | Disabled | |
Show device and server information | Disabled | |
App Settings | Access app catalogs in kiosk | Disabled |
Show blocked package name on the device | Enabled | |
Disable app crash reporting | Disabled | |
Clear apps from background when user leaves the app | Disabled | |
Enable required app installation in kiosk | Disabled | |
Location | Users can add location notes | Disabled |
Messenger | View messages sent by admin | Disabled |
Other options | Allow users to turn flashlight on/off | Disabled |
Allow users to modify device password | Disabled | |
Floating icon | Disabled | |
Tap & Swipe gesture | Disabled | |
Triple tap on the top-right corner of the screen to show device and server details option | Disabled | |
Triple tap on the top-right corner of the screen to show peripheral settings | Disabled | |
- Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
Policy Settings | Configuration |
---|---|
Allow manually exiting kiosk mode | Enabled |
Number of taps to display the popup to enter the exit passcode | 10 |
Exit manually from kiosk mode while an app is open | Disabled |
Reboot and tap to exit from kiosk mode | Enabled |
Relaunch app _ seconds after reboot | 20 |
Auto-enable kiosk mode | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | Camera | Enabled |
FaceTime | Enabled | |
Screen capture | Enabled | |
Allow Remote Screen Observation | Enabled | |
Touch ID | Enabled | |
Siri | Enabled | |
Allow Siri while device is locked | Enabled | |
Voice dialing | Enabled | |
Automatic sync while roaming | Enabled | |
Allow Application Settings | Install apps | Disabled |
iTunes Store | Enabled | |
Force user to enter iTunes store password for each purchase | Enabled | |
In-app purchases | Enabled | |
Trust enterprise app | Enabled | |
Users can modify enterprise app trust | Enabled | |
Backup enterprise-deployed iBooks | Enabled | |
Sync managed app data with iCloud | Disabled | |
YouTube | Enabled | |
Safari | Enabled | |
Autofill | Enabled | |
Fraud warning | Disabled | |
JavaScript | Enabled | |
Block pop-ups | Enabled | |
Accept cookies | Always | |
Access Passbook when the device is locked | Disabled | |
Add friends in Game Center | Enabled | |
Allow iCloud Settings | Backup | Enabled |
Sync documents | Enabled | |
Photo Stream | Enabled | |
Share photo streams | Enabled | |
iCloud photo library | Enabled | |
Sync enterprise book metadata across devices | Enabled | |
Allow Security and Privacy Settings | Lock screen notifications | Enabled |
Today View on lock screen | Enabled | |
Control Center on lock screen | Enabled | |
Over the air PKI updates | Enabled | |
Limit ad tracking | Disabled | |
Send diagnostic data to Apple | Enabled | |
Accept untrusted TLS certificate | Enabled | |
Force encrypted backup | Disabled | |
Show notification on Apple Watch if worn | Disabled | |
Allow Explicit Content | Explicit music, podcasts and iTunes services | Enabled |
iBooks store erotica | Disabled | |
Rating region | United States | |
Movies | Allow All Movies | |
TV Shows | Allow All TV Shows | |
Apps | Allow All Apps |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
RCS messaging | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Install configuration profile | Enabled | |
Handoff | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
QuickPath Keyboard | Enabled | |
Keyboard shortcuts | Enabled | |
USB Drive Access in Files App | Enabled | |
Network Drive Access in Files App | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Force Wi-Fi ON | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Modify cellular plan settings | Enabled | |
eSIM Modification | Enabled | |
Outgoing eSIM transfer | Enabled | |
Live Voicemail | Enabled | |
Force preserve eSIM on erase | Disabled | |
Auto dimming | Enabled | |
iPhone mirroring | Enabled | |
Call recording | Enabled | |
Allow App Settings | Install app from App Store | Disabled |
Install apps from third-party app marketplaces | Enabled | |
Install apps from web | Enabled | |
Remove apps | Disabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Lock apps | Enabled | |
Hide apps | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Find My Friends | Enabled | |
Find My Device | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Users can modify default browser | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled | |
Allow USB accessories when locked | Disabled | |
Prevent pairing with non-Configurator hosts | Disabled | |
Shared iPad temporary session | Enabled | |
Allow Apple Intelligence | Genmoji | Enabled |
Image Playground | Enabled | |
Image Wand | Enabled | |
Personalized Handwriting Results | Enabled | |
Writing Tools | Enabled | |
Mail Summary | Enabled | |
ChatGPT integration | Enabled | |
ChatGPT user account sign-in | Enabled |
Policy Setting | | Configuration |
---|---|---|
Allow Device functionality | Microphone | Enabled |
| | Screen capture | Disabled |
| | Clipboard | Disabled |
| | Share via other apps | Enabled |
| | Users can adjust volume | Enabled |
| | Make a call | Enabled |
| | Receive calls | Enabled |
| | USB Host Storage | Enabled |
| | Allow input methods | Enabled |
Allow Settings | Developer mode | Enabled |
| | USB debugging | Enabled |
| | Modify settings | Enabled |
| | Power saving mode | Enabled |
| | Users can enable location sharing | Enabled |
| | Factory Reset | Enabled |
| | Advanced Factory Reset | Enabled |
| | Read any connected physical external media | Enabled |
| | Disable screen lock if the screen was turned off | Disabled |
| | Configure VPN | Enabled |
| | Automatically power off a device when power cable is detached | Disabled |
| | Automatically power on a device when power cable is connected | Disabled |
Date and Time Settings | Set date and time automatically | Enabled |
| | Set time zone automatically | Enabled |
| | Allow users to modify date, time and time zone | Enabled |
| | Time format | Keep Current Settings |
Lock Screen Customizations | Lock Screen Camera | Enabled |
| | Trust Agents for Smart Lock | Enabled |
| | Lock Screen Notifications | Enabled |
| | Fingerprint Unlock | Enabled |
| | Iris Scanner | Enabled |
| | Face Unlock | Enabled |
| | Unredacted Notifications | Enabled |
Allow App Settings | Install apps | Enabled |
| | Uninstall apps | Enabled |
| | Control apps | Enabled |
| | Google Play Store | Enabled |
| | Verify apps before install | Disabled |
| | Install apps from unknown sources | Enabled |
| | App Runtime Permissions | Default |
| | Parent profile app linking | Enabled |
| | Allow cross-profile app communication | Disabled |
| | Factory Reset Protection (Google Account Verification) | Default |
Accessibility Settings | Accessibility services | Enabled |
| | Accessibility services | Disabled |
A pre-configured policy to set up a website kiosk on Android TVs.
Template name: Website Kiosk for Android TV
Description: Lock down your Android TVs to a specific website using website kiosk mode.
Template Configuration:
- Kiosk Lockdown > Android Kiosk Lockdown > Single App
Apps added: Hexnode MDM Portal (Web App)
- Kiosk Lockdown > Android Kiosk Lockdown > Launcher
Policy Settings | | Configuration |
---|---|---|
Auto-Launch | Select app | Hexnode MDM Portal |
| | App auto-launch delay | 20 seconds |
Customizations | Customize kiosk launcher | Disabled |
| | Icon size | Medium |
| | Font size | Small |
| | Title bar height | 10 % of screen height |
| | Logo height | 50 % of title bar height |
| | Logo width | 25 % of screen width |
| | Title font | Helvetica |
| | Title height | 50 % of title bar height |
| | Title color | Default |
| | Title bar background color | Default |
| | Logo-title alignment | Left |
- Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
Policy Settings | Configuration |
---|---|
Allow manually exiting kiosk mode | Enabled |
Number of taps to display the popup to enter the exit passcode | 10 |
Exit manually from kiosk mode while an app is open | Disabled |
Reboot and tap to exit from kiosk mode | Enabled |
Relaunch app | 20 seconds after reboot |
Auto-enable kiosk mode | Disabled |
A policy template to lock down Android TV to a set of apps using pre-configured kiosk configurations.
Template name: Kiosk Lockdown for Android TV
Description: Lock down your Android TV to a handful of applications.
Template Configuration:
- Kiosk Lockdown > Android Kiosk Lockdown > Multi App
Apps added: YouTube for Android TV
Customizations: Icon size (Medium)
- Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
Policy Settings | Configuration |
---|---|
Allow manually exiting kiosk mode | Enabled |
Number of taps to display the popup to enter the exit passcode | 10 |
Exit manually from kiosk mode while an app is open | Disabled |
Reboot and tap to exit from kiosk mode | Enabled |
Relaunch app | 20 seconds after reboot |
Auto-enable kiosk mode | Disabled |
A policy template to secure Android TV using password policies and restrictions.
Template name: Android TV Security Settings
Description: Secure Android TV by enforcing password rules and restrictions.
Template Configuration:
- Android > Password > Device Password
Policy Settings | Configuration |
---|---|
Minimum password complexity | None |
Customize password complexity | Enabled |
Password Complexity | Alphanumeric |
Minimum Passcode Length | 8 |
Auto-lock after | 5 |
- Android > Restrictions > Basic
Policy Settings | | Configuration |
---|---|---|
Allow Device Functionality | Camera | Enabled |
| | USB Mass Storage | Enabled |
| | USB file transfer | Disabled |
| | Home button | Enabled |
| | Power Off | Disabled |
| | Safe mode | Enabled |
| | Airplane mode | Enabled |
| | Lock screen shortcuts | Enabled |
| | Widgets on lock screen | Enabled |
| | Screen Orientation | Allow user to choose |
| | Screen Timeout | Keep Current Settings |
Allow Network Settings | Wi-Fi | Enabled |
| | Force Wi-Fi | Enabled |
| | Bluetooth | Disabled |
| | Force Bluetooth | Disabled |
| | Mobile data | Enabled |
| | Tethering | Enabled |
| | USB tethering | Enabled |
| | Bluetooth tethering | Enabled |
| | Portable Wi-Fi hotspot | Users can choose |
| | Data roaming | Enabled |
| | Connect to 2G network | Enabled |
Allow Location Settings | Mock location | Enabled |
| | GPS | Enabled |
| | Force GPS to fetch location | Enabled |
Allow Sync Settings | Backup service | Enabled |
Security Options | Allow MDM Administration removal | Enabled |
To create a policy from the template, you can either copy the template to My Policies, or else you can choose the template directly while creating a new policy.
To choose the template directly while creating a policy,
- In the Hexnode portal, go to Policies.
- Click on New Policy and select the template that you want to use.
- Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
- Click on Ok > Save.
To copy the template to My Policies,
- In the Hexnode portal, go to Policies > Templates.
- Select the template that you want to copy and click on Manage.
- Click on Copy to My Policies.
- Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
- Click on Ok > Save.
Apart from devices, you can also associate the policy to Device Groups, Users, User Groups and Domains.