How to use pre-configured policy template in Hexnode UEM for easy policy deployment

A pre-configured policy template to lockdown Android devices to a couple of web apps in multi-app kiosk mode.

Template name: Android Website Kiosk

Description: Lock down Android devices to a handful of websites.

Template Configuration:

Kiosk Lockdown > Android Kiosk Lockdown > Multi App: Amazon feedback & Amazon affiliates.

A policy that is pre-configured to provide the basic industrial standard BitLocker encryption along with Windows password security.

Template name: BitLocker Security Policy

Description: Enable BitLocker encryption for industry-standard security.

Template Configuration:

• Windows > Password

Password settings	Configuration
Allow simple value	Disabled
Password type	Users can choose
Minimum Password length	8
Minimum complex characters	Digits only
Minimum passcode age (in days)	0
Auto-Lock (in minutes)	0
Passcode history	0
Failed attempt before wipe	0

• Windows > Security > BitLocker

BitLocker Settings	Configuration
Prompt to encrypt storage card	Enabled
Prompt for device encryption	Enabled
Configure encryption method for disk drives	Select default value
Configure authentication when computer starts up	Enable
Allow BitLocker without a Trusted Platform Module (TPM)	Select default value
Authenticate with TPM startup key	Disallow
Authenticate with TPM startup pin	Disallow
Authenticate with TPM startup key and PIN	Disallow
Enable TPM during startup	Disallow
Minimum length for BitLocker startup PIN	6
Configure pre-boot recovery message	Show default recovery message and URL
Configure recovery options for system drives	Disabled
Configure recovery options for fixed drives	Disabled
Fixed drives require encryption	Enabled
Removable drives require encryption	Enabled

A policy template to protect the corporate data in any iOS and Android BYOD device.

Template name: BYOD Policy for Corporate Data Containerization

Description: A common policy for iOS & Android devices to safeguard the corporate data in Managed apps and Work containers.

Template Configuration:

• iOS > Restrictions
  

Restrictions		Configuration
Allow Device Functionality	Camera	Enabled
	FaceTime	Enabled
	Screen capture	Enabled
	Touch ID	Enabled
	Siri	Enabled
	Allow Siri while device is locked	Enabled
	Voice dialing	Enabled
	Automatic sync while roaming	Enabled
Allow Application Settings	Show App Store on the device	Enabled
	iTunes Store	Enabled
	Force user to enter iTunes store password for each purchase	Enabled
	In-app purchases	Enabled
	Trust enterprise app	Enabled
	Users can modify enterprise app trust	Enabled
	Backup enterprise-deployed iBooks	Enabled
	Sync managed app data with iCloud	Disabled
	YouTube	Enabled
	Safari	Enabled
	Autofill	Enabled
	Fraud warning	Disabled
	JavaScript	Enabled
	Block pop-ups	Enabled
	Accept cookies	Always
	Access Passbook when the device is locked	Disabled
	Add friends in Game Center	Enabled
Allow iCloud Settings	Backup	Enabled
	Sync documents	Enabled
	Photo Stream (Disallowing might cause data loss)	Enabled
	Share photo streams	Enabled
	iCloud photo library	Enabled
	Sync enterprise book metadata across devices	Enabled
Allow Security and Privacy Settings	Lock screen notifications	Enabled
	Today View on lock screen	Enabled
	Control Centeron lock screen	Enabled
	Over the air PKI updates	Enabled
	Limit ad tracking	Disabled
	Send diagnostic data to Apple	Enabled
	Accept untrusted TLS certificate	Enabled
	Force encrypted backup	Disabled
	Show notification on Apple Watch if worn	Disabled
Allow Explicit Content	Explicit music, podcasts and iTunes U services	Enabled
	iBooks store erotica	Disabled
	Rating region	United States
	Content rating
	Movies	Allow All Movies
	TV Shows	Allow All TV Shows
	Apps	Allow All Apps

• iOS > Advanced Restrictions
  

Restrictions		Configuration
Allow Device Functionality	AirDrop	Enabled
	Apps can modify cellular data usage	Enabled
	Add or remove Touch ID/Face ID	Enabled
	iMessage	Enabled
	Game Center	Enabled
	Multiplayer gaming	Enabled
	Pair with iTunes	Enabled
	Install configuration profile	Enabled
	Definition lookup	Enabled
	Predictive keyboard	Enabled
	Auto-correct words	Enabled
	Suggest words on misspellings	Enabled
	Keyboard shortcuts	Enabled
	Pair with Apple Watch	Enabled
	Modify diagnostic data submission settings	Enabled
	Modify Bluetooth settings	Enabled
	Use voice to type	Enabled
	Connect to MDM-configured Wi-Fi networks only	Disabled
	Users can modify Personal Hotspot settings	Enabled
	Create VPN configuration	Enabled
	AirPrint	Enabled
	Connect with iBeacon	Enabled
	Store AirPrint credentials in Keychain	Enabled
	Use trusted certificates for secure printing	Disabled
Allow App Settings	Install app from App Store	Enabled
	Remove apps	Enabled
	Remove system apps	Enabled
	iBooks store	Enabled
	Apple Music	Enabled
	iTunes Radio	Enabled
	News	Enabled
	Podcasts	Enabled
	Download all purchased apps automatically	Enabled
Allow Security and Privacy Settings	Activation Lock	Disabled
	Modify an account	Enabled
	Erase content and settings	Enabled
	Siri can access user-generated content	Enabled
	Modify Find My Friends	Enabled
	Use profanity filter	Disabled
	Show web results using Spotlight Search	Enabled
	Modify Restrictions/Screen Time	Enabled
	Modify passcode	Enabled
	Modify device name	Enabled
	Modify wallpaper	Enabled
	Users can turn notifications on/off	Enabled
	Force Automatic Date and Time	Disabled
	Autofill Passwords	Enabled
	Request passwords from nearby devices	Enabled
	Share passwords via Airdrop Passwords feature	Enabled

• iOS > Security > Business Container

Settings	Configuration
Open documents from managed apps in unmanaged apps	Disabled
Open documents from unmanaged apps in managed apps	Disabled
Managed apps can write to Unmanaged Contact Accounts	Disabled
Unmanaged apps can read from Managed Contact Accounts	Disabled
Block Sharing Managed Document using AirDrop	Disabled

• Android > Advanced Restrictions

Restrictions		Configuration
Allow device functionality	Microphone	Enabled
	Screen capture	Disabled
	Clipboard	Enabled
	Copy contents between normal and work profiles	Enabled
	Share via other apps	Enabled
	Users can adjust volume	Enabled
	Make a call	Enabled
Display Settings	Hide System bars	Disabled
	Hide Status Bar	Disabled
	Hide Navigation Bar	Disabled
	Split-screen mode	Enabled
	Display dialogs/windows	Enabled
Allow Connectivity Options	NFC	Enabled
	Android Beam	Enabled
	Beam from the device	Enabled
	Transfer data via Bluetooth	Enabled
	Configure Bluetooth	Enabled
	Configure cell broadcast	Enabled
	Configure cellular network	Enabled
	Users can reset network settings	Enabled
	Configure Wi-Fi	Enabled
	Configure hotspot and tethering	Enabled
Security Options	Minimum Wi-Fi Security Level	Open
Allow Sync Settings	Sync data in background	Enabled
	Sync data with Google account	Enabled
Allow Account Settings	SMS	Enabled
	Receive messages	Enabled
	Send messages	Enabled
	Modify Accounts/Users	Enabled
	Add Users	Enabled
	Remove Users	Enabled
	Configure user credentials	Enabled
Allow Settings	Developer mode	Enabled
	USB debugging	Enabled
	Modify settings	Enabled
	Power saving mode	Enabled
	Users can enable location sharing	Enabled
	Factory reset	Enabled
	Read any connected physical external media	Enabled
	Update date and time automatically	Enabled
	Set time zone automatically	Enabled
	Disable screen lock if the screen was turned off	Disabled
	Configure VPN	Enabled
Allow App Settings	Install apps	Enabled
	Uninstall apps	Enabled
	Control apps	Enabled
	Google Play Store	Enabled
	Verify apps before install	Disabled
	Install apps from unknown sources	Disabled
	App Runtime Permissions	Default permissions
	Parent profile app linking	Enabled
Factory Reset Protection (Google Account Verification)		Default

An Android policy to set data and Wi-Fi restrictions and notifications to have control over expenses.

Template name: Expense Management Policy

Description: Data/Wi-Fi usage warning & restrictions for an arbitrary monthly limit.

Template Configuration:
Android > Mobile Data Management
Data Usage Restrictions:

A policy with iOS and Android passcode and restriction along with Mac and Windows encryption configurations to set standards of confidentiality and integrity to protect ePHI.

Template name: HIPAA Compliance Policy

Description: Workstation and Device Security policies to protect ePHI.

Template Configuration:

• iOS > Passcode

Policy	Configuration
Allow simple value	Disabled
Require alpha numeric value	Enabled
Minimum Passcode Length	8
Minimum complex characters	1
Minimum passcode age in days (0-730 days)	30
Auto Lock	1 Minute
Passcode History (1-50 passcodes)	5
Grace period for device lock	Immediately
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically)	10

• iOS > Advanced Restrictions

Restrictions		Configuration
Allow Device Functionality	AirDrop	Enabled
	Apps can modify cellular data usage	Enabled
	Add or remove Touch ID/Face ID	Enabled
	iMessage	Enabled
	Game Center	Enabled
	Multiplayer gaming	Enabled
	Pair with iTunes	Enabled
	Install configuration profile	Enabled
	Definition lookup	Enabled
	Predictive keyboard	Enabled
	Auto-correct words	Enabled
	Suggest words on misspellings	Enabled
	Keyboard shortcuts	Enabled
	Pair with Apple Watch	Enabled
	Modify diagnostic data submission settings	Enabled
	Modify Bluetooth settings	Enabled
	Use voice to type	Enabled
	Connect to MDM-configured Wi-Fi networks only	Disabled
	Users can modify Personal Hotspot settings	Enabled
	Create VPN configuration	Enabled
	AirPrint	Enabled
	Connect with iBeacon	Enabled
	Store AirPrint credentials in Keychain	Enabled
	Use trusted certificates for secure printing	Disabled
Allow App Settings	Install app from App Store	Enabled
	Remove apps	Enabled
	Remove system apps	Enabled
	iBooks store	Enabled
	Apple Music	Enabled
	iTunes Radio	Enabled
	News	Enabled
	Podcasts	Enabled
	Download all purchased apps automatically	Enabled
Allow Security and Privacy Settings	Activation Lock	Disabled
	Modify an account	Enabled
	Erase content and settings	Enabled
	Siri can access user-generated content	Enabled
	Modify Find My Friends	Enabled
	Use profanity filter	Disabled
	Show web results using Spotlight Search	Enabled
	Modify Restrictions/Screen Time	Enabled
	Modify passcode	Enabled
	Modify device name	Enabled
	Modify wallpaper	Enabled
	Users can turn notifications on/off	Enabled
	Force Automatic Date and Time	Disabled
	Autofill Passwords	Enabled
	Request passwords from nearby devices	Enabled
	Share passwords via Airdrop Passwords feature	Enabled

• iOS > Security > Business Container

Settings	Configuration
Open documents from managed apps in unmanaged apps	Enabled
Open documents from unmanaged apps in managed apps	Enabled
Managed apps can write to Unmanaged Contact Accounts	Disabled
Unmanaged apps can read from Managed Contact Accounts	Disabled
Block Sharing Managed Document using AirDrop	Disabled

• Android > Advanced Restrictions

Restrictions		Configuration
Allow device functionality	Microphone	Enabled
	Screen capture	Enabled
	Clipboard	Enabled
	Copy contents between normal and work profiles	Disabled
	Share via other apps	Enabled
	Users can adjust volume	Enabled
	Make a call	Enabled
Display Settings	Hide System bars	Disabled
	Hide Status Bar	Disabled
	Hide Navigation Bar	Disabled
	Split-screen mode	Enabled
	Display dialogs/windows	Enabled
Allow Connectivity Options	NFC	Enabled
	Android Beam	Enabled
	Beam from the device	Enabled
	Transfer data via Bluetooth	Enabled
	Configure Bluetooth	Enabled
	Configure cell broadcast	Enabled
	Configure cellular network	Enabled
	Users can reset network settings	Enabled
	Configure Wi-Fi	Enabled
	Configure hotspot and tethering	Enabled
Security Options	Minimum Wi-Fi Security Level	Open
Allow Sync Settings	Sync data in background	Enabled
	Sync data with Google account	Enabled
Allow Account Settings	SMS	Enabled
	Receive messages	Enabled
	Send messages	Enabled
	Modify Accounts/Users	Enabled
	Add Users	Enabled
	Remove Users	Enabled
	Configure user credentials	Enabled
Allow Settings	Developer mode	Disabled
	USB debugging	Disabled
	Modify settings	Enabled
	Power saving mode	Enabled
	Users can enable location sharing	Enabled
	Factory reset	Enabled
	Read any connected physical external media	Enabled
	Update date and time automatically	Enabled
	Set time zone automatically	Enabled
	Disable screen lock if the screen was turned off	Disabled
	Configure VPN	Enabled
Allow App Settings	Install apps	Enabled
	Uninstall apps	Enabled
	Control apps	Enabled
	Google Play Store	Enabled
	Verify apps before install	Disabled
	Install apps from unknown sources	Disabled
	App Runtime Permissions	Default permissions
	Parent profile app linking	Enabled
Factory Reset Protection (Google Account Verification)		Default

• Windows > Security > BitLocker

BitLocker Settings	Configuration
Prompt to encrypt storage card	Enabled
Prompt for device encryption	Enabled
Configure encryption method for disk drives	Select default value
Configure authentication when computer starts up	Select default value
Minimum length for BitLocker startup PIN	6
Configure pre-boot recovery message	Select default value
Configure recovery options for system drives	Disabled
Configure recovery options for fixed drives	Disabled
Fixed drives require encryption	Enabled
Removable drives require encryption	Enabled

• macOS > Security > FileVault

Policy Settings	Configuration
Enable FileVault	Enabled
Encrypt using	Institutional and Personal Recovery Key
Encryption certificate	HexnodeMDM FileVault Certificate
Show Personal Recovery Key to user	Enabled
Skip enabling FileVault at user login	Disabled

A preconfigured policy to restrict an iOS device to a single app in kiosk mode.

Template name: iOS Single App Kiosk Policy

Description: Lock down iOS devices to a single app

Template Configuration:

Kiosk Lockdown > iOS Kiosk Lockdown > Single App

Uber Technologies Inc. is added as the app in single app kiosk.

A pre-configured location tracking policy that tracks the devices’ location in specific time intervals.

Template name: Location Policy

Description: Enable Location Tracking on target devices.

Template Configuration:
General Settings > Location Tracking

A policy template for Samsung Knox device security.

Template name: Samsung Knox Policy

Description: With advanced restrictions exclusively available for Samsung devices.

Template Configuration:

• Android > Password > Device Password

Password Settings	Configuration
Password Requirement	Alphanumeric
Minimum Passcode Length	8
Password age (in days)	_
Auto-lock after	_
Password History (1-50 passcodes)	_
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically)	_

• Android > Advanced Restrictions

Restrictions		Configuration
Allow device functionality	Microphone	Enabled
	Screen capture	Disabled
	Clipboard	Disabled
	Copy contents between normal and work profiles	Disabled
	Share via other apps	Disabled
	Users can adjust volume	Enabled
	Make a call	Enabled
Display Settings	Hide System bars	Disabled
	Hide Status Bar	Disabled
	Hide Navigation Bar	Disabled
	Split-screen mode	Enabled
	Display dialogs/windows	Enabled
Allow Connectivity Options	NFC	Enabled
	Android Beam	Enabled
	Beam from the device	Enabled
	Transfer data via Bluetooth	Enabled
	Configure Bluetooth	Enabled
	Configure cell broadcast	Enabled
	Configure cellular network	Enabled
	Users can reset network settings	Enabled
	Configure Wi-Fi	Enabled
	Configure hotspot and tethering	Enabled
Security Options	Minimum Wi-Fi Security Level	Open
Allow Sync Settings	Sync data in background	Enabled
	Sync data with Google account	Enabled
Allow Account Settings	SMS	Enabled
	Receive messages	Enabled
	Send messages	Enabled
	Modify Accounts/Users	Enabled
	Add Users	Enabled
	Remove Users	Enabled
	Configure user credentials	Enabled
Allow Settings	Developer mode	Disabled
	USB debugging	Disabled
	Modify settings	Enabled
	Power saving mode	Enabled
	Users can enable location sharing	Enabled
	Factory reset	Enabled
	Read any connected physical external media	Enabled
	Update date and time automatically	Enabled
	Set time zone automatically	Enabled
	Disable screen lock if the screen was turned off	Disabled
	Configure VPN	Enabled
Allow App Settings	Install apps	Enabled
	Uninstall apps	Enabled
	Control apps	Enabled
	Google Play Store	Enabled
	Verify apps before install	Disabled
	Install apps from unknown sources	Disabled
	App Runtime Permissions	Default permissions
	Parent profile app linking	Enabled
Factory Reset Protection (Google Account Verification)		Default

A standard data loss prevention policy for iOS, Android, Windows, and macOS devices.

Template name: Standard DLP Policy

Description: Standard Data Loss Prevention policies for optimal security.

Template Configuration:

• iOS > Passcode

Policy	Configuration
Allow simple value	Disabled
Require alpha numeric value	Enabled
Minimum Passcode Length	8
Minimum complex characters	1
Minimum passcode age in days (0-730 days)	30
Auto Lock	1 Minute
Passcode History (1-50 passcodes)	5
Grace period for device lock	Immediately
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically)	10

• iOS > Advanced Restrictions

Restrictions		Configuration
Allow Device Functionality	AirDrop	Enabled
	Apps can modify cellular data usage	Enabled
	Add or remove Touch ID/Face ID	Enabled
	iMessage	Enabled
	Game Center	Enabled
	Multiplayer gaming	Enabled
	Pair with iTunes	Enabled
	Install configuration profile	Enabled
	Definition lookup	Enabled
	Predictive keyboard	Enabled
	Auto-correct words	Enabled
	Suggest words on misspellings	Enabled
	Keyboard shortcuts	Enabled
	Pair with Apple Watch	Enabled
	Modify diagnostic data submission settings	Enabled
	Modify Bluetooth settings	Enabled
	Use voice to type	Enabled
	Connect to MDM-configured Wi-Fi networks only	Disabled
	Users can modify Personal Hotspot settings	Enabled
	Create VPN configuration	Enabled
	AirPrint	Enabled
	Connect with iBeacon	Enabled
	Store AirPrint credentials in Keychain	Enabled
	Use trusted certificates for secure printing	Disabled
Allow App Settings	Install app from App Store	Enabled
	Remove apps	Enabled
	Remove system apps	Enabled
	iBooks store	Enabled
	Apple Music	Enabled
	iTunes Radio	Enabled
	News	Enabled
	Podcasts	Enabled
	Download all purchased apps automatically	Enabled
Allow Security and Privacy Settings	Activation Lock	Disabled
	Modify an account	Enabled
	Erase content and settings	Enabled
	Siri can access user-generated content	Enabled
	Modify Find My Friends	Enabled
	Use profanity filter	Disabled
	Show web results using Spotlight Search	Enabled
	Modify Restrictions/Screen Time	Enabled
	Modify passcode	Enabled
	Modify device name	Enabled
	Modify wallpaper	Enabled
	Users can turn notifications on/off	Enabled
	Force Automatic Date and Time	Disabled
	Autofill Passwords	Enabled
	Request passwords from nearby devices	Enabled
	Share passwords via Airdrop Passwords feature	Enabled

• Android > Advanced Restrictions

Restrictions		Configuration
Allow device functionality	Microphone	Enabled
	Screen capture	Enabled
	Clipboard	Enabled
	Copy contents between normal and work profiles	Disabled
	Share via other apps	Enabled
	Users can adjust volume	Enabled
	Make a call	Enabled
Display Settings	Hide System bars	Disabled
	Hide Status Bar	Disabled
	Hide Navigation Bar	Disabled
	Split-screen mode	Enabled
	Display dialogs/windows	Enabled
Allow Connectivity Options	NFC	Enabled
	Android Beam	Enabled
	Beam from the device	Enabled
	Transfer data via Bluetooth	Enabled
	Configure Bluetooth	Enabled
	Configure cell broadcast	Enabled
	Configure cellular network	Enabled
	Users can reset network settings	Enabled
	Configure Wi-Fi	Enabled
	Configure hotspot and tethering	Enabled
Security Options	Minimum Wi-Fi Security Level	Open
Allow Sync Settings	Sync data in background	Enabled
	Sync data with Google account	Enabled
Allow Account Settings	SMS	Enabled
	Receive messages	Enabled
	Send messages	Enabled
	Modify Accounts/Users	Enabled
	Add Users	Enabled
	Remove Users	Enabled
	Configure user credentials	Enabled
Allow Settings	Developer mode	Disabled
	USB debugging	Disabled
	Modify settings	Enabled
	Power saving mode	Enabled
	Users can enable location sharing	Enabled
	Factory reset	Enabled
	Read any connected physical external media	Enabled
	Update date and time automatically	Enabled
	Set time zone automatically	Enabled
	Disable screen lock if the screen was turned off	Disabled
	Configure VPN	Enabled
Allow App Settings	Install apps	Enabled
	Uninstall apps	Enabled
	Control apps	Enabled
	Google Play Store	Enabled
	Verify apps before install	Disabled
	Install apps from unknown sources	Disabled
	App Runtime Permissions	Default permissions
	Parent profile app linking	Enabled
Factory Reset Protection (Google Account Verification)		Default

• Windows > Security > BitLocker

BitLocker Settings	Configuration
Prompt to encrypt storage card	Enabled
Prompt for device encryption	Enabled
Configure encryption method for disk drives	Select default value
Configure authentication when computer starts up	Select default value
Minimum length for BitLocker startup PIN	6
Configure pre-boot recovery message	Show default recovery message and URL
Configure recovery options for system drives	Disabled
Configure recovery options for fixed drives	Disabled
Fixed drives require encryption	Enabled
Removable drives require encryption	Enabled

• macOS > Security > FileVault

Policy Settings	Configuration
Enable FileVault	Enabled
Encrypt using	Institutional and Personal Recovery Key
Encryption certificate	HexnodeMDM FileVault Certificate
Show Personal Recovery Key to user	Enabled
Skip enabling FileVault at user login	Disabled

The CIS (Center for Internet Security) benchmarks are a set of security configuration guidelines for various operating systems, applications, and network devices. They provide a standardized framework for strengthening system security, helping organizations to reduce their exposure to attacks and improve their overall security posture. These benchmarks are developed through a community consensus process and are widely recognized as a best practice for securing devices across all supported platforms. Hexnode supports making devices partially CIS Benchmark compliant.

Template name: CIS Benchmark Compliance Level 1 – macOS

Description: Apply this template to get one step closer to CIS compliance on your macOS devices.

Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.

Template Configuration:

• macOS > Passcode

Settings	Configuration
Allow simple value	Enabled
Require alphanumeric value	Enabled
Change password at next login	Disabled
Minimum passcode length	15
Minimum complex characters
Maximum passcode age in days	1
Auto lock
Passcode history	15
Grace period for device to lock
Maximum failed attempts	5
Custom regular expression	Disabled

• macOS > Restrictions

Restrictions		Configuration
Allow Device Functionality	Auto-unlock with Apple Watch in proximity	Enabled
	Touch ID	Enabled
	Definition lookup	Enabled
	Enforce on-device-only dictation	Disabled
	Universal control	Enabled
	USB restricted mode	Enabled
	Incoming Airplay requests	Disabled
	Allow personalized ads from Apple	Disabled
	Install configuration profiles	Enabled
	Users can turn VPN on/off	Enabled
Allow App Settings	Stream using Music app	Enabled
	Camera	Enabled
	Game Center Add friends in Game Center Game Center account modifications Multiplayer gaming	Disabled
App Store	Allow software update notifications only	Disabled
Finder Settings	Burn data to disk	Enabled
	Connect to local servers or on the internet	Enabled
	Eject mounted volumes	Enabled
	Go to Folder	Enabled
	Show external hard disks on desktop	Enabled
	Show hard disk on desktop	Disabled
	Show mounted file servers on desktop	Disabled
	Show removable media items on desktop	Enabled
	Warn the user before emptying the trash	Enabled
Security	Ask for password when removing the policy	Disabled
	Timeout for Fingerprint	48 hour(s)
	Send diagnostics	Disabled
Allow iCloud Options	Back to My Mac	Disabled
	Find My Mac	Enabled
	iCloud Mail	Enabled
	Calendar	Enabled
	Reminder	Enabled
	Address Book	Enabled
	Notes	Enabled
	Auto-upload files in Desktop and Documents	Enabled
	Sync bookmarks with iCloud	Enabled
	Document and key-value sync	Enabled
	Sync passwords across devices	Enabled
	Photo library	Enabled
	Freeform services	Enabled

• macOS > Advanced Restrictions

Restrictions		Configuration
Device Functionality and Personalization	Screen Capture
	Remote Screen Observation	Enabled
	AirDrop	Disabled
	Wallpaper Modification	Enabled
	Dictation	Enabled
	Handoff	Enabled
	iTunes or Finder File Sharing	Enabled
	Show Web Results in Spotlight Search	Enabled
	iPhone mirroring	Enabled
	Show Wi-Fi status in menu bar	Enabled
	Show Bluetooth status in menu bar	Enabled
Security and Privacy	Activation Lock	Enabled
	Content caching	Let user choose
	Erase all content and settings	Enabled
	Passcode Modification	Enabled
	Autofill Passwords	Enabled
	Safari AutoFill	Enabled
	Request passwords from nearby devices	Enabled
	Share passwords via Airdrop Passwords feature	Enabled
	Users can modify File Sharing settings	Disabled
	Users can modify Bluetooth Sharing settings	Disabled
	Users can modify Printer Sharing settings	Disabled
	Users can modify Internet Sharing settings	Disabled
	Users can modify Remote Management Sharing settings	Disabled
	Users can modify Remote Apple Events Sharing settings	Disabled
	Users can modify an account	Enabled
	Users can modify Device Name	Enabled
	Users can create local user accounts	Enabled
	Users can add or remove Touch ID/Face ID	Enabled
	Users can modify Time Machine settings	Enabled
	Users can modify Startup Disk settings	Enabled
	Guest Account	Disabled
	keyboard entry for Terminal app	Enabled
	Software update deferment	15
	Users can modify Media Sharing settings	Enabled
	Bypass screen capture alert	Disabled
	App Installation From	Mac App Store and Identified Developers
App Store	Restrict app installations to admin users	Disabled
	Restrict App Store to Software Updates Only	Disabled
	Disable App Store app adoption	Disabled
	Restrict App Store to apps installed via MDM and software updates only	Disabled
Secure Wi-Fi Settings	Enforce admin authorization when switching between Wi-Fi networks	Disabled
	Enforce admin authorization to enable IBSS	Disabled
	Enforce admin authorization to turn Wi-Fi on/off	Disabled
Allow Apple Intelligence	Image playground	Enabled
	Writing tools	Enabled
	ChatGPT integration	Enabled
	ChatGPT user account sign-in	Enabled

• macOS > Security > Firewall

Restrictions		Configuration
Firewall	Enable Firewall	Enabled
	Enable stealth mode	Enabled
	Enable logging	Disabled
	Logging level	Throttled
	Block all incoming connections	Disabled
	Allow incoming connections to built-in software	Enabled
		Allow incoming connections to downloaded signed software	Enabled
Applications	Allow/block incoming connections to the following apps	Allow incoming connections

• macOS > Security > FileVault

Settings	Configuration
Prevent FileVault from being disabled	Disabled
Prevent FileVault from being enabled	Disabled
Enable FileVault	Enabled
Encrypt using	Institutional and Personal Recovery Key
Encryption certificate	–
Escrow Personal Recovery Key	Disabled
Show Personal Recovery Key to user	Enabled
Skip enabling FileVault at user login	Disabled
Require user to unlock FileVault after hibernation	Disabled

• macOS > Security > Login Window Preferences

Settings	Configuration
Display login window as	Name and password
Hide Shut Down button	Disabled
Hide Restart button	Disabled
Hide Sleep button	Disabled
Disable login items bypass	Disabled
Disable Console Access from Login Screen	Disabled
Disable Shut Down while user is logged in	Disabled
Disable Restart while user is logged in	Disabled
Disable Power Off while user is logged in	Disabled
Disable Log Out while user is logged in	Disabled
Disable Immediate Screen Lock options	Disabled
Password hints	Disabled
Automatic login	Disabled
Show text to display in the Login Window*	Welcome
Show Admin Host Info	–

• macOS > Patches & Updates > Software Update Preferences

Restrictions		Configuration
Software Update Preferences	Automatically check for new updates	Enable
	Automatically download new updates	Enable
	Automatically install macOS updates	Enable
	Automatically install app updates	Enable
	Automatically install critical updates	Enable
	Automatically install configuration data	Enable
	Install pre-release software	Not Configured
	Force admin privilege requirement for software updates	Not Configured
	Install Rapid Security Responses	Not Configured
	Allow removal of Rapid Security Responses	Not Configured
Defer Software Updates	Defer major upgrades	Not Configured
	Defer minor upgrades	Not Configured
	Defer app upgrades	Not Configured

• macOS > Configurations > Setup Assistant

Settings	Configuration
Skip Privacy setup	Disabled
Skip signing in with Apple ID	Disabled
Skip iCloud Storage setup	Disabled
Skip Siri setup	Disabled
Skip Choose Your Look setup	Disabled

• macOS > Configurations > Screensaver

Settings	Configuration
Enable Screensaver	Enabled
Login window screensaver idle time	1 min
Screensaver idle time	20 min
Require Password to unlock screen	Enabled
Set delay for password prompt	5 sec

• macOS > Configurations > Energy Saver

Restrictions		Configuration
Desktop	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
Laptop on AC Power	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
Laptop on Battery Power	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
General Settings	Prevent temporary FileVault key storage during standby	Disabled
	Disable device sleep	Disabled

Template name: CIS Benchmark Compliance Level 2 – macOS

Template Configuration:

• macOS > Passcode

Settings	Configuration
Allow simple value	Enabled
Require alphanumeric value	Enabled
Change password at next login	Disabled
Minimum passcode length	15
Minimum complex characters	1
Maximum passcode age in days	1
Auto lock	–
Passcode history	15
Grace period for device to lock	–
Maximum failed attempts	5
Custom regular expression	Disabled

• macOS > Restrictions

Restrictions		Configuration
Allow Device Functionality	Auto-unlock with Apple Watch in proximity	Enabled
	Touch ID	Enabled
	Definition lookup	Enabled
	Enforce on-device-only dictation	Disabled
	Universal control	Enabled
	USB restricted mode	Enabled
	Incoming Airplay requests	Disabled
	Allow personalized ads from Apple	Disabled
	Install configuration profiles	Enabled
	Allow App Settings	Stream using Music app	Enabled
Camera		Enabled
Game Center Add friends in Game Center Game Center account modifications Multiplayer gaming		Disabled
App Store	Allow software update notifications only	Disabled
Finder Settings	Burn data to disk	Enabled
	Connect to local servers or on the internet	Enabled
	Eject mounted volumes	Enabled
	Go to Folder	Enabled
	Show external hard disks on desktop	Enabled
	Show hard disk on desktop	Disabled
	Show mounted file servers on desktop	Disabled
	Show removable media items on desktop	Enabled
	Warn the user before emptying the trash	Enabled
Security	Ask for password when removing the policy	Disabled
	Timeout for Fingerprint	48 hour(s)
	Send diagnostics	Disabled
Allow iCloud Options	Back to My Mac	Enabled
	Find My Mac	Enabled
	iCloud Mail	Enabled
	Calendar	Enabled
	Reminder	Enabled
	Address Book	Enabled
	Notes	Enabled
	Auto-upload files in Desktop and Documents	Disabled
	Sync bookmarks with iCloud	Enabled
	Document and key-value sync	Enabled
	Sync passwords across devices	Enabled
	Photo library	Enabled
	Freeform services	Enabled

• macOS > Advanced Restrictions

Restrictions		Configuration
Device Functionality and Personalization	Screen Capture Remote Screen Observation	Enabled
	AirDrop	Disabled
	Wallpaper Modification	Enabled
	Dictation	Enabled
	Handoff	Enabled
	iTunes or Finder File Sharing	Enabled
	Show Web Results in Spotlight Search	Enabled
	iPhone mirroring	Enabled
	Show Wi-Fi status in menu bar	Disabled
	Show Bluetooth status in menu bar	Disabled
	Security and Privacy	Activation Lock	Enabled
Content caching		Restrict
Erase all content and settings		Enabled
Passcode Modification		Enabled
Autofill Passwords		Enabled
Safari AutoFill		Enabled
Request passwords from nearby devices		Enabled
Share passwords via Airdrop Passwords feature		Enabled
Users can modify File Sharing settings		Disabled
Users can modify Bluetooth Sharing settings		Disabled
Users can modify Printer Sharing settings		Disabled
Users can modify Internet Sharing settings		Disabled
Users can modify Remote Management Sharing settings		Disabled
Users can modify Remote Apple Events Sharing settings		Disabled
Users can modify an account		Enabled
Users can modify Device Name		Enabled
Users can create local user accounts		Enabled
Users can add or remove Touch ID/Face ID		Enabled
Users can modify Time Machine settings		Enabled
Users can modify Startup Disk settings		Enabled
Guest Account		Disabled
keyboard entry for Terminal app		Disabled
Software update deferment		15
Users can modify Media Sharing settings		Disabled
Bypass screen capture alert		Disabled
App Installation From		Mac App Store and Identified Developers
App Store	Restrict app installations to admin users	Disabled
	Restrict App Store to Software Updates Only	Disabled
	Disable App Store app adoption	Disabled
	Restrict App Store to apps installed via MDM and software updates only	Disabled
Secure Wi-Fi Settings	Enforce admin authorization when switching between Wi-Fi networks	Disabled
	Enforce admin authorization to enable IBSS	Disabled
	Enforce admin authorization to turn Wi-Fi on/off	Disabled
Allow Apple Intelligence	Image playground	Enabled
	Writing tools	Enabled
	ChatGPT integration	Enabled
	ChatGPT user account sign-in	Enabled

• macOS > Security > Firewall

Restrictions		Configuration
Firewall	Enable Firewall	Enabled
	Enable stealth mode	Enabled
	Enable logging	Disabled
	Logging level	Throttled
	Block all incoming connections	Disabled
	Allow incoming connections to built-in software	Enabled
	Allow incoming connections to downloaded signed software	Enabled
Applications	Allow/block incoming connections to the following apps	Allow incoming connections

• macOS > Security > FileVault

Settings	Configuration
Prevent FileVault from being disabled	Disabled
Prevent FileVault from being enabled	Disabled
Enable FileVault	Enabled
Encrypt using	Institutional and Personal Recovery Key
Encryption certificate	–
Escrow Personal Recovery Key	Disabled
Show Personal Recovery Key to user	Enabled
Skip enabling FileVault at user login	Disabled
Require user to unlock FileVault after hibernation	Disabled

• macOS > Security > Login Window Preferences

Settings	Configuration
Display login window as	Name and password
Hide Shut Down button	Disabled
Hide Restart button	Disabled
Hide Sleep button	Disabled
Disable login items bypass	Disabled
Disable Console Access from Login Screen	Disabled
Disable Shut Down while user is logged in	Disabled
Disable Restart while user is logged in	Disabled
Disable Power Off while user is logged in	Disabled
Disable Log Out while user is logged in	Disabled
Disable Immediate Screen Lock options	Disabled
Password hints	Disabled
Automatic login	Disabled
Show text to display in the Login Window*	Welcome
Show Admin Host Info	–

• macOS > Patches & Updates > Software Update Preferences

Restrictions		Configuration
Software Update Preferences	Automatically check for new updates	Enable
	Automatically download new updates	Enable
	Automatically install macOS updates	Enable
	Automatically install app updates	Enable
	Automatically install critical updates	Enable
	Automatically install configuration data	Enable
	Install pre-release software	Not Configured
	Force admin privilege requirement for software updates	Not Configured
	Install Rapid Security Responses	Not Configured
	Allow removal of Rapid Security Responses	Not Configured
Defer Software Updates	Defer major upgrades	Not Configured
	Defer minor upgrades	Not Configured
	Defer app upgrades	Not Configured

• macOS > Configurations > Setup Assistant

Settings	Configuration
Skip Privacy setup	Disabled
Skip signing in with Apple ID	Disabled
Skip iCloud Storage setup	Disabled
Skip Siri setup	Disabled
Skip Choose Your Look setup	Disabled

• macOS > Configurations > Screensaver

Settings	Configuration
Enable Screensaver	Enabled
Login window screensaver idle time	1 min
Screensaver idle time	20 min
Require Password to unlock screen	Enabled
Set delay for password prompt	5 sec

• macOS > Configurations > Energy Saver

Restrictions		Configuration
Desktop	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
Laptop on AC Power	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
Laptop on Battery Power	Automatically startup on power loss	Disabled
	Idle timeout for system sleep	0 mins
	Idle timeout for display sleep	0 mins
	Wake for network access	Disabled
General Settings	Prevent temporary FileVault key storage during standby	Disabled
	Disable device sleep	Disabled

The CIS Benchmarks are compliance guidelines for securely configuring IT systems. They provide best practices to reduce vulnerabilities and enhance security, covering areas such as password policies, account management, and system services. Adhering to these guidelines helps improve security and ensure regulatory compliance. Currently, Hexnode supports making Windows devices partially CIS Benchmark compliant.

Template name: CIS Benchmark Compliance – Windows

Description: Apply this template to get one step closer to CIS compliance on your Windows devices. 

Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.

Template Configuration:

• Windows > Password

Password settings	Configuration
Allow simple value	Disabled
Password type	Alphanumeric password
Minimum password length	14
Password Complexity	Digits, lowercase and uppercase letters
Minimum password age (in days)	365
Auto-lock (in minutes)	15
Password history	24
Failed attempt before wipe	0

• Windows > Restrictions

Restrictions		Configuration
Allow device functionality	Camera	Disabled
	Cortana voice assistant	Enabled
	Use Cortana if device is locked	Enabled
	Use storage card and USB drives	Disabled
	Telemetry	Disallow
	Location services	Force Location Off
	Change language	Enabled
	Users can enable/disable Workplace	Enabled
	Users can change AutoPlay settings	Enabled
Allow App Settings	Sync Settings	Enabled
	Allow SignIn Options	Enabled
	Allow News and Interests	Disabled
Allow Network Settings	Wi-Fi	Enabled
	Bluetooth	Enabled
	Discover device over Bluetooth	Enabled
	Users can turn VPN on/off	Enabled
	Connect to VPN if on mobile network	Enabled
	Connect to VPN if roaming	Enabled
	Cellular data roaming	Enabled
Allow Security and Privacy Settings	Manual MDM administration removal	Enabled
	Show toast notification on lock screen	Disable
Account Settings	OneDrive file sync	Disabled

• Windows > Advanced Restrictions

Restrictions		Configuration
Allow device functionality	Users can reset the device	Enabled
	Users can change date and time	Disabled
	Users can change power and sleep settings	Enabled
	Allow Embedded Mode	Disabled
	Allow Region	Enabled
Allow App Settings	Unlock developer options	Not Configured
	Search can use user location	Disabled
Allow Network Settings	Internet Sharing	Enabled
	Connect to Wi-Fi Sense automatically	Disabled
	Connect to external Wi-Fi networks manually	Enabled
	Wi-Fi Direct	Enabled
Allow Security and Privacy Settings	Install provisioning package	Enabled
	Mandate signed certificate for provisioning package	Disabled
	Remove provisioning package	Enabled
	Receive advertisements over Bluetooth	Disabled
	Pair with other devices automatically	Disabled
	Users can download Windows beta updates	Disallow
Windows AI	AI Data Analysis	Not Configured
Customize Start Menu	Documents folder	Not enforced
	Downloads folder	Not enforced
	File Explorer	Not enforced
	Home group	Not enforced
	Music folder	Not enforced
	Networks	Not enforced
	Personal folder	Not enforced
	Pictures folder	Not enforced
	Settings	Not enforced
	Videos folder	Not enforced
Account Settings	Block Microsoft accounts	Not Configured
	Users can change account settings	Enabled
	Users can add non-Microsoft accounts	Enabled
	Users can connect using Microsoft accounts	Enabled

• Windows > Threat Management > Microsoft Defender

Policy Settings		Configuration
Microsoft Defender Application Guard	Microsoft Defender Application Guard	Enabled
	Clipboard behavior	Turn On clipboard operation from an isolated session to the host
	Clipboard settings	Allow copying texts
	Print behavior	None
	Block non-enterprise content	Disabled
	Data persistence	Disabled
	Virtual GPU	Disabled
	Save files to host	Disabled
	Certificate Thumbprints	Not configured
	Access Camera and Microphone	Disabled
Windows Defender Security Center	Enable account protection UI	Enabled
	Enable app and browser protection UI	Enabled
	Disallow exploit protection override	Enabled
	Enable Device security UI	Enabled
	Disable TPM Firmware update warning	Disabled
	Show the Security processor (TPM) troubleshooting area	Enabled
	Disable Clear TPM button	Disabled
	Hide the Secure boot area	Disabled
	Notifications	Display all notifications
	Enable family UI	Enabled
	Enable health UI	Enabled
	Enable network UI	Enabled
	Enable virus UI	Enabled
	Hide the Ransomware data recovery area	Disabled
	Enable customized toasts	Disabled
	Enable in-app customization	Disabled
	Company name	Not configured
	Email address	Not configured
	Phone number/Skype ID	Not configured
	Help portal URL	Not configured
	Hide Windows Security notification area control	Disabled

• Windows > Security > BitLocker

BitLocker Settings	Configuration
Require encryption for OS and fixed data drives	Enabled
Hide warning about existing third-party encryption	Disabled
Recovery Password rotation	Not Configured
Escrow recovery password to Hexnode UEM	Enabled
OS Drive Settings
Configure BitLocker OS drive policy	Enabled
Configure encryption method	Disabled
Configure additional startup authentication settings	Enabled
Allow BitLocker to be activated on devices without a compatible TPM	Disabled
Configure advanced authentication options for devices with compatible TPM	Required Options: Startup PIN
Minimum PIN length	6
Configure pre-boot recovery message and URL	Disabled
Users must generate a recovery key or password	Recovery Key, Password or both
Save BitLocker recovery information to Active Directory Domain Services (AD DS)	Password and Key
Block certificate-based data recovery agent	Enabled
Hide recovery options on the device	Enabled
Do not enable BitLocker until recovery information is stored in AD DS	Enabled
Fixed Drive Settings
Configure BitLocker fixed drive policy	Enabled
Configure encryption method	Disabled
Block access to drives not protected by BitLocker	Disabled
Configure recovery options	Enabled
Users must generate a recovery key or password	Recovery Key, Password or both
Save BitLocker recovery information to Active Directory Domain Services (AD DS)	Disable
Block certificate-based data recovery agent	Disabled
Hide recovery options on the device	Disabled
Do not enable BitLocker until recovery information is stored in AD DS	Disabled
Removable Drive Settings
Configure BitLocker removable drive policy	Enabled
Configure encryption method	Disabled
Block access to drives not protected by BitLocker	Enabled

• Windows > Configurations > Screensaver

Screensaver Settings	Configuration
Enable Screensaver	Enabled
Select Screensaver	Blank
Require Password to unlock screen	Enabled
Start screensaver after _ minutes of inactivity	15
Prevent user from accessing screensaver settings on device	Disabled

• Windows > Patches & Updates > Windows Update Preferences

Settings	Configuration
Update drivers	Disabled
Optional Updates	Not Configured
Download updates over metered network	Not Configured
Ignore download limits for app updates	Not Configured
Ignore download limits for OS updates	Not Configured
Automatic wake up for maintenance	Enabled
Disable WUfB Safeguards	Disabled
Target product	Not Configured
Target version	Not Configured
Feature update uninstall period	10 day(s)
Pre-release builds	Not Configured
Update channel	Semi-annual
Update Deferral
Defer Quality Updates	Enabled
Deferral period (Defer Quality Updates)	0 day(s)
Defer Feature Updates	Enabled
Deferral period (Defer Feature Updates)	0 day(s)

• Windows > Patches & Updates > Windows Update Experience

Settings	Configuration
Microsoft App Update Service	Disabled
Automatic update behavior	Auto install updates and notify users to restart if required
Active hours	Start time: 8:00 AM End time: 5:00 PM
Maximum range of active hours	18 hours
Skip restart checks	Disabled
Disable pause updates	Enabled
Disallow users to check for updates	Disabled
Notifications
Update notification level	Default Windows Notification
Notifications during Active Hours	Not Configured
Auto-restart notifications	Not Configured
Deadlines
Configure update deadlines	Disabled
Configure restart deadlines	Disabled
Configure engaged restart deadlines	Disabled

A pre-configured policy template for securing point-of-sale (POS) devices with the necessary security configurations and restrictions.

Template name: POS Device Policy

Description: Secure POS devices by enforcing pre-configured security configurations.

Template Configuration:

• iOS > Basic Restrictions
  

Restrictions		Configuration
Allow Device Functionality	Camera	Enabled
	FaceTime	Enabled
	Screen capture	Enabled
	Allow Remote Screen Observation	Enabled
	Touch ID	Enabled
	Siri	Enabled
	Allow Siri while device is locked	Enabled
	Voice dialing	Enabled
	Automatic sync while roaming	Enabled
Allow Application Settings	Install apps	Disabled
	iTunes Store	Enabled
	Force user to enter iTunes store password for each purchase	Enabled
	In-app purchases	Enabled;
	Trust enterprise app	Enabled
	Users can modify enterprise app trust	Enabled
	Backup enterprise-deployed iBooks	Enabled
	Sync managed app data with iCloud	Disabled
	YouTube	Enabled
	Safari	Enabled
	Autofill	Enabled
	Fraud warning	Disabled
	JavaScript	Enabled
	Block pop-ups	Enabled
	Accept cookies	Always
	Access Passbook when the device is locked	Disabled
	Add friends in Game Center	Enabled
Allow iCloud Settings	Backup	Enabled
	Sync documents	Enabled
	Photo Stream	Enabled
	Share photo streams	Enabled
	iCloud photo library	Enabled
	Sync enterprise book metadata across devices	Enabled
Allow Security and Privacy Settings	Lock screen notifications	Enabled
	Today View on lock screen	Enabled
	Control Center on lock screen	Enabled
	Over the air PKI updates	Enabled
	Limit ad tracking	Disabled
	Send diagnostic data to Apple	Enabled
	Accept untrusted TLS certificate	Enabled
	Force encrypted backup	Disabled
	Show notification on Apple Watch if worn	Disabled
Allow Explicit Content	Explicit music, podcasts and iTunes services	Enabled
	iBooks store erotica	Disabled
	Rating region	United States
	Movies	Allow All Movies
	TV Shows	Allow All TV Shows
	Apps	Allow All Apps

• iOS > Advanced Restrictions
  

Restrictions		Configuration
Allow Device Functionality	AirDrop	Enabled
	Apps can modify cellular data usage	Enabled
	Add or remove Touch ID/Face ID	Enabled
	iMessage	Enabled
	RCS messaging	Enabled
	Game Center	Enabled
	Multiplayer gaming	Enabled
	Install configuration profile	Enabled
	Handoff	Enabled
	Definition lookup	Enabled
	Predictive keyboard	Enabled
	Auto-correct words	Enabled
	Suggest words on misspellings	Enabled
	QuickPath Keyboard	Enabled
	Keyboard shortcuts	Enabled
	USB Drive Access in Files App	Enabled
	Network Drive Access in Files App	Enabled
	Pair with Apple Watch	Enabled
	Modify diagnostic data submission settings	Enabled
	Modify Bluetooth settings	Enabled
	Use voice to type	Enabled
	Force Wi-Fi ON	Enabled
	Connect to MDM-configured Wi-Fi networks only	Disabled
	Users can modify Personal Hotspot settings	Enabled
	Create VPN configuration	Enabled
	AirPrint	Enabled
	Connect with iBeacon	Enabled
	Store AirPrint credentials in Keychain	Enabled
	Use trusted certificates for secure printing	Disabled
	Modify cellular plan settings	Enabled
	eSIM Modification	Enabled
	Outgoing eSIM transfer	Enabled
	Live Voicemail	Enabled
	Force preserve eSIM on erase	Disabled
	Auto dimming	Enabled
	iPhone mirroring	Enabled
	Call recording	Enabled
Allow App Settings	Install app from App Store	Disabled
	Install apps from third-party app marketplaces	Enabled
	Install apps from web	Enabled
	Remove apps	Disabled
	Remove system apps	Enabled
	iBooks store	Enabled
	Apple Music	Enabled
	iTunes Radio	Enabled
	News	Enabled
	Podcasts	Enabled
	Download all purchased apps automatically	Enabled
	Lock apps	Enabled
	Hide apps	Enabled
Allow Security and Privacy Settings	Activation Lock	Disabled
	Modify an account	Enabled
	Erase content and settings	Enabled
	Siri can access user-generated content	Enabled
	Find My Friends	Enabled
	Find My Device	Enabled
	Modify Find My Friends	Enabled
	Use profanity filter	Disabled
	Show web results using Spotlight Search	Enabled
	Modify Restrictions/Screen Time	Enabled
	Modify passcode	Enabled
	Modify device name	Enabled
	Users can modify default browser	Enabled
	Modify wallpaper	Enabled
	Users can turn notifications on/off	Enabled
	Force Automatic Date and Time	Disabled
	Autofill Passwords	Enabled
	Request passwords from nearby devices	Enabled
	Share passwords via Airdrop Passwords feature	Enabled
	Allow USB accessories when locked	Disabled
	Prevent pairing with non-Configurator hosts	Disabled
	Shared iPad temporary session	Enabled
Allow Apple Intelligence	Genmoji	Enabled
	Image Playground	Enabled
	Image Wand	Enabled
	Personalized Handwriting Results	Enabled
	Writing Tools	Enabled
	Mail Summary	Enabled
	ChatGPT integration	Enabled
	ChatGPT user account sign-in	Enabled

• iOS > App Management > Blocklist/Allowlist
  

  Policy Setting	Apps
  Allowlist	Settings	Phone	FaceTime

• Android > Basic Restrictions
  

  Policy Settings		Configuration
  Allow Device Functionality	Camera	Enabled
  	USB Mass Storage	Enabled
  	USB file transfer	Disabled
  	Home button	Enabled
  	Power Off	Disabled
  	Safe mode	Enabled
  	Airplane mode	Enabled
  	Lock screen shortcuts	Enabled
  	Widgets on lock screen	Enabled
  	Screen Orientation	Allow user to choose
  	Screen Timeout	Keep Current Settings
  Allow Network Settings	Wi-Fi	Enabled
  	Force Wi-Fi	Enabled
  	Bluetooth	Enabled
  	Force Bluetooth	Disabled
  	Mobile data/td>	Enabled
  	Tethering	Enabled
  	USB tethering	Enabled
  	Bluetooth tethering	Enabled
  	Portable Wi-Fi hotspot	Users can choose
  	Data roaming	Enabled
  	Connect to 2G network	Enabled
  Allow Location Settings	Mock location	Enabled
  	GPS	Enabled
  	Force GPS to fetch location	Enabled
  Allow Sync Settings	Backup service	Disabled
  Security Options	Allow MDM Administration removal	Disabled

• Android > Advanced Restrictions

Policy Setting		Configuration
Allow Device functionality	Microphone	Enabled
	Screen capture	Disabled
	Clipboard	Disabled
	Share via other apps	Enabled
	Users can adjust volume	Enabled
	Make a call	Enabled
	Receive calls	Enabled
	USB Host Storage	Enabled
	Allow input methods	Enabled
Allow Settings	Developer mode	Enabled
	USB debugging	Enabled
	Modify settings	Enabled
	Power saving mode	Enabled
	Users can enable location sharing	Enabled
	Factory Reset	Enabled
	Advanced Factory Reset	Enabled
	Read any connected physical external media	Enabled
	Disable screen lock if the screen was turned off	Disabled
	Configure VPN	Enabled
	Automatically power off a device when power cable is detached	Disabled
	Automatically power on a device when power cable is connected	Disabled
Date and Time Settings	Set date and time automatically	Enabled
	Set time zone automatically	Enabled
	Allow users to modify date, time and time zone	Enabled
	Time format	Keep Current Settings
Lock Screen Customizations	Lock Screen Camera	Enabled
	Trust Agents for Smart Lock	Enabled
	Lock Screen Notifications	Enabled
	Fingerprint Unlock	Enabled
	Iris Scanner	Enabled
	Face Unlock	Enabled
	Unredacted Notifications	Enabled
Allow App Settings	Install apps	Enabled
	Uninstall apps	Enabled
	Control apps	Enabled
	Google Play Store	Enabled
	Verify apps before install	Disabled
	Install apps from unknown sources	Enabled
	App Runtime Permissions	Default
	Parent profile app linking	Enabled
	Allow cross-profile app communication	Disabled
	Factory Reset Protection (Google Account Verification)	Default
Accessibility Settings	Accessibility services	Enabled
	Accessibility services	Disabled

• Kiosk Lockdown > iOS Kiosk Lockdown > Multi App
  Apps added in kiosk: Settings, Phone, FaceTime
• Kiosk Lockdown > Android Kiosk Lockdown > Multi App
  Apps added in kiosk: Google Chrome
• Kiosk Lockdown > Android Kiosk Lockdown > Peripheral Settings
  

  Policy Setting		Configuration
  	Users can turn Wi-Fi on/off	Disabled
  	Connect to and switch between saved Wi-Fi networks	Disabled
  	Add hidden Wi-Fi networks	Disabled
  	Users can delete Wi-Fi networks	Disabled
  	Users can disconnect from currently connected network	Disabled
  	Show all available Wi-Fi networks	Disabled
  	Auto-exit Wi-Fi settings page in	Disabled
  	Wi-Fi Hotspot	Disabled
  	Users can configure Wi-Fi hotspot	Disabled
  	Users can turn mobile data on/off	Disabled
  	Users can choose preferred network type	Disabled
  	Allow users to turn Bluetooth on/off	Disabled
  	Airplane mode	Disabled
  	Users can enable accessibility settings	Disabled
  Display	Disable system bars	Disabled
  	Enable status bar	Disabled
  	Keep screen On	Enabled
  	Brightness	Keep current brightness
  Hardware/software buttons	Users can turn device Off	Enabled
  	Disable volume button	Disabled
  	Enable Recent apps button	Disabled
  Advanced Lock	Lock task mode	Disabled
  	System Info	Disabled
  	Home button	Disabled
  	Notifications	Disabled
  	Recent apps button	Disabled
  	Global actions	Disabled
  	Activate Lock task mode on reboot while the device is locked	Disabled
  Hexnode MDM Settings	Show option to manually exit kiosk lockdown	Disabled
  	Grant Hexnode MDM any newer permissions manually	Disabled
  	Sync device with MDM	Disabled
  	Show device and server information	Disabled
  App Settings	Access app catalogs in kiosk	Disabled
  	Show blocked package name on the device	Enabled
  	Disable app crash reporting	Disabled
  	Clear apps from background when user leaves the app	Disabled
  	Enable required app installation in kiosk	Disabled
  Location	Users can add location notes	Disabled
  Messenger	View messages sent by admin	Disabled
  Other options	Allow users to turn flashlight on/off	Disabled
  	Allow users to modify device password	Disabled
  	Floating icon	Disabled
  	Tap & Swipe gesture	Disabled
  	Triple tap on the top-right corner of the screen to show device and server details option	Disabled
  	Triple tap on the top-right corner of the screen to show peripheral settings	Disabled

• Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
  

  Policy Settings	Configuration
  Allow manually exiting kiosk mode	Enabled
  Number of taps to display the popup to enter the exit passcode	10
  Exit manually from kiosk mode while an app is open	Disabled
  Reboot and tap to exit from kiosk mode	Enabled
  Relaunch app	20 seconds after reboot
  Auto-enable kiosk mode	Disabled

A pre-configured policy to set up a website kiosk on Android TVs.

Template name: Website Kiosk for Android TV

Description: Lock down your Android TVs to a specific website using website kiosk mode.

Template Configuration:

• Kiosk Lockdown > Android Kiosk Lockdown > Single App
  Apps added: Hexnode MDM Portal (Web App)
• Kiosk Lockdown > Android Kiosk Lockdown > Launcher
  

  Policy Settings		Configuration
  Auto-Launch	Select app	Hexnode MDM Portal
  	App auto-launch delay	20 seconds
  Customizations	Customize kiosk launcher	Disabled
  	Icon size	Medium
  	Font size	Small
  	Title bar height	10 % of screen height
  	Logo height	50 % of title bar height
  	Logo width	25 % of screen width
  	Title font	Helvetica
  	Title height	50 % of title bar height
  	Title color	Default
  	Title bar background color	Default
  	Logo-title alignment	Left

• Kiosk Lockdown > Android Kiosk Lockdown > Kiosk Exit Settings
  

  Policy Settings	Configuration
  Allow manually exiting kiosk mode	Enabled
  Number of taps to display the popup to enter the exit passcode	10
  Exit manually from kiosk mode while an app is open	Disabled
  Reboot and tap to exit from kiosk mode	Enabled
  Relaunch app	20 seconds after reboot
  Auto-enable kiosk mode	Disabled

A policy template to lock down Android TV to a set of apps using pre-configured kiosk configurations.

Template name: Kiosk Lockdown for Android TV

Description: Lock down your Android TV to a handful of applications.
Template Configuration:

• Kiosk Lockdown > Android Kiosk Lockdown > Multi App
  • Apps added: YouTube for Android TV
  • Customizations: Icon size (Medium)
• Kiosk Lockdown > Android Kiosk Lockdown >Kiosk Exit Settings
  

  Policy Settings	Configuration
  Allow manually exiting kiosk mode	Enabled
  Number of taps to display the popup to enter the exit passcode	10
  Exit manually from kiosk mode while an app is open	Disabled
  Reboot and tap to exit from kiosk mode	Enabled
  Relaunch app	20 seconds after reboot
  Auto-enable kiosk mode	Disabled

A policy template to secure Android TV using password policies and restrictions.

Template name: Android TV Security Settings

Description: Secure Android TV by enforcing password rules and restrictions.

Template Configuration:

• Android > Password > Device Password
  

  Policy Settings	Configuration
  Minimum password complexity	None
  Customize password complexity	Enabled
  Password Complexity	Alphanumeric
  Minimum Passcode Length	8
  Auto-lock after	5

• Android > Restrictions > Basic
  

  Policy Settings		Configuration
  Allow Device Functionality	Camera	Enabled
  	USB Mass Storage	Enabled
  	USB file transfer	Disabled
  	Home button	Enabled
  	Power Off	Disabled
  	Safe mode	Enabled
  	Airplane mode	Enabled
  	Lock screen shortcuts	Enabled
  	Widgets on lock screen	Enabled
  	Screen Orientation	Allow user to choose
  	Screen Timeout	Keep Current Settings
  Allow Network Settings	Wi-Fi	Enabled
  	Force Wi-Fi	Enabled
  	Bluetooth	Disabled
  	Force Bluetooth	Disabled
  	Mobile data	Enabled
  	Tethering	Enabled
  	USB tethering	Enabled
  	Bluetooth tethering	Enabled
  	Portable Wi-Fi hotspot	Users can choose
  	Data roaming	Enabled
  	Connect to 2G network	Enabled
  Allow Location Settings	Mock location	Enabled
  	GPS	Enabled
  	Force GPS to fetch location	Enabled
  Allow Sync Settings	Backup service	Enabled
  Security Options	Allow MDM Administration removal	Enabled