How to use pre-configured policy templates in Hexnode UEM for easy policy deployment

A Hexnode UEM policy template is a set of pre-configured policies that you can use to create new policies and associate them with the required target devices. Apart from the default policy templates, you can also create new templates in the Hexnode portal.
To associate a policy template with a target device, you first have to copy it to My Policies. You can either use the copied template directly or modify the template policy before attaching it to the devices. With Hexnode, you can create more than one policy from the same policy template. So, to create multiple policies with the same configuration, you just have to create one template and make copies of it.
Hexnode’s Pre-defined Policy Templates include:

Note: Instead of creating a large number of identical policies by configuring each one individually, you can create a policy template in Hexnode with the required configurations. This single template can then be copied into policies as many times as required.

Pre-configured templates in Hexnode:

Android Website kiosk

A pre-configured policy template to lock down Android devices to a couple of web apps in multi-app kiosk mode.

Template name: Android Website Kiosk

Description: Lock down Android devices to a handful of websites.

Template Configuration:

Kiosk Lockdown > Android Kiosk Lockdown > Multi App: Amazon feedback & Amazon affiliates.

BitLocker Security Policy

A policy that is pre-configured to provide basic industry-standard BitLocker encryption along with Windows password security.

Template name: BitLocker Security Policy

Description: Enable BitLocker encryption for industry-standard security.

Template Configuration:

  • Windows > Password
  • Password settings Configuration
    Allow simple value Disabled
    Password type Users can choose
    Minimum Password length 8
    Minimum complex characters Digits only
    Minimum passcode age (in days) 0
    Auto-Lock (in minutes) 0
    Passcode history 0
    Failed attempt before wipe 0
  • Windows > Security > BitLocker
  • BitLocker Settings Configuration
    Prompt to encrypt storage card Enabled
    Prompt for device encryption Enabled
    Configure encryption method for disk drives Select default value
    Configure authentication when computer starts up Enable
    Allow BitLocker without a Trusted Platform Module (TPM) Select default value
    Authenticate with TPM startup key Disallow
    Authenticate with TPM startup pin Disallow
    Authenticate with TPM startup key and PIN Disallow
    Enable TPM during startup Disallow
    Minimum length for BitLocker startup PIN 6
    Configure pre-boot recovery message Show default recovery message and URL
    Configure recovery options for system drives Disabled
    Configure recovery options for fixed drives Disabled
    Fixed drives require encryption Enabled
    Removable drives require encryption Enabled

BYOD Policy for Corporate Data Containerization

A policy template to protect corporate data on any iOS or Android BYOD device.

Template name: BYOD Policy for Corporate Data Containerization

Description: A common policy for iOS & Android devices to safeguard the corporate data in Managed apps and Work containers.

Template Configuration:

  • iOS > Restrictions
  • Restrictions Configuration
    Allow Device Functionality:
    Camera  Enabled
    FaceTime  Enabled 
    Screen capture  Enabled 
    Touch ID  Enabled 
    Siri  Enabled 
    Allow Siri while device is locked  Enabled 
    Voice dialing  Enabled 
    Automatic sync while roaming  Enabled 
    Allow Application Settings:
    Show App Store on the device  Enabled
    iTunes Store  Enabled 
    Force user to enter iTunes store password for each purchase  Enabled 
    In-app purchases  Enabled 
    Trust enterprise app  Enabled 
    Users can modify enterprise app trust  Enabled 
    Backup enterprise-deployed iBooks  Enabled 
    Sync managed app data with iCloud  Disabled 
    YouTube  Enabled 
    Safari  Enabled 
    Autofill  Enabled 
    Fraud warning  Disabled 
    JavaScript  Enabled 
    Block pop-ups  Enabled 
    Accept cookies  Always 
    Access Passbook when the device is locked  Disabled 
    Add friends in Game Center  Enabled 
    Allow iCloud Settings:
    Backup Enabled
    Sync documents Enabled
    Photo Stream (Disallowing might cause data loss) Enabled
    Share photo streams Enabled
    iCloud photo library Enabled
    Sync enterprise book metadata across devices Enabled
    Allow Security and Privacy Settings:
    Lock screen notifications  Enabled
    Today View on lock screen  Enabled 
    Control Center on lock screen  Enabled 
    Over the air PKI updates  Enabled 
    Limit ad tracking  Disabled 
    Send diagnostic data to Apple  Enabled 
    Accept untrusted TLS certificate  Enabled 
    Force encrypted backup  Disabled 
    Show notification on Apple Watch if worn  Disabled 
    Allow Explicit Content:
    Explicit music, podcasts and iTunes U services  Enabled
    iBooks store erotica  Disabled 
    Rating region  United States 
    Content rating:
    Movies Allow All Movies 
    TV Shows  Allow All TV Shows 
    Apps  Allow All Apps 
  • iOS > Advanced Restrictions
  • Restrictions Configuration
    Allow Device Functionality:
    AirDrop Enabled
    Apps can modify cellular data usage Enabled
    Add or remove Touch ID/Face ID Enabled
    iMessage Enabled
    Game Center Enabled
    Multiplayer gaming Enabled
    Pair with iTunes Enabled
    Install configuration profile Enabled
    Definition lookup Enabled
    Predictive keyboard Enabled
    Auto-correct words Enabled
    Suggest words on misspellings Enabled
    Keyboard shortcuts Enabled
    Pair with Apple Watch Enabled
    Modify diagnostic data submission settings Enabled
    Modify Bluetooth settings Enabled
    Use voice to type Enabled
    Connect to MDM-configured Wi-Fi networks only Disabled
    Users can modify Personal Hotspot settings Enabled
    Create VPN configuration Enabled
    AirPrint Enabled
    Connect with iBeacon Enabled
    Store AirPrint credentials in Keychain Enabled
    Use trusted certificates for secure printing Disabled
    Allow App Settings:
    Install app from App Store Enabled
    Remove apps Enabled
    Remove system apps Enabled
    iBooks store Enabled
    Apple Music Enabled
    iTunes Radio Enabled
    News Enabled
    Podcasts Enabled
    Download all purchased apps automatically Enabled
    Allow Security and Privacy Settings:
    Activation Lock Disabled
    Modify an account Enabled
    Erase content and settings Enabled
    Siri can access user-generated content Enabled
    Modify Find My Friends Enabled
    Use profanity filter Disabled
    Show web results using Spotlight Search Enabled
    Modify Restrictions/Screen Time Enabled
    Modify passcode Enabled
    Modify device name Enabled
    Modify wallpaper Enabled
    Users can turn notifications on/off Enabled
    Force Automatic Date and Time Disabled
    Autofill Passwords Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
  • iOS > Security > Business Container
  • Settings Configuration
    Open documents from managed apps in unmanaged apps Disabled
    Open documents from unmanaged apps in managed apps Disabled
    Managed apps can write to Unmanaged Contact Accounts Disabled
    Unmanaged apps can read from Managed Contact Accounts Disabled
    Block Sharing Managed Document using AirDrop Disabled
  • Android > Advanced Restrictions
  • Restrictions Configuration
    Allow device functionality:
    Microphone Enabled
    Screen capture Disabled
    Clipboard Enabled
    Copy contents between normal and work profiles Enabled
    Share via other apps Enabled
    Users can adjust volume Enabled
    Make a call Enabled
    Display Settings:
    Hide System bars Disabled
    Hide Status Bar Disabled
    Hide Navigation Bar Disabled
    Split-screen mode Enabled
    Display dialogs/windows Enabled
    Allow Connectivity Options:
    NFC Enabled
    Android Beam Enabled
    Beam from the device Enabled
    Transfer data via Bluetooth Enabled
    Configure Bluetooth Enabled
    Configure cell broadcast Enabled
    Configure cellular network Enabled
    Users can reset network settings Enabled
    Configure Wi-Fi Enabled
    Configure hotspot and tethering Enabled
    Security Options:
    Minimum Wi-Fi Security Level Open
    Allow Sync Settings:
    Sync data in background Enabled
    Sync data with Google account Enabled
    Allow Account Settings:
    SMS Enabled
    Receive messages Enabled
    Send messages Enabled
    Modify Accounts/Users Enabled
    Add Users Enabled
    Remove Users Enabled
    Configure user credentials Enabled
    Allow Settings:
    Developer mode Enabled
    USB debugging Enabled
    Modify settings Enabled
    Power saving mode Enabled
    Users can enable location sharing Enabled
    Factory reset Enabled
    Read any connected physical external media Enabled
    Update date and time automatically Enabled
    Set time zone automatically Enabled
    Disable screen lock if the screen was turned off Disabled
    Configure VPN Enabled
    Allow App Settings:
    Install apps Enabled
    Uninstall apps Enabled
    Control apps Enabled
    Google Play Store Enabled
    Verify apps before install Disabled
    Install apps from unknown sources Disabled
    App Runtime Permissions Default permissions
    Parent profile app linking Enabled
    Factory Reset Protection (Google Account Verification) Default

Expense Management Policy

An Android policy that sets data and Wi-Fi restrictions and notifications to keep expenses under control.

Template name: Expense Management Policy

Description: Data/Wi-Fi usage warning & restrictions for an arbitrary monthly limit.

Template Configuration:
Android > Mobile Data Management
Data Usage Restrictions:

Restriction Configuration
Enable data usage tracking Enabled
Enable network & data usage restrictions Enabled
Network Restrictions No Restrictions
Data Usage Notifications Notify both User and Admin, Monthly when Mobile data exceeds 0.5 GB
Data Usage Restrictions Restrict and notify all, Monthly when Mobile Data exceeds 1 GB
Reset Data Tracking Daily at 18:30 (UTC +00:00) GMT Standard Time, Monthly on day 1 of each month

HIPAA Compliance Policy

A policy with iOS and Android passcode and restriction settings, along with Mac and Windows encryption configurations, that sets standards of confidentiality and integrity to protect ePHI.

Template name: HIPAA Compliance Policy

Description: Workstation and Device Security policies to protect ePHI.

Template Configuration:

  • iOS > Passcode
  • Policy Configuration
    Allow simple value Disabled
    Require alpha numeric value Enabled
    Minimum Passcode Length 8
    Minimum complex characters 1
    Minimum passcode age in days (0-730 days) 30
    Auto Lock 1 Minute
    Passcode History (1-50 passcodes) 5
    Grace period for device lock Immediately
    Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) 10
  • iOS > Advanced Restrictions
  • Restrictions Configuration
    Allow Device Functionality:
    AirDrop Enabled
    Apps can modify cellular data usage Enabled
    Add or remove Touch ID/Face ID Enabled
    iMessage Enabled
    Game Center Enabled
    Multiplayer gaming Enabled
    Pair with iTunes Enabled
    Install configuration profile Enabled
    Definition lookup Enabled
    Predictive keyboard Enabled
    Auto-correct words Enabled
    Suggest words on misspellings Enabled
    Keyboard shortcuts Enabled
    Pair with Apple Watch Enabled
    Modify diagnostic data submission settings Enabled
    Modify Bluetooth settings Enabled
    Use voice to type Enabled
    Connect to MDM-configured Wi-Fi networks only Disabled
    Users can modify Personal Hotspot settings Enabled
    Create VPN configuration Enabled
    AirPrint Enabled
    Connect with iBeacon Enabled
    Store AirPrint credentials in Keychain Enabled
    Use trusted certificates for secure printing Disabled
    Allow App Settings:
    Install app from App Store Enabled
    Remove apps Enabled
    Remove system apps Enabled
    iBooks store Enabled
    Apple Music Enabled
    iTunes Radio Enabled
    News Enabled
    Podcasts Enabled
    Download all purchased apps automatically Enabled
    Allow Security and Privacy Settings:
    Activation Lock Disabled
    Modify an account Enabled
    Erase content and settings Enabled
    Siri can access user-generated content Enabled
    Modify Find My Friends Enabled
    Use profanity filter Disabled
    Show web results using Spotlight Search Enabled
    Modify Restrictions/Screen Time Enabled
    Modify passcode Enabled
    Modify device name Enabled
    Modify wallpaper Enabled
    Users can turn notifications on/off Enabled
    Force Automatic Date and Time Disabled
    Autofill Passwords Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
  • iOS > Security > Business Container
  • Settings Configuration
    Open documents from managed apps in unmanaged apps Enabled
    Open documents from unmanaged apps in managed apps Enabled
    Managed apps can write to Unmanaged Contact Accounts Disabled
    Unmanaged apps can read from Managed Contact Accounts Disabled
    Block Sharing Managed Document using AirDrop Disabled
  • Android > Advanced Restrictions
  • Restrictions Configuration
    Allow device functionality:
    Microphone Enabled
    Screen capture Enabled
    Clipboard Enabled
    Copy contents between normal and work profiles Disabled
    Share via other apps Enabled
    Users can adjust volume Enabled
    Make a call Enabled
    Display Settings:
    Hide System bars Disabled
    Hide Status Bar Disabled
    Hide Navigation Bar Disabled
    Split-screen mode Enabled
    Display dialogs/windows Enabled
    Allow Connectivity Options:
    NFC Enabled
    Android Beam Enabled
    Beam from the device Enabled
    Transfer data via Bluetooth Enabled
    Configure Bluetooth Enabled
    Configure cell broadcast Enabled
    Configure cellular network Enabled
    Users can reset network settings Enabled
    Configure Wi-Fi Enabled
    Configure hotspot and tethering Enabled
    Security Options:
    Minimum Wi-Fi Security Level Open
    Allow Sync Settings:
    Sync data in background Enabled
    Sync data with Google account Enabled
    Allow Account Settings:
    SMS Enabled
    Receive messages Enabled
    Send messages Enabled
    Modify Accounts/Users Enabled
    Add Users Enabled
    Remove Users Enabled
    Configure user credentials Enabled
    Allow Settings:
    Developer mode Disabled
    USB debugging Disabled
    Modify settings Enabled
    Power saving mode Enabled
    Users can enable location sharing Enabled
    Factory reset Enabled
    Read any connected physical external media Enabled
    Update date and time automatically Enabled
    Set time zone automatically Enabled
    Disable screen lock if the screen was turned off Disabled
    Configure VPN Enabled
    Allow App Settings:
    Install apps Enabled
    Uninstall apps Enabled
    Control apps Enabled
    Google Play Store Enabled
    Verify apps before install Disabled
    Install apps from unknown sources Disabled
    App Runtime Permissions Default permissions
    Parent profile app linking Enabled
    Factory Reset Protection (Google Account Verification) Default
  • Windows > Security > BitLocker
  • BitLocker Settings Configuration
    Prompt to encrypt storage card Enabled
    Prompt for device encryption Enabled
    Configure encryption method for disk drives Select default value
    Configure authentication when computer starts up Select default value
    Minimum length for BitLocker startup PIN 6
    Configure pre-boot recovery message Select default value
    Configure recovery options for system drives Disabled
    Configure recovery options for fixed drives Disabled
    Fixed drives require encryption Enabled
    Removable drives require encryption Enabled
  • macOS > Security > FileVault
  • Policy Settings Configuration
    Enable FileVault Enabled
    Encrypt using Institutional and Personal Recovery Key
    Encryption certificate HexnodeMDM FileVault Certificate
    Show Personal Recovery Key to user Enabled
    Skip enabling FileVault at user login Disabled

iOS Single App Kiosk Policy

A preconfigured policy to restrict an iOS device to a single app in kiosk mode.

Template name: iOS Single App Kiosk Policy

Description: Lock down iOS devices to a single app

Template Configuration:

Kiosk Lockdown > iOS Kiosk Lockdown > Single App

Uber Technologies Inc. is added as the app in single app kiosk.

Feature Configuration
Advanced Kiosk Settings:
Disable touch Disabled
Disable device screen rotation Disabled
Disable volume buttons Disabled
Disable ringer switch Enabled
Disable sleep wake button Disabled
Disable auto lock Disabled
Enable VoiceOver Disabled
Enable Zoom Disabled
Enable invert colors Disabled
Enable AssistiveTouch Disabled
Enable speak selection Disabled
User Enabled Options:
VoiceOver Enabled
Zoom Enabled
Invert colors Disabled
AssistiveTouch Disabled

Location Policy

A pre-configured location tracking policy that tracks the devices’ location at specific time intervals.

Template name: Location Policy

Description: Enable Location Tracking on target devices.

Template Configuration:
General Settings > Location Tracking

Policy Description
Enable Location Tracking Enabled
Location Update Interval 1 Hrs

Samsung Knox Policy

A policy template for Samsung Knox device security.

Template name: Samsung Knox Policy

Description: With advanced restrictions exclusively available for Samsung devices.

Template Configuration:

  • Android > Password > Device Password
  • Password Settings Configuration
    Password Requirement Alphanumeric
    Minimum Passcode Length 8
    Password age (in days) _
    Auto-lock after _
    Password History (1-50 passcodes) _
    Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) _
  • Android > Advanced Restrictions
  • Restrictions Configuration
    Allow device functionality:
    Microphone Enabled
    Screen capture Disabled
    Clipboard Disabled
    Copy contents between normal and work profiles Disabled
    Share via other apps Disabled
    Users can adjust volume Enabled
    Make a call Enabled
    Display Settings:
    Hide System bars Disabled
    Hide Status Bar Disabled
    Hide Navigation Bar Disabled
    Split-screen mode Enabled
    Display dialogs/windows Enabled
    Allow Connectivity Options:
    NFC Enabled
    Android Beam Enabled
    Beam from the device Enabled
    Transfer data via Bluetooth Enabled
    Configure Bluetooth Enabled
    Configure cell broadcast Enabled
    Configure cellular network Enabled
    Users can reset network settings Enabled
    Configure Wi-Fi Enabled
    Configure hotspot and tethering Enabled
    Security Options:
    Minimum Wi-Fi Security Level Open
    Allow Sync Settings:
    Sync data in background Enabled
    Sync data with Google account Enabled
    Allow Account Settings:
    SMS Enabled
    Receive messages Enabled
    Send messages Enabled
    Modify Accounts/Users Enabled
    Add Users Enabled
    Remove Users Enabled
    Configure user credentials Enabled
    Allow Settings:
    Developer mode Disabled
    USB debugging Disabled
    Modify settings Enabled
    Power saving mode Enabled
    Users can enable location sharing Enabled
    Factory reset Enabled
    Read any connected physical external media Enabled
    Update date and time automatically Enabled
    Set time zone automatically Enabled
    Disable screen lock if the screen was turned off Disabled
    Configure VPN Enabled
    Allow App Settings:
    Install apps Enabled
    Uninstall apps Enabled
    Control apps Enabled
    Google Play Store Enabled
    Verify apps before install Disabled
    Install apps from unknown sources Disabled
    App Runtime Permissions Default permissions
    Parent profile app linking Enabled
    Factory Reset Protection (Google Account Verification) Default

Standard DLP Policy

A standard data loss prevention policy for iOS, Android, Windows, and macOS devices.

Template name: Standard DLP Policy

Description: Standard Data Loss Prevention policies for optimal security.

Template Configuration:

  • iOS > Passcode
  • Policy Configuration
    Allow simple value Disabled
    Require alpha numeric value Enabled
    Minimum Passcode Length 8
    Minimum complex characters 1
    Minimum passcode age in days (0-730 days) 30
    Auto Lock 1 Minute
    Passcode History (1-50 passcodes) 5
    Grace period for device lock Immediately
    Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) 10
  • iOS > Advanced Restrictions
  • Restrictions Configuration
    Allow Device Functionality:
    AirDrop Enabled
    Apps can modify cellular data usage Enabled
    Add or remove Touch ID/Face ID Enabled
    iMessage Enabled
    Game Center Enabled
    Multiplayer gaming Enabled
    Pair with iTunes Enabled
    Install configuration profile Enabled
    Definition lookup Enabled
    Predictive keyboard Enabled
    Auto-correct words Enabled
    Suggest words on misspellings Enabled
    Keyboard shortcuts Enabled
    Pair with Apple Watch Enabled
    Modify diagnostic data submission settings Enabled
    Modify Bluetooth settings Enabled
    Use voice to type Enabled
    Connect to MDM-configured Wi-Fi networks only Disabled
    Users can modify Personal Hotspot settings Enabled
    Create VPN configuration Enabled
    AirPrint Enabled
    Connect with iBeacon Enabled
    Store AirPrint credentials in Keychain Enabled
    Use trusted certificates for secure printing Disabled
    Allow App Settings:
    Install app from App Store Enabled
    Remove apps Enabled
    Remove system apps Enabled
    iBooks store Enabled
    Apple Music Enabled
    iTunes Radio Enabled
    News Enabled
    Podcasts Enabled
    Download all purchased apps automatically Enabled
    Allow Security and Privacy Settings:
    Activation Lock Disabled
    Modify an account Enabled
    Erase content and settings Enabled
    Siri can access user-generated content Enabled
    Modify Find My Friends Enabled
    Use profanity filter Disabled
    Show web results using Spotlight Search Enabled
    Modify Restrictions/Screen Time Enabled
    Modify passcode Enabled
    Modify device name Enabled
    Modify wallpaper Enabled
    Users can turn notifications on/off Enabled
    Force Automatic Date and Time Disabled
    Autofill Passwords Enabled
    Request passwords from nearby devices Enabled
    Share passwords via Airdrop Passwords feature Enabled
  • Android > Advanced Restrictions
  • Restrictions Configuration
    Allow device functionality:
    Microphone Enabled
    Screen capture Enabled
    Clipboard Enabled
    Copy contents between normal and work profiles Disabled
    Share via other apps Enabled
    Users can adjust volume Enabled
    Make a call Enabled
    Display Settings:
    Hide System bars Disabled
    Hide Status Bar Disabled
    Hide Navigation Bar Disabled
    Split-screen mode Enabled
    Display dialogs/windows Enabled
    Allow Connectivity Options:
    NFC Enabled
    Android Beam Enabled
    Beam from the device Enabled
    Transfer data via Bluetooth Enabled
    Configure Bluetooth Enabled
    Configure cell broadcast Enabled
    Configure cellular network Enabled
    Users can reset network settings Enabled
    Configure Wi-Fi Enabled
    Configure hotspot and tethering Enabled
    Security Options:
    Minimum Wi-Fi Security Level Open
    Allow Sync Settings:
    Sync data in background Enabled
    Sync data with Google account Enabled
    Allow Account Settings:
    SMS Enabled
    Receive messages Enabled
    Send messages Enabled
    Modify Accounts/Users Enabled
    Add Users Enabled
    Remove Users Enabled
    Configure user credentials Enabled
    Allow Settings:
    Developer mode Disabled
    USB debugging Disabled
    Modify settings Enabled
    Power saving mode Enabled
    Users can enable location sharing Enabled
    Factory reset Enabled
    Read any connected physical external media Enabled
    Update date and time automatically Enabled
    Set time zone automatically Enabled
    Disable screen lock if the screen was turned off Disabled
    Configure VPN Enabled
    Allow App Settings:
    Install apps Enabled
    Uninstall apps Enabled
    Control apps Enabled
    Google Play Store Enabled
    Verify apps before install Disabled
    Install apps from unknown sources Disabled
    App Runtime Permissions Default permissions
    Parent profile app linking Enabled
    Factory Reset Protection (Google Account Verification) Default
  • Windows > Security > BitLocker
  • BitLocker Settings Configuration
    Prompt to encrypt storage card Enabled
    Prompt for device encryption Enabled
    Configure encryption method for disk drives Select default value
    Configure authentication when computer starts up Select default value
    Minimum length for BitLocker startup PIN 6
    Configure pre-boot recovery message Show default recovery message and URL
    Configure recovery options for system drives Disabled
    Configure recovery options for fixed drives Disabled
    Fixed drives require encryption Enabled
    Removable drives require encryption Enabled
  • macOS > Security > FileVault
  • Policy Settings Configuration
    Enable FileVault Enabled
    Encrypt using Institutional and Personal Recovery Key
    Encryption certificate HexnodeMDM FileVault Certificate
    Show Personal Recovery Key to user Enabled
    Skip enabling FileVault at user login Disabled

To create a policy from the template

To create a policy from the template, you can either copy the template to My Policies or choose the template directly while creating a new policy.

To choose the template directly while creating a policy:

  1. In the Hexnode portal, go to Policies.
  2. Click on New Policy and select the template that you want to use.
  3. Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
  4. Click on Ok > Save.

To copy the template to My Policies:

  1. In the Hexnode portal, go to Policies > Templates.
  2. Select the template that you want to copy and click on Manage.
  3. Click on Copy to My Policies.
  4. Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
  5. Click on Ok > Save.

Apart from devices, you can also associate the policy with Device Groups, Users, User Groups and Domains.