How to use pre-configured policy template in Hexnode UEM for easy policy deployment
A Hexnode UEM policy template is a set of pre-configured policies that you can use to create new policies and associate them with the required target devices. Apart from the default policy templates, you can also create new templates in the Hexnode portal.
To associate a policy template with a target device, you first have to copy it to My Policies. You can either use the copied template directly or modify it before attaching it to the devices. Hexnode lets you create more than one policy from the same template, so to create multiple policies with the same configuration you only need to create one template and copy it as many times as required.
Hexnode’s Pre-defined Policy Templates include:
- Android Website kiosk
- BitLocker Security Policy
- BYOD Policy for Corporate Data Containerization
- Expense Management Policy
- HIPAA Compliance Policy
- iOS Single App Kiosk Policy
- Location Policy
- Samsung Knox Policy
- Standard DLP Policy
- CIS Benchmark Compliance
Pre-configured templates in Hexnode:
A pre-configured policy template to lock down Android devices to a handful of web apps in multi-app kiosk mode.
Template name: Android Website Kiosk
Description: Lock down Android devices to a handful of websites.
Template Configuration:
Kiosk Lockdown > Android Kiosk Lockdown > Multi App: Amazon feedback & Amazon affiliates.
A policy that is pre-configured to enforce industry-standard BitLocker drive encryption together with a Windows password policy.
Template name: BitLocker Security Policy
Description: Enable BitLocker encryption for industry-standard security.
Template Configuration:
- Windows > Password
- Windows > Security > BitLocker
Password settings | Configuration |
---|---|
Allow simple value | Disabled |
Password type | Users can choose |
Minimum Password length | 8 |
Minimum complex characters | Digits only |
Minimum passcode age (in days) | 0 |
Auto-Lock (in minutes) | 0 |
Passcode history | 0 |
Failed attempt before wipe | 0 |
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Enable |
Allow BitLocker without a Trusted Platform Module (TPM) | Select default value |
Authenticate with TPM startup key | Disallow |
Authenticate with TPM startup pin | Disallow |
Authenticate with TPM startup key and PIN | Disallow |
Enable TPM during startup | Disallow |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Show default recovery message and URL |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
A policy template to protect the corporate data in any iOS and Android BYOD device.
Template name: BYOD Policy for Corporate Data Containerization
Description: A common policy for iOS & Android devices to safeguard the corporate data in Managed apps and Work containers.
Template Configuration:
- iOS > Restrictions
- iOS > Advanced Restrictions
- iOS > Security > Business Container
- Android > Advanced Restrictions
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | Camera | Enabled |
FaceTime | Enabled | |
Screen capture | Enabled | |
Touch ID | Enabled | |
Siri | Enabled | |
Allow Siri while device is locked | Enabled | |
Voice dialing | Enabled | |
Automatic sync while roaming | Enabled | |
Allow Application Settings | Show App Store on the device | Enabled |
iTunes Store | Enabled | |
Force user to enter iTunes store password for each purchase | Enabled | |
In-app purchases | Enabled | |
Trust enterprise app | Enabled | |
Users can modify enterprise app trust | Enabled | |
Backup enterprise-deployed iBooks | Enabled | |
Sync managed app data with iCloud | Disabled | |
YouTube | Enabled | |
Safari | Enabled | |
Autofill | Enabled | |
Fraud warning | Disabled | |
JavaScript | Enabled | |
Block pop-ups | Enabled | |
Accept cookies | Always | |
Access Passbook when the device is locked | Disabled | |
Add friends in Game Center | Enabled | |
Allow iCloud Settings | Backup | Enabled |
Sync documents | Enabled | |
Photo Stream (Disallowing might cause data loss) | Enabled | |
Share photo streams | Enabled | |
iCloud photo library | Enabled | |
Sync enterprise book metadata across devices | Enabled | |
Allow Security and Privacy Settings | Lock screen notifications | Enabled |
Today View on lock screen | Enabled | |
Control Center on lock screen | Enabled | |
Over the air PKI updates | Enabled | |
Limit ad tracking | Disabled | |
Send diagnostic data to Apple | Enabled | |
Accept untrusted TLS certificate | Enabled | |
Force encrypted backup | Disabled | |
Show notification on Apple Watch if worn | Disabled | |
Allow Explicit Content | Explicit music, podcasts and iTunes U services | Enabled |
iBooks store erotica | Disabled | |
Rating region | United States | |
Content rating | ||
Movies | Allow All Movies | |
TV Shows | Allow All TV Shows | |
Apps | Allow All Apps |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Disabled |
Open documents from unmanaged apps in managed apps | Disabled |
Managed apps can write to Unmanaged Contact Accounts | Disabled |
Unmanaged apps can read from Managed Contact Accounts | Disabled |
Block Sharing Managed Document using AirDrop | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Disabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Enabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Enabled |
USB debugging | Enabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
An Android policy to set data and Wi-Fi restrictions and notifications to have control over expenses.
Template name: Expense Management Policy
Description: Data/Wi-Fi usage warning & restrictions for an arbitrary monthly limit.
Template Configuration:
Android > Mobile Data Management
Data Usage Restrictions:
Restriction | Configuration |
---|---|
Enable data usage tracking | Enabled |
Enable network & data usage restrictions | Enabled |
Network Restrictions | No Restrictions |
Data Usage Notifications | Notify both User and Admin, Monthly when Mobile data exceeds 0.5 GB |
Data Usage Restrictions | Restrict and notify all, Monthly when Mobile Data exceeds 1 GB |
Reset Data Tracking | Daily at 18:30 (UTC +00:00) GMT Standard Time, Monthly on day 1 of each month |
A policy that combines iOS and Android passcode and restriction settings with macOS and Windows disk encryption settings, setting a baseline of confidentiality and integrity for protecting ePHI.
Template name: HIPAA Compliance Policy
Description: Workstation and Device Security policies to protect ePHI.
Template Configuration:
- iOS > Passcode
- iOS > Advanced Restrictions
- iOS > Security > Business Container
- Android > Advanced Restrictions
- Windows > Security > BitLocker
- macOS > Security > FileVault
Policy | Configuration |
---|---|
Allow simple value | Disabled |
Require alpha numeric value | Enabled |
Minimum Passcode Length | 8 |
Minimum complex characters | 1 |
Minimum passcode age in days (0-730 days) | 30 |
Auto Lock | 1 Minute |
Passcode History (1-50 passcodes) | 5 |
Grace period for device lock | Immediately |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | 10 |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Settings | Configuration |
---|---|
Open documents from managed apps in unmanaged apps | Enabled |
Open documents from unmanaged apps in managed apps | Enabled |
Managed apps can write to Unmanaged Contact Accounts | Disabled |
Unmanaged apps can read from Managed Contact Accounts | Disabled |
Block Sharing Managed Document using AirDrop | Disabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Enabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Select default value |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Select default value |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
Policy Settings | Configuration |
---|---|
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | HexnodeMDM FileVault Certificate |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
A preconfigured policy to restrict an iOS device to a single app in kiosk mode.
Template name: iOS Single App Kiosk Policy
Description: Lock down iOS devices to a single app
Template Configuration:
Kiosk Lockdown > iOS Kiosk Lockdown > Single App
Uber Technologies Inc. is added as the app in single app kiosk.
Feature | Configuration | |
---|---|---|
Advanced Kiosk Settings | Disable touch | Disabled |
Disable device screen rotation | Disabled | |
Disable volume buttons | Disabled | |
Disable ringer switch | Enabled | |
Disable sleep wake button | Disabled | |
Disable auto lock | Disabled | |
Enable VoiceOver | Disabled | |
Enable Zoom | Disabled | |
Enable invert colors | Disabled | |
Enable AssistiveTouch | Disabled | |
Enable speak selection | Disabled | |
User Enabled Options | VoiceOver | Enabled |
Zoom | Enabled | |
Invert colors | Disabled | |
AssistiveTouch | Disabled |
A pre-configured location tracking policy that records the devices’ location at a fixed time interval.
Template name: Location Policy
Description: Enable Location Tracking on target devices.
Template Configuration:
General Settings > Location Tracking
Policy | Description |
---|---|
Enable Location Tracking | Enabled |
Location Update Interval | 1 Hrs |
A policy template for Samsung Knox device security.
Template name: Samsung Knox Policy
Description: With advanced restrictions exclusively available for Samsung devices.
Template Configuration:
- Android > Password > Device Password
- Android > Advanced Restrictions
Password Settings | Configuration |
---|---|
Password Requirement | Alphanumeric |
Minimum Passcode Length | 8 |
Password age (in days) | _ |
Auto-lock after | _ |
Password History (1-50 passcodes) | _ |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | _ |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Disabled | |
Clipboard | Disabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Disabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
A standard data loss prevention policy for iOS, Android, Windows, and macOS devices.
Template name: Standard DLP Policy
Description: Standard Data Loss Prevention policies for optimal security.
Template Configuration:
- iOS > Passcode
- iOS > Advanced Restrictions
- Android > Advanced Restrictions
- Windows > Security > BitLocker
- macOS > Security > FileVault
Policy | Configuration |
---|---|
Allow simple value | Disabled |
Require alpha numeric value | Enabled |
Minimum Passcode Length | 8 |
Minimum complex characters | 1 |
Minimum passcode age in days (0-730 days) | 30 |
Auto Lock | 1 Minute |
Passcode History (1-50 passcodes) | 5 |
Grace period for device lock | Immediately |
Failed attempts (After the specified number of failed attempts, the device data will be wiped automatically) | 10 |
Restrictions | Configuration | |
---|---|---|
Allow Device Functionality | AirDrop | Enabled |
Apps can modify cellular data usage | Enabled | |
Add or remove Touch ID/Face ID | Enabled | |
iMessage | Enabled | |
Game Center | Enabled | |
Multiplayer gaming | Enabled | |
Pair with iTunes | Enabled | |
Install configuration profile | Enabled | |
Definition lookup | Enabled | |
Predictive keyboard | Enabled | |
Auto-correct words | Enabled | |
Suggest words on misspellings | Enabled | |
Keyboard shortcuts | Enabled | |
Pair with Apple Watch | Enabled | |
Modify diagnostic data submission settings | Enabled | |
Modify Bluetooth settings | Enabled | |
Use voice to type | Enabled | |
Connect to MDM-configured Wi-Fi networks only | Disabled | |
Users can modify Personal Hotspot settings | Enabled | |
Create VPN configuration | Enabled | |
AirPrint | Enabled | |
Connect with iBeacon | Enabled | |
Store AirPrint credentials in Keychain | Enabled | |
Use trusted certificates for secure printing | Disabled | |
Allow App Settings | Install app from App Store | Enabled |
Remove apps | Enabled | |
Remove system apps | Enabled | |
iBooks store | Enabled | |
Apple Music | Enabled | |
iTunes Radio | Enabled | |
News | Enabled | |
Podcasts | Enabled | |
Download all purchased apps automatically | Enabled | |
Allow Security and Privacy Settings | Activation Lock | Disabled |
Modify an account | Enabled | |
Erase content and settings | Enabled | |
Siri can access user-generated content | Enabled | |
Modify Find My Friends | Enabled | |
Use profanity filter | Disabled | |
Show web results using Spotlight Search | Enabled | |
Modify Restrictions/Screen Time | Enabled | |
Modify passcode | Enabled | |
Modify device name | Enabled | |
Modify wallpaper | Enabled | |
Users can turn notifications on/off | Enabled | |
Force Automatic Date and Time | Disabled | |
Autofill Passwords | Enabled | |
Request passwords from nearby devices | Enabled | |
Share passwords via Airdrop Passwords feature | Enabled |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Microphone | Enabled |
Screen capture | Enabled | |
Clipboard | Enabled | |
Copy contents between normal and work profiles | Disabled | |
Share via other apps | Enabled | |
Users can adjust volume | Enabled | |
Make a call | Enabled | |
Display Settings | Hide System bars | Disabled |
Hide Status Bar | Disabled | |
Hide Navigation Bar | Disabled | |
Split-screen mode | Enabled | |
Display dialogs/windows | Enabled | |
Allow Connectivity Options | NFC | Enabled |
Android Beam | Enabled | |
Beam from the device | Enabled | |
Transfer data via Bluetooth | Enabled | |
Configure Bluetooth | Enabled | |
Configure cell broadcast | Enabled | |
Configure cellular network | Enabled | |
Users can reset network settings | Enabled | |
Configure Wi-Fi | Enabled | |
Configure hotspot and tethering | Enabled | |
Security Options | Minimum Wi-Fi Security Level | Open |
Allow Sync Settings | Sync data in background | Enabled |
Sync data with Google account | Enabled | |
Allow Account Settings | SMS | Enabled |
Receive messages | Enabled | |
Send messages | Enabled | |
Modify Accounts/Users | Enabled | |
Add Users | Enabled | |
Remove Users | Enabled | |
Configure user credentials | Enabled | |
Allow Settings | Developer mode | Disabled |
USB debugging | Disabled | |
Modify settings | Enabled | |
Power saving mode | Enabled | |
Users can enable location sharing | Enabled | |
Factory reset | Enabled | |
Read any connected physical external media | Enabled | |
Update date and time automatically | Enabled | |
Set time zone automatically | Enabled | |
Disable screen lock if the screen was turned off | Disabled | |
Configure VPN | Enabled | |
Allow App Settings | Install apps | Enabled |
Uninstall apps | Enabled | |
Control apps | Enabled | |
Google Play Store | Enabled | |
Verify apps before install | Disabled | |
Install apps from unknown sources | Disabled | |
App Runtime Permissions | Default permissions | |
Parent profile app linking | Enabled | |
Factory Reset Protection (Google Account Verification) | Default |
BitLocker Settings | Configuration |
---|---|
Prompt to encrypt storage card | Enabled |
Prompt for device encryption | Enabled |
Configure encryption method for disk drives | Select default value |
Configure authentication when computer starts up | Select default value |
Minimum length for BitLocker startup PIN | 6 |
Configure pre-boot recovery message | Show default recovery message and URL |
Configure recovery options for system drives | Disabled |
Configure recovery options for fixed drives | Disabled |
Fixed drives require encryption | Enabled |
Removable drives require encryption | Enabled |
Policy Settings | Configuration |
---|---|
Enable FileVault | Enabled |
Encrypt using | Institutional and Personal Recovery Key |
Encryption certificate | HexnodeMDM FileVault Certificate |
Show Personal Recovery Key to user | Enabled |
Skip enabling FileVault at user login | Disabled |
The CIS Benchmarks are compliance guidelines for securely configuring IT systems. They provide best practices to reduce vulnerabilities and enhance security, covering areas such as password policies, account management, and system services. Adhering to these guidelines helps improve security and ensure regulatory compliance. Currently, Hexnode supports making Windows devices partially CIS Benchmark compliant.
Template name: CIS Benchmark Compliance
Description: Apply this template to get one step closer to CIS compliance on your Windows devices.
Note: Not all rules mentioned in CIS Benchmark are configurable via Hexnode.
Template Configuration:
- Windows > Password
- Windows > Restrictions
- Windows > Advanced Restrictions
- Windows > Threat Management > Microsoft Defender
- Windows > Security > BitLocker
- Windows > Configurations > Screensaver
- Windows > Patches & Updates > Windows Update Preferences
- Windows > Patches & Updates > Windows Update Experience
Screensaver Settings | Configuration |
---|---|
Enable Screensaver | Enabled |
Select Screensaver | Blank |
Require Password to unlock screen | Enabled |
Start screensaver after _ minutes of inactivity | 15 |
Prevent user from accessing screensaver settings on device | Disabled |
Windows Update Preferences | Configuration |
---|---|
Update drivers | Disabled |
Optional Updates | Not Configured |
Download updates over metered network | Not Configured |
Ignore download limits for app updates | Not Configured |
Ignore download limits for OS updates | Not Configured |
Automatic wake up for maintenance | Enabled |
Disable WUfB Safeguards | Disabled |
Target product | Not Configured |
Target version | Not Configured |
Feature update uninstall period | 10 day(s) |
Pre-release builds | Not Configured |
Update channel | Semi-annual |
Update Deferral | |
Defer Quality Updates | Enabled |
Deferral period (Defer Quality Updates) | 0 day(s) |
Defer Feature Updates | Enabled |
Deferral period (Defer Feature Updates) | 0 day(s) |
Windows Update Experience | Configuration |
---|---|
Microsoft App Update Service | Disabled |
Automatic update behavior | Auto install updates and notify users to restart if required |
Active hours | Start time: 8:00 AM, End time: 5:00 PM |
Maximum range of active hours | 18 hours |
Skip restart checks | Disabled |
Disable pause updates | Enabled |
Disallow users to check for updates | Disabled |
Notifications | |
Update notification level | Default Windows Notification |
Notifications during Active Hours | Not Configured |
Auto-restart notifications | Not Configured |
Deadlines | |
Configure update deadlines | Disabled |
Configure restart deadlines | Disabled |
Configure engaged restart deadlines | Disabled |
To create a policy from the template, you can either copy the template to My Policies, or else you can choose the template directly while creating a new policy.
To choose the template directly while creating a policy,
- In the Hexnode portal, go to Policies.
- Click on New Policy and select the template that you want to use.
- Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
- Click on Ok > Save.
To copy the template to My Policies,
- In the Hexnode portal, go to Policies > Templates.
- Select the template that you want to copy and click on Manage.
- Click on Copy to My Policies.
- Go to Policy Targets > +Add Devices > choose the devices to which the policy has to be associated.
- Click on Ok > Save.
Apart from devices, you can also associate the policy to Device Groups, Users, User Groups and Domains.
Password settings | Configuration |
---|---|
Allow simple value | Disabled |
Password type | Alphanumeric password |
Minimum password length | 14 |
Password Complexity | Digits, lowercase and uppercase letters |
Minimum password age (in days) | 365 |
Auto-lock (in minutes) | 15 |
Password history | 24 |
Failed attempt before wipe | 0 |
Restrictions | Configuration | |
---|---|---|
Allow device functionality | Camera | Disabled |
Cortana voice assistant | Enabled | |
Use Cortana if device is locked | Enabled | |
Use storage card and USB drives | Disabled | |
Telemetry | Disallow | |
Location services | Force Location Off | |
Change language | Enabled | |
Users can enable/disable Workplace | Enabled | |
Users can change AutoPlay settings | Enabled | |
Allow App Settings | Sync Settings | Enabled |
Allow SignIn Options | Enabled | |
Allow News and Interests | Disabled | |
Allow Network Settings | Wi-Fi | Enabled |
Bluetooth | Enabled | |
Discover device over Bluetooth | Enabled | |
Users can turn VPN on/off | Enabled | |
Connect to VPN if on mobile network | Enabled | |
Connect to VPN if roaming | Enabled | |
Cellular data roaming | Enabled | |
Allow Security and Privacy Settings | Manual MDM administration removal | Enabled |
Show toast notification on lock screen | Disable | |
Account Settings | OneDrive file sync | Disabled |
Restriction group | Restriction | Configuration |
---|---|---|
Allow device functionality | Users can reset the device | Enabled |
Allow device functionality | Users can change date and time | Disabled |
Allow device functionality | Users can change power and sleep settings | Enabled |
Allow device functionality | Allow Embedded Mode | Disabled |
Allow device functionality | Allow Region | Enabled |
Allow App Settings | Unlock developer options | Not Configured |
Allow App Settings | Search can use user location | Disabled |
Allow Network Settings | Internet Sharing | Enabled |
Allow Network Settings | Connect to Wi-Fi Sense automatically | Disabled |
Allow Network Settings | Connect to external Wi-Fi networks manually | Enabled |
Allow Network Settings | Wi-Fi Direct | Enabled |
Allow Security and Privacy Settings | Install provisioning package | Enabled |
Allow Security and Privacy Settings | Mandate signed certificate for provisioning package | Disabled |
Allow Security and Privacy Settings | Remove provisioning package | Enabled |
Allow Security and Privacy Settings | Receive advertisements over Bluetooth | Disabled |
Allow Security and Privacy Settings | Pair with other devices automatically | Disabled |
Allow Security and Privacy Settings | Users can download Windows beta updates | Disallow |
Windows AI | AI Data Analysis | Not Configured |
Customize Start Menu | Documents folder | Not enforced |
Customize Start Menu | Downloads folder | Not enforced |
Customize Start Menu | File Explorer | Not enforced |
Customize Start Menu | Home group | Not enforced |
Customize Start Menu | Music folder | Not enforced |
Customize Start Menu | Networks | Not enforced |
Customize Start Menu | Personal folder | Not enforced |
Customize Start Menu | Pictures folder | Not enforced |
Customize Start Menu | Settings | Not enforced |
Customize Start Menu | Videos folder | Not enforced |
Account Settings | Block Microsoft accounts | Not Configured |
Account Settings | Users can change account settings | Enabled |
Account Settings | Users can add non-Microsoft accounts | Enabled |
Account Settings | Users can connect using Microsoft accounts | Enabled |
Policy group | Setting | Configuration |
---|---|---|
Microsoft Defender Application Guard | Microsoft Defender Application Guard | Enabled |
Microsoft Defender Application Guard | Clipboard behavior | Turn On clipboard operation from an isolated session to the host |
Microsoft Defender Application Guard | Clipboard settings | Allow copying texts |
Microsoft Defender Application Guard | Print behavior | None |
Microsoft Defender Application Guard | Block non-enterprise content | Disabled |
Microsoft Defender Application Guard | Data persistence | Disabled |
Microsoft Defender Application Guard | Virtual GPU | Disabled |
Microsoft Defender Application Guard | Save files to host | Disabled |
Microsoft Defender Application Guard | Certificate Thumbprints | Not configured |
Microsoft Defender Application Guard | Access Camera and Microphone | Disabled |
Windows Defender Security Center | Enable account protection UI | Enabled |
Windows Defender Security Center | Enable app and browser protection UI | Enabled |
Windows Defender Security Center | Disallow exploit protection override | Enabled |
Windows Defender Security Center | Enable Device security UI | Enabled |
Windows Defender Security Center | Disable TPM Firmware update warning | Disabled |
Windows Defender Security Center | Show the Security processor (TPM) troubleshooting area | Enabled |
Windows Defender Security Center | Disable Clear TPM button | Disabled |
Windows Defender Security Center | Hide the Secure boot area | Disabled |
Windows Defender Security Center | Notifications | Display all notifications |
Windows Defender Security Center | Enable family UI | Enabled |
Windows Defender Security Center | Enable health UI | Enabled |
Windows Defender Security Center | Enable network UI | Enabled |
Windows Defender Security Center | Enable virus UI | Enabled |
Windows Defender Security Center | Hide the Ransomware data recovery area | Disabled |
Windows Defender Security Center | Enable customized toasts | Disabled |
Windows Defender Security Center | Enable in-app customization | Disabled |
Windows Defender Security Center | Company name | Not configured |
Windows Defender Security Center | Email address | Not configured |
Windows Defender Security Center | Phone number/Skype ID | Not configured |
Windows Defender Security Center | Help portal URL | Not configured |
Windows Defender Security Center | Hide Windows Security notification area control | Disabled |
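The password rows at the top of this section and the Application Guard rows above are delivered to Windows through MDM CSPs, and a practitioner usually wants to confirm on a device that what arrived matches the template. The following audit script is an added example written for this page; it is not Hexnode's code and does not use the Hexnode agent. It assumes that applied Policy CSP DeviceLock values are mirrored under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock`, that the ADMX-backed ApplicationGuard policies land under `HKLM\SOFTWARE\Policies\Microsoft\AppHVSI` with the value names from AppHVSI.admx, and that the numeric encodings (complexity scale 1 to 4, clipboard direction 1 = isolated session to host, file type 1 = text, printing 0 = none) follow Microsoft's Policy CSP documentation. The password-age row is not checked because DeviceLock expresses age as an expiration value rather than a minimum age; the `Test-PolicyValues`, `$PasswordPolicy` and `$AppGuardPolicy` names are the example's own.

```powershell
# Added audit script for this page (not Hexnode code). Compares a managed
# Windows endpoint with the template's password rows and Application Guard
# rows by reading where Windows mirrors applied MDM policy.
# Assumption: DeviceLock (Policy CSP) values appear under PolicyManager\current,
# and the ADMX-backed ApplicationGuard values under Policies\Microsoft\AppHVSI
# using the AppHVSI.admx value names. Encodings follow the Policy CSP docs.

# Password rows. MinDevicePasswordComplexCharacters scale: 1 = digits,
# 2 = + lowercase, 3 = + uppercase, 4 = + special. Inactivity is in minutes.
$PasswordPolicy = @{
    Path     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    Expected = [ordered]@{
        DevicePasswordEnabled              = 1
        AllowSimpleDevicePassword          = 0   # Allow simple value: Disabled
        AlphanumericDevicePasswordRequired = 1   # Password type: Alphanumeric
        MinDevicePasswordLength            = 14
        MinDevicePasswordComplexCharacters = 3   # digits, lowercase, uppercase
        DevicePasswordHistory              = 24
        MaxInactivityTimeDeviceLock        = 15  # Auto-lock: 15 minutes
    }
    # "Failed attempts before wipe: 0" means no threshold, so absence is a pass.
    AbsentOk = @('MaxDevicePasswordFailedAttempts')
}

# Application Guard rows (value names assumed from AppHVSI.admx).
$AppGuardPolicy = @{
    Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    Expected = [ordered]@{
        AllowAppHVSI_ProviderSet         = 1   # enabled for Microsoft Edge
        AppHVSIClipboardSettings         = 1   # isolated session -> host only
        AppHVSIClipboardFileType         = 1   # text only
        AppHVSIPrintingSettings          = 0   # no printing from the container
        BlockNonEnterpriseContent        = 0
        AllowPersistence                 = 0   # no data persistence
        AllowVirtualGPU                  = 0
        SaveFilesToHost                  = 0
        AllowCameraMicrophoneRedirection = 0
    }
    AbsentOk = @('CertificateThumbprints')   # "Not configured"
}

function Test-PolicyValues {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Expected,
        [string[]]$AbsentOk = @()
    )
    # A missing key means nothing was delivered for that area: every row fails.
    $props = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }
    $names = @($Expected.Keys) + $AbsentOk
    foreach ($name in $names) {
        $prop = if ($null -ne $props) { $props.PSObject.Properties[$name] } else { $null }
        $have = if ($null -ne $prop) { $prop.Value } else { $null }
        $pass = if ($name -in $AbsentOk) {
            ($null -eq $have) -or ([string]$have -eq '')
        } else {
            ($null -ne $have) -and ([int]$have -eq $Expected[$name])
        }
        [pscustomobject]@{
            Area     = Split-Path -Leaf $Path
            Setting  = $name
            Expected = $(if ($name -in $AbsentOk) { '(absent)' } else { $Expected[$name] })
            Actual   = $(if ($null -eq $have) { '(not set)' } else { $have })
            Pass     = $pass
        }
    }
}

function Test-AppGuardFeature {
    # Whether the optional Windows feature is present and enabled on this build.
    # Returns 'NotAvailable' when the feature is absent or the query fails
    # (for example when the shell is not elevated).
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    if ($null -eq $f) { return 'NotAvailable' }
    return [string]$f.State
}

$report = @(Test-PolicyValues @PasswordPolicy) + @(Test-PolicyValues @AppGuardPolicy)
$report | Format-Table -AutoSize
"Application Guard feature state: $(Test-AppGuardFeature)"

$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the template" -f $failed.Count)
    exit 1
}
```

Run it in an elevated PowerShell session on an enrolled device; a non-zero exit code flags drift from the template. Microsoft has announced the deprecation of Application Guard for Microsoft Edge, so the feature-state line is the first thing to check on newer builds: if the optional feature is not available, the Application Guard rows in the policy are delivered but have nothing to act on.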
BitLocker Settings | Configuration |
---|---|
Require encryption for OS and fixed data drives | Enabled |
Hide warning about existing third-party encryption | Disabled |
Recovery Password rotation | Not Configured |
Escrow recovery password to Hexnode UEM | Enabled |
OS Drive Settings | |
Configure BitLocker OS drive policy | Enabled |
Configure encryption method | Disabled |
Configure additional startup authentication settings | Enabled |
Allow BitLocker to be activated on devices without a compatible TPM | Disabled |
Configure advanced authentication options for devices with compatible TPM | Required Options: Startup PIN |
Minimum PIN length | 6 |
Configure pre-boot recovery message and URL | Disabled |
Users must generate a recovery key or password | Recovery Key, Password or both |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) | Password and Key |
Block certificate-based data recovery agent | Enabled |
Hide recovery options on the device | Enabled |
Do not enable BitLocker until recovery information is stored in AD DS | Enabled |
Fixed Drive Settings | |
Configure BitLocker fixed drive policy | Enabled |
Configure encryption method | Disabled |
Block access to drives not protected by BitLocker | Disabled |
Configure recovery options | Enabled |
Users must generate a recovery key or password | Recovery Key, Password or both |
Save BitLocker recovery information to Active Directory Domain Services (AD DS) | Disabled
Block certificate-based data recovery agent | Disabled |
Hide recovery options on the device | Disabled |
Do not enable BitLocker until recovery information is stored in AD DS | Disabled |
Removable Drive Settings | |
Configure BitLocker removable drive policy | Enabled |
Configure encryption method | Disabled |
Block access to drives not protected by BitLocker | Enabled |
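Policy values only say what was requested; whether a drive actually ended up with a TPM + startup PIN protector and a recovery password is visible only in the live BitLocker state. The script below is an added example for this page, not Hexnode code, and checks the OS drive, fixed data drives and the removable-drive write block described in the BitLocker rows above using the built-in BitLocker and TPM modules. It assumes the template is meant to yield a TpmPin protector plus a numeric RecoveryPassword protector on the OS drive, a RecoveryPassword protector on encrypted data drives, and the FVE policy value `RDVDenyWriteAccess = 1` for "Block access to drives not protected by BitLocker"; `Get-TemplateBitLockerReport` is the example's own name.

```powershell
# Added check for the BitLocker rows above (not Hexnode code). Reads the live
# volume state rather than policy registry values, so it reports what a
# drive actually has, not what the template requested.
# Assumptions: TPM + startup PIN shows up as a 'TpmPin' key protector, the
# numeric recovery password as 'RecoveryPassword', and the removable-drive
# block as FVE value RDVDenyWriteAccess = 1.

function Get-TemplateBitLockerReport {
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = {
        param($Scope, $Check, $Pass, $Detail)
        $findings.Add([pscustomobject]@{ Scope = $Scope; Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
    }

    # "Allow BitLocker ... without a compatible TPM: Disabled" implies a usable TPM.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmOk = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady
    & $add 'TPM' 'TPM present and ready' $tpmOk ("Present={0} Ready={1}" -f $tpm.TpmPresent, $tpm.TpmReady)

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types are an enum; compare by name.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $scope = "$($vol.MountPoint) ($($vol.VolumeType))"
        $on    = ($vol.ProtectionStatus -eq 'On')

        switch ($vol.VolumeType) {
            'OperatingSystem' {
                & $add $scope 'Protection on' $on ([string]$vol.ProtectionStatus)
                & $add $scope 'TPM + startup PIN protector' ('TpmPin' -in $types) ($types -join ',')
                & $add $scope 'Recovery password protector' ('RecoveryPassword' -in $types) ($types -join ',')
                # The template leaves the encryption method unconfigured; report it for review.
                & $add $scope 'Encryption method (informational)' $true ([string]$vol.EncryptionMethod)
            }
            'Data' {
                # Fixed and removable drives both report as 'Data'. The fixed-drive
                # rows do not block unencrypted drives, so an 'Off' data drive is
                # reported rather than treated as a hard failure.
                & $add $scope 'Protection on (fixed-drive policy does not enforce)' $true ([string]$vol.ProtectionStatus)
                if ($on) {
                    & $add $scope 'Recovery password protector' ('RecoveryPassword' -in $types) ($types -join ',')
                }
            }
        }
    }

    # Removable drives: "Block access to drives not protected by BitLocker: Enabled".
    $fve  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $deny = if ($null -ne $fve) { $fve.RDVDenyWriteAccess } else { $null }
    & $add 'Removable' 'Deny write to unprotected removable drives' ($deny -eq 1) ("RDVDenyWriteAccess={0}" -f $deny)

    return $findings
}

$report = Get-TemplateBitLockerReport
$report | Format-Table -AutoSize
if (@($report | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Two caveats when reading the output. The "Escrow recovery password to Hexnode UEM" row cannot be verified on the device; confirm in the Hexnode portal that a recovery password is stored for the device, and if it is not, `Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>` re-sends the protector to AD DS for domain-joined machines. The "Do not enable BitLocker until recovery information is stored in AD DS" rows presuppose a domain-joined device; a device that is only Microsoft Entra joined has no AD DS to back up to, and BitLocker will not start until that dependency is resolved, which is an easy thing to miss when the template is copied unchanged.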