Name

Description

Behavior

Activation

FileVault 2

This policy allows you to enable and enforce FileVault.

Once the policy is successfully enabled for the system, a Recovery Key will be displayed for that respective System under System Details. Removing this policy will not disable FileVault 2 once enabled.

A user will need to log out and log back in for the policy to take effect.

Gatekeeper

This policy controls the ability of the machine to install and run software by leveraging Gatekeeper in macOS

When this policy is applied against a system, it will affect which applications are allowed to install and run based on the selected options.

N/A

Local Firewall Controls

The policy manages the local host firewall settings. To enable “Block All Incoming Connections”, “Stealth Mode”, or “Logging Mode”, the Firewall must be enabled. Selecting “Enable Private Data Collection” will include identifying information about the user or computer at the time of the log entry. This is likely required for full transparency but may require disclosure to your user.

When this policy is applied against a system, it will enforce and modify the behavior of the firewall.

The user will need to log out and log back in for the policy to take effect.

Lock Screen - 15 minutes

The user's screen saver will lock after the amount of seconds specified. A password will be required to unlock the screen saver.

N/A

Takes effect immediately

Software Update Settings

This policy controls how and when automatic software updates are installed on user macOS devices for App Store updates, macOS version updates, critical updates, and pre-releases. This policy does not control major macOS upgrades.

This policy determines if automatic updates are installed on user devices. If you don’t want users to control how software is updated on their devices, you should deselect the fields below.

After you save this policy and apply it to devices, the user must restart the device before this policy can take effect.

Name

Description

Behavior

Activation

Windows - BitLocker Full Disk Encryption Policy

This policy will enable and enforce BitLocker. If BitLocker is already enabled on the target system, it must have a single BitLocker numerical password set. This policy works on Windows 10 Pro/Enterprise/Education and Windows 11 Pro/Enterprise/Education (must have TPM 2.0).

NOTE: This policy will fail if enabled on Windows 10 Home or Windows 11 Home Editions.

If the policy is bound to a device, BitLocker will be enabled and enforced on the system drive.

Checking the box 'Encrypt All Non-Removable Drives' will enable and enforce BitLocker on all fixed drives on the device.

Once the policy is applied to a system, a Recovery Key will be displayed for that respective System under System Details.

The drive is not fully encrypted until the policy result shows that it was applied successfully. Removing this policy will not disable BitLocker or remove key protectors once enabled.

The policy will take effect on the next reboot.

Windows - Configure Windows Updates Policy

This policy manages the system update behavior based on the options selected below.

These settings will control when and how updates and upgrades are downloaded and installed.

The system must be rebooted for the policy to take effect.

Windows - Lock Screen Policy

When a managed system is inactive for the length of time specified in the policy's configuration, the screen saver will activate and lock the machine. A password will be required to unlock the machine.

N/A

The user will need to log out and log back in for the policy to take effect. For Windows 10 and 11, expect a 5-minute delay after each new login before the specified timeout settings will take effect.

Windows - Windows Firewall Policy

Controls the behavior of Windows Firewall in Windows.

This policy will apply to all users on the system.

The policy will take effect on the next boot.