macOS Policies
Description of policy: Activation Lock helps you keep your device secure, even if it’s in the wrong hands, and can improve your chances of recovering it. Even if you erase your device remotely, Activation Lock can continue to deter anyone from reactivating your device without your permission.
Behavior of policy: Allows activation lock to be enabled when a user turns on "Find My", or enables activation lock if the user has already turned on "Find My". Removing the policy does not disable activation lock. However, if the policy is removed and the user then disables activation lock, the user will not be able to enable activation lock again.
Activation of policy: No user action is required for the allow activation lock policy to be applied. User action is required to turn on "Find My" in order to enable Activation Lock for their device. Note: This policy only works on a supervised device.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Description of policy: This policy disables the local Guest account. This policy works on all JumpCloud supported operating systems. Due to behavior specific to macOS 10.13.2 and 10.13.3, the Guest account remains available at the FileVault 2 login window on those two versions even when this policy is applied.
Behavior of policy: Disable the local Guest account. This will prevent Guest from appearing as an available login account at the login window.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Applicable for all policy Groups
Description of policy: Enabling this policy prevents users from accessing features in System Preferences that the administrator has disallowed. Starting with macOS 13, Apple has marked this policy as deprecated because System Preferences was replaced by System Settings. The behavior of this policy on macOS 13 is undefined and should not be relied on.
Behavior of policy: NA
Activation of policy: After you save and apply this policy, the user must logout of their system and log back in before the policy takes effect.
Applicable policy groups & Default settings/applications: Only available on Standard & Enhanced Policy Groups
Restrict System Preferences for macOS 12 and earlier (Not Enabled at default)
Restrict System Settings for macOS 13 (Not Enabled at default)
Description of policy: Controls the applications that standard users are allowed to approve to screen share & record on macOS 11 and above.
Behavior of policy: Selecting the checkbox for a privacy preferences area grants access to the application. You must relaunch the application after applying the settings.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Default applications enabled:
Description of policy: This policy allows you to preapprove certain privileges for a specific application. You must gather the application's code-signing block (its code signing requirement, which identifies the signed app to the Privacy Preferences payload) and then choose which privacy preference areas to approve. You can approve one or more areas. Apple does not allow programmatic approval of access to the microphone, camera, or remote screen sharing; for those areas you can only deny access.
Behavior of policy: Selecting the checkbox for a privacy preferences area grants access to the application. You must relaunch the application after applying the settings.
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Default settings enabled in each policy group are as below
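The policy above requires the application's code-signing information and (for the notification policy further down) its bundle identifier. The following added script, which is not JumpCloud's code, shows how to collect both on a Mac with Apple's built-in tools and how to judge whether the collected requirement will keep matching after the app updates. The application path, Team ID and `codesign` output used here are constructed; the parsing functions work on captured text so they can be exercised off a Mac.

```shell
#!/usr/bin/env bash
# Added example (not JumpCloud's code): gather what a Privacy Preferences
# (PPPC) approval needs for one app:
#   - the bundle identifier (CFBundleIdentifier), and
#   - the designated code requirement, which `codesign -d -r -` prints on a
#     line beginning "designated => ".
# Sample output below is constructed; only the Darwin branch touches a real app.
set -eu

# Read stdin (codesign -d -r - output) and print the designated requirement.
designated_requirement() {
  sed -n 's/^designated => //p'
}

# Print CFBundleIdentifier of an app bundle. macOS only (uses PlistBuddy).
bundle_identifier() {
  /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$1/Contents/Info.plist"
}

# Classify a requirement by how brittle it is:
#   cdhash       : pinned to one build's code hash; silently stops matching
#                  after the next app update (typical of ad-hoc signing)
#   developer-id : pinned to identifier + Team ID (leaf subject.OU); survives updates
#   app-store    : Mac App Store leaf certificate marker; survives updates
classify_requirement() {
  case "$1" in
    *'cdhash H"'*)                                        echo cdhash ;;
    *'certificate leaf[subject.OU] = "'*)                 echo developer-id ;;
    *'certificate leaf[field.1.2.840.113635.100.6.1.9]'*) echo app-store ;;
    *)                                                    echo unknown ;;
  esac
}

# Constructed sample of `codesign -d -r - /Applications/Example.app` output
# for a Developer ID signed app with the made-up Team ID ABCDE12345.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
designated => identifier "com.example.app" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "ABCDE12345"'

if [ "$(uname -s)" = Darwin ] && [ -n "${1:-}" ]; then
  # Live run: ./pppc-info.sh /Applications/Example.app
  app="$1"
  req="$(codesign -d -r - "$app" 2>/dev/null | designated_requirement)"
  echo "bundle id:   $(bundle_identifier "$app")"
  echo "requirement: $req"
  echo "kind:        $(classify_requirement "$req")"
else
  # Off-box demonstration on the constructed sample.
  req="$(printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | designated_requirement)"
  echo "requirement: $req"
  echo "kind:        $(classify_requirement "$req")"
fi
```

A requirement classified as `cdhash` matches exactly one build, so the approval stops applying after the first update and users get prompted again; collect the requirement from a Developer ID or App Store signed build so it pins the identifier and signer instead.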
Description of policy: This policy allows you to enable and enforce FileVault. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Once the policy is successfully enabled for the system, a Recovery Key will be displayed for that respective System under System Details. Removing this policy will not disable FileVault 2 once enabled.
Activation of policy: A user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Default settings:
Show the FileVault Recovery Key to the user when enabled (Not Enabled at default)
Do not prompt the user to enable FileVault at logout (Not Enabled at default)
Number of times the user can bypass enabling FileVault is set at '0'
Description of policy: This policy manages the local host firewall settings. "Block All Incoming Connections", "Stealth Mode" and "Logging Mode" can only be enabled when the Firewall itself is enabled. Selecting "Enable Private Data Collection" includes identifying information about the user or computer in each log entry; this is likely required for complete log detail, but may require disclosure to your users.
Behavior of policy: When this policy is applied against a system, it will enforce and modify the behavior of the firewall.
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications:
Default settings in all policy groups are as below
Description of policy: Configure the notification settings for an application by bundle identifier.
Behavior of policy: When this policy is applied, the notifications for the app will be delivered based on the settings in this policy and the user will not need to configure the notification settings.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Only applicable on Standard & Enhanced policies.
Default features selected are as below.
Description of policy: This policy will disable all access to the Siri assistant. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Disable Siri.
Activation of policy: Users will need to logout/login to ensure complete application of the policy. Any attempt to access Siri will result in being prompted to configure Siri. Canceling the prompt will remove Siri from the Menu Bar. If Siri is pinned to the Dock the icon will need to be manually removed. If the policy is removed, the user must logout/login to re-enable Siri.
Applicable policy groups & Default settings/applications: Only applicable on Enhanced policies
Description of policy: This policy controls the ability of the machine to install and run software by leveraging Gatekeeper in macOS. This policy works on all JumpCloud supported operating systems.
Behavior of policy: When this policy is applied against a system, it will affect which applications are allowed to install and run based on the selected options.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Only applicable for Mac on Standard & Enhanced policies
Default settings are the same for both groups:
Enable Gatekeeper Control ✔
Allow Apps From Identified Developers ✔
Disable Gatekeeper Override ✔
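To verify on an endpoint that the FileVault, firewall and Gatekeeper policies above actually took effect, the following added script (not JumpCloud's code) reads the status output of Apple's built-in tools (`fdesetup`, `socketfilterfw`, `spctl`) and compares it with this page's defaults. It distinguishes a FileVault volume that is still encrypting from one that has finished, the state the FileVault section above warns about. The strings it matches are those tools' output formats as known to the editor, so confirm them on your macOS version; the sample outputs embedded below are constructed.

```shell
#!/usr/bin/env bash
# Added example (not JumpCloud's code): check that the macOS FileVault,
# firewall and Gatekeeper policies are in effect by parsing the status output
# of the built-in tools. Parsers take captured text so they can be tested
# off a Mac; the live branch only runs on Darwin.
set -eu

# `fdesetup status` -> on | off | encrypting | decrypting | unknown.
# "encrypting" means FileVault is on but the volume is not fully encrypted yet.
filevault_state() {
  case "$1" in
    *'Encryption in progress'*) echo encrypting ;;
    *'Decryption in progress'*) echo decrypting ;;
    *'FileVault is On.'*)       echo on ;;
    *'FileVault is Off.'*)      echo off ;;
    *)                          echo unknown ;;
  esac
}

# Combined output of socketfilterfw --getglobalstate --getstealthmode --getblockall
# -> three words "<firewall> <stealth> <blockall>", each on or off.
firewall_state() {
  local fw=off stealth=off block=off
  case "$1" in *'Firewall is enabled'*) fw=on ;; esac
  case "$1" in *'stealth mode is on'*)  stealth=on ;; esac
  case "$1" in *'Block all ENABLED'*)   block=on ;; esac
  echo "$fw $stealth $block"
}

# `spctl --status` -> enabled | disabled | unknown (Gatekeeper assessment).
gatekeeper_state() {
  case "$1" in
    *'assessments enabled'*)  echo enabled ;;
    *'assessments disabled'*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# Compare against the page's defaults: FileVault fully on, firewall enabled,
# Gatekeeper enabled. $1 fdesetup output, $2 socketfilterfw output, $3 spctl output.
# Prints one line per control and returns 1 if any control is out of policy.
mac_policy_audit() {
  local rc=0 fv fw gk
  fv="$(filevault_state "$1")"
  fw="$(firewall_state "$2")"
  gk="$(gatekeeper_state "$3")"
  [ "$fv" = on ] && echo "ok   FileVault: $fv" || { echo "fail FileVault: $fv"; rc=1; }
  case "$fw" in
    on\ *) echo "ok   Firewall (fw stealth blockall): $fw" ;;
    *)     echo "fail Firewall (fw stealth blockall): $fw"; rc=1 ;;
  esac
  [ "$gk" = enabled ] && echo "ok   Gatekeeper: $gk" || { echo "fail Gatekeeper: $gk"; rc=1; }
  return "$rc"
}

# Constructed samples in the tools' output formats.
SAMPLE_FDE_ON='FileVault is On.'
SAMPLE_FDE_ENCRYPTING="$(printf 'FileVault is On.\nEncryption in progress: Percent completed = 42\n')"
SAMPLE_FW_ON="$(printf 'Firewall is enabled. (State = 1)\nFirewall stealth mode is on\nBlock all DISABLED!\n')"
SAMPLE_FW_OFF="$(printf 'Firewall is disabled. (State = 0)\nStealth mode disabled\nBlock all DISABLED!\n')"
SAMPLE_SPCTL_ON='assessments enabled'

if [ "$(uname -s)" = Darwin ]; then
  FW=/usr/libexec/ApplicationFirewall/socketfilterfw
  mac_policy_audit "$(fdesetup status)" \
    "$("$FW" --getglobalstate; "$FW" --getstealthmode; "$FW" --getblockall)" \
    "$(spctl --status)" || echo "one or more controls are out of policy"
else
  echo "# off-box demonstration on constructed output"
  mac_policy_audit "$SAMPLE_FDE_ENCRYPTING" "$SAMPLE_FW_OFF" 'assessments disabled' || true
  mac_policy_audit "$SAMPLE_FDE_ON" "$SAMPLE_FW_ON" "$SAMPLE_SPCTL_ON"
fi
```

Run it as a JumpCloud command or from a terminal after the policies report success; a FileVault result of `encrypting` means the recovery key exists but the disk is not yet protected, which matches the note in the FileVault behavior above.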
Description of policy: This policy controls a user's ability to install applications from the Apple App Store. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Checking the boxes below will restrict App Store access. When 'Restrict App Store to Updates only' is selected on macOS 10.14, it disables all access to the App Store.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Only applicable on Standard & Enhanced policies.
Description of policy: The user's screen saver will lock after the number of seconds specified. A password will be required to unlock the screen saver. This policy works on all JumpCloud supported operating systems.
Behavior of policy: NA
Activation of policy: This change will take effect immediately.
Applicable policy groups & Default settings/applications: Applicable for all policies.
Default time until the device locks is as below.
Description of policy: This policy controls the presentation of users at the login window on selected machines. This policy works on all JumpCloud supported operating systems.
Behavior of policy: When this policy is applied against a system, it will modify the login window behavior based on the selected options.
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Only applicable on Enhanced policies
Show Username And Password Dialog ✔
Description of policy: This policy prevents users from manually installing individual configuration profiles on supervised devices; with it in place, profiles can only be delivered through MDM. The policy applies to devices running macOS 13 or newer.
Behavior of policy: When a user attempts to install a configuration profile manually, they will receive a message that profile installation is disallowed due to a restriction.
Activation of policy: No action is needed to activate this policy.
Applicable policy groups & Default settings/applications: Only applicable on Standard & Enhanced Policy Groups
Description of policy: Allows an admin to prevent a user from activating the native Content Caching feature in the Sharing settings of the macOS device.
Behavior of policy: Adding this policy to a user's device will prevent the use of this feature, preserving disk space on the device.
Activation of policy: No activation is required for this policy.
Applicable policy groups & Default settings/applications: Only available on Enhanced Policy Group
Description of policy: Users on managed machines will only be able to access the features of iCloud allowed by an administrator. Any feature that is unselected will no longer be available for users on managed machines to modify. This policy works on all JumpCloud supported operating systems.
Behavior of policy: When this policy is applied against a system, it will restrict users from using the unchecked iCloud options.
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Only applicable for Mac, on Enhanced policies
Allow Cloud Address Book
Allow Cloud Bookmarks
Allow Cloud Calendar
Allow Cloud Desktop And Documents
Allow Cloud Document Sync
Allow Cloud Freeform (Requires macOS 14+) ✔
Allow Cloud Keychain Sync
Allow Cloud Mail
Allow Cloud Notes
Allow Cloud Photo Library
Allow Cloud Reminders
Description of policy: This policy disables iCloud Private Relay for macOS. Devices that are assigned to this policy will not be able to use iCloud Private Relay.
Behavior of policy: Devices must be enrolled in MDM and be supervised to use this policy.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Only available on Standard & Enhanced Policy Groups.
Description of policy: This policy manages the text presented at the login window on selected machines. This policy works on all JumpCloud supported operating systems. Due to the reduced size of the login window space on macOS Monterey, displays under 900px in vertical height may experience display overlap between the login area and policy text that is displayed on the screen.
Behavior of policy: The text entered into the text field will be shown at the login window on selected machines.
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Only applicable for Mac, on Standard & Enhanced policies
Set Text Displayed At Login Window: Your admin manages this device with JumpCloud.
iOS Policies
Description of policy: This policy helps secure corporate and personal iOS devices and enforces settings for passcode length, complexity, failed attempts, etc.
Behavior of policy: Devices must be enrolled in MDM to use this policy. After the MDM enrollment profile is installed, the user has 60 minutes to enter a passcode that meets the restrictions in this policy. If the user does not comply within the time limit, the user is forced to change the passcode.
Activation of policy: No action is needed to activate this policy.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Description of policy: Activation Lock helps you keep company-owned supervised iOS devices secure. If the device is lost or stolen, you can improve your chances of recovering it. If you erase your device remotely, Activation Lock can continue to deter anyone from reactivating the device without your permission.
Behavior of policy: Allows activation lock to be enabled when a user turns on "Find My", or enables activation lock if the user has already turned on "Find My". Removing the policy does not disable activation lock. However, if the policy is removed and the user then disables activation lock, the user will not be able to enable activation lock again.
Activation of policy: After the Allow Activation Lock Policy is applied, user action is required to turn on "Find My" in order to enable Activation Lock for the device. Note: This policy only works on a supervised device.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Description of policy: This policy disables sending diagnostic reports to Apple from an iOS device.
Behavior of policy: Devices must be enrolled in MDM to use this policy.
Activation of policy: No action is needed to activate this policy.
Applicable policy groups & Default settings/applications: Applicable only for Standard policy.
Description of policy: This policy hides the FaceTime app. FaceTime lets users make video and audio calls on an iOS device.
Behavior of policy: Devices must be enrolled in MDM and be supervised to use this policy.
Activation of policy: No action is needed to activate this policy.
Applicable policy groups & Default settings/applications: Applicable only for Standard Policy.
Description of policy: Erase All Content and Settings lets anyone who can unlock a device rapidly return an iOS or iPadOS device to factory defaults. Admins may want to prevent users from easily invoking this feature. This policy lets admins block access to Erase All Content and Settings in the Settings app.
Behavior of policy: When this policy is applied to a device, it restricts users from using Erase All Content and Settings in the Settings app.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Applicable only for Standard and Enhanced
Description of policy: This policy helps secure User-Enrolled devices by forcing users to enter a passcode to access the device. These restrictions are applied automatically: simple passcodes with sequential or repeated characters are not allowed, a passcode is required, and the minimum length is 6 characters. This policy can only be applied to, or removed from, devices that were user enrolled.
Behavior of policy: Devices must be enrolled in MDM to use this policy. After the MDM enrollment profile is installed, the user has 60 minutes to enter a passcode that meets the restrictions in this policy. If the user does not comply within the time limit, the user is forced to change the passcode.
Activation of policy: No action is needed to activate this policy.
Applicable policy groups & Default settings/applications: Applicable for all policy groups.
Description of policy: Controls how Managed Apps can communicate with Unmanaged Apps, including the ability to copy and paste between these app types.
Behavior of policy: Devices must be enrolled in MDM to use this policy, and iOS 15 or later is required for all configurations of this policy.
Activation of policy: No action is needed to use this policy.
Applicable policy groups & Default settings/applications: Available only for Standard and Enhanced.
Features enabled by default
Description of policy: Supervised devices can support restrictions that are unavailable for other enrollment types. This policy provides for controls in two areas: Security of the Device and Admin Control of the device.
Behavior of policy: When this policy is applied to an iPhone or iPad, it will restrict a number of settings on supervised devices.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only for Standard and Enhanced
Default settings are as below
Windows Policies
Description of policy: Help strengthen authentication and guard against potential spoofing by using fingerprint matching provided by the Windows Hello service.
Behavior of policy: This policy lets you remotely allow or restrict the user from logging in to a managed system using biometrics. NOTE: JumpCloud does not allow the use of Multi-Factor Authentication (MFA) and biometrics simultaneously. For example, if you enable MFA in JumpCloud, users can’t log in to their managed system with their fingerprint.
Activation of policy: After you save the policy it takes effect immediately.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Description of policy: This policy will enable and enforce BitLocker. If BitLocker is already enabled on the target system, it must have a single BitLocker numerical password set. This policy works on Windows 10 Pro/Enterprise/Education and Windows 11 Pro/Enterprise/Education (must have TPM 2.0). NOTE: This policy will fail if enabled on Windows 10 Home or Windows 11 Home Editions.
Behavior of policy: Checking the box 'Encrypt All Non-Removable Drives' will enable and enforce BitLocker on all fixed drives on the device. By default, BitLocker is only enabled and enforced on the system drive. Once the policy is applied to a system, a Recovery Key will be displayed for that respective System under System Details. The drive is not fully encrypted until the policy result shows that it was applied successfully. Removing this policy will not disable BitLocker or remove key protectors once enabled.
Activation of policy: The policy will take effect on the next reboot.
Applicable policy groups & Default settings/applications: Same for all Policy Groups
Encrypt All Non-Removable Drives. System Drive is encrypted by default. ✔
Description of policy: This policy will disable or enable the built-in administrator account. It is advised to have an additional local administrator account to manage the system. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Unchecking the box 'Disable Built-in Administrator Account' will enable the built-in administrator account.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: applicable for all Policy Groups
Disable Built-in Administrator Account ✔
Description of policy: This policy will disable or enable the built-in guest account. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Unchecking the box 'Disable Built-in Guest Account' will enable the built-in guest account.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: applicable for all policy groups
Disable Built-in Guest Account ✔
Description of policy: This policy will ensure that the logged-in user's information will show or not show when the system is locked. It is advised to also enforce 'Do Not Display Last Username On Logon Screen' for this policy to be effective. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Checking the box 'Do Not Display User Information' will restrict the lock screen from showing the logged-in user's information.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on the Light policy group
Do Not Display User Information ✔
Description of policy: This policy will ensure that entering a username and password is required before logging into a system. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Checking the box 'Do Not Display Last Username' will require the user to type both username and password to log on. Unchecking the box below will display the last logged-in username at logon.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: applicable for all Policy Groups
Do Not Display Last Username ✔
Description of policy: When a managed system is inactive for the length of time specified in the policy's configuration, the screen saver will activate and lock the machine. A password will be required for unlocking the machine. This policy works on all JumpCloud supported operating systems.
Behavior of policy: NA
Activation of policy: The user will need to logout and log back in for the policy to take effect. For Windows 10 and 11, expect a 5 minute delay after each new login before the specified timeout settings will take effect.
Applicable policy groups & Default settings/applications:
Description of policy: The user will only be able to access the panes of the Control Panel allowed by the administrator. Checking the box adjacent to a given feature will cause that feature to no longer be visible to target users. This policy works on all JumpCloud supported operating systems.
Behavior of policy: NA
Activation of policy: The user will need to logout and log back in for the policy to take effect.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Default settings
Description of policy: Controls the behavior of Windows Defender in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Default Settings are below
Description of policy: Controls the behavior of Windows Firewall in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Applicable for all policies
Default Settings are below
Description of policy: Controls the behavior of Device Installation in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced
Description of policy: This policy prevents the usage of Microsoft's Cortana on systems when applied. Users will still be able to leverage the search functionality on their system with Cortana disabled. This policy works on Windows 10 and Windows 11.
Behavior of policy: Cortana will be disabled system wide.
Activation of policy: A logoff or reboot is required for this policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced.
Description of policy: This policy will ensure that CTRL+ALT+DEL is required before logging into a system. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Unchecking the box 'Do Not Require CTRL+ALT+DEL' will require the user to press CTRL+ALT+DEL to log on.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced
Do Not Require CTRL + ALT + DEL (not enabled by default)
Description of policy: Controls the behavior of FindMyDevice in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows. For more information, see: Group Policy Search.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Available only on Standard
Turn On/Off Find My Device ✔
Description of policy: This policy specifies a text message & title caption that is displayed to users when they log on. This policy works on all JumpCloud supported operating systems.
Behavior of policy: The text entered into the text fields will be the title caption and text message.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced (same for both)
Message Title For Users Attempting To Log On : System Message
Message Text For Users Attempting To Log On : Your administrator manages this device via JumpCloud
Description of policy: Controls the behavior of Remote Assistance in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced (same for both)
Allow only Windows Vista or later connections
Turn on session logging ✔
Description of policy: This policy will ensure that the system cannot launch autoplay features. This policy works on all JumpCloud supported operating systems.
Behavior of policy: Checking the box 'Turn Off Autoplay' will disable the system's autoplay feature on all drives.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced
Turn Off Autoplay ✔
Description of policy: Controls the behavior of Removable Storage in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
NOTE: Some of the settings in this policy conflict with the legacy Disable USB Storage and Disable CD & DVD Read Access policies. Before you apply this policy to your systems, we recommend that you unbind the legacy policies. If you use both this policy and the legacy policies, your systems may behave unexpectedly.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Available only on Standard & Enhanced (same for both)
Default settings are below
Description of policy: You can customize computer and user configurations to force a specific visual style on a Windows system. Instead of using Group Policy Editor to configure the control panel display Administrative template or editing the registry keys on each system, you can configure this policy to force display settings and prevent changes.
Behavior of policy: This policy can apply the same screen settings that are included in the control panel display Administrative template for Windows systems. If you force a visual style on a system, a user can’t apply a different style when trying to change themes in the Personalization Control Panel.
Activation of policy: After you save the policy, you must restart all systems where you apply it before it takes effect.
Applicable policy groups & Default settings/applications: Available only on Enhanced
Don't display the lock screen
Force a specific Start background
Force a specific background and accent color
Force a specific default lock screen and logon image
Turn off fun facts, tips, tricks, and more on lock screen ✔
Prevent changing lock screen and logon image
Prevent changing start menu background
Prevent enabling lock screen camera ✔
Prevent enabling lock screen slide show ✔
Description of policy: This policy will ensure that system cannot launch the Windows Store application. This policy works on Windows 10 Enterprise/Education and 11 Enterprise/Education.
Behavior of policy: Checking the box 'Turn Off The Store Application' will disable the system's ability to launch the Windows Store application.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Enhanced
Description of policy: Controls the behavior of Logon in Windows. This policy works on all JumpCloud supported operating systems. However, individual settings may not be applicable to all versions of Windows.
Behavior of policy: This policy will apply to all users on the system.
Activation of policy: Policy will take effect on the next boot.
Applicable policy groups & Default settings/applications: Available only on Enhanced
Always wait for the network at computer startup and logon
Block user from showing account details on sign-in ✔
Display highly detailed status messages
Do not display network selection UI
Do not process the legacy run list
Do not process the run once list
Hide entry points for Fast User Switching
Show first sign-in animation
Turn off Windows Startup sound ✔
Turn off app notifications on the lock screen
Description of policy: This policy allows the renaming of the built-in Local Administrator Account. This policy works on all JumpCloud supported operating systems.
Behavior of policy: The text entered into the text field will be the new name for the local administrator account.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only on Enhanced
Local Administrator Account Name: JC-User
Description of policy: To protect computers and networks from potentially harmful applications, you can specify locations where applications can run or can’t run. We recommend testing before applying to all systems. For more information on what to add or how best to implement this policy, see the Controlling Software Access Using a Policy KB.
Behavior of policy: This policy restricts or allows applications to run on a user's Windows system. You can specify a location as a fully qualified path ending in a file name to allow or restrict that one file, or specify a directory to allow or restrict every executable file in that directory. This policy does not prevent an application from being installed, or from being moved to another location.
Activation of policy: After you save this policy and apply it to systems, you must restart the systems before this policy takes effect.
Applicable policy groups & Default settings/applications: Available only on Enhanced
Linux Policies
Description of policy: This policy checks a Linux machine for full-disk or home-directory encryption and reports the status. If the root partition is encrypted using cryptsetup/LUKS, the policy succeeds. If the home directories are encrypted with fscrypt or eCryptfs and the 'Check Managed Users' option is checked, the policy also succeeds.
Behavior of policy: This policy reports on the status of disk encryption on a Linux machine.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Check if all managed users' home directories are encrypted. ✔
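The two checks the policy describes (a LUKS-encrypted root and ecryptfs-encrypted home directories) can be reproduced from `lsblk` and `/proc/mounts`. The following is an added example, not JumpCloud's implementation: it walks the block-device stack below a mount point looking for a dm-crypt `crypt` device, and reports each managed user's home as `ecryptfs`, `block-crypt` or `unencrypted`. The `lsblk` and `/proc/mounts` samples are constructed; home directories are assumed to live under `/home/<user>`, and fscrypt (which is not visible in `/proc/mounts`) is not covered.

```python
import re
import subprocess

# Constructed output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` for a LUKS-on-LVM layout.
SAMPLE_LSBLK = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
"""

# Constructed /proc/mounts: alice uses ecryptfs, bob relies on the encrypted block device.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0
/home/.ecryptfs/alice/.Private /home/alice ecryptfs rw,nosuid,nodev,relatime 0 0
"""


def parse_lsblk_pairs(text):
    """Parse `lsblk -P` KEY="value" rows into a list of dicts."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', line)) for line in text.splitlines() if line.strip()]


def mount_is_encrypted(rows, mountpoint="/"):
    """True when the device mounted at `mountpoint`, or any device beneath it in the
    block stack (followed through PKNAME), is a dm-crypt/LUKS 'crypt' device."""
    by_name = {r["NAME"]: r for r in rows}
    dev = next((r for r in rows if r.get("MOUNTPOINT") == mountpoint), None)
    seen = set()
    while dev is not None and dev["NAME"] not in seen:
        seen.add(dev["NAME"])
        if dev.get("TYPE") == "crypt":
            return True
        dev = by_name.get(dev.get("PKNAME", ""))
    return False


def home_status(rows, mounts_text, users):
    """Classify each user's home (assumed at /home/<user>): 'ecryptfs' when an
    ecryptfs filesystem is mounted there, 'block-crypt' when the filesystem holding
    it sits on a crypt device, otherwise 'unencrypted'."""
    fstype = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            fstype[parts[1]] = parts[2]
    mountpoints = [r["MOUNTPOINT"] for r in rows if r.get("MOUNTPOINT")]
    status = {}
    for user in users:
        home = f"/home/{user}"
        if fstype.get(home) == "ecryptfs":
            status[user] = "ecryptfs"
            continue
        # Longest block-device mount point that contains the home directory.
        parent = max((mp for mp in mountpoints
                      if home == mp or home.startswith(mp.rstrip("/") + "/")),
                     key=len, default="/")
        status[user] = "block-crypt" if mount_is_encrypted(rows, parent) else "unencrypted"
    return status


if __name__ == "__main__":
    lsblk = subprocess.run(["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
                           capture_output=True, text=True, check=True).stdout
    rows = parse_lsblk_pairs(lsblk)
    with open("/proc/mounts") as f:
        mounts = f.read()
    print("root encrypted:", mount_is_encrypted(rows, "/"))
    print(home_status(rows, mounts, ["alice", "bob"]))  # hypothetical managed users
```

Running the script on a host prints the root verdict and a per-user map; the block-device walk is what makes LVM-on-LUKS layouts pass, since the mounted device itself is an `lvm` volume and only its parent is the `crypt` device.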
Description of policy: The user's screen saver will lock after the number of seconds specified. A password will be required to unlock the screen saver. This policy works on all JumpCloud supported operating systems.
Behavior of policy: NA
Activation of policy: Once this policy is saved, the user may need to log out and back into their session for the lock screen policy to become active.
Applicable policy groups & Default settings/applications: Applicable for all policy groups
Description of policy: This policy prevents USB mass storage devices, such as flash drives and USB hard drives, from being used on the system. This policy works on all JumpCloud supported operating systems.
Behavior of policy: All USB mass storage devices will be disabled for all users on the system.
Activation of policy: The policy will take effect on the next reboot.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups
Description of policy: This policy secures system files for Linux systems.
Behavior of policy: This policy sets permissions and ownership for system files.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups
All settings below are enabled for both groups.
Ensure permissions on bootloader config are configured. Sets owner to root:root and permissions to 400 on the files /boot/grub/grub.cfg or /boot/grub2/grub.cfg.
Ensure permissions on /etc/motd are configured. Sets owner to root:root and permissions to 644 on the file /etc/motd.
Ensure permissions on /etc/issue are configured. Sets owner to root:root and permissions to 644 on the file /etc/issue.
Ensure permissions on /etc/issue.net are configured. Sets owner to root:root and permissions to 644 on the file /etc/issue.net.
Ensure permissions on /etc/hosts.allow are configured. Sets owner to root:root and permissions to 644 on the file /etc/hosts.allow.
Ensure permissions on /etc/hosts.deny are configured. Sets owner to root:root and permissions to 644 on the file /etc/hosts.deny.
Ensure permissions on /etc/crontab are configured. Sets owner to root:root and permissions to 600 on the file /etc/crontab.
Ensure permissions on /etc/cron.hourly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.hourly.
Ensure permissions on /etc/cron.daily are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.daily.
Ensure permissions on /etc/cron.weekly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.weekly.
Ensure permissions on /etc/cron.monthly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.monthly.
Ensure permissions on /etc/cron.d are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.d.
Ensure permissions on /etc/ssh/sshd_config are configured. Sets owner to root:root and permissions to 600 on the file /etc/ssh/sshd_config.
Ensure permissions on /etc/passwd are configured. Sets owner to root:root and permissions to 644 on the file /etc/passwd.
Ensure permissions on /etc/shadow are configured. Sets owner to root:root and permissions to 640 on the file /etc/shadow.
Ensure permissions on /etc/group are configured. Sets owner to root:root and permissions to 644 on the file /etc/group.
Ensure permissions on /etc/gshadow are configured. Sets owner to root:root and permissions to 640 on the file /etc/gshadow.
Ensure permissions on /etc/passwd- are configured. Sets owner to root:root and permissions to 600 on the file /etc/passwd-.
Ensure permissions on /etc/shadow- are configured. Sets owner to root:root and permissions to 640 on the file /etc/shadow-.
Ensure permissions on /etc/group- are configured. Sets owner to root:root and permissions to 644 on the file /etc/group-.
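The setting list above is a table of path, owner and mode, which makes it straightforward to audit a host before or after the policy is applied. The following is an added example, not JumpCloud's code: it stats each path, compares owner, group and permission bits with the values the policy sets, and treats a missing path as not applicable (only one of the two `grub.cfg` locations exists on a given distribution). The `demo()` function exercises the checker against a constructed temporary file rather than real system files.

```python
import grp
import os
import pwd
import stat
import tempfile

# Expected owner, group and mode per path, transcribed from the policy's setting list.
EXPECTED = {
    "/boot/grub/grub.cfg":  ("root", "root", 0o400),
    "/boot/grub2/grub.cfg": ("root", "root", 0o400),
    "/etc/motd":            ("root", "root", 0o644),
    "/etc/issue":           ("root", "root", 0o644),
    "/etc/issue.net":       ("root", "root", 0o644),
    "/etc/hosts.allow":     ("root", "root", 0o644),
    "/etc/hosts.deny":      ("root", "root", 0o644),
    "/etc/crontab":         ("root", "root", 0o600),
    "/etc/cron.hourly":     ("root", "root", 0o700),
    "/etc/cron.daily":      ("root", "root", 0o700),
    "/etc/cron.weekly":     ("root", "root", 0o700),
    "/etc/cron.monthly":    ("root", "root", 0o700),
    "/etc/cron.d":          ("root", "root", 0o700),
    "/etc/ssh/sshd_config": ("root", "root", 0o600),
    "/etc/passwd":          ("root", "root", 0o644),
    "/etc/shadow":          ("root", "root", 0o640),
    "/etc/group":           ("root", "root", 0o644),
    "/etc/gshadow":         ("root", "root", 0o640),
    "/etc/passwd-":         ("root", "root", 0o600),
    "/etc/shadow-":         ("root", "root", 0o640),
    "/etc/group-":          ("root", "root", 0o644),
}


def names_for(uid, gid):
    """Resolve uid/gid to names; fall back to the numeric id when unknown (e.g. in a container)."""
    try:
        owner = pwd.getpwuid(uid).pw_name
    except KeyError:
        owner = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return owner, group


def evaluate(path, owner, group, mode, expected):
    """Pure comparison of observed values against (owner, group, mode); empty list = compliant."""
    exp_owner, exp_group, exp_mode = expected
    findings = []
    if (owner, group) != (exp_owner, exp_group):
        findings.append(f"{path}: owner is {owner}:{group}, expected {exp_owner}:{exp_group}")
    if mode != exp_mode:
        findings.append(f"{path}: mode is {mode:04o}, expected {exp_mode:04o}")
    return findings


def check_path(path, expected):
    """Stat one path (following symlinks, since the target's bits are what matter).
    Returns None when the path is absent, i.e. the setting does not apply here."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    owner, group = names_for(st.st_uid, st.st_gid)
    return evaluate(path, owner, group, stat.S_IMODE(st.st_mode), expected)


def audit(table=EXPECTED):
    """Return {path: findings} for every non-compliant path in the table."""
    report = {}
    for path, expected in table.items():
        findings = check_path(path, expected)
        if findings:
            report[path] = findings
    return report


def demo():
    """Constructed self-check: a temporary 0600 file owned by the current user,
    audited once against a matching expectation and once against 0644."""
    owner, group = names_for(os.getuid(), os.getgid())
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o600)
        return check_path(path, (owner, group, 0o600)), check_path(path, (owner, group, 0o644))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for findings in audit().values():
        print("\n".join(findings))
```

The comparison is exact, matching the wording "sets permissions to"; a looser audit that only flags modes more permissive than the target would compare `mode & ~exp_mode` instead.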
Description of policy: You can enhance a system's network security by setting kernel parameters for IP forwarding, packet routing, ICMP requests, path filtering, and TCP SYN cookies.
Behavior of policy: This policy can disable IP and packet forwarding, prevent routed packets from being accepted, ignore ICMP broadcasts, enable path filtering and TCP SYN cookies, and log information about suspicious packets.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups
The settings below are enabled for both groups.
Ensure IP forwarding is disabled.
Ensure packet redirect sending is disabled.
Ensure source routed packets are not accepted.
Ensure ICMP redirects are not accepted.
Ensure secure ICMP redirects are not accepted.
Ensure suspicious packets are logged.
Ensure broadcast ICMP requests are ignored.
Ensure bogus ICMP responses are ignored.
Ensure Reverse Path Filtering is enabled.
Ensure TCP SYN Cookies is enabled.
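Each setting in this list corresponds to one or two kernel parameters under `/proc/sys`. The following is an added example, not JumpCloud's code; the mapping from the page's setting names to `net.ipv4.*` keys and target values is my own, based on common CIS-style hardening guidance, and `SAMPLE_RUNNING` is a constructed snapshot of a partially hardened host. On a real host `read_running()` reads the live values.

```python
# Setting name (as on the page) -> kernel parameters and the value that satisfies it.
EXPECTED_SYSCTL = {
    "Ensure IP forwarding is disabled": {"net.ipv4.ip_forward": 0},
    "Ensure packet redirect sending is disabled": {
        "net.ipv4.conf.all.send_redirects": 0,
        "net.ipv4.conf.default.send_redirects": 0},
    "Ensure source routed packets are not accepted": {
        "net.ipv4.conf.all.accept_source_route": 0,
        "net.ipv4.conf.default.accept_source_route": 0},
    "Ensure ICMP redirects are not accepted": {
        "net.ipv4.conf.all.accept_redirects": 0,
        "net.ipv4.conf.default.accept_redirects": 0},
    "Ensure secure ICMP redirects are not accepted": {
        "net.ipv4.conf.all.secure_redirects": 0,
        "net.ipv4.conf.default.secure_redirects": 0},
    "Ensure suspicious packets are logged": {
        "net.ipv4.conf.all.log_martians": 1,
        "net.ipv4.conf.default.log_martians": 1},
    "Ensure broadcast ICMP requests are ignored": {"net.ipv4.icmp_echo_ignore_broadcasts": 1},
    "Ensure bogus ICMP responses are ignored": {"net.ipv4.icmp_ignore_bogus_error_responses": 1},
    "Ensure Reverse Path Filtering is enabled": {
        "net.ipv4.conf.all.rp_filter": 1,
        "net.ipv4.conf.default.rp_filter": 1},
    "Ensure TCP SYN Cookies is enabled": {"net.ipv4.tcp_syncookies": 1},
}


def all_keys(expected=EXPECTED_SYSCTL):
    """Flat list of every kernel parameter the table references."""
    return [key for params in expected.values() for key in params]


def read_running(keys):
    """Read current values from /proc/sys; None when a key is absent on this kernel."""
    values = {}
    for key in keys:
        path = "/proc/sys/" + key.replace(".", "/")
        try:
            with open(path) as f:
                values[key] = int(f.read().split()[0])
        except (OSError, ValueError, IndexError):
            values[key] = None
    return values


def evaluate(running, expected=EXPECTED_SYSCTL):
    """Return {setting name: ['key=actual (want n)', ...]} for every setting not satisfied.
    A key that is absent (None) counts as a failure, since the protection is not in effect."""
    report = {}
    for name, params in expected.items():
        problems = [f"{key}={running.get(key)} (want {want})"
                    for key, want in params.items() if running.get(key) != want]
        if problems:
            report[name] = problems
    return report


# Constructed snapshot: everything hardened except forwarding and default-interface martian logging.
SAMPLE_RUNNING = {key: want for params in EXPECTED_SYSCTL.values() for key, want in params.items()}
SAMPLE_RUNNING["net.ipv4.ip_forward"] = 1
SAMPLE_RUNNING["net.ipv4.conf.default.log_martians"] = 0


if __name__ == "__main__":
    for name, problems in evaluate(read_running(all_keys())).items():
        print(f"{name}: {', '.join(problems)}")
```

Note that `/proc/sys` reflects the running kernel, not `/etc/sysctl.conf`; a host can pass this check after the policy applies the values and still revert on reboot if the persistent configuration was never written, so both are worth auditing.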
Description of policy: This policy secures the bootloader and settings associated with the Linux device boot process.
Behavior of policy: Control the end user's authentication requirements when booting and prevent users from booting in interactive mode.
Activation of policy: No activation is required.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups.
All settings below are enabled for both groups.
Ensure bootloader password is set
Ensure authentication required for single user mode
Ensure interactive boot is not enabled
Description of policy: Control Root Login via SSH. The SSH Server securely provides remote access to devices. The setting in this policy only applies if the SSH daemon is installed on the system. To ensure that access is restricted to only authorized users, the policy allows for mass control of the PermitRootLogin setting on one or more devices at once.
Behavior of policy: Checking the box below will ensure that the SSH Server allows root login. Unchecking the box will DISABLE root login.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups
Allow SSH Root Login (disabled by default for both groups)
Description of policy: The SSH Server securely provides remote access to devices. The settings in this policy only apply if the SSH daemon is installed on the system. To ensure that access is restricted to only authorized users, the server should be configured to: place sensible resource limits; disable features with high potential for abuse; disable algorithms and ciphers known to be weak.
Behavior of policy: Checking the boxes below will ensure that the corresponding aspect of the SSH Server has a secure configuration. Directives in conditional match blocks will not be enforced or validated.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available for the Standard and Enhanced policy groups
The default settings enabled for both groups are listed below.
Ensure SSH Protocol is set to 2.
Ensure SSH LogLevel is appropriate.
Ensure SSH X11 forwarding is disabled.
Ensure SSH MaxAuthTries is set to 4 or less.
Ensure SSH IgnoreRhosts is enabled.
Ensure SSH HostbasedAuthentication is disabled.
Ensure SSH PermitEmptyPasswords is disabled.
Ensure SSH PermitUserEnvironment is disabled.
Ensure only strong Ciphers are used.
Ensure only strong MAC algorithms are used.
Ensure only strong Key Exchange algorithms are used.
Ensure SSH Idle Timeout Interval is configured.
Ensure SSH LoginGraceTime is set to one minute or less.
Ensure SSH warning banner is configured.
Ensure SSH PAM is enabled.
Ensure SSH AllowTcpForwarding is disabled.
Ensure SSH MaxStartups is configured.
Ensure SSH MaxSessions is set to 4 or less.
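The root-login policy above and this settings list together describe an `sshd_config` audit, including the caveat that directives inside conditional `Match` blocks are neither enforced nor validated. The following is an added example, not JumpCloud's code: it parses the global section the way sshd does (first occurrence of a keyword wins, parsing stops at the first `Match` line) and evaluates each setting. The sample config is constructed and fails five settings on purpose; the weak-algorithm lists, the idle-timeout thresholds and the treatment of absent keywords as OpenSSH's compiled-in defaults are my assumptions. `Include` directives are not followed.

```python
import re

# Weak-algorithm lists (assumption, based on widely used hardening guidance).
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
                "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-ripemd160", "hmac-sha1", "hmac-sha1-96",
             "umac-64@openssh.com", "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
             "hmac-ripemd160-etm@openssh.com", "hmac-sha1-etm@openssh.com",
             "hmac-sha1-96-etm@openssh.com", "umac-64-etm@openssh.com"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# Constructed sshd_config, not from a real host.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
LogLevel INFO
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 6
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
Ciphers aes256-gcm@openssh.com,aes128-ctr,3des-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256
ClientAliveInterval 300
ClientAliveCountMax 0
LoginGraceTime 1m
Banner /etc/issue.net
UsePAM yes
AllowTcpForwarding no
MaxStartups 10:30:60
MaxSessions 10
MaxSessions 2          # duplicate keyword: sshd keeps the first value, so this is ignored
Match User backup
    AllowTcpForwarding yes   # inside a Match block: not enforced or validated by the policy
"""


def parse_global(text):
    """{keyword_lowercase: first value} for the global section; stops at the first Match line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" and "Key=value" forms
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def seconds(value):
    """Convert an sshd time value ('60', '1m', '2h') to seconds; None if unparseable."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}[m.group(2)]


def audit(conf):
    """Return the names (as on the page) of the settings this configuration fails."""
    def get(key, default):
        return conf.get(key, default).lower()

    def num(key, default):
        try:
            return int(get(key, str(default)))
        except ValueError:
            return default

    def has_weak(key, weak):
        return any(alg in weak for alg in get(key, "").split(","))

    grace = seconds(get("logingracetime", "120"))
    checks = {
        "Allow SSH Root Login (policy default: not allowed)": get("permitrootlogin", "prohibit-password") != "no",
        "Ensure SSH Protocol is set to 2.": get("protocol", "2") != "2",
        "Ensure SSH LogLevel is appropriate.": get("loglevel", "info") not in ("info", "verbose"),
        "Ensure SSH X11 forwarding is disabled.": get("x11forwarding", "no") != "no",
        "Ensure SSH MaxAuthTries is set to 4 or less.": num("maxauthtries", 6) > 4,
        "Ensure SSH IgnoreRhosts is enabled.": get("ignorerhosts", "yes") != "yes",
        "Ensure SSH HostbasedAuthentication is disabled.": get("hostbasedauthentication", "no") != "no",
        "Ensure SSH PermitEmptyPasswords is disabled.": get("permitemptypasswords", "no") != "no",
        "Ensure SSH PermitUserEnvironment is disabled.": get("permituserenvironment", "no") != "no",
        "Ensure only strong Ciphers are used.": has_weak("ciphers", WEAK_CIPHERS),
        "Ensure only strong MAC algorithms are used.": has_weak("macs", WEAK_MACS),
        "Ensure only strong Key Exchange algorithms are used.": has_weak("kexalgorithms", WEAK_KEX),
        # Idle timeout: an interval must be set and the count must be positive,
        # otherwise idle sessions are never terminated (thresholds are an assumption).
        "Ensure SSH Idle Timeout Interval is configured.":
            not (num("clientaliveinterval", 0) > 0 and num("clientalivecountmax", 3) > 0),
        "Ensure SSH LoginGraceTime is set to one minute or less.": grace is None or grace > 60,
        "Ensure SSH warning banner is configured.": get("banner", "none") in ("", "none"),
        "Ensure SSH PAM is enabled.": get("usepam", "no") != "yes",
        "Ensure SSH AllowTcpForwarding is disabled.": get("allowtcpforwarding", "yes") != "no",
        "Ensure SSH MaxStartups is configured.": "maxstartups" not in conf,
        "Ensure SSH MaxSessions is set to 4 or less.": num("maxsessions", 10) > 4,
    }
    return [name for name, failed in checks.items() if failed]


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as f:
        for name in audit(parse_global(f.read())):
            print("FAIL:", name)
```

Because the parser keeps only the first value of each keyword, a hardened line appended to the end of a file that already sets the same keyword earlier has no effect, which is the situation `sshd -T` (the effective configuration) would also reveal.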
Description of policy: You can restrict access to core dumps by enabling address space layout randomization (ASLR) and uninstalling prelink packages. Core dumps can be used to discover confidential information on the system. ASLR randomly arranges the address space of key data areas to make it difficult to write memory page exploits. Removing prelink prevents malicious users from changing binaries or compromising common libraries. Enabling No Execute (NX) and Execute Disable (XD) can help prevent exploitation of buffer overflow vulnerabilities.
Behavior of policy: This policy restricts core dumps by enabling ASLR and disabling prelink.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Available only in the Enhanced Security policy group
Ensure core dumps are restricted ✔
Ensure XD/NX support is enabled ✔
Ensure address space layout randomization (ASLR) is enabled ✔
Ensure prelink is disabled ✔
Description of policy: This policy helps you protect devices against unknown vulnerabilities by disabling services that are not required for normal operation. If a specific service is not required, reduce your risk by disabling or deleting the service from the device. This policy works on Linux systems running on x86 and x64 platforms.
Behavior of policy: This policy disables the services selected below on the device.
Activation of policy: No activation is required.
Applicable policy groups & Default settings/applications: Available only in the Enhanced Security policy group.
All settings below are selected by default.
Disable xinetd
Disable Avahi
Disable CUPS
Disable DHCP
Disable LDAP
Disable NFS and RPC
Disable DNS
Disable FTP
Disable HTTP
Disable IMAP and POP3 server
Disable Samba
Disable HTTP Proxy server
Disable SNMP server
Disable rsync service
Disable NIS server
Description of policy: To prevent an unauthorized user from introducing data onto or extracting data from a system, you should determine if a filesystem type is not necessary and, if so, disable it. Native Linux file systems are designed to ensure that built-in security controls function as expected. Although non-native filesystems can be used to solve different kinds of problems, they can also lead to unexpected consequences for both the security and functionality of the system. Depending on the flags used to build the kernel, some filesystem modules are built in, and this policy cannot disable them.
Behavior of policy: This policy prevents selected filesystems from being loaded into the kernel.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Available only in the Enhanced Security policy group (all settings below are selected by default)
Ensure mounting of cramfs filesystems is disabled.
Ensure mounting of freevxfs filesystems is disabled.
Ensure mounting of jffs2 filesystems is disabled.
Ensure mounting of hfs filesystems is disabled.
Ensure mounting of hfsplus filesystems is disabled.
Ensure mounting of squashfs filesystems is disabled.
Ensure mounting of udf filesystems is disabled.
Ensure mounting of FAT filesystems is disabled.
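The description notes that a filesystem compiled into the kernel cannot be disabled by this policy, so an audit has to distinguish three states: built in, blocked from loading, and still loadable. The following is an added example, not JumpCloud's code: it reads `/etc/modprobe.d/*.conf` and the kernel's `modules.builtin` list and classifies each filesystem the policy covers. The `modprobe.d` and `modules.builtin` samples are constructed; mapping "FAT" to the `vfat` module is my choice, and treating only an `install <module> /bin/true` or `/bin/false` line as "disabled" (a `blacklist` line alone does not stop an explicit `modprobe`) follows common hardening guidance rather than anything stated on the page.

```python
import glob
import os

# Filesystems from the policy's list; "FAT" is represented by the vfat module (assumption).
DISALLOWED_FS = ["cramfs", "freevxfs", "jffs2", "hfs", "hfsplus", "squashfs", "udf", "vfat"]
NOOP_COMMANDS = {"/bin/true", "/bin/false", "/usr/bin/true", "/usr/bin/false"}

# Constructed /etc/modprobe.d content, not from a real host.
SAMPLE_MODPROBE = """\
install cramfs /bin/false
blacklist cramfs
install jffs2 /bin/true
blacklist hfs
"""
# Constructed excerpt of /lib/modules/<release>/modules.builtin.
SAMPLE_BUILTIN = """\
kernel/fs/squashfs/squashfs.ko
kernel/fs/fat/vfat.ko
"""


def canon(name):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return name.replace("-", "_")


def parse_modprobe(text):
    """Return ({module: install command}, {blacklisted modules}) from modprobe.d text."""
    install, blacklist = {}, set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "install":
            install[canon(parts[1])] = " ".join(parts[2:])
        elif len(parts) == 2 and parts[0] == "blacklist":
            blacklist.add(canon(parts[1]))
    return install, blacklist


def parse_builtin(text):
    """Module names from modules.builtin (one path per line, e.g. kernel/fs/udf/udf.ko)."""
    names = set()
    for line in text.splitlines():
        base = os.path.basename(line.strip())
        if base.endswith(".ko"):
            names.add(canon(base[:-3]))
    return names


def classify(install, blacklist, builtin, fs_names=DISALLOWED_FS):
    """{fs: 'builtin' | 'disabled' | 'blacklist-only' | 'loadable'} for each filesystem."""
    out = {}
    for fs in fs_names:
        n = canon(fs)
        command = install.get(n, "").split()
        if n in builtin:
            out[fs] = "builtin"            # compiled in: modprobe configuration cannot disable it
        elif command and command[0] in NOOP_COMMANDS:
            out[fs] = "disabled"           # loading is redirected to a no-op
        elif n in blacklist:
            out[fs] = "blacklist-only"     # alias autoload blocked, explicit modprobe still works
        else:
            out[fs] = "loadable"
    return out


def read_system():
    """Classify the policy's filesystems on the running host."""
    texts = []
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as f:
            texts.append(f.read())
    builtin_path = f"/lib/modules/{os.uname().release}/modules.builtin"
    builtin = ""
    if os.path.exists(builtin_path):
        with open(builtin_path) as f:
            builtin = f.read()
    install, blacklist = parse_modprobe("\n".join(texts))
    return classify(install, blacklist, parse_builtin(builtin))


if __name__ == "__main__":
    for fs, state in read_system().items():
        print(f"{fs}: {state}")
```

A `builtin` result is the case the description warns about: the only remedy is a different kernel build, so it is worth reporting separately rather than as a plain failure.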
Description of policy: This policy checks partition and mount options. Directories that are used for system-wide functions can be further protected by placing them on separate partitions. This provides protection against resource exhaustion and enables the use of mounting options that are applicable to the directory's intended use.
Behavior of policy: This policy will check that the '/tmp', '/var', '/var/tmp', '/var/log', '/var/log/audit' and '/home' partitions exist when the associated checkboxes are selected. The policy will not create those partitions. When the checkboxes for the 'nodev', 'nosuid' and 'noexec' mounting options are selected, this policy will apply those options to the associated partitions if they exist.
Activation of policy: No action is needed for the policy to be activated.
Applicable policy groups & Default settings/applications: Available only in the Enhanced Security policy group
All settings below are selected by default.
Ensure nodev option set on /tmp partition.
Ensure nosuid option set on /tmp partition.
Ensure noexec option set on /tmp partition.
Ensure separate partition exists for /var.
Ensure separate partition exists for /var/tmp.
Ensure nodev option set on /var/tmp partition.
Ensure nosuid option set on /var/tmp partition.
Ensure noexec option set on /var/tmp partition.
Ensure separate partition exists for /var/log.
Ensure separate partition exists for /var/log/audit.
Ensure separate partition exists for /home.
Ensure nodev option set on /home partition.
Ensure nodev option set on /dev/shm partition.
Ensure nosuid option set on /dev/shm partition.
Ensure noexec option set on /dev/shm partition.
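The behavior described above has two parts: checking that certain partitions exist, and applying `nodev`, `nosuid` and `noexec` only to partitions that do exist. The following is an added example, not JumpCloud's code, that reproduces that logic as a read-only audit over `/proc/mounts`: missing partitions are reported, and mount-option findings are produced only for mount points that are present. The `/proc/mounts` sample is constructed; it includes a mount point with an escaped space to show the decoding that format requires.

```python
import re

# Partitions the policy expects to exist, and the options it applies where a partition exists
# (both transcribed from the setting list above).
EXPECTED_PARTITIONS = ["/var", "/var/tmp", "/var/log", "/var/log/audit", "/home"]
EXPECTED_OPTIONS = {
    "/tmp":     {"nodev", "nosuid", "noexec"},
    "/var/tmp": {"nodev", "nosuid", "noexec"},
    "/home":    {"nodev"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
}

# Constructed /proc/mounts content, not from a real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /mnt/my\\040disk ext4 rw 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts ('source mountpoint fstype options dump pass') into
    {mountpoint: set(options)}. Octal escapes such as \\040 (space) in the mount
    point are decoded; a later line for the same mount point overrides an earlier one."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mountpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
        mounts[mountpoint] = set(parts[3].split(","))
    return mounts


def audit(mounts, partitions=EXPECTED_PARTITIONS, options=EXPECTED_OPTIONS):
    """Return the setting names (as on the page) that the host fails."""
    findings = []
    for mountpoint in partitions:
        if mountpoint not in mounts:
            findings.append(f"Ensure separate partition exists for {mountpoint}.")
    for mountpoint, wanted in options.items():
        if mountpoint not in mounts:
            continue  # the policy only applies options to partitions that exist
        for opt in sorted(wanted - mounts[mountpoint]):
            findings.append(f"Ensure {opt} option set on {mountpoint} partition.")
    return findings


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        for finding in audit(parse_mounts(f.read())):
            print(finding)
```

`/proc/mounts` shows the effective options of the running system, including bind mounts and systemd-managed `tmpfs` mounts, which is why it is a better source for this audit than `/etc/fstab`.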
Description of policy: To minimize the risk involved when the compromise of a service leads to the compromise of the clients who use those services, remove unnecessary clients. This policy works on all supported Linux distros.
Behavior of policy: This policy uninstalls the client component for the services you select.
Activation of policy: After you create the policy and apply it to a system or group, no additional action is required.
Applicable policy groups & Default settings/applications: Available only in the Enhanced Security policy group
All settings below are selected by default.
Ensure NIS Client is not installed
Ensure rsh client is not installed
Ensure talk client is not installed
Ensure telnet client is not installed
Ensure LDAP client is not installed