OS,Policy name,Policy,Settings,Note macOS,JC Standard Security - Allow Activation Lock,Allow Activation Lock,TRUE, iOS,JC Standard Security - Allow Activation Lock - iOS,Allow Activation Lock,TRUE, macOS,JC Standard Security - Allow Standard Users To Approve Screen Sharing & Recording,Allow Standard Users To Approve Screen Sharing & Recording,"AnyDesk :FALSE, BlueJeans :FALSE, Camtasia 2020 :FALSE, Cisco Webex Meeting Manager :TRUE, Cisco Webex Meetings :TRUE, Firefox :TRUE, Google Chrome :TRUE, GoToMeeting :FALSE, LogMeIn Ignition :FALSE, Microsoft Edge :TRUE, Microsoft Teams :TRUE, QuickTime Player :TRUE, Skype :TRUE, Skype for Business :TRUE, Slack :TRUE, Snagit 2020 :TRUE, TeamViewer :FALSE, Zoho Assist :FALSE, Zoho Cliq :FALSE, Zoho Join :FALSE, Zoho Meeting :FALSE, Zoom :TRUE, ",Also in Light Security Linux,JC Standard Security - Disable USB Storage - Linux,Disable USB Storage,TRUE, macOS,JC Standard Security - App Store Restrictions,App Store Restrictions,"Restrict App Store installs to Admin only: TRUE, Restrict App Store to Updates only: FALSE,",Also in Light Security macOS,JC Standard Security - Application Privacy Preferences - Google Chrome Access to User Files,Mac - Application Privacy Preferences Policy,Configured for Google Chrome, MacOS,JC Standard Security - Application Privacy Preferences - Google Chrome Access to User Files, Mac - Application Privacy Preferences Policy ,configured for Google Chrome,Also in Light Security macOS,JC Standard Security - Block Manual Profile Installation,Block Manual Profile Installation,TRUE, Windows,JC Standard Security - Allow The Use of Biometrics,Allow The Use of Biometrics,Allow The Use Of Biometrics :TRUE, Windows,JC Standard Security - BitLocker Full Disk Encryption,Encrypt All Non-Removable Drives.,Encrypt All Non-Removable Drives :TRUE , Windows,JC Standard Security - Built-in Administrator Account Status,Built-in Administrator Account Status,Disable Built-in Administrator Account :TRUE, Windows,JC Standard Security - Built-in Guest Account Status,Built-in Guest Account Status,Disable Built-in Guest Account :TRUE, Windows,JC Standard Security - Device Installation,Device Installation,"Allow administrators to override Device Installation Restriction policies :FALSE, Allow remote access to the Plug and Play interface :FALSE, Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point :FALSE, Prevent installation of devices not described by other policy settings :TRUE, Prevent installation of removable devices :FALSE, Prioritize all digitally signed drivers equally during the driver ranking and selection process :FALSE,", Windows,JC Standard Security - Disable Cortana,Disable Cortana,TRUE, Windows,JC Standard Security - Display User Info When The Session Is Locked,Display User Info When The Session Is Locked,"Do Not Display User Information :TRUE,", iOS,JC Standard Security - Restrict Erase All Contents and Settings,Restrict Erase All Contents and Settings,TRUE, macOS,JC Standard Security - Disable Guest Account,Disable Guest Account,"Show the FileVault Recovery Key to the user when enabled: FALSE Do not prompt the user to enable FileVault at logout: FALSE Number of times the user can bypass enabling FileVault: VALUE 0",Also in Light Security Windows,JC Standard Security - Do Not Display Last Username on Logon Screen,Do Not Display Last Username on Logon Screen,"Do Not Display Last Username: TRUE,", macOS,JC Standard Security - Disable iCloud Private Relay,Disable iCloud Private Relay,TRUE, Linux,JC Standard Security - Check Disk Encryption,Check Disk Encryption,Check if all managed users home directories are encrypted:TRUE, Linux,JC Standard Security - Disable Unused Filesystems,Disable Unused Filesystems,"Ensure mounting of cramfs filesystems is disabled.:TRUE, Ensure mounting of freevxfs filesystems is disabled.:TRUE, Ensure mounting of jffs2 filesystems is disabled.:TRUE, Ensure mounting of hfs filesystems is disabled.:TRUE, Ensure mounting of hfsplus filesystems is disabled.:TRUE, Ensure mounting of squashfs filesystems is disabled.:TRUE, Ensure mounting of udf filesystems is disabled.:TRUE, Ensure mounting of FAT filesystems is disabled.:TRUE,", Linux,JC Standard Security - File Ownership and Permissions,File Ownership and Permissions,"Ensure permissions on bootloader config are configured. Sets owner to root:root and permissions to 400 on the files /boot/grub/grub.cfg or /boot/grub2/grub.cfg.:TRUE, Ensure permissions on /etc/motd are configured. Sets owner to root:root and permissions to 644 on the file /etc/motd.:TRUE, Ensure permissions on /etc/issue are configured. Sets owner to root:root and permissions to 644 on the file /etc/issue.:TRUE, Ensure permissions on /etc/issue.net are configured. Sets owner to root:root and permissions to 644 on the file /etc/issue.net.:TRUE, Ensure permissions on /etc/hosts.allow are configured. Sets owner to root:root and permissions to 644 on the file /etc/hosts.allow.:TRUE, Ensure permissions on /etc/hosts.deny are configured. Sets owner to root:root and permissions to 644 on the file /etc/hosts.deny.:TRUE, Ensure permissions on /etc/crontab are configured. Sets owner to root:root and permissions to 600 on the file /etc/crontab.:TRUE, Ensure permissions on /etc/cron.hourly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.hourly.:TRUE, Ensure permissions on /etc/cron.daily are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.daily.:TRUE, Ensure permissions on /etc/cron.weekly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.weekly.:TRUE, Ensure permissions on /etc/cron.monthly are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.monthly.:TRUE, Ensure permissions on /etc/cron.d are configured. Sets owner to root:root and permissions to 700 on the directory /etc/cron.d.:TRUE, Ensure permissions on /etc/ssh/sshd_config are configured. Sets owner to root:root and permissions to 600 on the file /etc/ssh/sshd_config.:TRUE, Ensure permissions on /etc/passwd are configured. Sets owner to root:root and permissions to 644 on the file /etc/passwd.:TRUE, Ensure permissions on /etc/shadow are configured. Sets owner to root:root and permissions to 640 on the file /etc/shadow.:TRUE, Ensure permissions on /etc/group are configured. Sets owner to root:root and permissions to 644 on the file /etc/group.:TRUE, Ensure permissions on /etc/gshadow are configured. Sets owner to root:root and permissions to 640 on the file /etc/gshadow.:TRUE, Ensure permissions on /etc/passwd- are configured. Sets owner to root:root and permissions to 600 on the file /etc/passwd-.:TRUE, Ensure permissions on /etc/shadow- are configured. Sets owner to root:root and permissions to 640 on the file /etc/shadow-.:TRUE, Ensure permissions on /etc/group- are configured. Sets owner to root:root and permissions to 644 on the file /etc/group-.:TRUE,", Linux,JC Standard Security - Lock Screen - Linux,Lock Screen - Linux,Value: 600 Seconds, Linux,JC Standard Security - SSH Root Access,SSH Root Access,Allow SSH Root Login: FALSE, macOS,JC Standard Security - FileVault 2,FileVault 2,,Also in Light Security macOS,JC Standard Security - Gatekeeper Control,Gatekeeper Control,"Enable Gatekeeper Control: True, Allow Apps From Identified Developers: True, Disable Gatekeeper Override: True",Also in Light Security macOS,JC Standard Security - Local Firewall Controls,Local Firewall Controls,"Enable Firewall :TRUE, Block All Incoming Connections :TRUE, Enable Stealth Mode :FALSE, Enable Logging :TRUE, Logging Option: BRIEF, Enable Private Data Collection :TRUE",Also in Light Security macOS,JC Standard Security - Lock Screen - macOS,Lock Screen,VALUE: 600 Seconds,Also in Light Security macOS,JC Standard Security - Login Window Text,Login Window Text,"Set Text Displayed At Login Window : ""Your admin manages this device with 黑料海角91入口""", macOS,JC Standard Security - System Preferences Control,System Preferences Control,"Block Optical Media :FALSE, App Store :FALSE, Apple ID :TRUE, Time Machine :FALSE, Bluetooth :FALSE, Classroom Settings :TRUE, Date and Time :FALSE, Desktop :FALSE, Displays :FALSE, Dock :FALSE, Energy Saver :FALSE, Family Sharing :FALSE, Fiber Channel :FALSE, Mission Control :FALSE, Extensions :TRUE, General :FALSE, iCloud :FALSE, Ink :FALSE, Internet Accounts :FALSE, Language and Region :FALSE, Network :FALSE, Notifications :FALSE, Parental Controls :TRUE, Printers and Scanners :FALSE, Profiles :TRUE, Screen Time :FALSE, Keyboard :FALSE, Security and Privacy :TRUE, Sharing :TRUE, Sidecar :FALSE, Mouse :FALSE, Siri :FALSE, Software Update :FALSE, Spotlight :FALSE, Startup Disk :FALSE, Touch ID :FALSE, Trackpad :FALSE, Universal Access :FALSE, Users & Groups :TRUE, Wallet & Apple Pay :FALSE, Xsan :FALSE, Sound :FALSE,", Windows,JC Standard Security - Do Not Require CTRL+ALT+DEL on logon screen,Do Not Require CTRL+ALT+DEL on logon screen,"Do Not Require CTRL + ALT + DEL :FALSE,", Windows,JC Standard Security - FindMyDevice,FindMyDevice,"Turn On/Off Find My Device :TRUE,", Windows,JC Standard Security - Lock Screen Windows,Lock Screen Windows,VALUE: 600 Seconds, Windows,JC Standard Security - Message Text For Users Attempting To Log On,Message Text For Users Attempting To Log On,"Message Title For Users Attempting To Log On: ""System Message:"", Message Text For Users Attempting To Log On : ""Your administrator manages this device via 黑料海角91入口.""", Windows,JC Standard Security - Remote Assistance,Remote Assistance,"Allow only Windows Vista or later connections :FALSE, Turn on session logging :TRUE,", Windows,JC Standard Security - Removable Storage,Removable Storage,"All Removable Storage classes: Deny all access :TRUE, All Removable Storage: Allow direct access in remote sessions :FALSE, CD and DVD: Deny execute access :FALSE, CD and DVD: Deny read access :FALSE, CD and DVD: Deny write access :FALSE, Floppy Drives: Deny execute access :FALSE, Floppy Drives: Deny read access :FALSE, Floppy Drives: Deny write access :FALSE, Removable Disks: Deny execute access :FALSE, Removable Disks: Deny read access :FALSE, Removable Disks: Deny write access :FALSE, Tape Drives: Deny execute access :FALSE, Tape Drives: Deny read access :FALSE, Tape Drives: Deny write access :FALSE, WPD Devices: Deny read access :FALSE, WPD Devices: Deny write access :FALSE,", Windows,JC Standard Security - Restrict Control Panel Access,Restrict Control Panel Access,"Completely disable the control panel :FALSE, Action Center :FALSE, Add features to Windows 8.1 :TRUE, Administrative Tools :FALSE, AutoPlay :FALSE, Backup and Restore :FALSE, BitLocker Drive Encryption :TRUE, Color Management :FALSE, Credential Manager :FALSE, Date and Time :FALSE, Default Programs :FALSE, Desktop Gadgets :FALSE, Device Manager :TRUE, Devices and Printers :FALSE, Display :FALSE, Ease of Access Center :FALSE, Family Safety :FALSE, Folder Options :FALSE, File Explorer Options :FALSE, File History :FALSE, Flash Player (32-bit) :TRUE, Fonts :FALSE, Getting Started :FALSE, HomeGroup :FALSE, Indexing Options :FALSE, Infrared :FALSE, Internet Options :FALSE, iSCSI Initiator :FALSE, Keyboard :FALSE, Language :FALSE, Location Settings/Other Sensors :FALSE, Mouse :FALSE, Network and Sharing Center :FALSE, Notification Area Icons :FALSE, Parental Controls :FALSE, Performance Information and Tools :FALSE, Personalization :FALSE, Phone and Modem :FALSE, Power Options :FALSE, Programs and Features :FALSE, Recovery :FALSE, Region :FALSE, RemoteApp and Desktop Connections :TRUE, Security and Maintenance :FALSE, Sound :FALSE, Speech Recognition/Text to Speech :FALSE, Storage Spaces :FALSE, Sync Center :FALSE, System :FALSE, Taskbar and Navigation :FALSE, Troubleshooting :FALSE, User Accounts :FALSE, Windows Anytime Upgrade :TRUE, Windows CardSpace :FALSE, Windows Defender (Windows Server 2016) :TRUE, Windows Defender Firewall (Windows 10 & 11) :TRUE, Windows Firewall (Windows Server 2012 R2/2016) :FALSE, Windows Mobility Center, Windows To Go :FALSE, Windows Update (Windows Server 2012 R2) :FALSE, Work Folders :FALSE,", Windows,JC Standard Security - Turn Off Autoplay.,Turn Off Autoplay.,"Turn Off Autoplay :TRUE,", Windows,JC Standard Security - Windows Defender,Windows Defender,"Allow antimalware service to remain running always :FALSE, Allow antimalware service to startup with normal priority :FALSE, Allow definition updates from Microsoft Update :FALSE, Allow definition updates when running on battery power :FALSE, Allow notifications to disable definitions based reports to Microsoft MAPS :FALSE, Allow real-time definition updates based on reports to Microsoft MAPS :FALSE, Allow users to pause scan :FALSE, Check for the latest virus and spyware definitions before running a scheduled scan :FALSE, Check for the latest virus and spyware definitions on startup :FALSE, Configure Watson events :FALSE, Configure local administrator merge behavior for lists :FALSE, Configure local setting override for maximum percentage of CPU utilization :FALSE, Configure local setting override for monitoring file and program activity on your computer :FALSE, Configure local setting override for monitoring for incoming and outgoing file activity :FALSE, Configure local setting override for reporting to Microsoft MAPS :FALSE, Configure local setting override for scanning all downloaded files and attachments :FALSE, Configure local setting override for schedule scan day :FALSE, Configure local setting override for scheduled quick scan time :FALSE, Configure local setting override for scheduled scan time :FALSE, Configure local setting override for the removal of items from Quarantine folder :FALSE, Configure local setting override for the scan type to use for a scheduled scan :FALSE, Configure local setting override for the time of day to run a scheduled full scan to complete remediation :FALSE, Configure local setting override for turn on behavior monitoring :FALSE, Configure local setting override to turn on real-time protection :FALSE, Configure the 'Block at First Sight' feature :TRUE, Create a system restore point :FALSE, Enable headless UI mode :FALSE, Initiate definition update on startup :FALSE, Monitor file and program activity on your computer :TRUE, Randomize scheduled task times :FALSE, Run full scan on mapped network drives :FALSE, Scan all downloaded files and attachments :TRUE, Scan archive files :FALSE, Scan network files :FALSE, Scan packed executables :FALSE, Scan removable drives :FALSE, Start the scheduled scan only when computer is on but not in use :FALSE, Suppress all notifications :FALSE, Suppresses reboot notifications :FALSE, Turn off Auto Exclusions :FALSE, Turn off Windows Defender Antivirus :FALSE, Turn off enhanced notifications :FALSE, Turn off real-time protection :FALSE, Turn off routine remediation :FALSE, Turn on behavior monitoring :TRUE, Turn on catch-up full scan :FALSE, Turn on catch-up quick scan :FALSE, Turn on definition retirement :FALSE, Turn on e-mail scanning :FALSE, Turn on heuristics :FALSE, Turn on process scanning whenever real-time protection is enabled :TRUE, Turn on protocol recognition :FALSE, Turn on raw volume write notifications :FALSE, Turn on reparse point scanning :FALSE, Turn on scan after signature update :FALSE,", Windows,JC Standard Security - Windows Firewall,Windows Firewall,"Windows Firewall: Allow local port exceptions (domain profile) :FALSE, Windows Firewall: Allow local port exceptions (standard profile) :FALSE, Windows Firewall: Allow local program exceptions (standard profile) :FALSE, Windows Firewall: Allow local program exceptions (domain profile) :FALSE, Windows Firewall: Do not allow exceptions (standard profile) :FALSE, Windows Firewall: Do not allow exceptions (domain profile) :FALSE, Windows Firewall: Prohibit notifications (standard profile) :FALSE, Windows Firewall: Prohibit notifications (domain profile) :FALSE, Windows Firewall: Prohibit unicast response to multicast or broadcast requests (domain profile) :TRUE, Windows Firewall: Prohibit unicast response to multicast or broadcast requests (standard profile) :TRUE, Windows Firewall: Protect all network connections (domain profile) :TRUE, Windows Firewall: Protect all network connections (standard profile) :TRUE,", iOS,JC Standard Security - Supervised iOS Restriction,Supervised iOS Restrictions,"Force Automatic Time & Date :FALSE, Block Modifying Cellular Data App Settings :FALSE, Block Modifying Device Name :FALSE, Block Screen Time :TRUE, Block Modifying Wallpaper :FALSE, Block Dictation :FALSE, Block AirDrop :TRUE, Block AirPrint :TRUE, Block iMessage :TRUE, Block iBooks Store :FALSE, Block Apple Music :FALSE, Block Apple Music Radio :FALSE, Block Installation of Apps :FALSE, Block User Installation of Configuration Profiles :TRUE, Block Adding VPN Configs :FALSE, Block Modifying Bluetooth Settings :FALSE, Block Find My Devices :FALSE, Block Find My Friends :TRUE, Block Predictive Keyboard :FALSE, Block Keyboard Shortcuts :FALSE, Block iCloud Drive Sync :TRUE, Block USB Drive Access :TRUE, Block Network Drive Access :TRUE, Block Password AutoFill :FALSE, Block iCloud Private Relay :TRUE,", iOS,JC Standard Security - Disable Analytics, iOS - Disable Analytics Policy ,TRUE, iOS,JC Standard Security - Disable FaceTime, iOS - Disable FaceTime Policy ,TRUE, iOS,JC Standard Security - Passcode Restrictions, iOS - Passcode Restrictions Policy ,"Allow simple passcodes: FALSE, Require alphanumeric: FALSE, Force PIN: TRUE Set max failed attempts: TRUE Max failed attempts: 10, Set max grace period: FALSE Set max inactivity: TRUE, Max inactivity: 2, Set max PIN age: FALSE Minimum complex characters: 0, Minimum length: 6, Set PIN history length: TRUE, PIN history length: 5", iOS,JC Standard Security - Require Passcode for User-Enrolled Devices,iOS - Require Passcode for User-Enrolled Devices Policy,TRUE, iOS,JC Standard Security - Restrict Sharing Between Managed and Unmanaged Apps,iOS - Restrict Sharing Between Managed and Unmanaged Apps Policy,, Linux,JC Standard Security - Network Parameters, Linux - Network Parameters Policy ,"Ensure IP forwarding is disabled.: TRUE, Ensure packet redirect sending is disabled.: TRUE, Ensure source routed packets are not accepted.: TRUE, Ensure ICMP redirects are not accepted.: TRUE, Ensure secure ICMP redirects are not accepted.: TRUE, Ensure suspicious packets are logged.: TRUE, Ensure broadcast ICMP requests are ignored.: TRUE, Ensure bogus ICMP responses are ignored.: TRUE, Ensure Reverse Path Filtering is enabled.: TRUE, Ensure TCP SYN Cookies is enabled.: TRUE,", Linux,JC Standard Security - Secure Boot Settings,Linux - Secure Boot Settings Policy,"Ensure bootloader password is set Ensure authentication required for single user mode Ensure interactive boot is not enabled",