Considerations:
Three bundled, ready-to-use policy groups are available, each offering a different level of security:
Light Security Policy Groups:
The Light Security Policy Group is for Admins looking to provide users with a minimally restrictive experience while enforcing critical security against everyday threats with targeted security policies like firewall controls, sign-on requirements, disk encryption, device storage, and account status configuration.
Standard Security Policy Groups:
The Standard Security Policy Group is for Admins looking to provide users with a moderately restrictive experience while enforcing critical security measures. This group contains everything in the Light security tier plus extra features like file and app-sharing restrictions, secure startup settings, SSH access and security, file ownership, permissions, and storage management.
Enhanced Security Policy Groups:
The Enhanced Security Policy Group is for Admins looking to provide significant device protections with maximum restrictions on the end user. The group contains everything in the Light and Standard tiers, plus features like system hardening, app and app store/software restrictions, remote assistance, blocked profile installation, control panel access, and notification settings.
Note: To download a Security Policy Group CSV file, click one of the files below:
PGT Gallery Values JC Light Security
PGT Gallery Values JC Standard Security
PGT Gallery Values JC Enhanced Security
Policy Group Template per Operating System Summary
Apple
No. | Policy Name | Light Security | Standard Security | Enhanced Security |
1 | Activation Lock | TRUE | TRUE | TRUE |
2 | Activation Lock - iOS | TRUE | TRUE | TRUE |
3 | Allow Standard Users To Approve Screen Sharing & Recording | TRUE | TRUE | TRUE |
4 | Application Privacy Preferences - Google Chrome Access to User Files | TRUE | TRUE | TRUE |
5 | Disable Guest Account | TRUE | TRUE | TRUE |
6 | FileVault 2 | TRUE | TRUE | TRUE |
7 | Local Firewall Controls | TRUE | TRUE | TRUE |
8 | Lock Screen | TRUE | TRUE | TRUE |
9 | Passcode Restrictions | TRUE | TRUE | TRUE |
10 | Require Passcode for User-Enrolled Devices | TRUE | TRUE | TRUE |
11 | App Notification Settings - Google Chrome | - | TRUE | TRUE |
12 | App Store Restrictions | - | TRUE | TRUE |
13 | Block Manual Profile Installation | - | TRUE | TRUE |
14 | Disable Analytics | - | TRUE | TRUE |
15 | Disable FaceTime | - | TRUE | TRUE |
16 | Disable iCloud Private Relay | - | TRUE | TRUE |
17 | Gatekeeper Control | - | TRUE | TRUE |
18 | Login Window Text | - | TRUE | TRUE |
19 | Restrict Erase All Contents and Settings | - | TRUE | TRUE |
20 | Restrict Sharing Between Managed and Unmanaged Apps | - | TRUE | TRUE |
21 | Supervised iOS Restrictions | - | TRUE | TRUE |
22 | System Preferences Control | - | TRUE | TRUE |
23 | Block iCloud Access | - | - | TRUE |
24 | Disable Content Caching | - | - | TRUE |
25 | Disable Siri | - | - | TRUE |
26 | Login Window Controls | - | - | TRUE |
Windows
No. | Policy Name | Light Security | Standard Security | Enhanced Security |
1 | Allow The Use of Biometrics | TRUE | TRUE | TRUE |
2 | BitLocker Full Disk Encryption | TRUE | TRUE | TRUE |
3 | Built-in Administrator Account Status | TRUE | TRUE | TRUE |
4 | Built-in Guest Account Status | TRUE | TRUE | TRUE |
5 | Display User Info When The Session Is Locked | TRUE | TRUE | TRUE |
6 | Do Not Display Last Username on Logon Screen | TRUE | TRUE | TRUE |
7 | Lock Screen | TRUE | TRUE | TRUE |
8 | Restrict Control Panel Access | TRUE | TRUE | TRUE |
9 | Windows Defender | TRUE | TRUE | TRUE |
10 | Windows Firewall | TRUE | TRUE | TRUE |
11 | Device Installation | - | TRUE | TRUE |
12 | Disable Cortana | - | TRUE | TRUE |
13 | Do Not Require CTRL+ALT+DEL on logon screen | - | TRUE | TRUE |
14 | FindMyDevice | - | TRUE | TRUE |
15 | Message Text For Users Attempting To Log On | - | TRUE | TRUE |
16 | Remote Assistance | - | TRUE | TRUE |
17 | Removable Storage | - | TRUE | TRUE |
18 | Turn Off Autoplay | - | TRUE | TRUE |
19 | Control Panel Display | - | - | TRUE |
20 | Disable Windows Store Application | - | - | TRUE |
21 | Logon Behaviors | - | - | TRUE |
22 | Rename Local Administrator Account Policy | - | - | TRUE |
23 | Software Restrictions | - | - | TRUE |
Linux
No. | Policy Name | Light Security | Standard Security | Enhanced Security |
1 | Check Disk Encryption | TRUE | TRUE | TRUE |
2 | Lock Screen | TRUE | TRUE | TRUE |
3 | Disable USB Storage | - | TRUE | TRUE |
4 | File Ownership and Permissions | - | TRUE | TRUE |
5 | Network Parameters | - | TRUE | TRUE |
6 | Secure Boot Settings | - | TRUE | TRUE |
7 | SSH Root Access | - | TRUE | TRUE |
8 | SSH Server Security Enforcement | - | TRUE | TRUE |
9 | Additional Process Hardening | - | - | TRUE |
10 | Disable Forbidden Services | - | - | TRUE |
11 | Disable Unused Filesystems | - | - | TRUE |
12 | Partition and Mount Options | - | - | TRUE |
13 | Services Hardening: Service Clients | - | - | TRUE |