Add a macOS platform rule
- The OMM menu is only available to orgs that implement Okta Mobility Management (OMM).
- Procedures documented on this page are only available to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.
- In the Admin Console, go to .
- Click the required device policy.
- Click Add Platform Rule.
- Select OS X.
- Choose one of the following:
- Allow devices: Select this option to allow users to enroll their macOS device through OMM, and then click Next. Proceed to the next step.
- Deny devices: Select this option to prevent users from enrolling their macOS device through OMM, and then click Save. The procedure is complete.
- Configure the macOS passcode requirements:
- Required or optional: Select if you want to require users to enter a device passcode. If so, specify the following:
- Allow simple value: Select if you want to allow end users to use repeating or increasing/decreasing characters (such as "123" or "CBA").
- Minimum length: Specify the minimum PIN length (from 4 to 30).
- Characters: Specify whether passcodes must contain at least one letter, and/or at least one symbol.
- Expiration: Specify whether passcodes never expire (the default), or the number of days they are valid before expiration (Max age), and how many distinct passcodes a user must create before they can reuse a previous passcode (History limit).
- Failed attempts before lock: Specify the maximum number of times end users can enter the wrong passcode before their device is locked. Note the following:
- Select Unlimited attempts if you never want to lock a device because of failed passcode attempts.
- Devices are not wiped if users enter the wrong passcode fewer than 4 times.
- You can allow up to 10 failed attempts before the device is wiped.
Important: If you allow users 4 or more failed attempts, the macOS device must have both a user and an admin account.
- Configure OS X lock timing settings:
- Turn display off: Specify how long a user can be inactive before the display is turned off.
- Then require passcode: Specify how long after the display is turned off (auto-lock or manually by the user) that the user must enter their passcode to unlock the device.
- Configure OS X permissions settings:
- Wipe all device data: Specify whether the permission that disables wiping all device data is enabled.
- Click Save.
- After the macOS passcode policy is enabled, end users must create or change the passcodes on their devices to comply with the policy. On macOS you can't push a message to prompt end users to create or change the passcode. However, the rule takes effect as soon as the current passcode expires. Contact the users to request the passcode change.
- If users are locked out of their devices, an administrator must sign in to the device to reset the password for the user.
- If an admin account is already set up on a device, the admin can trigger a password reset.
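The following script is an added example and is not Okta's code or part of this page. It models the macOS passcode settings from the procedure above (required/optional, simple values, minimum length, characters, expiration and history, failed attempts, lock timing) as a small rule object, checks the limits the page states (PIN length 4 to 30, a wipe threshold of 4 to 10 failed attempts, and the admin-account requirement once a wipe threshold is set), and renders the rule as an Apple Passcode configuration-profile payload (PayloadType `com.apple.mobiledevice.passwordpolicy`). The mapping onto that payload is an assumption about how such a rule reaches the device; the identifiers and display name are constructed placeholders. It is useful for comparing what an admin configured in the Admin Console against what a Mac reports it received.

```python
"""Sanity-check a macOS passcode rule and render it as an Apple Passcode payload.

Added example, not Okta's code. The rule fields mirror the OMM platform-rule
settings above; the Apple payload mapping is an assumption about delivery.
"""
import plistlib
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasscodeRule:
    required: bool = True                   # "Required or optional"
    allow_simple: bool = False              # "Allow simple value" ("123", "CBA")
    min_length: int = 6                     # "Minimum length", 4..30
    require_letter: bool = True             # "Characters": at least one letter
    require_symbol: bool = False            # "Characters": at least one symbol
    max_age_days: Optional[int] = None      # "Expiration": None = never expires
    history_limit: int = 0                  # "History limit": distinct passcodes before reuse
    failed_attempts: Optional[int] = None   # None = "Unlimited attempts", else 4..10
    display_off_minutes: int = 5            # "Turn display off"
    grace_minutes: int = 0                  # "Then require passcode"


def check(rule: PasscodeRule) -> tuple[list[str], list[str]]:
    """Return (errors, warnings). Errors block the rule; warnings are operational notes."""
    errors: list[str] = []
    warnings: list[str] = []
    if not rule.required:
        return errors, warnings  # an optional passcode has nothing further to check
    if not 4 <= rule.min_length <= 30:
        errors.append(f"minimum length {rule.min_length} must be between 4 and 30")
    if rule.failed_attempts is not None:
        if not 4 <= rule.failed_attempts <= 10:
            errors.append(f"failed attempts {rule.failed_attempts}: a wipe threshold must be "
                          "4-10 (devices are never wiped below 4 failures)")
        else:
            warnings.append("with a wipe threshold set, the Mac must have both a user "
                            "and an admin account")
    return errors, warnings


def to_payload(rule: PasscodeRule) -> dict:
    """Translate the rule into Apple Passcode payload keys (assumed mapping)."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.omm.passcode",     # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "macOS passcode policy (example)",
        "forcePIN": rule.required,
    }
    if not rule.required:
        return payload
    payload.update({
        "allowSimple": rule.allow_simple,
        "minLength": rule.min_length,
        "requireAlphanumeric": rule.require_letter,   # at least one letter
        "maxInactivity": rule.display_off_minutes,    # minutes until display off
        "maxGracePeriod": rule.grace_minutes,         # minutes until passcode is required
    })
    if rule.require_symbol:
        payload["minComplexChars"] = 1                # at least one non-alphanumeric
    if rule.max_age_days is not None:
        payload["maxPINAgeInDays"] = rule.max_age_days
    if rule.history_limit:
        payload["pinHistory"] = rule.history_limit
    if rule.failed_attempts is not None:
        payload["maxFailedAttempts"] = rule.failed_attempts
    return payload


def to_profile_xml(rule: PasscodeRule) -> str:
    """Wrap the payload in a profile and serialise it as an XML plist; refuse invalid rules."""
    errors, _ = check(rule)
    if errors:
        raise ValueError("; ".join(errors))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.omm.passcode.profile",   # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [to_payload(rule)],
    }
    return plistlib.dumps(profile).decode()


if __name__ == "__main__":
    rule = PasscodeRule(min_length=8, require_symbol=True, max_age_days=90,
                        history_limit=5, failed_attempts=6)
    for w in check(rule)[1]:
        print("warning:", w)
    print(to_profile_xml(rule))
```

Run it on a Mac enrolled under the rule and compare the emitted keys with the passcode payload the device reports; a mismatch in `minLength`, `maxFailedAttempts` or `maxPINAgeInDays` usually means the rule has not taken effect yet because, as the notes above say, it applies only once the current passcode expires.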