# Configuration guide: macOS compliance

{% hint style="info" %}
The configuration options on this page are only accessible to [administrators](https://docs.nexthink.com/platform/user-guide/administration/account-management/roles#roles-administration).

Refer to the [Usage guide: macOS compliance](/platform/library-packs/operating-systems/macos-compliance/usage-guide-macos-compliance.md) to use library content as a standard user.
{% endhint %}

This library pack will help you monitor and manage macOS operating systems to ensure stability, compliance, and performance. This page will guide you through the structure of the content.

## **Prerequisites** <a href="#documentation-pre-requisites" id="documentation-pre-requisites"></a>

This library pack contains content from the following required [expansion products](https://docs.nexthink.com/platform/overview/products):

* [Employee Engagement - Campaigns](https://docs.nexthink.com/platform/user-guide/campaigns)

{% hint style="info" %}
Some of these products offer default access to their respective content and can still be used without [expansion products](https://docs.nexthink.com/platform/overview/products).

To learn more about default thresholds for expansion products, [visit the extended documentation](https://edocs.nexthink.com/nexthink-infinity/infinity-specifications/nexthink-infinity-default-thresholds-overview).
{% endhint %}

## **Included content and dependencies** <a href="#operatingsystems-stability-security-andcompliance-configurationguide-contentlistanddependency" id="operatingsystems-stability-security-andcompliance-configurationguide-contentlistanddependency"></a>

This library pack contains the following content and dependencies:

<table><thead><tr><th width="172">Type</th><th width="152">Name</th><th width="197">Description</th><th>Dependencies</th></tr></thead><tbody><tr><td><a href="https://docs.nexthink.com/platform/user-guide/live-dashboards">Live Dashboards</a></td><td><strong>macOS compliance</strong></td><td>Helps to monitor and manage macOS operating systems to ensure their stability, compliance, and performance.</td><td>none</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Get XProtect status</strong></td><td>Provides information about the status of the macOS XProtect (macOS built-in antivirus software) automatic update setting on macOS devices.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Get firewall options</strong></td><td>Provides information about the status of the macOS firewall on macOS devices.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Invoke macOS enterprise compliance</strong></td><td>Provides information about the status of macOS by performing a compliance evaluation on macOS devices, checking several configurations related to security settings, certificate checks, and software validations.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Get encryption information</strong></td><td>Gets APFS file system disk encryption and decryption information and checks whether FileVault is enabled.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Get macOS updates and restart information</strong></td><td>Gets information about macOS devices: the number of days since the last restart, whether there are pending updates, a list of names of pending updates, and others.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Test pending reboot</strong></td><td>Checks if the device is waiting to reboot for an update.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Set firewall options</strong></td><td>Configures firewall settings under System Preferences - Security &#x26; Privacy - Firewall on macOS devices.</td><td>none</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Set XProtect status</strong></td><td></td><td>none</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/remote-actions">Remote Actions</a></td><td><strong>Set auto updates</strong></td><td>Configures additional macOS automatic update settings under System Preferences - Software Update - Advanced on macOS devices.</td><td>none</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/administration/content-management/custom-fields-management">Custom fields</a></td><td><strong>OS targeted quality update version</strong></td><td>Defines the target quality update versions of Windows and macOS operating systems.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/administration/content-management/custom-fields-management">Custom fields</a></td><td><strong>OS supported version</strong></td><td>Determines which Windows and macOS operating system versions, editions, and builds are supported.</td><td>Required to populate specific dashboard widgets.</td></tr><tr><td><a href="https://docs.nexthink.com/platform/user-guide/administration/content-management/custom-fields-management">Custom fields</a></td><td><strong>OS targeted feature update version</strong></td><td>Defines the target feature update versions of Windows operating systems. Typically, this custom field requires version updates every month.</td><td>Required to populate specific dashboard widgets.</td></tr></tbody></table>

## Configuring macOS compliance

{% hint style="info" %}
Adapt these suggested configuration steps to edit and customize content according to your organizational needs.
{% endhint %}

Follow these steps to install and configure content:

* Before configuration - Install library pack content from [Nexthink Library](https://docs.nexthink.com/platform/user-guide/nexthink-library)
* [Step 1 - Configure remote actions](#step-1-configure-remote-actions)
* [Step 2 - Configure custom fields](#step-2-configure-custom-fields)

### **Step 1 - Configure remote actions**

Navigate to the [manage remote actions](/platform/user-guide/remote-actions/getting-started-with-remote-actions/managing-remote-actions.md) administration page to review and edit your remote actions.

We recommend the following configurations for these remote actions:

<table><thead><tr><th width="153">Name</th><th>Trigger</th><th width="298">Schedule query</th></tr></thead><tbody><tr><td><strong>Get XProtect status</strong></td><td>Scheduled, daily</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
</code></pre></td></tr><tr><td><strong>Get firewall options</strong></td><td>Scheduled, daily</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
</code></pre></td></tr><tr><td><strong>Invoke macOS enterprise compliance</strong></td><td>Scheduled, daily</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
</code></pre></td></tr><tr><td><strong>Get encryption information</strong></td><td>Scheduled, daily</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
</code></pre></td></tr><tr><td><strong>Get macOS updates and restart information</strong></td><td>Scheduled, daily</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
</code></pre></td></tr><tr><td><strong>Set firewall options</strong></td><td>Manual, can be triggered on multiple devices</td><td>Manual actions cannot be scheduled</td></tr><tr><td><strong>Set XProtect status</strong></td><td>Manual, can be triggered on multiple devices</td><td>Manual actions cannot be scheduled</td></tr><tr><td><strong>Set auto updates</strong></td><td>Manual, can be triggered on multiple devices</td><td>Manual actions cannot be scheduled</td></tr></tbody></table>

{% hint style="info" %}
The **Set auto updates** remote action comes unsigned and must be signed before use.

At this time, Nexthink cannot provide a copy of the **Set auto updates** remote action signed with a digital signature.
{% endhint %}

### **Step 2 - Configure custom fields**

{% hint style="warning" %}
Operating system versions in the custom fields below are subject to change due to the regular patches that vendors release and to Apple and Microsoft support policies.

Update the custom fields monthly to maintain the latest patch versions.
{% endhint %}

Navigate to the [manage custom fields](https://docs.nexthink.com/platform/user-guide/administration/content-management/custom-fields-management) administration page to review and edit your custom fields.

We recommend the following configurations for these custom fields:

<table><thead><tr><th width="140">Name</th><th width="161">NQL ID</th><th width="154">Rule name</th><th width="114">Object</th><th>NQL query</th></tr></thead><tbody><tr><td>OS targeted quality update version</td><td>os_targeted_quality_update_version</td><td>macos_sequoia</td><td>device</td><td><pre class="language-nql_/apigateway/nql-editor"><code class="lang-nql_/apigateway/nql-editor">devices
| where operating_system.platform == macos
| where operating_system.name == "*macOS Sequoia 15.5*"
</code></pre></td></tr><tr><td>OS targeted quality update version</td><td>os_targeted_quality_update_version</td><td>macos_sonoma</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
| where operating_system.name == "*macOS Sonoma 14.7.6*"
</code></pre></td></tr><tr><td>OS targeted quality update version</td><td>os_targeted_quality_update_version</td><td>macos_ventura</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
| where operating_system.name == "*macOS Ventura 13.7.6*"
</code></pre></td></tr><tr><td>OS targeted quality update version</td><td>os_targeted_quality_update_version</td><td>windows_10_quality_update</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == windows and operating_system.name == "*windows 10*"
| where (operating_system.name == "*22H2*" and operating_system.build >= v19045.6036) or (operating_system.name == "*21H2*" and operating_system.build >= v19044.5965)
</code></pre></td></tr><tr><td>OS targeted quality update version</td><td>os_targeted_quality_update_version</td><td>windows_11_quality_update</td><td>device</td><td><pre><code>devices
| where operating_system.platform == windows and operating_system.name == "*windows 11*"
| where (operating_system.name == "*22H2*" and operating_system.build >= v22621.5549) or (operating_system.name == "*23H2*" and operating_system.build >= v22631.5549) or (operating_system.name == "*24H2*" and operating_system.build >= v26100.4484)
</code></pre></td></tr><tr><td>OS targeted feature update version</td><td>os_targeted_feature_update_version</td><td>windows_10_feature_update</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == windows and operating_system.name == "*windows 10*"
| where (operating_system.name == "Windows 10*22H2*" or (operating_system.name == "Windows 10*21H2*" and device.operating_system.name == "*ltsc*"))
</code></pre></td></tr><tr><td>OS targeted feature update version</td><td>os_targeted_feature_update_version</td><td>windows_11_feature_update</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == windows and operating_system.name == "*windows 11*"
| where operating_system.name == "*24H2*"
</code></pre></td></tr><tr><td>OS supported version</td><td>os_supported_version</td><td>macos_unsupported_version</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
| where operating_system.name !in ["*Ventura*","*Sequoia*","*Sonoma*"]
</code></pre></td></tr><tr><td>OS supported version</td><td>os_supported_version</td><td>macos_supported_version</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == macos
| where operating_system.name in ["*Ventura*","*Sequoia*","*Sonoma*"]
</code></pre></td></tr><tr><td>OS supported version</td><td>os_supported_version</td><td>windows_unsupported_version</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == windows and operating_system.name != "*server*"
| where (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.name in ["*windows 11*"] and operating_system.build &#x3C; v22621.521) or (operating_system.name !in ["*enterprise*", "*education*", "*ltsc*", "*ltsb*"] and operating_system.build &#x3C; v19045.0) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.build &#x3C; v19045.2130) or (operating_system.name in ["*enterprise*", "*education*"] and operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.build &#x3C; v19044.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build &#x3C; v19044.0) or operating_system.name == "*Windows 7*" or operating_system.name == "*Windows 8*" or operating_system.build &#x3C; v7601.0
</code></pre></td></tr><tr><td>OS supported version</td><td>os_supported_version</td><td>windows_supported_version</td><td>device</td><td><pre data-title="Code"><code>devices
| where operating_system.platform == windows and operating_system.name != "*server*"
| where (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22000.194) or (operating_system.name !in ["*ltsc*", "*ltsb*", "*enterprise*", "*education*"] and operating_system.name == "*windows 11*" and operating_system.build > v22621.521) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name == "*windows 10*" and operating_system.name in ["*enterprise*", "*education*"] and operating_system.build > v19044.1288) or (operating_system.name !in ["*ltsc*", "*ltsb*"] and operating_system.name in ["*pro*", "*pro*"] and operating_system.name == "windows 10*" and operating_system.build > v19045.0) or (operating_system.name in ["*ltsc*", "*ltsb*"] and operating_system.build > v19044.0)
</code></pre></td></tr></tbody></table>
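
The macOS rules above match an exact patch version inside wildcards, so a device that moves past the listed version stops matching its targeted-quality rule until the custom field is updated. The following added example (not Nexthink code) replays the macOS rules in Python over constructed `operating_system.name` values to show that effect; it assumes NQL `*` wildcards behave like case-insensitive globs, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# macOS rules copied from the custom-field table above:
# (field NQL ID, rule name, wildcard patterns, negate for "!in")
MACOS_RULES = [
    ("os_targeted_quality_update_version", "macos_sequoia", ["*macOS Sequoia 15.5*"], False),
    ("os_targeted_quality_update_version", "macos_sonoma", ["*macOS Sonoma 14.7.6*"], False),
    ("os_targeted_quality_update_version", "macos_ventura", ["*macOS Ventura 13.7.6*"], False),
    ("os_supported_version", "macos_supported_version", ["*Ventura*", "*Sequoia*", "*Sonoma*"], False),
    ("os_supported_version", "macos_unsupported_version", ["*Ventura*", "*Sequoia*", "*Sonoma*"], True),
]

def matches(name, patterns):
    # Assumption: NQL "*" wildcards act like shell globs and ignore case.
    return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)

def classify(os_name):
    """Return {field NQL ID: [names of rules that match]} for one macOS device."""
    result = {}
    for field, rule, patterns, negate in MACOS_RULES:
        result.setdefault(field, [])
        if matches(os_name, patterns) != negate:
            result[field].append(rule)
    return result

def stale_rule_candidates(os_names):
    """Supported devices that match no targeted-quality rule: either behind the
    target patch level, or ahead of it because the rule was not updated yet."""
    out = []
    for name in os_names:
        c = classify(name)
        supported = "macos_supported_version" in c["os_supported_version"]
        if supported and not c["os_targeted_quality_update_version"]:
            out.append(name)
    return out

# Constructed operating_system.name values (not real inventory data).
SAMPLE = ["macOS Sequoia 15.5", "macOS Sequoia 15.6", "macOS Sonoma 14.7.6",
          "macOS Ventura 13.6.1", "macOS Monterey 12.7.6"]

if __name__ == "__main__":
    for n in SAMPLE:
        print(n, classify(n))
    print("review:", stale_rule_candidates(SAMPLE))
```

Devices returned by `stale_rule_candidates` need a manual look: the 15.6 entry is newer than the rule's target, while the 13.6.1 entry is genuinely behind.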

***

RELATED TOPICS

* [macOS compliance](/platform/library-packs/operating-systems/macos-compliance.md)
* [Usage guide: macOS compliance](/platform/library-packs/operating-systems/macos-compliance/usage-guide-macos-compliance.md)

