The Apple Security Access Control Policy allows administrators to manage biometric security, camera access, USB restrictions, host pairing, ad tracking, and other critical security behaviors across macOS, iOS, and iPadOS devices.
This policy is essential for organizations that require strict control over device hardware features, identity authentication, USB connections, or data access.
Supported Platforms
macOS 10.11+
iOS 4.0+
iPadOS 4.0+
1. Biometric Authentication & Identity
Allow Fingerprint for Unlock
Controls whether Touch ID or Face ID can unlock the device.
Values:
true/falseDefault: Not configured
Requires (iOS/iPadOS): Supervised
Supported: macOS 10.12.4+, iOS/iPadOS 7.0+
Allow Fingerprint Modification
Determines whether users can modify stored biometric data (Touch ID / Face ID).
Values:
true/falseDefault: Not configured
Requires: Supervised on iOS/iPadOS
Supported: macOS 14+, iOS/iPadOS 8.3+
Enforced Fingerprint Timeout
Sets the timeout (in seconds) after which fingerprint/Face ID unlock requires password re-authentication.
Value type: Integer
Minimum:
0secondsMaximum:
172800seconds (48 hours)Default:
172800Supported: macOS 12+
Force Authentication Before AutoFill
Requires biometric authentication before Safari or apps can auto-fill passwords or credit card data.
Values:
true/falseDefault: Not configured
Requires: Supervised device
Supported: iOS/iPadOS 11+
2. Camera & Media Access
Allow Camera
Enables or disables the device camera system-wide.
Values:
true/falseDefault: Not configured
Note: On iOS, deprecated for unsupervised devices
Supported: macOS 10.11+, iOS/iPadOS 4+
3. USB, Accessory, and External Device Security
Allow Files USB Drive Access
Controls whether users can access USB drives from the Files app.
Values:
true/falseDefault: Not configured
Requires: Supervised device
Supported: iOS/iPadOS 13.1+
Allow USB Restricted Mode
Controls USB accessory behavior when the device is locked.
Values:
true→ USB Restricted Mode allowed (stricter security)false→ Device allows USB accessories while locked
Default: Not configured
Notes:
macOS: applies to USB, Thunderbolt, and SD card accessories
iOS/iPadOS: requires supervised device
Supported: macOS 13+, iOS/iPadOS 11.4.1+
Allow Host Pairing
Controls whether the device may pair with host Macs/PCs (e.g., via Finder/iTunes).
Values:
true/falseDefault: Not configured
Requires: Supervised device
Supported: iOS/iPadOS 7+
When disabled:
Device cannot pair with computers
Only the supervision host is allowed
If supervision host is not configured, all pairing is blocked
4. Apple Account & Identity Services
Apple Account to disable
Prevents users from signing in with personal Apple IDs.
Values:
true/falseDefault:
trueSupported: macOS 14+, iOS/iPadOS 7+
This is critical for:
Corporate-owned devices
Preventing data leakage into personal iCloud accounts
Maintaining proper MDM-managed Apple IDs
5. Privacy & Tracking Controls
Force Limit Ad Tracking
When enabled:
Advertising identifier is limited
App tracking requests are disabled
“Allow Apps to Request to Track” is turned off
Values:
true/falseDefault: Not configured
Supported: iOS/iPadOS 7+
Summary Table
Section | Field Name | Values | Notes |
Biometrics | Allow Fingerprint for Unlock | true/false | Prevent Touch ID/Face ID unlock |
Biometrics | Allow Fingerprint Modification | true/false | Prevent adding/removing biometrics |
Biometrics | Enforced Fingerprint Timeout | 0–172800 seconds | Password required after timeout |
Autofill Security | Force Authentication Before AutoFill | true/false | Requires supervised iOS/iPadOS |
Camera | Allow Camera | true/false | Disable device camera |
USB Access | Allow Files USB Drive Access | true/false | Blocks Files app USB access |
USB Restricted Mode | Allow USB Restricted Mode | true/false | Controls accessories when locked |
Host Pairing | Allow Host Pairing | true/false | Controls pairing with Macs/PCs |
Apple ID | Apple Account to disable | true/false | Prevent personal Apple ID sign-in |
Privacy | Force Limit Ad Tracking | true/false | Disables tracking and IDFA use |