Downloads and setup
This article answers the most common questions about configuring password policy and screen lock on employee devices, downloading Secureframe's pre-built profiles, and getting the related Agent checks to pass. For full setup steps see the Password Policy Check and Screen Lock / Session Timeout Check articles, or the Master Index: Secureframe Agent.
Where can I download Secureframe's pre-built macOS profile for password policy and screen lock?
Secureframe provides one macOS configuration profile that enforces both the password policy and the screen lock (session timeout) requirements. Download it here: Secureframe macOS password and screen lock profile.
Open the downloaded file and macOS will open System Settings to Device Management, where you can review and install it. Full steps are in the Password Policy Check article.
Is there a working link for the Windows batch script to install gpedit.msc on Windows Home?
Yes. Windows 10/11 Home does not include Group Policy Editor by default. Download the installer script here: gpedit.msc install script for Windows Home, right click it, and choose Run as administrator.
Allow up to 10 minutes for it to finish, then set the password policy using gpedit.msc. Full steps and troubleshooting, including the DISM 0x8007371b error, are in the Password Policy Check article.
The download link looks broken or removed. Is the file still available?
The files are still available. When you open the link, Google Drive may show a "Can't scan this file for viruses" warning because the profile and the script are executable files. This is expected. Click Download anyway to save the file.
If the link asks you to request access or does not open at all, you are usually signed in to a personal Google account or on a device or network that blocks Google Drive. Try opening the link in a private or incognito window, or on a different network.
If it still will not download, email [email protected] and we can send the file to you directly.
Should I build my own .mobileconfig, or use Secureframe's profile?
Either works. Most customers without an MDM use Secureframe's pre-built profile because it already includes the required password and screen lock settings.
If you manage devices with an MDM such as Jamf, Kandji, or Kolide, enforce the same settings through the MDM instead of installing the profile manually.
If you build your own profile, it must set
requireAlphanumericto true,minLengthto at least 8,askForPasswordto true, andloginWindowIdleTimeto 900 seconds or less.
How do I install the macOS profile on macOS 15?
Download and open the profile. On macOS 15, profiles are managed under System Settings > Privacy & Security > Device Management. On macOS 14 and earlier this appears as System Settings > Profiles.
Open that section, double click the Secureframe profile, and install it. After installing, the device needs to check in and the Agent integration needs to sync before the checks update.
Checks still failing after setup
I installed the profile but Asset Inventory still shows password policy, screen lock, or firewall as missing. What should I do?
Confirm the profile is actually installed on the device (System Settings > Privacy & Security > Device Management on macOS 15, or Profiles on older macOS).
Make sure the device has been online for at least 5 minutes so the Agent can check in with the new settings.
Run a manual sync of the Secureframe Agent integration. See Managing your Integration connections.
If it still fails, you may be on an outdated Agent build. Fully uninstall the Agent, download a fresh package from Employee Onboarding, and reinstall. See the Password Policy Check article for details.
If the check still does not pass after a sync, contact [email protected] with the device name and operating system version.
How do I manually sync the Secureframe Agent so my changes show up?
Go to Integrations on the Monitoring dashboard, open the Native tab, find the Secureframe Agent integration, and click Sync. When the sync completes, the Last Completed Sync column updates and the checks reflect your latest device settings. Steps are in Managing your Integration connections.
How long after I change a device setting until the Agent check updates?
The device first has to check in with the new setting, which requires it to be online for a few minutes. After that, the Agent integration syncs. Changes typically appear within a few hours on the daily automatic sync, or sooner if you run a manual sync.
Why does my Windows 11 Home device show the password policy as non-compliant even though I set a password?
Having a password is not the same as enforcing a password policy. The check verifies that a minimum length of 8 and complexity requirements are enforced through Group Policy or Local Security Policy.
Windows Home does not include those tools by default, so you need the gpedit.msc install script above, an MDM, or manual evidence. See the Password Policy Check article for the Windows Home steps and options.
MDM vs Agent vs manual evidence
Does Microsoft Intune satisfy the password policy test, or do I still need the Secureframe Agent?
If Intune is connected and enforcing a compliant password policy that is assigned to the affected devices, it can provide the evidence for the password policy test without the Secureframe Agent.
If devices are failing, confirm the Intune password policy is assigned to those specific devices and that they are reporting as compliant in Intune, then run a manual sync.
Avoid running both the Agent and an MDM on the same device for the same check, since conflicting sources can cause status mismatches. See Supported MDMs and their endpoint security capabilities.
Why doesn't Rippling MDM show password policy or firewall status in Secureframe?
Secureframe pulls device fields from Rippling through its App Management APIs. If password policy or firewall do not appear, it usually means those settings are not being enforced by a Rippling device profile, or Rippling is not exposing that field for that operating system.
Confirm a Rippling device policy actually enforces password, screen lock, and firewall, then run a manual sync. For anything Rippling does not report, enforce it with a Rippling configuration profile, use the Secureframe Agent on those devices, or upload manual evidence. See the Rippling and Supported MDMs articles.
Can BYOD or personal Windows Home devices be marked as exceptions for the password policy and screen lock tests?
For personal or BYOD devices where you cannot enforce settings through an MDM or Group Policy, you can upload manual evidence, such as a screenshot of the configured setting, to satisfy the test.
Your auditor decides whether the evidence is acceptable, so confirm the approach with them. Where possible, enforcing the policy through an MDM is the more durable option. See Supported MDMs and their endpoint security capabilities.
Is the Agent's password policy a fixed setting in Secureframe, or is it configured on the device?
The requirement, a minimum length of 8 with complexity and a screen lock of 15 minutes or less, is fixed and is not something you change inside Secureframe. The Agent only reads what is configured on the device.
To pass, you enforce the policy on the device itself or through an MDM, not in the Secureframe UI.
Removing the profile
How do I uninstall the Secureframe Agent and remove the Mac password and screen lock profile?
Uninstall the Agent using the OS-specific steps in Unenrolling & Uninstall Secureframe Agent. Removing the Agent does not remove the configuration profile.
To remove the profile on a Mac, open System Settings > Privacy & Security > Device Management (or Profiles on older macOS), select the Secureframe password and screen lock profile, and remove it.
Important: Removing the profile will drop the enforced password and screen lock settings, which can cause those checks to fail if the device is still in scope for your audit.
