Enforce automatic NTP time synchronization on macOS endpoints to stop Kerberos and SSO failures from clock drift
This Automox Worklet™ enforces automatic Network Time Protocol synchronization on macOS endpoints across your fleet. The Worklet uses the built-in systemsetup utility to inspect and correct two settings: whether the endpoint is configured to use network time, and which NTP server the endpoint points at. Endpoints already in compliance are left untouched, so the policy is safe to schedule on a recurring cadence.
The evaluation script queries systemsetup -getusingnetworktime and exits 0 when the response is Network Time: On. When the response is Network Time: Off, the endpoint is flagged non-compliant and remediation is scheduled by the policy engine.
The remediation script runs systemsetup -setusingnetworktime on to switch automatic network time back on, then pins the authoritative server with systemsetup -setnetworktimeserver time.apple.com. The Worklet ships with time.apple.com as the default because Apple uses it on stock macOS installs. Swap the value for time.nist.gov, a public pool.ntp.org host, or an internal mirror to match your network's policy before assigning the Worklet.
When a macOS endpoint drifts more than five minutes from the domain controller, Kerberos rejects the ticket request outright. The user sees an opaque login or SSO error and files a help desk ticket. Certificate-based authentication fails the same way when the endpoint clock falls outside the notBefore or notAfter window of a client certificate. Audit logs from the same endpoint cannot be correlated to firewall, EDR, or identity provider events, so security investigations stall at the merge step. PCI-DSS 10.6 and CIS Benchmark recommendation 2.2.1 both require a documented, enforced time source for exactly these reasons.
Clock drift on macOS endpoints comes from predictable sources: a user toggles Set date and time automatically off to extend a software trial, a build image bakes in an empty NTP setting, or an MDM time profile lapses and leaves the endpoint with no configured server. Scheduling this Worklet on a recurring cadence catches drift before it surfaces as a Kerberos failure, a broken client certificate, or a PCI-DSS 10.6 audit finding.
Evaluation phase: The Worklet runs systemsetup -getusingnetworktime and parses the response. An On result exits 0 and the endpoint is reported compliant. An Off result exits 1 and the policy engine schedules the remediation script. The evaluation is read-only and safe to run on any cadence, including hourly, without touching endpoint state.
Remediation phase: The remediation script runs systemsetup -setusingnetworktime on to enable automatic network time if it is off, then checks whether the configured NTP server matches the target value and runs systemsetup -setnetworktimeserver time.apple.com if it does not. Each check is conditional, so endpoints already in the correct state are not modified. The script exits 0 on success or non-zero if systemsetup returns an error.
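The evaluation and remediation phases described above, written out as one added example (not the Worklet's own evaluation.sh or remediation.sh, and not Automox code). The output parsing is split into its own functions so the state checks can be exercised without systemsetup; the output formats `Network Time: On`/`Off` and `Network Time Server: <host>`, and the `MODE` and `SYSTEMSETUP` variables used to package both phases in one file, are assumptions.

```bash
#!/bin/bash
# Added example, not the Worklet's own scripts. Assumes systemsetup prints
# "Network Time: On|Off" and "Network Time Server: <host>"; MODE picks the
# phase (Automox stores the two phases as separate scripts).
# Target server; time.apple.com is the default named on the page.
NTP_SERVER="${NTP_SERVER:-time.apple.com}"
SYSTEMSETUP="${SYSTEMSETUP:-/usr/sbin/systemsetup}"

# Classify `systemsetup -getusingnetworktime` output.
# 0 = On (compliant), 1 = Off, 2 = anything else. Unexpected output is
# treated as non-compliant so a broken tool never reports a false pass.
network_time_state() {
  case "$1" in
    *"Network Time: On"*)  return 0 ;;
    *"Network Time: Off"*) return 1 ;;
    *)                     return 2 ;;
  esac
}

# Extract the hostname from `systemsetup -getnetworktimeserver` output.
parse_time_server() {
  printf '%s\n' "$1" | sed -n 's/^Network Time Server: *//p' | tr -d '[:space:]'
}

# Evaluation phase: read-only; exit 0 compliant, non-zero otherwise.
evaluate() {
  out="$("$SYSTEMSETUP" -getusingnetworktime 2>&1)" || return 1
  network_time_state "$out"
}

# Remediation phase: each change is conditional, so a compliant endpoint is
# never touched; any systemsetup error (e.g. non-root) exits non-zero.
remediate() {
  out="$("$SYSTEMSETUP" -getusingnetworktime 2>&1)" || return 1
  if ! network_time_state "$out"; then
    "$SYSTEMSETUP" -setusingnetworktime on || return 1
  fi
  out="$("$SYSTEMSETUP" -getnetworktimeserver 2>&1)" || return 1
  current="$(parse_time_server "$out")"
  if [ "$current" != "$NTP_SERVER" ]; then
    "$SYSTEMSETUP" -setnetworktimeserver "$NTP_SERVER" || return 1
  fi
}

case "${MODE:-}" in
  evaluate)  evaluate ;;
  remediate) remediate ;;
esac
```

Run as `sudo MODE=evaluate ./ntp_worklet.sh` to get the compliance exit code, or `sudo MODE=remediate ./ntp_worklet.sh` to apply the conditional fixes.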
macOS 10.12 (Sierra) or later. The systemsetup utility ships with every supported macOS release, including macOS 13 Ventura, 14 Sonoma, and 15 Sequoia on both Apple Silicon and Intel hardware.
Root privileges. The Automox agent runs as root by default, so the systemsetup calls succeed without extra configuration. A non-root execution context returns You need administrator access to run this tool and the remediation exits non-zero.
Outbound UDP/123 reachability from the endpoint to the chosen NTP server. The default time.apple.com resolves to Apple's anycast pool; an internal NTP mirror requires that the same port is open on the firewall path between the endpoint and the mirror.
Edit the NTP server value in remediation.sh before assigning the Worklet if your environment uses an internal time source (for example ntp.corp.example.com) or a regulated public source such as time.nist.gov.
Both workstation and server macOS endpoints are supported. The systemsetup interface is identical across form factors.
After remediation, systemsetup -getusingnetworktime returns Network Time: On and systemsetup -getnetworktimeserver returns the value you set in remediation.sh. macOS resumes hourly background calls against the pinned server and applies any necessary correction without user interaction. The endpoint's date output stays within one second of the authoritative source under normal network conditions, and Kerberos, certificate, and SSO flows stop failing on clock skew.
Validate the change with sudo sntp -q time.apple.com to observe the current offset, or open System Settings → General → Date and Time and confirm the Set time and date automatically toggle is on. For audit evidence, capture the contents of /etc/ntp.conf alongside the Automox policy run identifier; the file lists the active server line and is sufficient documentation for PCI-DSS 10.6 and CIS Benchmark 2.2.1 evidence. The Worklet's recurring evaluation phase is what keeps this state in place: if a user disables network time through the GUI or another tool, the next policy run flags the endpoint and remediation restores the baseline.

