Restrictions

MDM lets you configure various restrictions on managed Apple devices, as per the requirements of your organization. You can allow or restrict user access to various device features, such as profile settings, application settings, iCloud settings, and security and privacy settings.

Note: To view a detailed comparison of the policies supported for each OS version, click here.

The status of the restrictions imposed using MDM on a particular device is shown under Inventory -> Restrictions. When no restrictions are imposed by MDM, the status is displayed as Allowed by default.

Profile Description

PROFILE SETTINGS DESCRIPTION SUPERVISED UNSUPERVISED
DEVICE FUNCTIONALITY
Camera Camera(s) can be completely disabled and the icons removed from the home screen. This ensures users cannot take photos or use FaceTime. *
FaceTime Allow/Restrict FaceTime video and audio calls. To allow FaceTime, Camera has to be allowed on the device. *
Screenshot and Screen Recording Allow/Restrict users from capturing screenshots and recording the screen.
Spotlight Internet Search (iOS 8 or later versions) Allow/Restrict the usage of Spotlight Search to find content directly from the internet.
AirDrop (iOS 7 or later versions) Allow/Restrict sharing of documents, media etc., using AirDrop to other devices. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.
Voice Dialing Allow/Restrict the usage of voice dialing.
iMessage (iOS 6 or later versions) Allow/Restrict the usage of iMessage.
Siri Allow/Restrict the usage of Siri.
Allow Siri when device is locked Allow/Restrict the usage of Siri when the device is locked. This can be permitted only when Siri is enabled on the device.
Force Siri Profanity Filter (iOS 6 or later versions) Allow/Restrict the profanity filtering in Siri. This can be permitted only when Siri is enabled on the device.
Allow Siri to query from the web (iOS 7 or later versions) Allow/Restrict Siri to query content from the web (Wikipedia, Bing, and Twitter). This can be permitted only when Siri is enabled on the device.
Handoff (iOS 8 or later versions) Enabling this option lets you resume an existing work or access content from any device which is logged in, using the same iCloud account.
Allow user to modify device name Allow/Restrict the user from modifying the name of the device.
Set device date and time Date and time can be set automatically on the device, based on the current network and location or it can be left to the user to configure or the admin can select a specific timezone.
Note: If the Screen Time Passcode is enabled on the device, the user cannot manually set the date and time on the device and the admin too cannot set the date and time to a specific timezone.
AirPrint (iOS 11 or later versions) Allow/Restrict managed devices to pair with a printer via AirPrint.
Store AirPrint credentials on iCloud (iOS 11 or later versions) Allow/Restrict saving of AirPrint credentials on iCloud.
Enforce TLS trusted certificates for AirPrint (iOS 11 or later versions) Secure AirPrint communication by enforcing TLS certificates to be used on the AirPrint printers.
Discover AirPrint printers using iBeacons (iOS 11 or later versions) Enable/Disable using of Bluetooth service, iBeacons to discover AirPrint printers.
iPhone widgets on Mac Allow/Restrict users to add iPhone widgets on Mac devices.
Live voice mail Allow/Restrict users to add live voice mail.
SECURITY
Share data between managed and unmanaged apps (iOS 7 or later versions)
Allow both ways Allow sharing data between managed and unmanaged apps.
Restrict from unmanaged to managed
  • Allow pasting of cut/copied unmanaged app data in managed apps (iOS 15 or later versions)
Restrict from managed to unmanaged
  • Allow pasting of cut/copied managed app data in unmanaged apps (iOS 15 or later versions)
  • Use AirDrop to share data from managed apps (iOS 9 or later versions)
  • Allow managed apps to save contacts in unmanaged accounts (iOS 12 or later versions)
  • Allow unmanaged apps to access managed contacts (iOS 12 or later versions)
Restrict both ways
  • Allow cut/copy/paste between managed and unmanaged apps (iOS 15 or later versions)
  • Use AirDrop to share data from managed apps (iOS 9 or later versions)
  • Allow managed apps to save contacts in unmanaged accounts (iOS 12 or later versions)
  • Allow unmanaged apps to access managed contacts (iOS 12 or later versions)
Force Encrypted Backup Enable/Disable forced encrypted backup of data.
Allow user to wipe device by erasing all content and settings (iOS 8 or later versions) Enabling this lets users erase all the content and settings on the device.
Note: Restricting this option disables the Erase All Content and Settings option on the device, which is equivalent to a factory reset.
Allow user to configure Screen Time/Restrictions on device (iOS 8 or later versions) Enable/Disable users from configuring Screen time or device restrictions.
Note:
  • From iOS 12, the Restrictions setting on the device has been renamed as Screen Time.
  • If Screen Time restriction is enabled, Location Permission will be set to Don't Change on the device.
Allow Passbook when device is locked (iOS 6 or later versions) Enable/Disable the usage of Passbook while the device is locked.
Use biometric methods such as TouchID and/or FaceID to unlock devices (iOS 7 or later versions) Enable/Disable the usage of fingerprints/facial recognition to unlock devices.
Allow user to add or modify TouchID/FaceID (iOS 8.3 or later versions) Enable users to add/modify the fingerprints/faces for facial recognition, on the device. If this has to be configured, Use biometric methods such as TouchID and/or FaceID to unlock devices has to be enabled.
ADVANCED SECURITY
Install configuration profiles and certificates interactively (iOS 6 or later versions) Allow/Restrict users from installing/modifying the configuration and certificates.
Add/Modify iCloud, Mail and other accounts (iOS 7 or later versions) Allow/Restrict users from adding/removing accounts such as Apple account, e-mail, etc. Once restricted, apps requiring Apple ID cannot be installed, whether distributed by MDM or not. You can, however, install apps silently on iOS devices without requiring Apple ID as explained here.
After enabling this restriction, accounts cannot be added or modified by the user but can be added or modified from the MDM console. If you restrict iCloud and iMessage, FaceTime will also be restricted. These will be greyed out on the device.
Note: The iCloud sign out will be greyed out on the device if Screen Time is enabled. In that case, turn off the Screen Time from device settings to enable iCloud sign out.
Accept untrusted TLS certificates Allow/Restrict untrusted TLS (Transport Layer Security) certificates.
Automatic updates for trusted certificates (iOS 7 or later versions) Allow/Restrict trusted certificates from updating automatically.
Allow iTunes pairing and other USB connections (iOS 7 or later versions) Enable/Disable devices from being paired with any Mac other than the one used for supervising the device through Apple Configurator. As USB pairing is restricted, pairing with iTunes also gets restricted.
Allow USB connections when device is locked (iOS 11.4.1 or later versions) Enable/Disable data transfer between devices via USB pairing, when locked. This can be allowed or left to users to modify the settings from the device.
USB flash drive (iOS 13 or later versions) Allow/Restrict users from connecting any external storage drives to the device ensuring corporate data cannot be transferred from managed devices.
Allow unpaired computers to boot devices into recovery mode (iOS 14.5 or later versions) Allow/Restrict booting devices into recovery mode from a computer that was not paired previously.
Force password for iTunes and App Store downloads Enable/Disable prompting iTunes and AppStore password for every download.
Force password for AirPlay outgoing requests (iOS 7 or later) Enable/Disable prompting of password for all AirPlay outgoing requests during device pairing.
Force password for AirPlay incoming requests (iOS 7 or later versions) Enable/Disable prompting password for all AirPlay incoming requests during device pairing.
Force Wrist Authentication to access notifications on Apple Watch (iOS 8.3 or later versions) Enable/Disable Wrist authentication to access notifications on Apple Watch.
Pair with Apple Watch (iOS 9 or later versions) Allow/Restrict device pairing with Apple Watch.
Unlock with Apple Watch (iOS 14.5 or later, and watchOS 7.4 or later) Allow/Restrict users from unlocking devices with Apple Watch.
Set up other devices using proximity detection (iOS 11 or later versions) Allow/Restrict devices from detecting other devices in their proximity to share their settings, iCloud and Wi-Fi passwords.
Autofill passwords in Safari and apps (iOS 12 or later versions) Allow/Restrict autofill in browsers and apps.
Authenticate Face ID/Touch ID before allowing autofill (iOS 11 or later versions) Allow/Restrict Face ID/Touch ID authentication before any password or credit card details are entered in browsers and apps. To configure this, Autofill passwords in Safari and apps should be enabled.
Share passwords with devices in proximity (iOS 12 or later versions) Allow/Restrict devices getting notified to share their passwords with other devices in proximity.
Request passwords from devices in proximity (iOS 12 or later versions) Allow/Restrict devices requesting other devices in proximity, to share their passwords.
APPLICATIONS
Users can install unapproved apps (iOS 9 or later versions) Allow/Restrict users from installing apps either through App Store or by connecting it to a Mac machine and using iTunes for app installation. If restricted, in devices running iOS versions below 9, even the apps distributed through MDM cannot be installed but for devices running iOS 9.0 or later, these apps can be installed. Even if this restriction is disabled, by default, when a Managed Apple ID is used, the 'GET' option is disabled on the App Store. *
Deleting apps Allow/Restrict users from removing Apps. *
Unauthorized enterprise apps (iOS 9 or later versions) Allow/Restrict users from installing/using enterprise apps which are not distributed via MDM.
Automatically download apps on multiple devices with same Apple ID (iOS 9 or later versions) Allow/Restrict users from downloading apps on multiple devices with the same Apple ID.
In-app purchase Allow/Restrict users from making in-app purchases.
Game Center (iOS 6 or later versions) Allow/Restrict the usage of Game Center.
Multiplayer Gaming Allow/Restrict multiplayer gaming. To configure this, Game Center should be allowed. *
Adding Game Center Friends Allow/Restrict users from adding Game Center friends. To configure this, Game Center should be allowed. *
iTunes Store Allow/Restrict the usage of iTunes Store. *
Podcast app (iOS 8 or later versions) Allow/Restrict users from accessing Podcasts.
News app (iOS 9 or later versions) Allow/Restrict users from accessing News Apps.
Remove system apps Allow/Restrict users from removing System Apps.
Music Services (iOS 9.3 or later versions) Restrict/Allow music services in the default iOS music app.
Radio Services (iOS 9.3 or later versions) Restrict/Allow radio services in managed iOS devices.
Download iBooks content (iOS 6 or later versions) Allow/Restrict users from downloading content from iBooks Store.
Erotic content (iOS 6 or later versions) Allow/Restrict users from downloading media which is tagged as erotic from iBooks. To configure this, Download iBooks content should be enabled.
Install alternative marketplace apps Allow/Restrict users from installing apps from alternative marketplaces other than the App Store. If restricted, users cannot install them even from Settings > Developer Menu. However, this restriction does not impact app distribution through MDM. You can still distribute in-house or enterprise apps and custom B2B apps through MDM.
Note: This restriction is applicable only to the EU region.
BROWSER
Safari Allow/Restrict the use of Safari. *
Settings below can be configured only if Safari is allowed.
AutoFill Enable/Disable autofilling of forms.
Force fraudulent website warning Enable/Disable forced fraudulent website warning.
JavaScript Allow/Restrict JavaScript.
Pop-ups Enable/Disable pop-ups.
Cookies Allow/Restrict Cookies.
NETWORK AND ROAMING
Automatic sync while roaming Enabling this permits apps to fetch background data when the devices are roaming. This happens when users access the apps. It helps in controlling the data roaming charges.
Allow users to modify cellular data usage for apps (iOS 7 or later versions) Enabling this lets users restrict the usage of cellular data for specific apps.
Modify Bluetooth (iOS 10.0 or later versions) Allow/Restrict users from modifying Bluetooth. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.
Set Bluetooth on devices (iOS 11.3 or later versions) Bluetooth can be restricted to always On/Off state. To configure this, Modify Bluetooth should be enabled.
Connect to Wi-Fi, only if distributed via MDM (iOS 10.3 or later versions) Enabling this ensures that devices connect to a Wi-Fi network only if a Wi-Fi profile has been distributed via MDM. If no such profile has been distributed, the device cannot connect to another Wi-Fi network, which implies that it cannot be managed by MDM. If the Wi-Fi SSID has been changed, then the profile must be modified to include the new SSID and re-distributed to the device, for continued management.
Disabling this allows the device to connect to any Wi-Fi network, including the one configured and distributed via MDM.
Always on Wi-Fi (iOS 13 or later versions) Wi-Fi can forcefully be enabled on your managed devices, ensuring users cannot turn it off. You can also allow users to enable or disable Wi-Fi by themselves.
Allow users to configure VPN (iOS 11 or later versions) Enabling this lets users configure VPN on managed iOS devices.
Modify Hotspot (iOS 12.2 or later versions) Restrict/Allow the usage of Hotspot on the managed iOS devices.
Modify eSIM settings (iOS 12.2 or later versions) Restrict/Allow users from removing the existing eSIM or adding a new one on supported iOS devices.
Restrict NFC (iOS 14.2 or later versions) Enabling this feature restricts users from turning on Near Field Communication (NFC).
iCLOUD
Device backup Allow/Restrict automatic backup of photos and documents, when devices are connected to Wi-Fi. *
Sync data & documents from managed apps (iOS 8 or later versions) Allow/Restrict the syncing of data and documents from managed apps.
Sync device data & documents Allow/Restrict the syncing of data and documents from managed devices. *
Sync Photo Stream Allow/Restrict automatic backup of photos on the devices, when connected to Wi-Fi.
Sync Shared Stream (iOS 6 or later versions) Allow/Restrict users from creating shared albums with photos/videos, using iCloud.
Sync Keychain (iOS 8 or later versions) Allow/Restrict Keychain data such as account passwords, credit card information, security notes etc., on devices to be synced. *
Sync iCloud Photo Library (iOS 9 or later versions only) Allow/Restrict syncing photos from the iCloud Library, for downloading onto the devices.
Enterprise books backup (iOS 8 or later versions only) Allow/Restrict backing up of data from the books distributed by the organization.
Enterprise books metadata sync (iOS 8 or later versions only) Allow/Restrict syncing metadata like notes and highlights from enterprise books. To configure this, Enterprise books backup has to be enabled.
Allow iCloud Private Relay Allowing Private relay hides IP address and Safari browsing activity of users from websites, network providers and Apple.
PRIVACY
Find My Friends (iOS 13 or later versions) Allow/Restrict users from configuring Find My Friends in the Find My app.
Modify Find My Friends settings (iOS 7 or later versions) Allow/Restrict users from modifying settings under Find My Friends. This can be configured only when Find My Friends is allowed.
Find My Device (iOS 13 or later versions) Allow/Restrict users from configuring Find My Device in the Find My app.
Send diagnostics data to Apple (iOS 6 or later versions) Enabling this lets diagnostic data be sent to Apple.
Modify Diagnostics & Usage pane settings (iOS 9.3 or later versions) Allowing this lets users enable/disable diagnostics and usage pane settings.
Force limited ad tracking (iOS 7 or later versions) Enable/Disable users from ad tracking and marketing on the devices.
Allow Mail Privacy (iOS 15.2 or later versions) Mail Privacy Protection is a feature on iPhones which users can enable. When this setting is turned on, senders cannot determine whether the mails are opened or not. It ensures the privacy of users by hiding their email activities and IP addresses. With MDM, admins can prevent users from enabling Mail Privacy Protection on their device.
Enable lock screen settings (iOS 7 or later versions) Allow/Restrict users from accessing Control Center, Notification Center and Today View settings when the device is locked.
Settings below can be configured only if Enable lock screen settings is allowed.
Control Center (iOS 7 or later versions) Allow/Restrict users from accessing Control Center when the device is locked.
Notification Center (iOS 7 or later versions) Allow/Restrict notifications from being displayed when the device is locked.
Today View (iOS 7 or later versions) Allow/Restrict Today View which displays information like the day, date, weather, reminders, etc., on the screen when the device is locked.
CONTENT RATINGS
Explicit Music & Podcasts Allow/Restrict explicit music and podcasts. *
Enable ratings by region Enable/Disable ratings by region.
Settings below can be configured only if Enable ratings by region is allowed.
Specify the Region Choose the region, to specify the settings accordingly.
Maximum Allowable Ratings for Movies Allow/Restrict to view movies based on the specified ratings.
Maximum Allowable Ratings for TV shows Allow/Restrict to view TV shows based on the specified ratings.
Maximum Allowable Ratings for Apps Allow/Restrict to use apps based on the specified ratings.
KEYBOARD SETTINGS
Dictionary word lookup (iOS 8.13 or later versions) Allow/Restrict the built-in dictionary to retrieve words.
Predictive keyboard (iOS 8.1.3 or later versions) Allow/Restrict the usage of predictive keyboard on the device.
Auto correction (iOS 8.1.3 or later versions) Allow/Restrict use of auto correct on managed devices.
Spellcheck (iOS 8.1.3 or later versions) Allow/Restrict the use of Spellcheck on managed devices.
Shortcuts on external keyboards (iOS 9 or later versions) Allow/Restrict use of shortcuts from external keyboard(s).
Dictation (iOS 10.3 or later versions) Allow/Restrict use of Dictation from the keyboard(s).
Process dictation on device Allow/Restrict content from being sent to Apple servers for dictation.
Swipe keyboard (iOS 13 or later versions) Allow/Restrict the usage of QuickPath keyboard which lets you swipe across letters instead of typing manually.
Process translation on device Allow/Restrict content from being sent to Apple servers for translation.
CLASSROOM (Applicable if Classroom 2.0 app is installed on the Teacher devices and the Student devices are Supervised)
Automatically join classes without prompting (iOS 11 or later versions) Enabling this ensures that the student devices mandatorily join the classes, without any notification/prompt on the device.
Allow teacher's device to lock apps and devices without prompting (iOS 11 or later versions) Enabling this ensures that the teacher can either fully lock the student device or lock specific apps on the device, without any notification/prompt on the device.
Allow AirPlay and screen viewing by teacher's device Enabling this allows the teacher to view the student device screen, after notifying/requesting permission(s) to do the same from the user.
Allow teacher's device to AirPlay and view screen without prompting Enabling this allows the teacher to view the student device screen, without any notification/prompt on the device. To configure this, Allow AirPlay and screen viewing by teacher's device should be enabled.
Teacher's permission required before leaving a classroom (iOS 11.3 or later versions) Enabling this ensures that students request permission from the teacher before leaving a classroom.
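
The table states several prerequisites (FaceTime needs Camera, the Game Center sub-settings need Game Center) and lists sub-options that stay configurable under "Restrict from managed to unmanaged". The script below is an added example, not part of the original page or of the MDM product: it audits an exported configuration profile for settings that have no effect and for managed-data paths left open. It assumes the policy uses Apple's Restrictions payload (com.apple.applicationaccess) key names; the pairing of those keys with the rows above, and the sample profile, are assumptions of the example.

```python
import plistlib

# Constructed sample profile, not taken from the page. Key names are Apple's
# Restrictions payload keys; pairing them with this page's rows is an assumption.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowCamera</key><false/>
    <key>allowVideoConferencing</key><true/>
    <key>allowGameCenter</key><false/>
    <key>allowMultiplayerGaming</key><true/>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
    <key>allowManagedToWriteUnmanagedContacts</key><true/>
  </dict></array>
</dict></plist>"""

# (dependent key, prerequisite key): prerequisites stated in the table above.
PREREQS = [
    ("allowVideoConferencing", "allowCamera"),        # FaceTime needs Camera
    ("allowAssistantWhileLocked", "allowAssistant"),  # Siri when locked needs Siri
    ("allowMultiplayerGaming", "allowGameCenter"),
    ("allowAddingGameCenterFriends", "allowGameCenter"),
    ("allowFingerprintModification", "allowFingerprintForUnlock"),
    ("forceAuthenticationBeforeAutoFill", "allowPasswordAutoFill"),
]

# (key, risky value, what stays open) for the managed-to-unmanaged sub-options.
# Each of these keys is treated as False when absent from the payload.
LEAK_PATHS = [
    ("requireManagedPasteboard", False, "managed data can be pasted into unmanaged apps"),
    ("forceAirDropUnmanaged", False, "managed apps can share over AirDrop"),
    ("allowManagedToWriteUnmanagedContacts", True, "managed apps can save to unmanaged contacts"),
    ("allowUnmanagedToReadManagedContacts", True, "unmanaged apps can read managed contacts"),
]

def restrictions(profile_bytes):
    """Merge every Restrictions payload found in a .mobileconfig into one dict."""
    merged = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    return merged

def sharing_mode(r):
    """Name the data-sharing mode using the labels from the SECURITY rows."""
    out_ok = r.get("allowOpenFromManagedToUnmanaged", True)
    in_ok = r.get("allowOpenFromUnmanagedToManaged", True)
    return {(True, True): "Allow both ways",
            (True, False): "Restrict from unmanaged to managed",
            (False, True): "Restrict from managed to unmanaged",
            (False, False): "Restrict both ways"}[(out_ok, in_ok)]

def audit(profile_bytes):
    """Return (sharing mode, findings) for one profile."""
    r, findings = restrictions(profile_bytes), []
    for child, parent in PREREQS:
        if r.get(child) is True and r.get(parent, True) is False:
            findings.append(f"{child} is set but {parent} is restricted, so it has no effect")
    if r.get("allowOpenFromManagedToUnmanaged", True) is False:
        for key, risky, note in LEAK_PATHS:
            if r.get(key, False) == risky:
                findings.append(f"{key}={risky}: {note}")
    return sharing_mode(r), findings

if __name__ == "__main__":
    mode, findings = audit(SAMPLE_PROFILE)
    print(mode, *findings, sep="\n  ")
```
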