Restrictions

You can configure various restrictions on the managed devices, as per the requirements of your organization. You can allow or restrict users to access various features of the devices, like profile settings, application settings, iCloud settings, security, and privacy settings.

The status of restrictions imposed using MDM for a particular device, is shown under Inventory-> Restrictions. When no restrictions are imposed by MDM, by default the status is displayed as Allowed.

PROFILE SETTINGS

DESCRIPTION

DEVICE FUNCTIONALITY

Camera

Camera(s) can be completely disabled and the icons removed from the home screen. This ensures users cannot take photos or use FaceTime.

FaceTime

Allow/Restrict FaceTime video and audio calls. To allow FaceTime, Camera has to be allowed on the device.

Screenshot and Screen Recording

Allow/Restrict users from capturing the screenshot of the display.

Spotlight Internet Search (iOS 8 or later versions - Supervised devices only)

Allow/Restrict the usage of Spotlight Search to find content directly from the internet.

AirDrop (iOS 7 or later versions - Supervised devices only)

Allow/Restrict sharing of documents, media etc., using AirDrop to other devices. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.

Voice Dialing

Allow/Restrict the usage of voice dialing.

iMessage (iOS 6 or later versions - Supervised devices only)

Allow/Restrict the usage of iMessage.

Siri

Allow/Restrict the usage of Siri.

Allow Siri when device is locked

Allow/Restrict the usage of Siri when the device is locked. This can be permitted only when Siri is enabled on the device.

Force Siri Profanity Filter (iOS 6 or later versions - Supervised devices only)

Allow/Restrict the profanity filtering in Siri. This can be permitted only when Siri is enabled on the device.

Allow Siri to query from the web (iOS 7 or later versions - Supervised devices only)

Allow/Restrict Siri to query content from the web (Wikipedia, Bing, and Twitter). This can be permitted only when Siri is enabled on the device.

Handoff (iOS 8 or later versions - Supervised devices only)

Enabling this option lets you resume an existing work or access content from any device which is logged in, using the same iCloud account.

Allow user to modify device name

Allow/Restrict the user from modifying the name of the device.

Set device date and time

Date and time can be set automatically on the device, based on the current network and location or it can be left to the user to configure.

AirPrint (iOS 11 or later versions - Supervised devices only)

Allow/Restrict managed devices to pair with a printer via AirPrint.

Store AirPrint credentials on iCloud (iOS 11 or later versions - Supervised devices only)

Allow/Restrict saving of AirPrint credentials on iCloud.

Enforce TLS trusted certificates for AirPrint (iOS 11 or later versions - Supervised devices only)

Secure AirPrint communication by enforcing TLS certificates to be used on the AirPrint printers.

Discover AirPrint printers using iBeacons (iOS 11 or later versions - Supervised devices only)

Enable/Disable using of Bluetooth service, iBeacons to discover AirPrint printers.

SECURITY

Share data from managed apps to unmanaged apps (iOS 7 or later versions)

Allow/Restrict the sharing of corporate data from apps distributed by MDM to personal apps (not distributed by MDM). Till iOS 11, contacts shared from Exchange or using the Contact Sync profile are considered as managed contacts and cannot be accessed by unmanaged apps. From iOS 12, the managed contacts can be managed seperately using the Allow managed apps to save contacts in unmanaged accounts or Allow unmanaged apps to access managed contacts.

Use AirDrop to share data from managed apps (iOS 9 or later - Supervised devices only)

Enable/Disable the usage of AirDrop to share data from managed apps to unmanaged apps. To enable this, Share data from managed apps to unmanaged apps should be allowed.

Allow managed apps to save contacts in unmanaged accounts (iOS 12 or later versions)

In devices running versions below iOS 12, contacts in managed apps are treated as managed contacts and cannot be saved in unmanaged accounts. iOS 12 onwards, users can be allowed or restricted from storing these managed contacts in unmanaged accounts. To enable this, Share data from managed apps to unmanaged apps should be restricted.

Allow unmanaged apps to access managed contacts (iOS 12 or later versions - Supervised devices only)

In devices running versions below iOS 12, unmanaged apps cannot access the contacts in managed accounts. iOS 12 onwards, users can be allowed or restricted from accessing these contacts from unmanaged apps. To enable this, Share data from managed apps to unmanaged apps should be restricted.

Share data from unmanaged apps to managed apps

Allow/Restrict the sharing of data from personal apps to apps distributed by MDM.

Force Encrypted Backup

Enable/Disable forced encrypted backup of data.

Allow user to wipe device by erasing all content and settings (iOS 8 or later versions - Supervised devices only)

Enabling this, lets users erase all the content and settings on the device.

Allow user to configure Screen Time/Restrictions on device (iOS 8 or later versions - Supervised devices only)

Enable/Disable users from configuring Screen time or device restrictions.
Note: From iOS 12, the Restrictions setting on the device, has been renamed as Screen Time.

Allow Passbook when device is locked (iOS 6 or later versions)

Enable/Disable the usage of Passbook while the device is locked.

Use biometric methods such as TouchID and/or FaceID to unlock devices (iOS 7 or later versions)

Enable/Disable the usage of fingerprints/facial recognition to unlock devices.

Allow user to add or modify TouchID/FaceID (iOS 8.3 or later versions - Supervised devices only)

Enable users to add/modify the fingerprints/faces for facial recognition, on the device. If this has to be configured, Use biometric methods such as TouchID and/or FaceID to unlock devices has to be enabled.

ADVANCED SECURITY

Install configuration profiles and certificates interactively (iOS 6 or later versions - Supervised devices only)

Allow/Restrict users from installing/modifying the configuration and certificates.

Add/Modify iCloud, Mail and other accounts (iOS 7 or later versions - Supervised devices only)

Allow/Restrict users from adding/removing accounts such as Apple account, e-mail etc., Once restricted, apps requiring Apple ID cannot be installed, whether distributed by MDM or not. You can however install apps silently on iOS devices without requiring Apple ID as explained here.

Accept untrusted TLS certificates

Allow/Restrict untrusted TLS (Transport Layer Security) certificates.

Automatic updates for trusted certificates (iOS 7 or later versions)

Allow/Restrict trusted certificates from updating automatically.

Allow iTunes pairing and other USB connections (iOS 7 or later versions - Supervised devices only)

Enable/Disable devices from being paired with any Mac other than the one used for supervising the device through Apple Configurator. As USB pairing is restricted, pairing with iTunes also gets restricted.

Allow USB connections when device is locked (iOS 11.4.1 or later versions - Supervised devices only)

Enable/Disable data transfer between devices via USB pairing, when locked. This can be allowed or left to users to modify the settings from the device.

Force password for iTunes and App Store downloads

Enable/Disable prompting iTunes and AppStore password for every download.

Force password for AirPlay outgoing requests (iOS 7 or later - Supervised devices only)

Enable/Disable prompting of password for all AirPlay outgoing requests during device pairing.

Force password for AirPlay incoming requests (iOS 7 or later versions - Supervised devices only)

Enable/Disable prompting password for all AirPlay incoming requests during device pairing.

Force Wrist Authentication to access notifications on Apple Watch (iOS 8.3 or later versions - Supervised devices only)

Enable/Disable Wrist authentication to access notifications on Apple Watch.

Pair with Apple Watch (iOS 9 or later versions - Supervised devices only)

Allow/Restrict device pairing with Apple Watch.

Set up other devices using proximity detection (iOS 11 or later versions - Supervised devices only)

Allow/Restrict devices from detecting other devices in their proximity to share their settings, iCloud and Wi-Fi passwords.

Autofill passwords in Safari and apps (iOS 12 or later versions - Supervised devices only)

Allow/Restrict autofill in browsers and apps.

Authenticate Face ID/Touch ID before allowing autofill (iOS 11 or later versions - Supervised devices only)

Allow/Restrict Face ID/Touch ID authentication before any password or credit card details are entered in browsers and apps. To configure this, Autofill passwords in Safari and apps should be enabled.

Share passwords with devices in proximity (iOS 12 or later versions - Supervised devices only)

Allow/Restrict devices getting notified to share their passwords with other devices in proximity.

Request passwords from devices in proximity (iOS 12 or later versions - Supervised devices only)

Allow/Restrict devices requesting other devices in proximity, to share their passwords.

APPLICATIONS

Users can install unapproved apps (iOS 9 or later versions - Supervised devices only)

Allow/Restrict users from installing apps either through App Store or by connecting it to a Mac machine and using iTunes for app installation. If restricted, in devices running iOS versions below 9, even the apps distributed through MDM cannot be installed but for devices running iOS 9.0 or later, these apps can be installed.

Deleting apps (Supervised devices only)

Allow/Restrict users from removing Apps.

Unauthorized enterprise apps (iOS 9 or later versions - Supervised devices only)

Allow/Restrict users from installing/using enterprise apps which are not distributed via MDM.

Automatically download apps on multiple devices with same Apple ID (iOS 9 or later versions - Supervised devices only)

Allow/Restrict users from downloading apps on multiple devices with the same Apple ID.

In-app purchase

Allow/Restrict users from making in-app purchases.

Game Center
(iOS 6 or later versions - Supervised devices only)

Allow/Restrict the usage of Game Center.

Multiplayer Gaming

Allow/Restrict multiplayer gaming. To configure this, Game Centre should be allowed.

Adding Game Center Friends

Allow/Restrict users from adding game center friends. To configure this, Game Centre should be allowed.

iTunes Store

Allow/Restrict the usage of iTunes Store.

Podcast app (iOS 8 or later versions - Supervised devices only)

Allow/Restrict users from accessing Podcasts.

News app (iOS 9 or later versions - Supervised devices only)

Allow/Restrict users from accessing News Apps.

Music Services (iOS 9.3 or later versions - Supervised devices only)

Restrict/Allow music services in the default iOS music app.

Radio Services (iOS 9.3 or later versions - Supervised devices only)

Restrict/Allow radio services in managed iOS devices.

Download iBooks content
(iOS 6 or later versions - Supervised devices only)

Allow/Restrict users from downloading content from iBooks Store.

Erotic Content (iOS 6 or later versions - Supervised devices only)

Allow/Restrict users from downloading media which is tagged as erotic from iBooks. To configure this, Download iBooks content should be enabled.

BROWSER

Safari

Allow/Restrict the use of Safari.

Settings below can be configured only if Safari is allowed.

AutoFill

Enable/Disable autofilling of forms.

Force fraudulent website warning

Enable/Disable forced fraudulent website warning.

JavaScript

Allow/Restrict JavaScript.

Pop-ups

Enable/Disable pop-ups.

Cookies

Allow/Restrict Cookies.

NETWORK AND ROAMING

Automatic sync while roaming

Enabling this, permits apps to fetch background data, when the devices are in roaming. This happens when users access the apps. It helps in controlling the data roaming charges.

Allow users to modify cellular data usage for apps (iOS 7 or later versions - Supervised devices only)

Enabling this lets users restrict the usage of cellular data for specific apps.

Modify Bluetooth (iOS 10.0 or later versions - Supervised devices only)

Allow/Restrict users from modifying Bluetooth. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.

Set Bluetooth on devices (iOS 11.3 or later versions - Supervised devices only)

Bluetooth can be restricted to always On/Off state. To configure this, Modify Bluetooth should be enabled.

Connect to Wi-Fi, only if distributed via MDM (iOS 10.3 or later versions - Supervised devices only)

Enabling this ensures, devices connect to a Wi-Fi network only if a Wi-fi profile has been distributed via MDM. If no such profile has been distributed, the device cannot connect to another Wi-Fi network which implies that it cannot be managed by MDM.  If the Wi-Fi SSID has been changed, then the profile must be modified to include the new SSID and re-distributed to the device, for continued management.

Disabling this, allows the device to connect to any Wi-Fi network, including the one configured and distributed via MDM.

Allow users to configure VPN (iOS 11 or later versions - Supervised devices only)

Enabling this lets users configure VPN on the managed iOS devices.

Modify Hotspot (iOS 12.2 or later versions - Supervised devices only)

Restrict/Allow the usage of Hotspot on the managed iOS devices.

Modify eSIM settings (iOS 12.2 or later versions - Supervised devices only)

Restrict/Allow users from removing the existing eSIM or adding a new one on supported iOS devices.

iCLOUD

Device backup

Allow/Restrict automatic backup of photos and documents, when devices are connected to Wi-Fi.

Sync data & documents from managed apps (iOS 8 or later versions)

Allow/Restrict the syncing of data and documents from managed apps.

Sync device data & documents (Supervised devices only)

Allow/Restrict the syncing of data and documents from managed devices.

Sync Photo Stream

Allow/Restrict automatic backup of photos on the devices, when connected to Wi-Fi.

Sync Shared Stream
(iOS 6 or later versions)

Allow/Restrict users from creating shared albums with photos/videos, using iCloud.

Sync Keychain (iOS 8 or later versions)

Allow/Restrict Keychain data such as account passwords, credit card information, security notes etc., on devices to be synced.

Sync iCloud Photo Library (iOS 9 or later versions only)

Allow/Restrict syncing photos from the iCloud Library, for downloading onto the devices.

Enterprise books backup (iOS 8 or later versions only)

Allow/Restrict backing up of data from the books distributed by the organization.

Enterprise books metadata sync (iOS 8 or later versions only)

Allow/Restrict syncing metadata like notes and highlights from enterprise books. To configure this, Enterprise books backup has to be enabled.

PRIVACY

Modify Find My Friends settings (iOS 7 or later versions - Supervised devices only)

Allow/Restrict users from modifying the settings of Find my Friends.

Send diagnostics data to Apple (iOS 6 or later versions)

Enabling this, lets diagnostic data to be sent to Apple.

Modify Diagnostics & Usage pane settings (iOS 9.3. or later versions - Supervised devices only)

Allowing this, lets users enable/disable diagnostics and usage pane settings.

Force limited ad tracking (iOS 7 or later versions)

Enable/Disable users from ad tracking and marketing on the devices.

Enable lock screen settings (iOS 7 or later versions)

Allow/Restrict users from accessing Control Center, Notification Center and Today View settings when the device is locked.

Settings below can be configured only if Enable lock screen settings is allowed.

Control Center (iOS 7 or later versions)

Allow/Restrict users from accessing Control Center when the device is locked.

Notification Center (iOS 7 or later versions)

Allow/Restrict notifications from being displayed when the device is locked.

Today View (iOS 7 or later versions)

Allow/Restrict Today View which displays information like the day, date, weather, reminders, etc., on the screen when the device is locked.

CONTENT RATINGS

Explicit Music & Podcasts (Supervised devices only)

Allow/Restrict explicit music and podcasts.

Enable ratings by region

Enable/Disable ratings by region.

Settings below can be configured only if Enable ratings by region is allowed.

Specify the Region

Choose the region, to specify the settings accordingly.

Maximum Allowable Ratings for Movies

Allow/Restrict to view movies based on the specified ratings.

Maximum Allowable Ratings for TV shows

Allow/Restrict to view TV shows based on the specified ratings.

Maximum Allowable Ratings for Apps

Allow/Restrict to use apps based on the specified ratings.

KEYBOARD SETTINGS

Dictionary word lookup (iOS 8.13 or later versions - Supervised devices only)

Allow/Restrict the built-in dictionary to retrieve words.

Predictive keyboard (iOS 8.1.3 or later versions - Supervised devices only)

Allow/Restrict the usage of predictive keyboard on the device.

Auto correction (iOS 8.1.3 or later versions - Supervised devices only)

Allow/Restrict use of auto correct on managed devices.

Spellcheck (iOS 8.1.3 or later versions - Supervised devices only)

Allow/Restrict the use of Spellcheck on managed devices.

Shortcuts on external keyboards (iOS 9 or later versions - Supervised devices only)

Allow/Restrict use of shortcuts from external keyboard(s).

Dictation (iOS 10.3 or later versions - Supervised devices only)

Allow/Restrict use of Dictation from the keyboard(s).

CLASSROOM (Applicable if Classroom 2.0 app is installed on the Teacher devices and the Student devices are Supervised)

Automatically join classes without prompting (iOS 11 or later versions)

Enabling this ensures, the student devices mandatorily join the classes, without any notification/prompt on the device.

Allow teacher's device to lock apps and devices without prompting (iOS 11 or later versions)

Enabling this ensures, the teacher can either fully lock the student device or lock specific apps on the device, without any notification/prompt on the device.

Allow AirPlay and screen viewing by teacher's device

Enabling this allows the teacher to view the student device screen, after notifying/requesting permission(s) to do the same from the user.

Allow teacher's device to AirPlay and view screen without prompting

Enabling this allows the teacher to view the student device screen, without any notification/prompt on the device. To configure this, Allow AirPlay and screen viewing by teacher's device should be enabled.

Teacher's permission required before leaving a classroom (iOS 11.3 or later versions)

Enabling this ensures, students request permission from the teacher before leaving a classroom.

See Also: Associating Profiles to Groups, Associating Profiles to Devices, App Management, Distribute Apps to Devices, Distribute Apps to Groups
Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine