Restrictions

You can configure various restrictions on the managed devices, as per the requirements of your organization. You can allow or restrict user access to various features of the devices, like profile settings, application settings, iCloud settings, security, and privacy settings.

The status of restrictions imposed using MDM for a particular device is shown under Inventory -> Restrictions. When no restrictions are imposed by MDM, the status is displayed as Allowed by default.

PROFILE SETTINGS | DESCRIPTION | SUPERVISED | UNSUPERVISED

DEVICE FUNCTIONALITY

Camera

Camera(s) can be completely disabled and the icons removed from the home screen. This ensures users cannot take photos or use FaceTime.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

FaceTime

Allow/Restrict FaceTime video and audio calls. To allow FaceTime, Camera has to be allowed on the device.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Screenshot and Screen Recording

Allow/Restrict users from capturing the screenshot of the display.

Spotlight Internet Search (iOS 8 or later versions)

Allow/Restrict the usage of Spotlight Search to find content directly from the internet.

AirDrop (iOS 7 or later versions)

Allow/Restrict sharing of documents, media, etc., to other devices using AirDrop. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.

Voice Dialing

Allow/Restrict the usage of voice dialing.

iMessage (iOS 6 or later versions)

Allow/Restrict the usage of iMessage.

Siri

Allow/Restrict the usage of Siri.

Allow Siri when device is locked

Allow/Restrict the usage of Siri when the device is locked. This can be permitted only when Siri is enabled on the device.

Force Siri Profanity Filter (iOS 6 or later versions)

Allow/Restrict the profanity filtering in Siri. This can be permitted only when Siri is enabled on the device.

Allow Siri to query from the web (iOS 7 or later versions)

Allow/Restrict Siri to query content from the web (Wikipedia, Bing, and Twitter). This can be permitted only when Siri is enabled on the device.

Handoff (iOS 8 or later versions)

Enabling this option lets you resume existing work or access content from any device which is logged in using the same iCloud account.

Allow user to modify device name

Allow/Restrict the user from modifying the name of the device.

Set device date and time

Date and time can be set automatically on the device, based on the current network and location or it can be left to the user to configure.

AirPrint (iOS 11 or later versions)

Allow/Restrict managed devices to pair with a printer via AirPrint.

Store AirPrint credentials on iCloud (iOS 11 or later versions)

Allow/Restrict saving of AirPrint credentials on iCloud.

Enforce TLS trusted certificates for AirPrint (iOS 11 or later versions)

Secure AirPrint communication by enforcing TLS certificates to be used on the AirPrint printers.

Discover AirPrint printers using iBeacons (iOS 11 or later versions)

Enable/Disable the use of iBeacons, a Bluetooth service, to discover AirPrint printers.

SECURITY

Share data from managed apps to unmanaged apps (iOS 7 or later versions)

Allow/Restrict the sharing of corporate data from apps distributed by MDM to personal apps (not distributed by MDM). Till iOS 11, contacts shared from Exchange or using the Contact Sync profile are considered as managed contacts and cannot be accessed by unmanaged apps. From iOS 12, the managed contacts can be managed separately using the Allow managed apps to save contacts in unmanaged accounts or Allow unmanaged apps to access managed contacts restrictions.

Use AirDrop to share data from managed apps (iOS 9 or later)

Enable/Disable the usage of AirDrop to share data from managed apps to unmanaged apps. To enable this, Share data from managed apps to unmanaged apps should be allowed.

Allow managed apps to save contacts in unmanaged accounts (iOS 12 or later versions)

In devices running versions below iOS 12, contacts in managed apps are treated as managed contacts and cannot be saved in unmanaged accounts. From iOS 12 onwards, users can be allowed or restricted from storing these managed contacts in unmanaged accounts. To enable this, Share data from managed apps to unmanaged apps should be restricted.

Allow unmanaged apps to access managed contacts (iOS 12 or later versions)

In devices running versions below iOS 12, unmanaged apps cannot access the contacts in managed accounts. From iOS 12 onwards, users can be allowed or restricted from accessing these contacts from unmanaged apps. To enable this, Share data from managed apps to unmanaged apps should be restricted.

Share data from unmanaged apps to managed apps

Allow/Restrict the sharing of data from personal apps to apps distributed by MDM.

Force Encrypted Backup

Enable/Disable forced encrypted backup of data.

Allow user to wipe device by erasing all content and settings (iOS 8 or later versions)

Enabling this lets users erase all the content and settings on the device.

Allow user to configure Screen Time/Restrictions on device (iOS 8 or later versions)

Enable/Disable users from configuring Screen Time or device restrictions.
Note: From iOS 12, the Restrictions setting on the device has been renamed as Screen Time.

Allow Passbook when device is locked (iOS 6 or later versions)

Enable/Disable the usage of Passbook while the device is locked.

Use biometric methods such as TouchID and/or FaceID to unlock devices (iOS 7 or later versions)

Enable/Disable the usage of fingerprints/facial recognition to unlock devices.

Allow user to add or modify TouchID/FaceID (iOS 8.3 or later versions)

Enable users to add/modify the fingerprints/faces for facial recognition, on the device. If this has to be configured, Use biometric methods such as TouchID and/or FaceID to unlock devices has to be enabled.

ADVANCED SECURITY

Install configuration profiles and certificates interactively (iOS 6 or later versions)

Allow/Restrict users from installing/modifying configuration profiles and certificates.

Add/Modify iCloud, Mail and other accounts (iOS 7 or later versions)

Allow/Restrict users from adding/removing accounts such as Apple account, e-mail, etc. Once restricted, apps requiring Apple ID cannot be installed, whether distributed by MDM or not. You can however install apps silently on iOS devices without requiring Apple ID as explained here.

It is recommended to push the required profiles to configure email, or corporate accounts, before enabling this restriction. After enabling this restriction, accounts cannot be added or modified.

Accept untrusted TLS certificates

Allow/Restrict untrusted TLS (Transport Layer Security) certificates.

Automatic updates for trusted certificates (iOS 7 or later versions)

Allow/Restrict trusted certificates from updating automatically.

Allow iTunes pairing and other USB connections (iOS 7 or later versions)

Enable/Disable devices from being paired with any Mac other than the one used for supervising the device through Apple Configurator. As USB pairing is restricted, pairing with iTunes also gets restricted.

Allow USB connections when device is locked (iOS 11.4.1 or later versions)

Enable/Disable data transfer between devices via USB pairing, when locked. This can be allowed or left to users to modify the settings from the device.

USB flash drive (iOS 13 or later versions)

Allow/Restrict users from connecting any external storage drives to the device ensuring corporate data cannot be transferred from managed devices.

Force password for iTunes and App Store downloads

Enable/Disable prompting for the iTunes and App Store password for every download.

Force password for AirPlay outgoing requests (iOS 7 or later)

Enable/Disable prompting of password for all AirPlay outgoing requests during device pairing.

Force password for AirPlay incoming requests (iOS 7 or later versions)

Enable/Disable prompting password for all AirPlay incoming requests during device pairing.

Force Wrist Authentication to access notifications on Apple Watch (iOS 8.3 or later versions)

Enable/Disable Wrist authentication to access notifications on Apple Watch.

Pair with Apple Watch (iOS 9 or later versions)

Allow/Restrict device pairing with Apple Watch.

Set up other devices using proximity detection (iOS 11 or later versions)

Allow/Restrict devices from detecting other devices in their proximity to share their settings, iCloud and Wi-Fi passwords.

Autofill passwords in Safari and apps (iOS 12 or later versions)

Allow/Restrict autofill in browsers and apps.

Authenticate Face ID/Touch ID before allowing autofill (iOS 11 or later versions)

Allow/Restrict Face ID/Touch ID authentication before any password or credit card details are entered in browsers and apps. To configure this, Autofill passwords in Safari and apps should be enabled.

Share passwords with devices in proximity (iOS 12 or later versions)

Allow/Restrict devices getting notified to share their passwords with other devices in proximity.

Request passwords from devices in proximity (iOS 12 or later versions)

Allow/Restrict devices requesting other devices in proximity, to share their passwords.

APPLICATIONS

Users can install unapproved apps (iOS 9 or later versions)

Allow/Restrict users from installing apps either through App Store or by connecting it to a Mac machine and using iTunes for app installation. If restricted, in devices running iOS versions below 9, even the apps distributed through MDM cannot be installed but for devices running iOS 9.0 or later, these apps can be installed. Even if this restriction is disabled, by default, when a Managed Apple ID is used, the 'GET' option is disabled on the App Store.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Deleting apps

Allow/Restrict users from removing Apps.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Unauthorized enterprise apps (iOS 9 or later versions)

Allow/Restrict users from installing/using enterprise apps which are not distributed via MDM.

Automatically download apps on multiple devices with same Apple ID (iOS 9 or later versions)

Allow/Restrict users from downloading apps on multiple devices with the same Apple ID.

In-app purchase

Allow/Restrict users from making in-app purchases.

Game Center (iOS 6 or later versions)

Allow/Restrict the usage of Game Center.

Multiplayer Gaming

Allow/Restrict multiplayer gaming. To configure this, Game Center should be allowed.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Adding Game Center Friends

Allow/Restrict users from adding Game Center friends. To configure this, Game Center should be allowed.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

iTunes Store

Allow/Restrict the usage of iTunes Store.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Podcast app (iOS 8 or later versions)

Allow/Restrict users from accessing Podcasts.

News app (iOS 9 or later versions)

Allow/Restrict users from accessing News Apps.

Music Services (iOS 9.3 or later versions)

Restrict/Allow music services in the default iOS music app.

Radio Services (iOS 9.3 or later versions)

Restrict/Allow radio services in managed iOS devices.

Download iBooks content (iOS 6 or later versions)

Allow/Restrict users from downloading content from iBooks Store.

Erotic Content (iOS 6 or later versions)

Allow/Restrict users from downloading media which is tagged as erotic from iBooks. To configure this, Download iBooks content should be enabled.

BROWSER

Safari

Allow/Restrict the use of Safari.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Settings below can be configured only if Safari is allowed.

AutoFill

Enable/Disable autofilling of forms.

Force fraudulent website warning

Enable/Disable forced fraudulent website warning.

JavaScript

Allow/Restrict JavaScript.

Pop-ups

Enable/Disable pop-ups.

Cookies

Allow/Restrict Cookies.

NETWORK AND ROAMING

Automatic sync while roaming

Enabling this permits apps to fetch background data when the devices are roaming. This happens when users access the apps. It helps in controlling the data roaming charges.

Allow users to modify cellular data usage for apps (iOS 7 or later versions)

Enabling this lets users restrict the usage of cellular data for specific apps.

Modify Bluetooth (iOS 10.0 or later versions)

Allow/Restrict users from modifying Bluetooth. If Bluetooth is disabled via restrictions, AirDrop gets automatically disabled as well.

Set Bluetooth on devices (iOS 11.3 or later versions)

Bluetooth can be restricted to always On/Off state. To configure this, Modify Bluetooth should be enabled.

Connect to Wi-Fi, only if distributed via MDM (iOS 10.3 or later versions)

Enabling this ensures devices connect to a Wi-Fi network only if a Wi-Fi profile has been distributed via MDM. If no such profile has been distributed, the device cannot connect to another Wi-Fi network, which implies that it cannot be managed by MDM. If the Wi-Fi SSID has been changed, then the profile must be modified to include the new SSID and re-distributed to the device, for continued management.

Disabling this allows the device to connect to any Wi-Fi network, including the one configured and distributed via MDM.

Always on Wi-Fi (iOS 13 or later versions)

Wi-Fi can forcefully be enabled on your managed devices, ensuring users cannot turn it off. You can also allow users to enable or disable Wi-Fi by themselves.

Allow users to configure VPN (iOS 11 or later versions)

Enabling this lets users configure VPN on the managed iOS devices.

Modify Hotspot (iOS 12.2 or later versions)

Restrict/Allow the usage of Hotspot on the managed iOS devices.

Modify eSIM settings (iOS 12.2 or later versions)

Restrict/Allow users from removing the existing eSIM or adding a new one on supported iOS devices.

iCLOUD

Device backup

Allow/Restrict automatic backup of photos and documents, when devices are connected to Wi-Fi.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Sync data & documents from managed apps (iOS 8 or later versions)

Allow/Restrict the syncing of data and documents from managed apps.

Sync device data & documents

Allow/Restrict the syncing of data and documents from managed devices.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Sync Photo Stream

Allow/Restrict automatic backup of photos on the devices, when connected to Wi-Fi.

Sync Shared Stream (iOS 6 or later versions)

Allow/Restrict users from creating shared albums with photos/videos, using iCloud.

Sync Keychain (iOS 8 or later versions)

Allow/Restrict Keychain data such as account passwords, credit card information, security notes, etc., on devices to be synced.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Sync iCloud Photo Library (iOS 9 or later versions only)

Allow/Restrict syncing photos from the iCloud Library, for downloading onto the devices.

Enterprise books backup (iOS 8 or later versions only)

Allow/Restrict backing up of data from the books distributed by the organization.

Enterprise books metadata sync (iOS 8 or later versions only)

Allow/Restrict syncing metadata like notes and highlights from enterprise books. To configure this, Enterprise books backup has to be enabled.

PRIVACY

Find My Friends (iOS 13 or later versions)

Allow/Restrict users from configuring Find My Friends in the Find My app.

Modify Find My Friends settings (iOS 7 or later versions)

Allow/Restrict users from modifying settings under Find My Friends. This can be configured only when Find My Friends is allowed.

Find My Device (iOS 13 or later versions)

Allow/Restrict users from configuring Find My Device in the Find My app.

Send diagnostics data to Apple (iOS 6 or later versions)

Enabling this lets diagnostic data be sent to Apple.

Modify Diagnostics & Usage pane settings (iOS 9.3 or later versions)

Allowing this lets users enable/disable diagnostics and usage pane settings.

Force limited ad tracking (iOS 7 or later versions)

Enable/Disable users from ad tracking and marketing on the devices.

Enable lock screen settings (iOS 7 or later versions)

Allow/Restrict users from accessing Control Center, Notification Center and Today View settings when the device is locked.

Settings below can be configured only if Enable lock screen settings is allowed.

Control Center (iOS 7 or later versions)

Allow/Restrict users from accessing Control Center when the device is locked.

Notification Center (iOS 7 or later versions)

Allow/Restrict notifications from being displayed when the device is locked.

Today View (iOS 7 or later versions)

Allow/Restrict Today View which displays information like the day, date, weather, reminders, etc., on the screen when the device is locked.

CONTENT RATINGS

Explicit Music & Podcasts

Allow/Restrict explicit music and podcasts.

** For iOS 13 or later versions, this restriction is applicable only for supervised devices. With this restriction enabled, updating devices to iOS 13 will have no effect, unless the profile is revoked and re-associated with the device.

Enable ratings by region

Enable/Disable ratings by region.

Settings below can be configured only if Enable ratings by region is allowed.

Specify the Region

Choose the region, to specify the settings accordingly.

Maximum Allowable Ratings for Movies

Allow/Restrict to view movies based on the specified ratings.

Maximum Allowable Ratings for TV shows

Allow/Restrict to view TV shows based on the specified ratings.

Maximum Allowable Ratings for Apps

Allow/Restrict to use apps based on the specified ratings.

KEYBOARD SETTINGS

Dictionary word lookup (iOS 8.13 or later versions)

Allow/Restrict the built-in dictionary to retrieve words.

Predictive keyboard (iOS 8.1.3 or later versions)

Allow/Restrict the usage of predictive keyboard on the device.

Auto correction (iOS 8.1.3 or later versions)

Allow/Restrict use of auto correct on managed devices.

Spellcheck (iOS 8.1.3 or later versions)

Allow/Restrict the use of Spellcheck on managed devices.

Shortcuts on external keyboards (iOS 9 or later versions)

Allow/Restrict use of shortcuts from external keyboard(s).

Dictation (iOS 10.3 or later versions)

Allow/Restrict use of Dictation from the keyboard(s).

Swipe keyboard (iOS 13 or later versions)

Allow/Restrict the usage of QuickPath keyboard which lets you swipe across letters instead of typing manually.

CLASSROOM (Applicable if Classroom 2.0 app is installed on the Teacher devices and the Student devices are Supervised)

Automatically join classes without prompting (iOS 11 or later versions)

Enabling this ensures the student devices mandatorily join the classes, without any notification/prompt on the device.

Allow teacher's device to lock apps and devices without prompting (iOS 11 or later versions)

Enabling this ensures the teacher can either fully lock the student device or lock specific apps on the device, without any notification/prompt on the device.

Allow AirPlay and screen viewing by teacher's device

Enabling this allows the teacher to view the student device screen, after notifying/requesting permission(s) to do the same from the user.

Allow teacher's device to AirPlay and view screen without prompting

Enabling this allows the teacher to view the student device screen, without any notification/prompt on the device. To configure this, Allow AirPlay and screen viewing by teacher's device should be enabled.

Teacher's permission required before leaving a classroom (iOS 11.3 or later versions)

Enabling this ensures students request permission from the teacher before leaving a classroom.
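
Many rows in the table above state a prerequisite (for example, FaceTime needs Camera, and the managed-contact settings need Share data from managed apps to unmanaged apps to be restricted). The following is an added example, not part of the product or its documentation, that checks a planned restriction set against those stated prerequisites before it is pushed. The profile model (a dictionary of setting name to True/False) and all function names are assumptions made for illustration.

```python
# Added example: prerequisite rules transcribed from the restriction table above.
# Assumed model: setting name -> True (allowed/enabled) or False
# (restricted/disabled); settings left out are treated as Allowed, matching
# the default status the page describes.
ALLOW, CONFIGURE = "allow", "configure"
SHARE = "Share data from managed apps to unmanaged apps"
BIOMETRIC = "Use biometric methods such as TouchID and/or FaceID to unlock devices"

# (dependent, prerequisite, state the prerequisite must have, kind)
# ALLOW: checked only when the dependent is set to True.
# CONFIGURE: checked whenever the dependent appears in the profile at all.
RULES = [
    ("FaceTime", "Camera", True, ALLOW),
    ("Allow Siri when device is locked", "Siri", True, ALLOW),
    ("Force Siri Profanity Filter", "Siri", True, ALLOW),
    ("Allow Siri to query from the web", "Siri", True, ALLOW),
    ("Use AirDrop to share data from managed apps", SHARE, True, ALLOW),
    ("Allow managed apps to save contacts in unmanaged accounts", SHARE, False, ALLOW),
    ("Allow unmanaged apps to access managed contacts", SHARE, False, ALLOW),
    ("Allow user to add or modify TouchID/FaceID", BIOMETRIC, True, CONFIGURE),
    ("Authenticate Face ID/Touch ID before allowing autofill",
     "Autofill passwords in Safari and apps", True, CONFIGURE),
    ("Multiplayer Gaming", "Game Center", True, CONFIGURE),
    ("Adding Game Center Friends", "Game Center", True, CONFIGURE),
    ("Erotic Content", "Download iBooks content", True, CONFIGURE),
    ("Set Bluetooth on devices", "Modify Bluetooth", True, CONFIGURE),
    ("Enterprise books metadata sync", "Enterprise books backup", True, CONFIGURE),
    ("Modify Find My Friends settings", "Find My Friends", True, CONFIGURE),
    ("Allow teacher's device to AirPlay and view screen without prompting",
     "Allow AirPlay and screen viewing by teacher's device", True, CONFIGURE),
]
for sub in ("AutoFill", "Force fraudulent website warning", "JavaScript",
            "Pop-ups", "Cookies"):
    RULES.append((sub, "Safari", True, CONFIGURE))
for sub in ("Control Center", "Notification Center", "Today View"):
    RULES.append((sub, "Enable lock screen settings", True, CONFIGURE))

def check_profile(profile):
    """Return (dependent, prerequisite, required_state) for each conflict."""
    conflicts = []
    for dep, pre, required, kind in RULES:
        if dep not in profile:
            continue  # dependent not configured, nothing to check
        if kind == ALLOW and profile[dep] is not True:
            continue  # restricting a dependent never needs the prerequisite
        if profile.get(pre, True) != required:
            conflicts.append((dep, pre, required))
    return conflicts

def describe(conflict):
    dep, pre, required = conflict
    return f"'{dep}' needs '{pre}' to be {'allowed' if required else 'restricted'}"

# Constructed sample profile with three deliberate conflicts.
SAMPLE = {
    "Camera": False, "FaceTime": True,
    "Siri": True, "Allow Siri when device is locked": False,
    SHARE: True, "Allow unmanaged apps to access managed contacts": True,
    "Safari": False, "JavaScript": False,
    "Game Center": True, "Multiplayer Gaming": True,
}

if __name__ == "__main__":
    for conflict in check_profile(SAMPLE):
        print(describe(conflict))
```
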

Copyright © 2020, ZOHO Corp. All Rights Reserved.
ManageEngine