Category filter

How to set up iOS MDM Restrictions?

A restriction policy pushed to an iOS device blocks several device functionalities in one go. This, in turn, protects the corporate data from being vulnerable to a security attack. Hexnode allows you to selectively restrict functionalities or apps on your iOS device from the web console.

Configuring iOS device restrictions via MDM policy

To configure restrictions on your iOS device,

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Restrictions / Advanced Restrictions. Click Configure.
Note:


Some restrictions are applicable only for supervised iOS devices. Such restrictions are listed under Advanced Restrictions.

Basic Restrictions

List of iOS basic restrictions on the Hexnode portal

Allow Device Functionality

Restricting Device Functions
Restrictions Description Supported versions
Camera Allow users to access the device camera. If this option is disabled, the Camera icon will be hidden, and users will not be able to capture photographs or videos. Enabled by default.
  • iOS 4.0 +
  • Supervised iOS 13.0+
Facetime

(Available when Camera is enabled)

Allow access to the FaceTime app when the device camera is enabled. If this option is disabled, users will not be able to make or receive FaceTime audio or video calls. Enabled by default.
  • iOS 4.0+
  • Supervised iOS 13.0+
Screen capture Allow users to take a screenshot or recording of the screen. Enabled by default. iOS 4.0+
Allow Remote Screen Observation

(Available when Screen capture is enabled)

Allows Remote Screen Observation by the classroom app. Enabled by default. iOS 12.0+
Touch ID Allow users to unlock devices using biometric fingerprint authentication. Enabled by default. iOS 7.0+
Siri Allow users to access Siri, the personal voice assistant on all Apple devices. Enabled by default. iOS 5.0+
Allow Siri while device is locked

(Available when Siri is enabled)

Allows Siri to identify voice when the device is locked. Enabled by default.
Note:

The device must be passcode protected for this option to work.

iOS 5.1+
Voice dialing Uncheck to disable voice dialing, a feature that will call Josh (for example) if you hold down the home button and say “Call Josh.” It is allowed by default.
Note:

If the voice dialing is disabled and if a passcode is set on the device, the device asks for the passcode on voice dialing.

iOS 4.0+
Automatic sync while roaming Allow apps on the device to fetch data in the background while roaming, which might incur additional data charges. Enabled by default. iOS 4.0+

Allow Application Settings

App-based Restrictions
Restrictions Description Supported versions
Install apps If unchecked, the App Store is disabled, and its icon is removed from the home screen, preventing users from installing or updating apps. This applies to all types of apps, including those from the third-party marketplace and locally installed apps through methods like Configurator or Xcode.
Note:


Store apps can be installed from the Hexnode UEM portal on iOS 10+ devices, even if this option is unchecked.

Supervised iOS 13.0+
iTunes Store Option to allow/disallow the iTunes store. If this option is disabled, users cannot view, buy, or download any content from the iTunes store. Allowed by default.
  • iOS 4.0+
  • Supervised iOS 13.0+
Force user to enter iTunes store password for each purchase Users are asked to provide the Apple ID password for each in-app or iTunes purchase. Forced by default. iOS 6.0+
In-app purchases Allow users to make purchases within the app, for example, additional gems in a game (or in-game coins) with real money. Allowed by default. iOS 4.0+
Trust enterprise app Enterprise apps need to be trusted before getting them installed. Checking this option allows you to install Enterprise apps on the device. If this option is unchecked, the ‘Trust (Enterprise Developer Name)’ button under Settings > General > Profiles & Device Management will be removed. Allowed by default. iOS 9.0+
Users can modify enterprise app trust Users can choose whether or not to install an enterprise app. Allowed by default. iOS 9.0+
Backup enterprise-deployed iBooks If disallowed, users cannot back up the iBooks, which are deployed by their organization, to iCloud. Allowed by default. iOS 8.0+
Sync managed app data with iCloud Allow users to store data from managed apps in their iCloud accounts. Allowed by default. iOS 8.0+
YouTube Choose whether to disable the YouTube app on the Apple device. Allowed by default. Below iOS 6
Safari Disables Safari and hides the app icon if this option is unchecked. It also prevents users from opening web clips. Allowed by default.
  • iOS 4.0+
  • Supervised iOS 13.0+
Autofill

(To modify, allow Safari)

Allow Safari to have your web forms auto-filled with your name, phone number, email address, password, etc. If this option is disabled, Safari Autofill will be disabled, and automatic strong passwords will not be suggested to the users. Enabled by default.
  • iOS 4.0+
  • Supervised iOS 13.0+
Fraud warning

(To modify, allow Safari)

Safari shows a warning when you try to access fraudulent or compromised sites and asks whether you need to continue browsing or not. Fraud warning is disabled by default. iOS 4.0+
JavaScript

(To modify, allow Safari)

Most websites use JavaScript (JS) to display some content and to handle background tasks (handling forms, for instance) on the web page. If you do not wish to expose more functionality to the users, you can disable JS. Hexnode UEM enables JavaScript by default. The text below shows whether you’ve enabled/disabled JS.
iOS 4.0+
Block pop-ups

(To modify, allow Safari)

All pop-ups are blocked by default in Safari. Allowed by default. iOS 4.0+
Accept cookies

(To modify, allow Safari)

You can choose from three available options.
  • Never: Safari will not accept any cookies.
  • Note:


    Some websites may fail to function properly if this option is selected. 

  • From Visited Sites: Safari will accept cookies and data from the websites you visit. Cookies from a website that have embedded contents in the website you browse will be blocked. This option is available on iOS 8 and later versions.
  • Always (default): Safari allows all websites to store cookies on your device.
iOS 4.0+
Access Passbook when the device is locked Allow accessing the Wallet app when the device is locked. Disallowed by default iOS 6.0+
Add friends in Game Center Allow users to find or add friends in Game Center. Allowed by default.
  • iOS 4.2.1+
  • Supervised iOS 13.0+

Allow iCloud Settings

Restricting iCloud Features

All these restrictions will be allowed by default.

Restriction Description Supported versions
Backup Users are allowed to back up their files to iCloud if this option is enabled.
  • iOS 5.0+
  • Supervised iOS 13.0+
Sync documents Allow users to sync documents and data in the devices with their iCloud accounts.
  • iOS 5.0+
  • Supervised iOS 13.0+
Photo Stream

(WARNING: Disabling this option can cause data loss)

‘My Photo Stream’ lets you automatically upload new photos to iCloud and send them to all of your iCloud devices. So, if you take a new photo with your device, you can see it on your other iCloud devices, including Mac or Windows PC, for 30 days using ‘My Photo Stream’. If the Photo Stream option is disabled, existing photos in ‘My Photo Stream’ will be erased, and new photos from the Camera Roll will not be sent to ‘My Photo Stream.’ iOS 5.0+
Share photo streams You can choose whether the users can share the photos and albums in their Apple devices with their friends or family. If set to disabled, ‘iCloud Photo Sharing’ will not be available on the devices. iOS 6.0+
iCloud photo library Photo Library stores all the photos and videos on iCloud and can be viewed across all your devices as long as the files reside in iCloud. If this option is unchecked, ‘iCloud Photo Library’ will be disabled, and any incomplete downloads from the library will be removed from the devices. iOS 9.0+
Sync enterprise book metadata across devices Synchronize book metadata (notes and highlights) across devices. iOS 8.0+

Allow Security and Privacy Settings

Setting up Restrictions to Improve Security and Privacy
Restriction Description Supported versions
Lock screen notifications When disabled, users cannot view the Notification history on the lock screen. However, they can still see new notifications as they arrive. Allowed by default. iOS 7.0+
Today View on lock screen Today View can show the news, sports scores, calendar notification, weather, and a lot more for the day. If disabled, users cannot swipe down to access the Today View on the lock screen. Allowed by default.
Note:

Today View is disabled by default on Shared iPads.

iOS 7.0+
Control Center on lock screen Control Center provides quick access to commonly used controls and settings. If disabled, users cannot swipe up to access the Control Center app from the lock screen. Allowed by default. iOS 7.0+
Over the air PKI updates Allow businesses to make changes to the root certificate over-the-air. If disabled, users cannot receive software updates without connecting the devices to a computer. Allowed by default. iOS 7.0+
Limit ad tracking Prevent user-targeted ads from advertising networks. By default, ad tracking will not be limited. iOS 7.0+
Send diagnostic data to Apple Diagnostic data contains hardware specifications, details of the operating system, and other details like when and why an app crashed. It will not contain any app usage/personal data. Allowed by default. iOS 6.0+
Accept untrusted TLS certificate The device accepts untrusted Transport Layer Security (TLS) certificates if this option is enabled. This restriction applies to Mail, Safari, Contacts, and Calendar accounts. Allowed by default. iOS 5.0+
Force encrypted backup Data are encrypted while backing up. Encrypted backup is not forced by default. iOS 4.0+
Show notification on Apple Watch if worn Notifications are shown on the paired Apple Watch only when it is worn. If the Apple Watch is removed from the user’s wrist, it will be locked automatically. By default, wrist detection isn’t forced. iOS 8.2+

Allow Explicit Content

Restrictions based on Content Rating
Restriction Description Supported versions
Explicit music, podcasts and iTunes U services Allow users to access adult-rated music and podcast and iTunes U services (free courses for colleges). If disabled, explicit content listed in iTunes U or purchased from the iTunes store will be hidden. Allowed by default.
  • iOS 4.0+
  • Supervised iOS 13.0+
iBooks store erotica Allow access to adult-rated content in the iBooks store. If this option is left unchecked, explicit content purchased from Apple Books will be hidden. Disabled by default. iOS 6.0+

Rating region

Select the ratings region to show the region-based rating for movies, TV shows, and apps (shown in the next section). The available rating regions are United States, Australia, Canada, Germany, France, Ireland, Japan, New Zealand, and the United Kingdom.

Content Rating

Movie and TV show ratings differ with the ratings region. The ratings displayed here are based on the rating region you set above. In every region you choose, you may allow or disallow all movies and TV shows.

Movies
Region Rating Description
United States G Movies that are meant for the general audience.
PG Recommended parental guidance since some material might be inappropriate for children.
PG-13 Recommended parental guidance for those aged below 13.
R Restricted content, recommended parental guidance for under 17.
NC-17 Strictly restricted to adults (17 or above). No children are allowed.
Australia G Suitable for all audiences.
PG Parental guidance is required for children below 15.
M Content is not recommended for children under 15 but is not restricted to 15 and above.
MA-15+ Audience below 15 should be accompanied by adults.
R-18+ Restricted to 18 and above.
Canada G Viewable for the general audience.
PG Parental guidance is suggested.
14A Audiences under 14 are allowed if accompanied by an adult.
18A Audiences under 18 are allowed if accompanied by an adult.
R Restricted to adults (18 and above).
France 10 Not suitable for those aged under 10.
12 Not suitable for those aged under 12.
16 Not suitable for those aged under 16.
18 Not suitable for those aged under 18.
Germany Ohne Altersbeschränkung Unrestricted content.
Freigegeben ab 6 Jahren Content suitable for all aged 6 or above.
Freigegeben ab 12 Jahren Content suitable for all aged 12 or above.
Freigegeben ab 16 Jahren Content suitable for all aged 16 or above.
Keine Jugendfreigabe Content suitable for all aged 18 or above.
Ireland G Movies that are meant for the general audience.
PG Parental guidance recommended.
12 Content strictly for aged 12 or above.
15 Content strictly for aged 15 or above.
16 Content strictly for aged 16 or above.
18 Content strictly for aged 18 or above.
Japan G Suitable for all.
PG-12 Under 12 are allowed only if accompanied by parents.
R-15 Content strictly for 15 or above.
R-18 Content strictly for 18 or above.
New Zealand G Content which is suitable for the general audience.
PG Parental guidance required for the younger audience.
M All above 10 are permitted to view the content.
R13 Restricted to 13 and above.
R15 Restricted to 15 and above.
R16 Restricted to 16 and above.
R18 Restricted to 18 and above.
R Restricted to a certain class of people.
RP16 Younger audience (under 16) are permitted only if accompanied by a parent.
United Kingdom U Universal – suitable for all ages.
Uc Suitable for children.
PG Requires parental guidance for under 8.
12 Strictly restricted to 12 or above.
12A Restricted to 12 or above unless accompanied by an adult.
15 Strictly restricted to 15 or above.
18 Strictly restricted to 18 or above.

TV Shows
Region Rating Description
United States TV-Y Appropriate for young audience.
TV-Y7 Appropriate for young audience of age 7 or above.
TV-G Content appropriate for the general audience (everyone).
TV-PG Appropriate if there is parental guidance. Such content may not be appropriate for all ages.
TV-14 Appropriate for 14 years of age or above.
TV-MA Content not suitable for audience with 17 years of age or below.
Australia P Content for pre-schoolers (no ads in-between).
C Content that can be viewed by children (14 years of age or less).
G Suitable for the general audience.
PG Viewers should be accompanied by parental guidance.
M TV programs for Mature (15+ aged) audience, medium impact.
MA15+ TV programs for matured audiences, strong impact.
AV15+ Content with adult violence. Recommended viewing for those aged 15 or above.
Canada C Suitable for children below 8.
C8 Suitable for children, 8 years or older.
G Content can be viewed by general audience.
PG Content can be viewed with parental guidance.
14+ Contains content which can be viewed by ages 14 and above.
18+ Contains content which is not meant for audience below 18 years of age.
France Déconseillé aux moins de 10 ans Not suitable for those aged under 10.
Déconseillé aux moins de 14 ans Not suitable for those aged under 14.
Déconseillé aux moins de 16 ans Not suitable for those aged under 16.
Déconseillé aux moins de 18 ans Not suitable for those aged under 18.
Germany ab 0 Jahren Suitable for all ages.
ab 6 Jahren Suitable for ages 6 and above.
ab 12 Jahren Suitable for ages 12 and above.
ab 16 Jahren Suitable for ages 16 and above.
ab 18 Jahren Suitable for ages 18 and above.
Ireland GA Content of the TV show is meant to be viewed by the general audience.
Ch Content for children. Suitable for ages 5 to 10.
YA Suitable for young adults (ages 10 to 13).
PS Suitable for ages 14 to 17. Younger audiences can be allowed to view the content with parental supervision.
MA Suitable for ages 18 and up.
Japan Explicit Allowed Not suitable for minors.
New Zealand G TV shows meant for the general audience.
PGR Shows which are meant to be viewed with parental guidance.
AO Adults only content.
United Kingdom Caution Caution for adult content.

Apps

Apps have the same ratings for every region. The options available include: Don’t allow any apps, 4+, 9+, 12+, 17+, Allow all apps.

Notes:

  • Existing managed applications that do not comply with the ratings will get removed from the device.
  • New applications that do not comply with the ratings cannot be installed manually from the App Store or via the Hexnode portal.

Advanced Restrictions

Advanced Restrictions are available only on supervised iOS devices.

Allow Device Functionality

List of supported advanced restrictions for supervised iOS devices on the Hexnode portal

Restricting Device Functions
Restrictions Description Supported versions
AirDrop Allow iOS devices to transfer data between iOS or Mac devices over Wi-Fi or Bluetooth. Allowed by default. Supervised iOS 7.0+
Apps can modify cellular data usage Allow users to allow/disallow apps to use cellular data. Allowed by default. Supervised iOS 7.0+
Add or remove TouchID/Face ID Uncheck this option to prevent users from adding, removing or changing a fingerprint/face ID. Disallowed by default.
Note:

Touch ID is replaced by Face ID on iPad Pro (third generation), iPhone X, and later models.

  • Supervised iOS 8.3+ (Touch ID)
  • Supervised iOS 11.0+ (Face ID)
iMessage Allow use of the iMessage app. If disallowed, the app will be disabled, and the app icon will be hidden. Allowed by default. Supervised iOS 6.0+
Game Center Allow use of the Game Center app. If disabled, the app icon will be removed. Allowed by default. Supervised iOS 6.0+
Multiplayer gaming Allow users to play multiplayer games on their Apple devices. Allowed by default. Supervised iOS 4.1+
Install configuration profile Allow users to install configuration profiles and certificates on their devices. Although this is restricted to be installed only by MDM software from iOS 11, older iOS versions can allow it to be installed. Allowed by default. Supervised iOS 6.0+
Handoff Allows users to start tasks on one Apple device and continue working on it from another Apple device signed in using the same Apple ID. iOS 8.0+
Definition lookup Definition lookup is a feature in iOS where the user can select a word and look up its definition. Allowed by default. Supervised iOS 8.1.3+
Predictive keyboard Turn this option off to disable the keyboard from predicting the next word as you type. Allowed by default. Supervised iOS 8.1.3+
Auto-correct words Allow the device to auto-correct the word the user types with the one in the dictionary. It can be frustrating if, for example, the keyboard language is set to English, but the user is typing in his native language. Allowed by default. Supervised iOS 8.1.3+
Suggest words on misspellings Allow the device to check for misspellings and suggest words if found misspelled. If disabled, users won’t be able to see misspelled words underlined in red. Allowed by default. Supervised iOS 8.1.3+
QuickPath Keyboard Allows the user to type by sliding from one letter to the next. Supervised iOS 13.0+
Keyboard shortcuts Keyboard shortcuts in iOS are way different from Ctrl+C and Ctrl+V in Windows. To set up shortcuts, go to SettingsGeneralKeyboardText Replacement → the + sign on top-right. Enter a phrase like “I’m in a meeting. I’ll call you later” and a shortcut, something like “iiamcy”, then save. Whenever you type iiamcy and leave a space, the text “I’m in a meeting. I’ll call you later” will be auto-pasted. Allowed by default. Supervised iOS 9.0+
USB Drive Access in Files App This option allows the Files app to access any USB drives connected to the device. Supervised iOS 13.1+
Network Drive Access in Files App This option allows the user to access any network drives in the Files app. Supervised iOS 13.1+
Pair with Apple Watch Disable to block users from pairing their devices with Apple Watch. Any currently paired Apple Watch will then be removed and erased. Allowed by default. Supervised iOS 9.0+
Modify diagnostic data submission settings Uncheck this option to block users from turning on/off the option to send diagnostic data to Apple. Allowed by default. Supervised iOS 9.3.2+
Modify Bluetooth settings Allow users to turn Bluetooth on/off on their device. Allowed by default. Supervised iOS 10.0+
Use voice to type Allow users to use their voice to enter text. Allowed by default. Supervised iOS 10.3+
Force Wi-Fi ON If enabled, it restricts the user from turning off the Wi-Fi even by switching on the Airplane mode. Supervised iOS 13.0+
Connect to MDM-configured Wi-Fi networks only

(Available if Wi-Fi is configured)

Consider the case where there are user-configured and MDM-configured Wi-Fi networks in an area. If this option is enabled, even if the user tries to connect to the user-configured network, the device will connect to the MDM-configured one (PoliciesiOSNetworkWi-Fi). Not forced by default.
Warning:


Make sure the Wi-Fi password provided under the Wi-Fi configuration is correct. The devices cannot be managed if a Wi-Fi network is unavailable unless you have a cellular network connection. If devices locked in kiosk mode fail to connect to a network connection, it will result in the freezing of the devices in an inoperable mode.

Supervised iOS 10.3+
Users can modify Personal Hotspot settings Unchecking this option prevents the users from modifying the personal hotspot settings on the device. Supervised iOS 12.2+
Create VPN configuration Allow users to create a new VPN configuration. Allowed by default. Supervised iOS 11.0+
AirPrint AirPrint is the feature that allows printing with AirPrint-compatible or shared printers wirelessly. Allowed by default. Supervised iOS 11.0+
Connect with iBeacon

(Available if AirPrint is enabled)

Choose whether AirPrint can connect with iBeacon for printing. iBeacon is a protocol, and there are iBeacon-enabled devices available to which if a device comes in close proximity, actions can be performed. iBeacon connects with Apple devices using Wi-Fi or Bluetooth, and with printers using its IP address. If disabled, users will not be able to discover AirPrint printers using iBeacon, which prevents malicious AirPrint Bluetooth beacons from phishing for network traffic. Allowed by default. Supervised iOS 11.0+
Store AirPrint credentials in Keychain

(Available if AirPrint is enabled)

The AirPrint credentials are stored in Keychain, a service that syncs credentials and credit card numbers across your Apple devices via iCloud. Allowed by default. Supervised iOS 11.0+
Use trusted certificates for secure printing

(Available if AirPrint is enabled)

Force the trusted certificates for TLS required for printing. If disabled, users cannot use AirPrint to print from printers with untrusted certificates. Disallowed by default. Supervised iOS 11.0+
Modify cellular plan settings Allows users to change any settings related to their cellular plan. Allowed by default. Supervised iOS 11.0+
eSIM Modification Unchecking this option restricts users from adding or removing a cellular plan to the eSim on their devices. Enabled by default. Supervised iOS 12.1+
Live Voicemail Live Voicemail in iOS 17 can show a real-time transcription of the voicemail message someone is leaving on the device as they speak. Unchecking this option will disable the Live Voicemail feature on the device. Enabled by default. Supervised iOS 17.2+
Force preserve eSIM on erase Enabling this option will let the system preserve the eSIM data when the device is erased due to maximum failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Disabled by default.
Note:

The system does not preserve the eSIM data if the device is erased by the Find My application.

Supervised iOS 17.2+

Allow App Settings

App-based Restrictions
Restrictions Description Supported versions
Install app from App Store Unchecking this option disables the App Store and removes its icon from the Home Screen. However, users can install or update apps via the iTunes app or Configurator. Allowed by default.
Note:


Store apps can be installed from the Hexnode UEM portal on iOS 10+ devices, even if this option is unchecked.

Supervised iOS 9.0+
Install apps from third-party app marketplaces Unchecking this option prevents the installation of apps from third-party app marketplaces from the web.
Note:


This restriction applies only to users in regions where there is availability of third-party app marketplaces.

Supervised iOS 17.4+
Install apps from web Unchecking this option prevents the installation of apps directly from websites.
Note:


This restriction applies only to users in regions where there is availability of Web Distribution by Apple.

Supervised iOS 17.5+
Remove apps Give the users the privilege to uninstall apps from their devices. Allowed by default. Supervised iOS 4.2.1+
Remove system apps Users can remove apps that are built in the device by default. Have a look at the list of system apps that can be removed from the device by the user: Calculator, Calendar, Compass, Contacts, FaceTime, Find My Friends, Home, iBooks, iCloud Drive, iTunes Store, Mail, Maps, Music, News, Notes, Podcasts, Reminders, Stocks, Tips, Videos or TV, Voice Memos, Watch app, and Weather. Once removed, you can restore them from the App Store. Allowed by default. Supervised iOS 11.0+
iBooks store Allow users to browse the iBooks store and purchase books. Allowed by default. Supervised iOS 6.0+
Apple Music Allow users to turn on the Apple Music app. Allowed by default. Supervised iOS 9.3+
iTunes Radio iTunes Radio is an app that allows you to listen to Internet Radio. Allowed by default. Supervised iOS 9.3+
News Allow users to access to News app. Disallowing will disable the app and hide its icon from the list of apps. Allowed by default. Supervised iOS 9.0+
Podcasts Allow users to use the Podcasts app. Allowed by default. Supervised iOS 8.0+
Download all purchased apps automatically By default, Apple auto-downloads the apps that you’ve already purchased (paid apps) or downloaded (free ones) on your previous device (when the same Apple ID is used). If this option is disabled, automatic downloads are held off. It also doesn’t affect updates to the existing apps. Supervised iOS 9.0+

Allow Security and Privacy Settings

Setting up Restrictions to Improve Security and Privacy
Restriction Description Supported versions
Activation Lock Check this option to enable Activation Lock on the device. Activation Lock is a feature to lock your device from activating if it’s been lost, stolen, or reset. To enable Activation Lock, disable Find My iPhone manually and enable it again for the restriction to take effect on the device. Supervised iOS 7.0+
Modify an account When disabled, users are not permitted to create/delete an account or change the password of an account. Account modification also includes modification of app accounts accessible from the device settings app, such as Mail, Calendar, Contacts, and more. Allowed by default. Supervised iOS 7.0+
Erase content and settings Allow users to erase their devices and reset them to factory defaults. Allowed by default. Supervised iOS 8.0+
Siri can access user-generated content Allow Siri to access content from websites that use user-generated content, such as Wikipedia. If disabled, Siri cannot access user-generated content from the internet. Allowed by default. Supervised iOS 7.0+
Find My Device Enables the Find My Device option in the Find My application. Supervised iOS 13.0+
Find My Friends Enables the Find My Friends option in the Find My application. Supervised iOS 13.0+
Modify Find My Friends This option enables the user’s ability to change the settings for Find My Friends app. Allowed by default. Supervised iOS 7.0+
Use profanity filter Restrict Siri from using abusive languages. By default, use of profanity filter is disabled. Supervised iOS 6.0+
Show web results using Spotlight Search Disable this option to block Spotlight from returning any results from the internet. Spotlight is a feature that brings up the definition for terms from the Oxford dictionary, Wikipedia, etc. and searches across the device for files. Allowed by default. Supervised iOS 8.0+
Modify Restrictions / Screen Time Allows users to enable their own restrictions or parental controls on the device. Unchecking this option in iOS 12+ devices removes the Turn on Screen Time option from Settings > Screen Time and also prevents users from accessing the restrictions tab under Settings > General > Device Management > Management Profile.

For iOS 12+ devices, Parental controls come under Screen Time settings.

Supervised iOS 8.0+
Modify passcode Unchecking this option prevents the users from adding/changing or removing passcode from the devices. It also prevents the user from associating a passcode policy with the device. Supervised iOS 9.0+
Modify device name Unchecking this option prevents the user from changing the device name as shown in Settings > General > About.

Note: You cannot modify the device name both from the device end and the portal.

Supervised iOS 9.0+
Modify wallpaper Unchecking this option prevents the user from changing the home screen and lock screen wallpaper on the device. Supervised iOS 9.0+
Users can turn notifications on/off Unchecking this option disables Notification Style under Settings > Notifications. It prevents the user from modifying the notification settings for each app. Supervised iOS 9.3+
Force Automatic Date and Time This option turns on the ‘Set Automatically’ option under Settings > General > Date & Time and restricts the user from turning it off.

Note: The device’s time zone will be updated only if location services are enabled on the device.

Supervised iOS 12.0+
Autofill Passwords Unchecking this option prevents the prompt from using the saved passwords in Safari or other apps. Automatic strong passwords will also be disabled and strong passwords will not be suggested to the users. Supervised iOS 12.0+
Request passwords from nearby devices Allows users to request passwords from nearby devices. Supervised iOS 12.0+
Share passwords via Airdrop Passwords feature Checking this option allows the users to share their passwords through Airdrop. Supervised iOS 12.0+
Allow USB accessories when locked Enables the device to access USB accessories connected to the device even when locked.
Notes:
  • If a USB accessory has been granted access within the past 1 hour, it may be granted access without unlocking the device.
  • Existing USB connections may be temporarily disabled if the device remains locked for more than 1 hour. The connections can be enabled by unlocking the device again.

Supervised iOS 11.4.1+
Prevent pairing with non-configurator hosts Checking this option blocks users from pairing their devices with anything except the supervision host. The supervision host refers to the Mac with Apple Configurator 2 where the devices were first supervised. Allowed by default. Supervised iOS 7.0+
Shared iPad Temporary Session Checking this option allows users to access shared iPads by signing in as a Guest, without needing a Managed Apple ID or password. Supervised iOS 13.4+

How to Associate the Policies with Device/Groups?

There are two ways by which you can associate restrictions with the devices in bulk.

If the policy has not yet been saved,

  1. Navigate to Policy Targets.
  2. Click on +Add Devices.
  3. Select the devices and click OK.
  4. Click on Save to apply the policies to devices.

Apart from devices, you can also associate the policies with Device Groups, Users, User Groups, or Domains from Policy Targets.

If the policy has been saved, you can associate it by another method.

  1. From Policies, check the policies to be associated.
  2. Click on Manage > Associate Targets and select the device.
  3. Click on Associate to apply the policy to the devices.
  • Managing iOS Devices