Editing default iOS MDM settings

iOS MDM settings are editable, though, in most cases, you should not change access rights here.

Besides the initial iOS / macOS device registrations, the MDM profile is pushed to the device during

  • Ivanti Mobile@Work re-enroll option
  • Changing of the MDM access rights. Choosing less access rights results in the MDM profile being updated automatically; more access rights require a user prompt which is done via Ivanti Mobile@Work . If the device does not have Ivanti Mobile@Work , the MDM profile does not get updated until the device is retired and re-registered.

A re-push of the MDM profile will result in any applications with the Send convert unmanaged to managed app request on device registration or sign-in (iOS 9 or later) option selected. A repush of the MDM profile is considered a re-registration for the app install process. For more information, see the Ivanti EPMM Apps@Work Guide.

To edit the default iOS MDM settings:

  1. Go to Policies & Configs > Configurations.
  2. Select the System - iOS MDM configuration.
  3. Select Edit to open the Modify Profile MDM Setting dialog box.
  4. If changing an access right is necessary, select an access right in the Available list and select the appropriate arrow to move the access right to the Selected list. The table below summarizes these access rights.

  5. If you want Ivanti EPMM to indicate that the MDM profile has been removed from iOS devices, select Check out when MDM profile is removed.

    Receipt of this alert is not guaranteed. Therefore, this setting does not ensure notification upon removal of the profile.

  6. If you want to automatically alert iOS users when a new iOS MDM configuration is available, select Send an APNs message to iOS 5 and later devices...
  7. Select Save.

Table 1. Access Rights

Access Right


Allow inspection of installed configuration profiles.

Enables inventory of configuration profiles.

Allow installation and removal of configuration profiles.

Enables overall configuration tasks.

Allow device lock and passcode removal.

Enables remote lock and unlock capabilities.

Allow device erase.

Enables remote wipe.

Allow query of Device Information.

Enables inventory of standard device items, such as device capacity, serial number.

Allow query of Network Information.

Enables inventory of standard network items, such as phone/SIM numbers, MAC addresses.

Allow inspection of installed provisioning profiles.

Enables a device user to run select in-house apps.

Allow installation and removal of provisioning profiles.

Enables installation of select in-house apps.

Allow inspection of installed applications.

Enables app inventory.

Allow restriction-related queries.

Enables reports on the restrictions of each configuration profile on the device. These correspond to the settings in the iOS Restrictions and Passcode payloads.

Allow security-related queries.

Enables report on security items, such as whether a passcode is present.

Allow manipulation of settings.

Enables an administrator to turn on/off voice and data roaming.

Allow app management.

Enables the managed apps capability introduced in iOS 5 so that an administrator can push requests to install apps, prevent iCloud backup, and remove the apps and all app data on demand.