iOS and tvOS restrictions settings
Select Policies & Configs > Configurations > Add New > Apple > iOS / tvOS > Restrictions to specify lockdown capabilities for iOS and tvOS devices.
There are restrictions available on all iOS/tvOS devices. Each restriction has a default value that is determined by Apple. Without a restrictions configuration, the values in Ivanti EPMM's Restrictions tab will be the default ones as defined by Apple. When Ivanti EPMM sends a restriction configuration, the values will be set based on that configuration. The next Restrictions "report" will display in the Device Details page > Restrictions tab and will list the new values based on the configurations sent and what was sent by the device.
The Restrictions report may not display each and every restriction that was sent.
When iOS 13 devices upgrade to Ivanti EPMM, restrictions are enabled by default. However, when tvOS 12.2 and 13.0 devices upgrade, the restrictions are not enabled by default.
If User Enrollment through Apple Business Manager was done, the Restrictions tab may not display the table and instead display "No Data." This is because no data was returned listing which restrictions were set and what the values were.
If Notes for Audit Logs is enabled, after selecting Save, a text dialog box opens. Enter the reason for the change and then select Confirm. For more information, see Best practices: label management.
When there are two iOS restrictions of the same key and are pushed to the device with conflicting values, Ivanti EPMM will send both restrictions to device. However, when two restriction configuration are sent to device with different values, Apple states that the most restrictive option takes precedence. There is no clear documentation from Apple about this behavior. Best practice is to have a single restriction setting with the desired value set instead of multiple settings with same key, which results in having value conflicts.
The following table summarizes the settings.
|
Item |
Description |
Enabled by default |
|---|---|---|
|
Name |
Enter brief text that identifies this group of iOS restriction settings. |
N/A |
|
Description |
Enter additional text that clarifies the purpose of this group of iOS restriction settings. |
N/A |
|
Device Functionality |
|
|
|
allowCamera Select to disable the camera and remove its icon from the Home screen. Users will be unable to take photographs. Clearing this restriction also disables the Allow FaceTime restriction. |
Yes |
|
|
Allow FaceTime |
allowVideoConferencing When deselected, disables video conferencing. As of iOS 13, requires a supervised device. |
Yes |
|
Allow screenshots and screen recording |
allowScreenShot When deselected, users are unable to save screenshots or record video of the display. When deselected, this restriction prevents the Classroom app from observing remote screens. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow AirPlay and View Screen by Classroom (supervised devices only) |
allowRemoteScreenObservation Select to enable remote screen observation. Available for iOS 9.3 or supported newer versions. |
Yes |
|
Allow Classroom to perform AirPlay and View Screen without prompting (iOS 10.3 and later with supervised devices only) |
forceClassroomUnpromptedScreenObservation Select to enable remote screen observation without prompting. Available for iOS 10.3 or supported newer versions. |
Yes |
|
Allow AirDrop (supervised devices only) |
allowAirDrop If deselected, AirDrop is disabled. |
Yes |
|
Allow iMessage (supervised devices only) |
allowChat When deselected, disables the use of the Messages app with supervised devices. |
Yes |
|
Allow Apple Music (with supervised devices only) |
allowMusicService If disabled, Music service is disabled and Music app reverts to classic mode. Available for iOS 9.3 or supported newer versions. |
Yes |
|
Allow Radio (supervised devices only) |
allowRadioService If disabled, iTunes Radio is disabled. Available for iOS 9.3 or supported newer versions. |
Yes |
|
Allow voice dialing while device is locked |
allowVoiceDialing When deselected, disables voice dialing. |
Yes |
|
Allow Siri |
allowAssistant When deselected, disables Siri. |
Yes |
|
Allow Siri while device is locked |
allowAssistantWhileLocked When deselected, the user is unable to use Siri when the device is locked. This restriction is ignored if the device does not have a passcode set. |
Yes |
|
Enable Siri profanity filter (supervised devices only) |
forceAssistantProfanityFilter When selected, forces the use of the profanity filter assistant. Available for iOS 8.0 or supported newer versions. |
No |
|
Show user-generated content in Siri (supervised devices only) |
allowAssistantUserGeneratedContent If deselected, prevents Siri from querying user-generated content from the web. |
Yes |
|
Allow Siri Suggestions (supervised devices only) |
allowSpotlightInternetResults If deselected, prevents Siri from offering suggestions for apps, people, search results, and more. |
Yes |
|
Allow server-side logging of Siri commands (iOS 12.2 and later) |
allowSiriServerLogging If deselected, disables server-side Siri logging. Applicable to iOS 12.2 or supported newer versions. |
Yes |
|
Allow Apple Books (supervised devices only) |
allowBookstore Select to allow access to iBookstore. |
Yes |
|
Allow installing apps using Apple Configurator and iTunes (supervised devices only) |
allowAppInstallation When deselected, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications. This setting does not affect installation of in-house apps. |
Yes |
|
Allow installing apps using App Store (supervised devices only) |
allowUIAppInstallation When deselected, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. Available for iOS 9.0 or supported newer versions. This restriction is unavailable if Allow installing apps using Apple Configurator and iTunes is deselected. |
Yes |
|
Allow automatic app downloads (supervised devices only) |
allowAutomaticAppDownloads If deselected, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. If selected, apps purchased by the device user will be automatically downloaded. This restriction is unavailable if Allow installing apps using Apple Configurator and iTunes is deselected. |
Yes |
|
Allow removing apps (supervised devices only) |
allowAppRemoval If deselected, disables removal of apps from iOS devices. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow System App Removal (iOS 11.0 and later with supervised devices only) |
allowSystemAppRemoval When deselected, disables the removal of system apps from the device. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Allow App Clips (iOS 14.0 and later with supervised devices only) |
allowAppClips When deselected, prevents a device user from adding any App Clips and removes any existing App Clips on the device. Available for iOS 14.0 or supported newer versions. |
Yes |
|
Allow Personalized Advertising (iOS 14.1 and later) |
allowApplePersonalizedAdvertising When deselected, limits personalized advertising. Available for iOS 14.1 or supported newer versions. |
Yes |
|
Allow NFC (iOS 14.2 and later) |
allowNFC When deselected, NFC is not allowed on the device. This is not specific to device registration. Available for iOS 14.2 or supported newer versions. |
Yes |
|
Force Dictation Processing Only on Device (iOS 14.3 and later) |
forceOnDeviceOnlyDictation When selected, uses the native dictation program that sends information such as voice input, contacts, and location to Apple (when necessary) for processing your requests. Available for iOS 14.3 or supported newer versions. |
No |
|
Force on-device only language translation |
forceOnDeviceOnlyTranslation If true, the device won’t connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Boolean. Default: false |
No |
|
Allow In-App Purchases |
allowInAppPurchases When deselected, prohibits in-app purchasing. |
Yes |
|
Require iTunes Store password for all purchases |
forceITunesStorePasswordEntry When selected, forces device users to enter their iTunes password for each App Store transaction. |
Yes |
|
Allow iCloud backup |
allowCloudBackup When deselected, disables backing up the device to iCloud. |
Yes |
|
Allow iCloud documents & data |
allowCloudDocumentSync When deselected, disables document and key-value syncing to iCloud. |
Yes |
|
Allow iCloud Keychain |
allowCloudKeychainSync If deselected, disables iCloud Keychain synchronization. |
Yes |
|
Allow managed apps to store data in iCloud |
allowManagedAppsCloudSync If deselected, prevents managed applications from using cloud sync. |
Yes |
|
Allow backup of enterprise books |
allowEnterpriseBookBackup Select to allow device users to back up enterprise-managed books to iCloud. Available for iOS 8.0 or supported newer versions. |
Yes |
|
Allow notes and highlights sync for enterprise books |
allowEnterpriseBookMetadataSync Select to allow device users to synchronize with iCloud their notes and highlights in enterprise-managed books. Available for iOS 8.0 or supported newer versions. |
Yes |
|
Allow iCloud photo sharing |
allowSharedStream If deselected, Shared Photo Stream will be disabled. |
Yes |
|
Allow iCloud Photo Library |
allowCloudPhotoLibrary If deselected, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow My Photo Stream (disallowing can cause data loss) |
allowPhotoStream When deselected, disables Photo Stream. |
Yes |
|
Allow automatic sync while roaming |
allowGlobalBackgroundFetchWhenRoaming When deselected, disables global background fetch activity when an iOS phone is roaming. Background fetch allows apps to update data in the background in anticipation of users accessing the app data. |
Yes |
|
Force encrypted backups |
forceEncryptedBackup When selected, encrypts all backups. Automatically selected due to SCEP requirements. |
Yes |
|
Force limited ad tracking |
forceLimitAdTracking If selected, limits ad tracking. |
No |
|
Allow Erase All Content and Settings (supervised devices only) |
allowEraseContentAndSettings Deselect to disable the “Erase All Content and Settings” option in the Reset section of iOS devices. Applicable to iOS 8 and later, and macOS 12 and later. |
Yes |
|
Allow user to accept untrusted TLS certificates |
allowUntrustedTLSPrompt Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user. |
Yes |
|
Allow automatic updates to certificate trust settings |
allowOTAPKIUpdates If deselected, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks. |
Yes |
|
Allow trusting new enterprise app authors |
allowEnterpriseAppTrust If deselected, prevents trusting enterprise apps from other companies. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow installing configuration profiles (supervised devices only) |
allowUIConfigurationProfileInstallation If deselected, the user is prohibited from installing configuration profiles and certificates interactively. |
Yes |
|
Allow adding VPN configurations (iOS 11.0 and later with superviseed devices only) |
allowVPNCreation When selected, allows the creation of VPN configurations. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Allow Classroom to lock to an app and lock the device without prompting (iOS 11.0 and later with supervised devices only) |
forceClassroomUnpromptedAppAndDeviceLock If selected, allow the teacher to lock apps or the device without prompting the student. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Automatically join Classroom classes without prompting (iOS 11.0 and later with supervised devices only) |
forceClassroomAutomaticallyJoinClasses If selected, automatically give permission to the teacher’s requests without prompting the student. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Require teacher permission to leave Classroom unmanaged classes (iOS 11.3 and later with supervised devices only) |
forceClassroomRequestPermissionToLeaveClasses Requires teacher approval for a student to leave a Classroom unmanaged classes from their device. Available for iOS 11.3 or supported newer versions. |
Yes |
|
Allow modifying account settings (supervised devices only) |
allowAccountModification Select to allow users to modify accounts settings, such as adding or removing mail accounts and modifying iCloud and iMessage settings, and so on. |
Yes |
|
Allow modifying Bluetooth settings (iOS 10.0 and later supervised devices only) |
allowBluetoothModification If deselected, prevents the modification of Bluetooth settings. For supervised devices only. Available in iOS 10.0 or supported newer versions. |
Yes |
|
Allow modifying cellular data app settings (supervised devices only) |
allowAppCellularDataModification If deselected, changes to cellular data usage for apps are disabled. |
Yes |
|
Allow modifying cellular plan settings (iOS 11.0 and later with supervised devices only) |
allowCellularPlanModification If deselected, changes to cellular plan settings are disabled. |
Yes |
|
Allow modifying device name (supervised devices only) |
allowDeviceNameModification If deselected, prevents device name from being changed. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow modifying Find my Friends settings (supervised devices only) |
allowFindMyFriendsModification If deselected, changes to the Find My Friends app are disabled. |
Yes |
|
Allow modifying notification settings (supervised devices only) |
allowNotificationsModification If disabled, notification settings cannot be modified. Available for iOS 9.3 or supported newer versions. |
Yes |
|
Allow modifying passcode (supervised devices only) |
allowPasscodeModification iOS 9.0 and later with supervised devices only. If deselected, prevents device passcode from being added, changed, or removed. |
Yes |
|
Allow modifying Touch ID fingerprints / Face ID faces (supervised devices only) |
allowFingerprintModification If deselected, prevents device users from changing their TouchID or Face ID settings. This restriction is automatically deselected if the preceding restriction [Allow modifying passcode (iOS 9.0 and later with supervised devices only)] is deselected. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow Screen Time (supervised devices only) |
allowEnablingRestrictions For iOS 9.0- 11.x - If deselected, disables the "Enable Restrictions" option in Settings > Restrictions on iOS devices. For iOS 12.0 or supported newer versions - If this option is deselected, the "Enable Screen Screen Time" option on iOS devices will be disabled (Settings > Restrictions.) |
Yes |
|
Allow modifying Wallpaper supervised devices only) |
allowWallpaperModification If deselected, prevents wallpaper from being changed. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow modifying Personal Hotspot settings (iOS 12.2 and later with supervised devices only) |
allowPersonalHotspotModification Deselecting disables the device user's ability to modify the personal hotspot. Available for iOS 12.2 or supported newer versions. |
Yes |
|
Allow changing USB restricted in Settings (supervised devices only) |
allowUSBRestrictedMode Select to enable USB restricted mode. Available for iOS 12.0 or supported newer versions. |
Yes |
|
Allow pairing with non-Configurator hosts (supervised devices only) |
allowHostPairing Select to allow host pairing for iTunes synchronization. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS device can pair with. |
Yes |
|
Allow documents from managed apps to unmanaged apps |
allowOpenFromManagedToUnmanaged Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. If you have enabled the “Open only with Ivanti [email protected], and protect with encryption” option for attachment control, it is recommended to disable this restriction. Enabling this restriction, may cause
A '?' icon will be visible on the attachment. See "iOS managed app configuration" in the Ivanti EPMM [email protected] Guide. |
Yes |
|
Allow documents from unmanaged apps to managed apps |
allowOpenFromUnmanagedToManaged Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email. |
Yes |
|
Treat AirDrop as unmanaged destination |
forceAirDropUnmanaged If selected, AirDrop will not be displayed as a sharing destination. This prevents confidential data from being shared through AirDrop. This restriction requires deselecting the allowOpenFromManagedToUnmanaged restriction. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow Handoff |
allowActivityContinuation Select to enable the Handoff feature, which allows users to seamlessly continue working where they left off using any Apple device on which they are logged in with their Apple ID. Available for iOS 8.0 or supported newer versions. |
Yes |
|
Allow sending diagnostic and usage data to Apple |
allowDiagnosticSubmission When deselected, this prevents the device from automatically submitting diagnostic reports to Apple. |
Yes |
|
Allow modifying diagnostics settings (supervised devices only) |
allowDiagnosticSubmissionModification When deselected, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified. Available for iOS 9.3.2 or supported newer versions. |
Yes |
|
Allow Touch ID / Face ID to unlock device |
allowFingerprintForUnlock Selected (default) means a PIN is required instead of FaceID to unlock device. De-selected means the use of FaceID is allowed in place of a PIN. |
Yes |
|
Force Apple Watch Wrist Detection |
forceWatchWristDetection If selected, paired Apple Watches are forced to use the wrist detection feature. Wrist detection allows the WatchOS to determine when the watch is being worn, and enable security features (such as a passcode) accordingly. Available for iOS 8.2 or supported newer versions. |
No |
|
Allow pairing with Apple Watch (supervised devices only) |
allowPairedWatch If deselected, the device user will not be able to pair their device with an Apple Watch. Currently paired Apple Watches are unpaired and erased. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Require passcode on first AirPlay pairing |
forceAirPlayOutgoingRequestsPairingPassword If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password when pairing for the first time. |
No |
|
Allow setting up new nearby devices (iOS 11.0 and later with supervised devices only) |
allowProximitySetupToNewDevice If deselected, device users cannot use their Apple devices to set up and configure other Apple devices. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Allow AirPrint (iOS 11.0 and later and supervised devices only) |
allowAirPrint When deselected, disables Air Print feature. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Allow storage of AirPrint credentials in Keychains (iOS 11.0 and later with supervised devices only) |
allowAirPrintCredentialsStorage Supervised only. When disabled, prohibits keychain storage of username and password for Airprint. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Disallow AirPrint to destinations with untrusted certificates (iOS 11.0 and later with supervised devices only) |
forceAirPrintTrustedTLSRequirement When selected, requires trusted certificates for TLS printing communication. Available for iOS 11.0 or supported newer versions. |
No |
|
Allow discovery of AirPrint printers using iBeacons (iOS 11.0 and later and supervised devices only) |
allowAirPrintiBeaconDiscovery When selected, disables iBeacon discovery of AirPrint printers, preventing spurious AirPrint Bluetooth beacons from phishing for network traffic. Available for iOS 11.0 or supported newer versions. |
Yes |
|
Allow predictive keyboard (supervised devices only) |
allowPredictiveKeyboard If deselected, disables the predictive keyboard. Available for iOS 8.1.3 or supported newer versions. |
Yes |
|
Allow keyboard shortcuts (with supervised devices only) |
allowKeyboardShortcuts If deselected, keyboard shortcuts cannot be used. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow auto correction (supervised devices only) |
allowAutoCorrection If deselected, disables keyboard auto-correction. Available for iOS 8.1.3 or supported newer versions. |
Yes |
|
Allow spell check (supervised devices only) |
allowSpellCheck If deselected, disables spell check. Available for iOS 8.1.3 or supported newer versions. |
Yes |
|
Allow Define (supervised devices only) |
allowDefinitionLookup If deselected, disables definition look-up. Available for iOS 8.1.3 or supported newer versions. |
Yes |
|
Allow dictation (iOS 10.3 and later with supervised devices only) |
allowDictation When deselected, disables dictation input method. Disabled automatically when using Advanced Audio Coding (AAC) mode. Available for iOS 10.3 or supported newer versions. |
Yes |
|
Allow Wallet notifications in Lock screen |
allowPassbookWhileLocked If deselected, Wallet notifications will not be shown on the lock screen. |
Yes |
|
Show Control Center in Lock screen |
allowLockScreenControlCenter If disabled, prevents Control Center from appearing on the Lock screen. |
Yes |
|
Show Notification Center in Lock screen |
allowLockScreenNotificationsView If deselected, the Notifications view in Notification Center on the lock screen is disabled. |
Yes |
|
Show Today view in Lock screen |
allowLockScreenTodayView If deselected, the Today view in Notification Center on the lock screen is disabled. |
Yes |
|
Defer software updates for __days (iOS 11.3, tvOS 12.2 and later with supervised devices only) |
enforcedSoftwareUpdateDelay forceDelayedSoftwareUpdates Enter the number of days by which you want to defer software updates. The default is 30 days, and the maximum is 90 days. Available for iOS 11.3 and tvOS 12.2 or supported newer versions. |
No |
|
Force Password on AirPlay incoming requests (tvOS up to 10.1) |
forceAirPlayIncomingRequestsPairingPassword Select to force the usage of a password for all AirPlay incoming requests for device pairing. Available for tvOS 11.3 or supported newer versions. |
No |
|
Allow incoming AirPlay requests (tvOS 11.3 and later) |
allowAirPlayIncomingRequests Select to allow incoming AirPlay requests. Available for tvOS 11.3 or supported newer versions. |
Yes |
|
Allow pairing with Remote app (tvOS 11.3 and later) |
allowPairingRemoteApp Select to allow pairing with a remote app. Available for tvOS 11.3 or supported newer versions. |
Yes |
|
Force automatic date & time setting (iOS 12.0, tvOS 12.2 and later with supervised devices only) |
forceAutomaticDateAndTime When selected, the user cannot turn it off. Note that the device's time zone will only be updated when the device can determine its location. Available for iOS 12.0 and tvOS 11.3 or supported newer versions. |
No |
|
Allow AutoFill Password |
allowPasswordAutoFill Select to allow password autofill. Available for iOS 12.0 or supported newer versions. |
Yes |
|
Allow nearby devices to request passwords (iOS / tvOS 12.0, and later with supervised devices only) |
allowPasswordProximityRequests Select to allow nearby devices to request device passwords. Available for iOS 12.0 and tvOS 12.0 or supported newer versions. |
Yes |
|
Allow users to share their passwords using AirDrop Passwords feature |
allowPasswordSharing Select to allow users to share their device passwords using Airdrop Passwords feature. Available for iOS 12.0 or supported newer versions. |
Yes |
|
Allow managed apps to write contacts to unmanaged contacts account (iOS 12.0 and later) |
allowManagedToWriteUnmanagedContacts Select to allow managed apps to write contacts to unmanaged contacts account. Available for iOS 12.0 or supported newer versions. |
Yes |
|
Allow unmanaged apps to read from managed contacts account (iOS 12.0 and later) |
allowUnmanagedToReadManagedContacts Select to allow unmanaged apps to read from managed contacts account. Available for iOS 12.0 or supported newer versions. |
Yes |
|
Allow modifying the eSim configuration (iOS 12.1 and later with supervised devices only) |
allowESIMModification Select to allow modifying the eSim configuration, which allows adding or removing a cellular plan. Available for iOS 12.1 or supported newer versions. |
Yes |
|
Allow continuous path keyboard (iOS 13.0 and later with supervised devices only) |
allowContinuousPathKeyboard Select to allow continuous path keyboard on supervised devices. Available for iOS 13.0 or supported newer versions. |
Yes |
|
Allow device sleep (tvOS 13.0 and later with supervised devices only) |
allowDeviceSleep Select to allow device to sleep. Available for tvOS 13.0 or supported newer versions. |
Yes |
|
Allow Find My Device (iOS 13.0 and later with supervised devices only) |
allowFindMyDevice Select to allow Find My Device in the Find My app for supervised devices. Available for iOS 13.0 or supported newer versions. |
Yes |
|
Allow Find My Friends (iOS 13.0 and later with supervised devices only) |
allowFindMyFriends Select to allow Find My Friends for supervised devices. Available for iOS 13.0 or supported newer versions. |
Yes |
|
Force Wi-Fi power on (iOS 13.0 and later with supervised devices only) |
forceWiFiPowerOn Select to force Wi-Fi power on/off for supervised devices. Available for iOS 13.0 or supported newer versions. |
No |
|
Allow USB drive access in Files app (iOS 13.0 and later with supervised devices only) |
allowFilesUSBDriveAccess Select to allow USB drive access in Files app. Available for iOS 13.0 or supported newer versions. |
Yes |
|
Allow Network drive access in Files app (iOS 13.0 and later with supervised devices only) |
allowFilesNetworkDriveAccess Select to allow network drive access in the Files app. Available for iOS 13.0 or supported newer versions. |
Yes |
|
Join only WiFi networks installed by a WiFi payload (iOS 14.5 and later supervised devices only) |
forceWiFiToAllowedNetworksOnly If selected, limits device to only join Wi-Fi networks set-up via configuration profile. Requires a supervised device. |
No |
|
Allow auto unlock (iOS 14.5 and later) |
allowAutoUnlock Selected by default, allows the ability to unlock Face ID-enabled phone with an associated Apple Watch. If deselected, disallows auto unlock. |
Yes |
|
Allow putting into recovery mode from an unpaired device (iOS 14.5 and later supervised only) |
allowUnpairedExternalBootToRecovery If selected, allows devices to be booted into recovery by an unpaired device. Requires a supervised device. |
No |
|
Force Translation Processing Only on Device (iOS 15.0 and later) |
forceOnDeviceOnlyTranslation When selected, the device will not connect to Siri servers for translation. |
No |
|
Require Managed Pasteboards (iOS 15.0 and later) |
requireManagedPasteboard Select to make device users' copy and paste managed. If not selected, device users will see a "paste not allowed" notification when trying to paste content from a managed app. |
No |
|
Allow Cloud Private Relay (iOS 15.0 and later) |
allowCloudPrivateRelay When selected, allows device to use iCloud Private Relay, making all browser traffic encrypted. |
Yes |
|
Allow Mail Privacy Protection (iOS 15.2 and later) |
allowMailPrivacyProtection If de-selected, disables Mail Privacy Protection on the device. Selected, this optin helps protect device users' privacy by preventing senders from learning about device users' email activities. When the Allow Mail Privacy Protection configuration is installed and enabled from Ivanti EPMM, the Protect Mail Activity toggle is enabled on the device and the following options are visible to the device user:
|
Yes |
|
Allow Apple TV's automatic screen saver (tvOS 15.4 and later) |
allowAutomaticScreenSaver If de-selected, disables Apple TV's automatic screen saver. |
Yes |
|
Allow Rapid Security Response Installation (iOS 16.0 and later) |
allowRapidSecurityResponseInstallation To disable the responses. The user cannot install rapid security responses. Administrators can use the iOS or macOS policies software updates to update devices to the latest Rapid Security Response updates. Use the Update to the latest version option. The Update to a specific version option is not supported in iOS for Rapid security response update formats from either the iOS Software update policy or the Device actions menu.
|
Yes |
|
Allow Rapid Security Response Removal (iOS 16.0 and later) |
allowRapidSecurityResponseRemoval To block the user from being able to undo the responses. The user cannot remove rapid security responses. This feature can be used once Apple implements the functionality. |
Yes |
|
Application Restrictions |
|
|
|
allowiTunes When deselected, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. |
Yes |
|
|
Allow News (supervised devices only) |
allowNews If deselected, prevents the device user from accessing News. Available for iOS 9.0 or supported newer versions. |
Yes |
|
Allow Podcasts (supervised devices only) |
allowPodcasts Select to display the default Apple Podcast app. Deselect to hide the Apple Podcast app. Available for iOS 8.0 or supported newer versions. |
Yes |
|
Allow use of Game Center (supervised devices only) |
allowGameCenter When deselected, Game Center is disabled and its icon is removed from the Home screen. |
Yes |
|
Allow multiplayer gaming |
allowMultiplayerGaming When deselected, prohibits multiplayer gaming. Disabled when Allow use of Game Center is deselected. |
Yes |
|
Allow adding Game Center friends |
allowAddingGameCenterFriends When deselected, prohibits adding friends to Game Center. Disabled when Allow use of Game Center is deselected. |
Yes |
|
allowSafari Deselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips. When deselected, the following restrictions are also disabled: Enable autofill, Force fraud warning, Enable Javascript, Block pop-ups, Accept cookies. Safari is required for updating configurations on iOS devices that are not managed with Apple's MDM protocol. |
Yes |
|
|
Enable autofill |
safariAllowAutoFill Select to turn on the autofill feature for fields displayed in Safari. |
Yes |
|
Force authentication before AutoFill (iOS 11.3 and later with supervised devices only, Face ID only) |
forceAuthenticationBeforeAutoFill Select to require Face ID authentication before AutoFill Available for iOS 11.3 or supported newer versions. |
Yes |
|
Force fraud warning |
safariForceFraudWarning Select to prompt Safari to attempt to prevent users from visiting websites identified as being fraudulent or compromised. |
No |
|
Enable Javascript |
safariAllowJavaScript Select to turn on Javascript support for Safari. |
Yes |
|
Block pop-ups |
safariAllowPopups Select to block pop-ups for Safari. |
No |
|
Accept cookies |
safariAcceptCookies Select an option from the drop-down list to control when Safari browser accepts cookies on devices. Options include Never, From visited sites, From Websites I Visit, and Always. |
Always |
|
Media Content Ratings |
|
|
|
Ratings region |
Select a region from the drop-down list to change the region associated with the rating selections for applications, TV shows, and movies. |
United States |
|
Allowed content ratings: Movies |
Select a rating limit for movies stored on the device: Don’t Allow Movies G PG PG-13 R NC-17 Allow All Movies |
Allow All Movies |
|
Allowed content ratings: TV Shows |
Select a rating limit for TV shows stored on the device: Don’t Allow TV Shows TV-Y TV-Y7 TV-G TV-PG TV-14 TV-MA Allow All TV Shows |
Allow All TV shows |
|
Allowed content ratings: Apps |
Select a rating limit for applications on the device: Don’t Allow Apps 4+ 9+ 12+ 17+ Allow All Apps |
Allow All Apps |
|
Allow playback of explicit music, podcasts, & iTunes U media (iOS and tvOS 11.3 and later) |
allowExplicitContent When de-selected, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. Available for iOS 11.3 and tvOS 11.3 or supported newer versions. |
Yes |
|
Allow explicit sexual content in iBooks Store (iOS and tvOS 11.3 and later) |
allowBookstoreErotica Select to allow users to download iBookstore material that has been tagged as erotica. Available for iOS 11.3 and tvOS 11.3 or supported newer versions. |
Yes |
|
Item |
Description |
Enabled by default |
|
|---|---|---|---|
|
App whitelist for Single App Mode |
Specify a list of apps that can autonomously enter single app mode on supervised devices running iOS 7-9.1. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to supervised iOS devices only, and apps with the ability to autonomously enter single-app mode. Use the following guidelines to complete each entry:
One way to find the bundle identifier is to add the app to the App Catalog in Ivanti EPMM. After you add the app, edit the app entry to see the Inventory Apps field, which lists the bundle ID for the app.
This feature is different from single-app mode policy, which enables an administrator to configure a specific app to run in single-app mode on devices to the exclusion of any other apps. For more information about setting a single-app mode policy, see Single-app mode policies. |
N/A |
|