iOS and tvOS restrictions settings

Select Policies & Configs > Configurations > Add New > Apple > iOS / tvOS > Restrictions to specify lockdown capabilities for iOS and tvOS devices.

There are restrictions available on all iOS/tvOS devices. Each restriction has a default value that is determined by Apple. Without a restrictions configuration, the values in Ivanti EPMM's Restrictions tab will be the default ones as defined by Apple. When Ivanti EPMM sends a restriction configuration, the values will be set based on that configuration. The next Restrictions "report" will display in the Device Details page > Restrictions tab and will list the new values based on the configurations sent and what was sent by the device.

The Restrictions report may not display each and every restriction that was sent.

When iOS 13 devices upgrade to Ivanti EPMM, restrictions are enabled by default. However, when tvOS 12.2 and 13.0 devices upgrade, the restrictions are not enabled by default.

If User Enrollment through Apple Business Manager was done, the Restrictions tab may not display the table and instead display "No Data." This is because no data was returned listing which restrictions were set and what the values were.

If Notes for Audit Logs is enabled, after selecting Save, a text dialog box opens. Enter the reason for the change and then select Confirm. For more information, see Best practices: label management.

When there are two iOS restrictions of the same key and are pushed to the device with conflicting values, Ivanti EPMM will send both restrictions to device. However, when two restriction configuration are sent to device with different values, Apple states that the most restrictive option takes precedence. There is no clear documentation from Apple about this behavior. Best practice is to have a single restriction setting with the desired value set instead of multiple settings with same key, which results in having value conflicts.

The following table summarizes the settings.

Table 113.   Restrictions settings (iOS)

Item

Description

Enabled by default

Name

Enter brief text that identifies this group of iOS restriction settings.

N/A

Description

Enter additional text that clarifies the purpose of this group of iOS restriction settings.

N/A

Device Functionality

 

Allow use of camera

allowCamera

Select to disable the camera and remove its icon from the Home screen. Users will be unable to take photographs.

Clearing this restriction also disables the Allow FaceTime restriction.

Yes

Allow FaceTime

allowVideoConferencing

When deselected, disables video conferencing.

As of iOS 13, requires a supervised device.

Yes

Allow screenshots and screen recording

allowScreenShot

When deselected, users are unable to save screenshots or record video of the display.

When deselected, this restriction prevents the Classroom app from observing remote screens. Available for iOS 9.0 or supported newer versions.

Yes

Allow AirPlay and View Screen by Classroom (supervised devices only)

allowRemoteScreenObservation

Select to enable remote screen observation. Available for iOS 9.3 or supported newer versions.

Yes

Allow Classroom to perform AirPlay and View Screen without prompting (iOS 10.3 and later with supervised devices only)

forceClassroomUnpromptedScreenObservation

Select to enable remote screen observation without prompting.

Available for iOS 10.3 or supported newer versions.

Yes

Allow AirDrop (supervised devices only)

allowAirDrop

If deselected, AirDrop is disabled.

Yes

Allow iMessage (supervised devices only)

allowChat

When deselected, disables the use of the Messages app with supervised devices.

Yes

Allow Apple Music (with supervised devices only)

allowMusicService

If disabled, Music service is disabled and Music app reverts to classic mode. Available for iOS 9.3 or supported newer versions.

Yes

Allow Radio (supervised devices only)

allowRadioService

If disabled, iTunes Radio is disabled. Available for iOS 9.3 or supported newer versions.

Yes

Allow voice dialing while device is locked

allowVoiceDialing

When deselected, disables voice dialing.

Yes

Allow Siri

allowAssistant

When deselected, disables Siri.

Yes

Allow Siri while device is locked

allowAssistantWhileLocked

When deselected, the user is unable to use Siri when the device is locked. This restriction is ignored if the device does not have a passcode set.

Yes

Enable Siri profanity filter (supervised devices only)

forceAssistantProfanityFilter

When selected, forces the use of the profanity filter assistant. Available for iOS 8.0 or supported newer versions.

No

Show user-generated content in Siri (supervised devices only)

allowAssistantUserGeneratedContent

If deselected, prevents Siri from querying user-generated content from the web.

Yes

Allow Siri Suggestions (supervised devices only)

allowSpotlightInternetResults

If deselected, prevents Siri from offering suggestions for apps, people, search results, and more.

Yes

Allow server-side logging of Siri commands (iOS 12.2 and later)

allowSiriServerLogging

If deselected, disables server-side Siri logging.

Applicable to iOS 12.2 or supported newer versions.

Yes

Allow Apple Books (supervised devices only)

allowBookstore

Select to allow access to iBookstore.

Yes

Allow installing apps using Apple Configurator and iTunes (supervised devices only)

allowAppInstallation

When deselected, the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications.

This setting does not affect installation of in-house apps.

Yes

Allow installing apps using App Store (supervised devices only)

allowUIAppInstallation

When deselected, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps.

Available for iOS 9.0 or supported newer versions.

This restriction is unavailable if Allow installing apps using Apple Configurator and iTunes is deselected.

Yes

Allow automatic app downloads (supervised devices only)

allowAutomaticAppDownloads

If deselected, prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps.

If selected, apps purchased by the device user will be automatically downloaded.

This restriction is unavailable if Allow installing apps using Apple Configurator and iTunes is deselected.

Yes

Allow removing apps (supervised devices only)

allowAppRemoval

If deselected, disables removal of apps from iOS devices.

Available for iOS 9.0 or supported newer versions.

Yes

Allow System App Removal (iOS 11.0 and later with supervised devices only)

allowSystemAppRemoval

When deselected, disables the removal of system apps from the device.

Available for iOS 11.0 or supported newer versions.

Yes

Allow App Clips (iOS 14.0 and later with supervised devices only)

allowAppClips

When deselected, prevents a device user from adding any App Clips and removes any existing App Clips on the device.

Available for iOS 14.0 or supported newer versions.

Yes

Allow Personalized Advertising (iOS 14.1 and later)

allowApplePersonalizedAdvertising

When deselected, limits personalized advertising.

Available for iOS 14.1 or supported newer versions.

Yes

Allow NFC (iOS 14.2 and later)

allowNFC

When deselected, NFC is not allowed on the device. This is not specific to device registration.

Available for iOS 14.2 or supported newer versions.

Yes

Force Dictation Processing Only on Device (iOS 14.3 and later)

forceOnDeviceOnlyDictation

When selected, uses the native dictation program that sends information such as voice input, contacts, and location to Apple (when necessary) for processing your requests.

Available for iOS 14.3 or supported newer versions.

No

Force on-device only language translation

forceOnDeviceOnlyTranslation

If true, the device won’t connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Boolean.

Default: false

No

Allow In-App Purchases

allowInAppPurchases

When deselected, prohibits in-app purchasing.

Yes

Require iTunes Store password for all purchases

forceITunesStorePasswordEntry

When selected, forces device users to enter their iTunes password for each App Store transaction.

Yes

Allow iCloud backup

allowCloudBackup

When deselected, disables backing up the device to iCloud.

Yes

Allow iCloud documents & data

allowCloudDocumentSync

When deselected, disables document and key-value syncing to iCloud.

Yes

Allow iCloud Keychain

allowCloudKeychainSync

If deselected, disables iCloud Keychain synchronization.

Yes

Allow managed apps to store data in iCloud

allowManagedAppsCloudSync

If deselected, prevents managed applications from using cloud sync.

Yes

Allow backup of enterprise books

allowEnterpriseBookBackup

Select to allow device users to back up enterprise-managed books to iCloud.

Available for iOS 8.0 or supported newer versions.

Yes

Allow notes and highlights sync for enterprise books

allowEnterpriseBookMetadataSync

Select to allow device users to synchronize with iCloud their notes and highlights in enterprise-managed books.

Available for iOS 8.0 or supported newer versions.

Yes

Allow iCloud photo sharing

allowSharedStream

If deselected, Shared Photo Stream will be disabled.

Yes

Allow iCloud Photo Library

allowCloudPhotoLibrary

If deselected, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.

Available for iOS 9.0 or supported newer versions.

Yes

Allow My Photo Stream (disallowing can cause data loss)

allowPhotoStream

When deselected, disables Photo Stream.

Yes

Allow automatic sync while roaming

allowGlobalBackgroundFetchWhenRoaming

When deselected, disables global background fetch activity when an iOS phone is roaming. Background fetch allows apps to update data in the background in anticipation of users accessing the app data.

Yes

Force encrypted backups

forceEncryptedBackup

When selected, encrypts all backups. Automatically selected due to SCEP requirements.

Yes

Force limited ad tracking

forceLimitAdTracking

If selected, limits ad tracking.

No

Allow Erase All Content and Settings (supervised devices only)

allowEraseContentAndSettings

Deselect to disable the “Erase All Content and Settings” option in the Reset section of iOS devices.

Applicable to iOS 8 and later, and macOS 12 and later.

Yes

Allow user to accept untrusted TLS certificates

allowUntrustedTLSPrompt

Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.

Yes

Allow automatic updates to certificate trust settings

allowOTAPKIUpdates

If deselected, over-the-air PKI updates are disabled. Setting this restriction to false does not disable CRL and OCSP checks.

Yes

Allow trusting new enterprise app authors

allowEnterpriseAppTrust

If deselected, prevents trusting enterprise apps from other companies.

Available for iOS 9.0 or supported newer versions.

Yes

Allow installing configuration profiles (supervised devices only)

allowUIConfigurationProfileInstallation

If deselected, the user is prohibited from installing configuration profiles and certificates interactively.

Yes

Allow adding VPN configurations (iOS 11.0 and later with superviseed devices only)

allowVPNCreation

When selected, allows the creation of VPN configurations.

Available for iOS 11.0 or supported newer versions.

Yes

Allow Classroom to lock to an app and lock the device without prompting (iOS 11.0 and later with supervised devices only)

forceClassroomUnpromptedAppAndDeviceLock

If selected, allow the teacher to lock apps or the device without prompting the student.

Available for iOS 11.0 or supported newer versions.

Yes

Automatically join Classroom classes without prompting (iOS 11.0 and later with supervised devices only)

forceClassroomAutomaticallyJoinClasses

If selected, automatically give permission to the teacher’s requests without prompting the student.

Available for iOS 11.0 or supported newer versions.

Yes

Require teacher permission to leave Classroom unmanaged classes (iOS 11.3 and later with supervised devices only)

forceClassroomRequestPermissionToLeaveClasses

Requires teacher approval for a student to leave a Classroom unmanaged classes from their device.

Available for iOS 11.3 or supported newer versions.

Yes

Allow modifying account settings (supervised devices only)

allowAccountModification

Select to allow users to modify accounts settings, such as adding or removing mail accounts and modifying iCloud and iMessage settings, and so on.

Yes

Allow modifying Bluetooth settings (iOS 10.0 and later supervised devices only)

allowBluetoothModification

If deselected, prevents the modification of Bluetooth settings. For supervised devices only.

Available in iOS 10.0 or supported newer versions.

Yes

Allow modifying cellular data app settings (supervised devices only)

allowAppCellularDataModification

If deselected, changes to cellular data usage for apps are disabled.

Yes

Allow modifying cellular plan settings (iOS 11.0 and later with supervised devices only)

allowCellularPlanModification

If deselected, changes to cellular plan settings are disabled.

Yes

Allow modifying device name (supervised devices only)

allowDeviceNameModification

If deselected, prevents device name from being changed.

Available for iOS 9.0 or supported newer versions.

Yes

Allow modifying Find my Friends settings (supervised devices only)

allowFindMyFriendsModification

If deselected, changes to the Find My Friends app are disabled.

Yes

Allow modifying notification settings (supervised devices only)

allowNotificationsModification

If disabled, notification settings cannot be modified. Available for iOS 9.3 or supported newer versions.

Yes

Allow modifying passcode (supervised devices only)

allowPasscodeModification

iOS 9.0 and later with supervised devices only. If deselected, prevents device passcode from being added, changed, or removed.

Yes

Allow modifying Touch ID fingerprints / Face ID faces (supervised devices only)

allowFingerprintModification

If deselected, prevents device users from changing their TouchID or Face ID settings.

This restriction is automatically deselected if the preceding restriction [Allow modifying passcode (iOS 9.0 and later with supervised devices only)] is deselected.

Available for iOS 9.0 or supported newer versions.

Yes

Allow Screen Time (supervised devices only)

allowEnablingRestrictions

For iOS 9.0- 11.x - If deselected, disables the "Enable Restrictions" option in Settings > Restrictions on iOS devices.

For iOS 12.0 or supported newer versions - If this option is deselected, the "Enable Screen Screen Time" option on iOS devices will be disabled (Settings > Restrictions.)

Yes

Allow modifying Wallpaper supervised devices only)

allowWallpaperModification

If deselected, prevents wallpaper from being changed.

Available for iOS 9.0 or supported newer versions.

Yes

Allow modifying Personal Hotspot settings (iOS 12.2 and later with supervised devices only)

allowPersonalHotspotModification

Deselecting disables the device user's ability to modify the personal hotspot.

Available for iOS 12.2 or supported newer versions.

Yes

Allow changing USB restricted in Settings (supervised devices only)

allowUSBRestrictedMode

Select to enable USB restricted mode.

Available for iOS 12.0 or supported newer versions.

Yes

Allow pairing with non-Configurator hosts (supervised devices only)

allowHostPairing

Select to allow host pairing for iTunes synchronization. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS device can pair with.

Yes

Allow documents from managed apps to unmanaged apps

allowOpenFromManagedToUnmanaged

Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps.

If you have enabled the “Open only with Ivanti Docs@Work, and protect with encryption” option for attachment control, it is recommended to disable this restriction. Enabling this restriction, may cause

  • .secure attachments to not open in Ivanti Mobile@Work .

  • .secure and .attachctrl attachments to not open in the Ivanti Docs@Work app for iOS.

A '?' icon will be visible on the attachment.

See "iOS managed app configuration" in the Ivanti EPMM Apps@Work Guide.

Yes

Allow documents from unmanaged apps to managed apps

allowOpenFromUnmanagedToManaged

Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email.

Yes

Treat AirDrop as unmanaged destination

forceAirDropUnmanaged

If selected, AirDrop will not be displayed as a sharing destination. This prevents confidential data from being shared through AirDrop.

This restriction requires deselecting the allowOpenFromManagedToUnmanaged restriction.

Available for iOS 9.0 or supported newer versions.

Yes

Allow Handoff

allowActivityContinuation

Select to enable the Handoff feature, which allows users to seamlessly continue working where they left off using any Apple device on which they are logged in with their Apple ID.

Available for iOS 8.0 or supported newer versions.

Yes

Allow sending diagnostic and usage data to Apple

allowDiagnosticSubmission

When deselected, this prevents the device from automatically submitting diagnostic reports to Apple.

Yes

Allow modifying diagnostics settings (supervised devices only)

allowDiagnosticSubmissionModification

When deselected, the diagnostic submission and app analytics settings in the Diagnostics & Usage pane in Settings cannot be modified.

Available for iOS 9.3.2 or supported newer versions.

Yes

Allow Touch ID / Face ID to unlock device

allowFingerprintForUnlock

Selected (default) means a PIN is required instead of FaceID to unlock device. De-selected means the use of FaceID is allowed in place of a PIN.

Yes

Force Apple Watch Wrist Detection

forceWatchWristDetection

If selected, paired Apple Watches are forced to use the wrist detection feature. Wrist detection allows the WatchOS to determine when the watch is being worn, and enable security features (such as a passcode) accordingly.

Available for iOS 8.2 or supported newer versions.

No

Allow pairing with Apple Watch (supervised devices only)

allowPairedWatch

If deselected, the device user will not be able to pair their device with an Apple Watch. Currently paired Apple Watches are unpaired and erased.

Available for iOS 9.0 or supported newer versions.

Yes

Require passcode on first AirPlay pairing

forceAirPlayOutgoingRequestsPairingPassword

If set to true, forces all devices receiving AirPlay requests from this device to use a pairing password when pairing for the first time.

No

Allow setting up new nearby devices (iOS 11.0 and later with supervised devices only)

allowProximitySetupToNewDevice

If deselected, device users cannot use their Apple devices to set up and configure other Apple devices.

Available for iOS 11.0 or supported newer versions.

Yes

Allow AirPrint (iOS 11.0 and later and supervised devices only)

allowAirPrint

When deselected, disables Air Print feature.

Available for iOS 11.0 or supported newer versions.

Yes

Allow storage of AirPrint credentials in Keychains (iOS 11.0 and later with supervised devices only)

allowAirPrintCredentialsStorage

Supervised only. When disabled, prohibits keychain storage of username and password for Airprint.

Available for iOS 11.0 or supported newer versions.

Yes

Disallow AirPrint to destinations with untrusted certificates (iOS 11.0 and later with supervised devices only)

forceAirPrintTrustedTLSRequirement

When selected, requires trusted certificates for TLS printing communication.

Available for iOS 11.0 or supported newer versions.

No

Allow discovery of AirPrint printers using iBeacons (iOS 11.0 and later and supervised devices only)

allowAirPrintiBeaconDiscovery

When selected, disables iBeacon discovery of AirPrint printers, preventing spurious AirPrint Bluetooth beacons from phishing for network traffic.

Available for iOS 11.0 or supported newer versions.

Yes

Allow predictive keyboard (supervised devices only)

allowPredictiveKeyboard

If deselected, disables the predictive keyboard.

Available for iOS 8.1.3 or supported newer versions.

Yes

Allow keyboard shortcuts (with supervised devices only)

allowKeyboardShortcuts

If deselected, keyboard shortcuts cannot be used.

Available for iOS 9.0 or supported newer versions.

Yes

Allow auto correction (supervised devices only)

allowAutoCorrection

If deselected, disables keyboard auto-correction.

Available for iOS 8.1.3 or supported newer versions.

Yes

Allow spell check (supervised devices only)

allowSpellCheck

If deselected, disables spell check.

Available for iOS 8.1.3 or supported newer versions.

Yes

Allow Define (supervised devices only)

allowDefinitionLookup

If deselected, disables definition look-up.

Available for iOS 8.1.3 or supported newer versions.

Yes

Allow dictation (iOS 10.3 and later with supervised devices only)

allowDictation

When deselected, disables dictation input method. Disabled automatically when using Advanced Audio Coding (AAC) mode.

Available for iOS 10.3 or supported newer versions.

Yes

Allow Wallet notifications in Lock screen

allowPassbookWhileLocked

If deselected, Wallet notifications will not be shown on the lock screen.

Yes

Show Control Center in Lock screen

allowLockScreenControlCenter

If disabled, prevents Control Center from appearing on the Lock screen.

Yes

Show Notification Center in Lock screen

allowLockScreenNotificationsView

If deselected, the Notifications view in Notification Center on the lock screen is disabled.

Yes

Show Today view in Lock screen

allowLockScreenTodayView

If deselected, the Today view in Notification Center on the lock screen is disabled.

Yes

Defer software updates for __days (iOS 11.3, tvOS 12.2 and later with supervised devices only)

enforcedSoftwareUpdateDelay

forceDelayedSoftwareUpdates

Enter the number of days by which you want to defer software updates. The default is 30 days, and the maximum is 90 days.

Available for iOS 11.3 and tvOS 12.2 or supported newer versions.

No

Force Password on AirPlay incoming requests (tvOS up to 10.1)

forceAirPlayIncomingRequestsPairingPassword

Select to force the usage of a password for all AirPlay incoming requests for device pairing.

Available for tvOS 11.3 or supported newer versions.

No

Allow incoming AirPlay requests (tvOS 11.3 and later)

allowAirPlayIncomingRequests

Select to allow incoming AirPlay requests.

Available for tvOS 11.3 or supported newer versions.

Yes

Allow pairing with Remote app (tvOS 11.3 and later)

allowPairingRemoteApp

Select to allow pairing with a remote app.

Available for tvOS 11.3 or supported newer versions.

Yes

Force automatic date & time setting (iOS 12.0, tvOS 12.2 and later with supervised devices only)

forceAutomaticDateAndTime

When selected, the user cannot turn it off. Note that the device's time zone will only be updated when the device can determine its location.

Available for iOS 12.0 and tvOS 11.3 or supported newer versions.

No

Allow AutoFill Password
(iOS 12.0 and later with supervised devices only)

allowPasswordAutoFill

Select to allow password autofill.

Available for iOS 12.0 or supported newer versions.

Yes

Allow nearby devices to request passwords (iOS / tvOS 12.0, and later with supervised devices only)

allowPasswordProximityRequests

Select to allow nearby devices to request device passwords.

Available for iOS 12.0 and tvOS 12.0 or supported newer versions.

Yes

Allow users to share their passwords using AirDrop Passwords feature
(iOS 12.0 and later with supervised devices only)

allowPasswordSharing

Select to allow users to share their device passwords using Airdrop Passwords feature.

Available for iOS 12.0 or supported newer versions.

Yes

Allow managed apps to write contacts to unmanaged contacts account (iOS 12.0 and later)

allowManagedToWriteUnmanagedContacts

Select to allow managed apps to write contacts to unmanaged contacts account.

Available for iOS 12.0 or supported newer versions.

Yes

Allow unmanaged apps to read from managed contacts account (iOS 12.0 and later)

allowUnmanagedToReadManagedContacts

Select to allow unmanaged apps to read from managed contacts account.

Available for iOS 12.0 or supported newer versions.

Yes

Allow modifying the eSim configuration (iOS 12.1 and later with supervised devices only)

allowESIMModification

Select to allow modifying the eSim configuration, which allows adding or removing a cellular plan.

Available for iOS 12.1 or supported newer versions.

Yes

Allow continuous path keyboard (iOS 13.0 and later with supervised devices only)

allowContinuousPathKeyboard

Select to allow continuous path keyboard on supervised devices.

Available for iOS 13.0 or supported newer versions.

Yes

Allow device sleep (tvOS 13.0 and later with supervised devices only)

allowDeviceSleep

Select to allow device to sleep.

Available for tvOS 13.0 or supported newer versions.

Yes

Allow Find My Device (iOS 13.0 and later with supervised devices only)

allowFindMyDevice

Select to allow Find My Device in the Find My app for supervised devices.

Available for iOS 13.0 or supported newer versions.

Yes

Allow Find My Friends (iOS 13.0 and later with supervised devices only)

allowFindMyFriends

Select to allow Find My Friends for supervised devices.

Available for iOS 13.0 or supported newer versions.

Yes

Force Wi-Fi power on (iOS 13.0 and later with supervised devices only)

forceWiFiPowerOn

Select to force Wi-Fi power on/off for supervised devices.

Available for iOS 13.0 or supported newer versions.

No

Allow USB drive access in Files app (iOS 13.0 and later with supervised devices only)

allowFilesUSBDriveAccess

Select to allow USB drive access in Files app.

Available for iOS 13.0 or supported newer versions.

Yes

Allow Network drive access in Files app (iOS 13.0 and later with supervised devices only)

allowFilesNetworkDriveAccess

Select to allow network drive access in the Files app.

Available for iOS 13.0 or supported newer versions.

Yes

Join only WiFi networks installed by a WiFi payload (iOS 14.5 and later supervised devices only)

forceWiFiToAllowedNetworksOnly

If selected, limits device to only join Wi-Fi networks set-up via configuration profile. Requires a supervised device.

No

Allow auto unlock (iOS 14.5 and later)

allowAutoUnlock

Selected by default, allows the ability to unlock Face ID-enabled phone with an associated Apple Watch. If deselected, disallows auto unlock.

Yes

Allow putting into recovery mode from an unpaired device (iOS 14.5 and later supervised only)

allowUnpairedExternalBootToRecovery

If selected, allows devices to be booted into recovery by an unpaired device. Requires a supervised device.

No

Force Translation Processing Only on Device (iOS 15.0 and later)

forceOnDeviceOnlyTranslation

When selected, the device will not connect to Siri servers for translation.

No

Require Managed Pasteboards (iOS 15.0 and later)

requireManagedPasteboard

Select to make device users' copy and paste managed. If not selected, device users will see a "paste not allowed" notification when trying to paste content from a managed app.

No

Allow Cloud Private Relay (iOS 15.0 and later)

allowCloudPrivateRelay

When selected, allows device to use iCloud Private Relay, making all browser traffic encrypted.

Yes

Allow Mail Privacy Protection (iOS 15.2 and later)

allowMailPrivacyProtection

If de-selected, disables Mail Privacy Protection on the device. Selected, this optin helps protect device users' privacy by preventing senders from learning about device users' email activities. When the Allow Mail Privacy Protection configuration is installed and enabled from Ivanti EPMM, the Protect Mail Activity toggle is enabled on the device and the following options are visible to the device user:

  • Hide IP Address - The email sender cannot link the email to the device user's online activity or determine location.
  • Block All Remote Content - Prevents the email sender from seeing the device user's email activities.

Yes

Allow Apple TV's automatic screen saver (tvOS 15.4 and later)

allowAutomaticScreenSaver

If de-selected, disables Apple TV's automatic screen saver.

Yes

Allow Rapid Security Response Installation (iOS 16.0 and later supervised devices only)

allowRapidSecurityResponseInstallation

To disable the responses. The user cannot install rapid security responses.

Administrators can use the iOS or macOS policies software updates to update devices to the latest Rapid Security Response updates. Use the Update to the latest version option. The Update to a specific version option is not supported in iOS for Rapid security response update formats from either the iOS Software update policy or the Device actions menu.

 

Yes

Allow Rapid Security Response Removal (iOS 16.0 and later supervised devices only)

allowRapidSecurityResponseRemoval

To block the user from being able to undo the responses. The user cannot remove rapid security responses. This feature can be used once Apple implements the functionality.

Yes

Allow iPhone widgets on a Mac (iOS 17 and later supervised devices only)

allowiPhoneWidgetsOnMac

Select to allow the iPhone widget on Mac 14 devices. Deselect to disallow iPhone widget on Mac 14 devices.

Note: Both are signed in with the same Apple ID.

Yes

Application Restrictions

 

Allow Use of iTunes Store

allowiTunes

When deselected, the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content.

Yes

Allow News (supervised devices only)

allowNews

If deselected, prevents the device user from accessing News.

Available for iOS 9.0 or supported newer versions.

Yes

Allow Podcasts (supervised devices only)

allowPodcasts

Select to display the default Apple Podcast app. Deselect to hide the Apple Podcast app.

Available for iOS 8.0 or supported newer versions.

Yes

Allow use of Game Center (supervised devices only)

allowGameCenter

When deselected, Game Center is disabled and its icon is removed from the Home screen.

Yes

Allow multiplayer gaming

allowMultiplayerGaming

When deselected, prohibits multiplayer gaming. Disabled when Allow use of Game Center is deselected.

Yes

Allow adding Game Center friends

allowAddingGameCenterFriends

When deselected, prohibits adding friends to Game Center. Disabled when Allow use of Game Center is deselected.

Yes

Allow use of Safari

allowSafari

Deselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.

When deselected, the following restrictions are also disabled: Enable autofill, Force fraud warning, Enable Javascript, Block pop-ups, Accept cookies.

Safari is required for updating configurations on iOS devices that are not managed with Apple's MDM protocol.

Yes

Enable autofill

safariAllowAutoFill

Select to turn on the autofill feature for fields displayed in Safari.

Yes

Force authentication before AutoFill (iOS 11.3 and later with supervised devices only, Face ID only)

forceAuthenticationBeforeAutoFill

Select to require Face ID authentication before AutoFill

Available for iOS 11.3 or supported newer versions.

Yes

Force fraud warning

safariForceFraudWarning

Select to prompt Safari to attempt to prevent users from visiting websites identified as being fraudulent or compromised.

No

Enable Javascript

safariAllowJavaScript

Select to turn on Javascript support for Safari.

Yes

Block pop-ups

safariAllowPopups

Select to block pop-ups for Safari.

No

Accept cookies

safariAcceptCookies

Select an option from the drop-down list to control when Safari browser accepts cookies on devices. Options include Never, From visited sites, From Websites I Visit, and Always.

Always

Media Content Ratings

 

Ratings region

Select a region from the drop-down list to change the region associated with the rating selections for applications, TV shows, and movies.

United States

Allowed content ratings: Movies

Select a rating limit for movies stored on the device:

Don’t Allow Movies

G

PG

PG-13

R

NC-17

Allow All Movies

Allow All Movies

Allowed content ratings:

TV Shows

Select a rating limit for TV shows stored on the device:

Don’t Allow TV Shows

TV-Y

TV-Y7

TV-G

TV-PG

TV-14

TV-MA

Allow All TV Shows

Allow All TV shows

Allowed content ratings:

Apps

Select a rating limit for applications on the device:

Don’t Allow Apps

4+

9+

12+

17+

Allow All Apps

Allow All Apps

Allow playback of explicit music, podcasts, & iTunes U media (iOS and tvOS 11.3 and later)

allowExplicitContent

When de-selected, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.

Available for iOS 11.3 and tvOS 11.3 or supported newer versions.

Yes

Allow explicit sexual content in iBooks Store (iOS and tvOS 11.3 and later)

allowBookstoreErotica

Select to allow users to download iBookstore material that has been tagged as erotica.

Available for iOS 11.3 and tvOS 11.3 or supported newer versions.

Yes

 

Table 114.   Restrictions settings (iOS)

Item

Description

Enabled by default

App whitelist for Single App Mode

Specify a list of apps that can autonomously enter single app mode on supervised devices running iOS 7-9.1. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to supervised iOS devices only, and apps with the ability to autonomously enter single-app mode.

Use the following guidelines to complete each entry:

  • Enter the app name defined in the app’s bundle.

  • Enter the bundle identifier for this app.

One way to find the bundle identifier is to add the app to the App Catalog in Ivanti EPMM. After you add the app, edit the app entry to see the Inventory Apps field, which lists the bundle ID for the app.

  • Enter an optional description for the app.

This feature is different from single-app mode policy, which enables an administrator to configure a specific app to run in single-app mode on devices to the exclusion of any other apps. For more information about setting a single-app mode policy, see Single-app mode policies.

N/A