Managed domains settings
Managed domains enable you to specify which domains are trusted for Mail and Safari on iOS:
- Email from domains that are not specified in the configuration will be highlighted (untrusted) in the native Mail app.
- Documents downloaded from domains that are specified in the configuration will be considered managed for the purposes of Safari on the device. Use this configuration combined with restrictions to control the data downloads allowed in Safari.
- Device users will be unable to use the Safari autofill feature for passwords unless the URLs they access have been specifically configured as managed Safari password autofill domains.
Managed domains work together with the managed app options in the restrictions configuration. Ivanti EPMM requires a special license for using these options.
This setting does not apply to tvOS devices.
Configuring managed domains
Procedure
- In the Admin Portal, select Policies & Configs.
- Select Add New > Apple > iOS / tvOS > Restrictions. The New Restrictions Setting dialog box opens.
- Create a restrictions configuration with at least the following settings not checked:
  - Allow documents from managed apps to unmanaged apps
  - Allow documents from unmanaged apps to managed apps
- Apply the configuration to an appropriate label to distribute it to target devices.
- In the Admin Portal, select Policies & Configs > Configurations.
- Select Add New > Apple > iOS / tvOS > Managed Domains. The Managed Domains Configuration dialog box opens.
- Use the following guidelines to complete the form:

| Item | Description |
| --- | --- |
| Name | Enter brief text to identify this configuration. Note that this text will display in the iOS Settings app on the device. |
| Description | Enter optional text to clarify the purpose of this configuration. |
| Email Domains | Select Add+ to enter an email domain, such as mycompany.com. Email domains may not include the wild card format “/*”. Any email address lacking a suffix specified in the list of managed email domains will be highlighted as out-of-domain in the Mail app. Note that the www prefix and trailing slashes are ignored. |
| Web Domains | Select Add+ to enter a web domain, as in mycompany.com. Note that the www prefix and trailing slashes are ignored. See Domain formats for more information. |
| Managed Safari Password Auto Fill Domains (iOS 9.3+ Supervised Only) | Select Add+ to enable password auto-fill and auto-save for URLs matching a specific Safari web domain. Supported on supervised devices running iOS 9.3 or a newer supported version. See the notes that follow this table. |

Notes on Managed Safari Password Auto Fill Domains:
• The managed Safari password auto-fill domain feature is disabled on multi-user devices.
• Safari will only save and auto-fill passwords on web pages that are configured for auto-fill. Password auto-fill will not work on domains where auto-fill is not configured, even if you add the domain to the list.
• The www prefix and trailing slashes are ignored.
• If a managed Safari password auto-fill domain contains a port number, Safari will only manage URLs that specify that port number. Otherwise, the domain will be matched without regard to the specified port number.
For example, the pattern *.example.com:8080 will match http://site.example.com:8080/page.html, but not http://site.example.com/page.html. The pattern *.example.com will match both URLs.
• Be sure to enable saving passwords on all iOS devices before enabling this feature. On the iOS device, select Settings > Safari > Autofill > Names and Passwords > Enable.
- Apply the configuration to an appropriate label to distribute it to target devices.
Domain formats
Use the following table as a guideline for entering both web domains and managed Safari password auto-fill domains:
Table 1. Web domain and managed Safari password auto-fill domain formats
| Enter | To match | To exclude |
| --- | --- | --- |
| company.com | company.com/* | site.company.com/ |
| site.company.com | site.company.com/* | company.com/, site2.company.com/ |
| *.company.com | site.company.com/*, site2.company.com/* | company.com/ |
| company.com/folder | company.com/folder/* | company.com/ |
| *.company.com/folder | foo.company.com/folder, bar.company.com/folder | company.com, foo.company.com/ |
| foo.company.com/folder | foo.apple.com/folder, foo.apple.com/folder2, foo.apple.com/folder/folder | company.com, company.com/sub, foo.company.com/, bar.company.com/folder |
| *.co | company.co, beats.co, company.co/folder | company.co.uk, company.com |
If you specify a port number, then only addresses that specify that port number will be matched. Otherwise, port 80 will be assumed for http and port 443 will be assumed for https.
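The following is an added example, not Ivanti or Apple code: a small Python model of the matching rules in Table 1 and the port rule, for checking which URLs a planned list of entries would treat as managed before the configuration is distributed. The function names, the prefix-style path comparison, and the use of the scheme's default port for URLs without an explicit port are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _strip_www(host):
    return host[4:] if host.startswith("www.") else host

def parse_entry(entry):
    """Split a managed-domain entry into (wildcard, host, port, path)."""
    text = entry.strip().lower().rstrip("/")      # trailing slashes are ignored
    hostport, _, path = text.partition("/")
    host, _, port = hostport.partition(":")
    wildcard = host.startswith("*.")
    host = host[2:] if wildcard else _strip_www(host)
    return wildcard, host, int(port) if port else None, "/" + path if path else ""

def is_managed(entry, url):
    """True if url falls under entry, following Table 1 and the port rule."""
    wildcard, host, port, path = parse_entry(entry)
    u = urlsplit(url if "://" in url else "https://" + url)
    url_host = _strip_www((u.hostname or "").lower())
    if wildcard:
        # "*.company.com" requires a subdomain, so bare company.com is excluded
        if not url_host.endswith("." + host):
            return False
    elif url_host != host:
        return False
    # Assumption: a URL with no explicit port is given its scheme default
    if port is not None and (u.port or DEFAULT_PORTS.get(u.scheme)) != port:
        return False
    # Assumption: the entry's path is compared as a plain string prefix
    return u.path.startswith(path)

def matching_entries(entries, url):
    """Return the configured entries that would make url managed."""
    return [e for e in entries if is_managed(e, url)]

if __name__ == "__main__":
    entries = ["*.company.com", "company.com/folder", "*.example.com:8080"]  # constructed
    for url in ("https://site.company.com/a", "https://company.com/",
                "http://site.example.com/page.html"):
        print(url, "->", matching_entries(entries, url) or "unmanaged")
```

A URL that returns an empty list from `matching_entries` is one whose downloads Safari would treat as unmanaged under this model, which is the case to review before relying on the restrictions configuration.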
Managed domains example
Acme, Inc. wants to use managed domains to do the following:
- provide a cue to users who are about to email content outside of Acme, Inc.
- prevent users from emailing confidential documents downloaded from their website
They have created the following managed domain configuration and assigned it to a label that identifies all iOS 8 devices:
Figure 1. Managed domains configuration example
They have also created a restrictions configuration and assigned it to the same label as the managed domains configuration. The restrictions configuration has the managed apps options disabled, as shown in the following figure.
Figure 2. Restrictions setting example
As a result of these two configurations, external addresses are highlighted in red when a user composes an email in the native Mail app:
Figure 3. Highlighted external addresses in email
Also, users who use Safari to download documents from acme.com/confidential find that the usual Mail and Message apps are not available for these documents because they are not managed apps.
Figure 4. Unmanaged apps are not available