Managed domains settings

Managed domains enable you to specify which domains are trusted for Mail and Safari on iOS and macOS devices. Once the configuration is applied to the device:

  • Email from domains that are not specified in the configuration will be highlighted (untrusted) in the native Mail app.
  • Documents downloaded from domains that are specified in the configuration will be treated as managed documents by Safari on the device. Combine this configuration with a restrictions configuration to control which data downloads are allowed in Safari.
  • Device users will be unable to use the Safari autofill feature for passwords unless the URLs they access have been specifically configured as managed Safari password autofill domains.

Managed domains work together with the managed app options in the restrictions configuration. Ivanti EPMM requires a special license for using these options.

This setting does not apply to tvOS devices.

Configuring managed domains

Procedure 

  1. In the Admin Portal, select Policies & Configs.
  2. Select Add New > Apple > iOS / tvOS > Restrictions. The New Restrictions Setting dialog box opens.
  3. Create a restrictions configuration with at least the following settings not checked:
    • Allow documents from managed apps to unmanaged apps
    • Allow documents from unmanaged apps to managed apps
  4. Apply the configuration to an appropriate label to distribute it to target devices.
  5. In the Admin Portal, select Policies & Configs > Configurations.
  6. Select Add New > Apple > iOS / tvOS > Managed Domains. The Managed Domains Configuration dialog box opens.
  7. Use the following guidelines to complete the form:

    • Name: Enter brief text to identify this configuration. Note that this text will display in the iOS Settings app on the device.
    • Description: Enter optional text to clarify the purpose of this configuration.
    • Email Domains: Select Add+ to enter an email domain, such as mycompany.com. Email domains may not include the wild card format “/*”. Any email address lacking a suffix specified in the list of managed email domains will be highlighted as out-of-domain in the Mail app. Note that the www prefix and trailing slashes are ignored.
    • Web Domains: Select Add+ to enter a web domain, as in mycompany.com. Note that the www prefix and trailing slashes are ignored. See Domain formats for more information.
    • Managed Safari Password Auto Fill Domains (iOS 9.3+ Supervised Only): Select Add+ to enable password auto-fill and auto-save for URLs matching a specific Safari web domain. Supported on supervised devices running iOS 9.3 or supported newer versions.

      Notes:

      - The managed Safari password auto-filled domain feature is disabled on multi-user devices.
      - Safari will only save and auto-fill passwords on web pages that are configured for auto-fill. Password auto-fill will not work on domains where auto-fill is not configured, even if you add the domain to the list.
      - The www prefix and trailing slashes are ignored.
      - If a managed Safari password auto-fill domain contains a port number, Safari will only manage URLs that specify that port number. Otherwise, the domain will be matched without regard to the specified port number. For example, the pattern *.example.com:8080 will match http://site.example.com:8080/page.html, but not http://site.example.com/page.html. The pattern *.example.com will match both URLs.
      - Be sure to enable saving passwords on all iOS devices before enabling this feature. On the iOS device, select Settings > Safari > Autofill > Names and Passwords > Enable.

  8. Apply the configuration to an appropriate label to distribute it to target devices.

Domain formats

Use the following table as a guideline for entering both web domains and managed Safari password auto-fill domains:

Table 1. Web domain and managed Safari password auto-fill domain formats

Enter                   | To match                                                                  | To exclude
company.com             | company.com/*                                                             | site.company.com/
site.company.com        | site.company.com/*                                                        | company.com/, site2.company.com/
*.company.com           | site.company.com/*, site2.company.com/*                                   | company.com/
company.com/folder      | company.com/folder/*                                                      | company.com/
*.company.com/folder    | foo.company.com/folder, bar.company.com/folder                            | company.com, foo.company.com/
foo.company.com/folder  | foo.apple.com/folder, foo.apple.com/folder2, foo.apple.com/folder/folder  | company.com, company.com/sub, foo.company.com/, bar.company.com/folder
*.co                    | company.co, beats.co, company.co/folder                                   | company.co.uk, company.com

If you specify a port number, then only addresses that specify that port number will be matched. Otherwise, port 80 will be assumed for http and port 443 will be assumed for https.
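The matching rules from the table and the port rule above, written out as an added Python sketch for checking entries against sample URLs before a configuration is distributed. This is not Ivanti or Apple code: the function names are hypothetical, and comparing the path as a plain string prefix, letting a wildcard cover any subdomain depth, and dropping www from the URL as well as the entry are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_pattern(pattern):
    """Split a managed-domain entry into (wildcard, host, port, path)."""
    p = pattern.strip().lower()
    host_port, _, path = p.partition("/")
    path = path.rstrip("/")                  # trailing slashes are ignored
    host, _, port = host_port.partition(":")
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    elif host.startswith("www."):            # www prefix is ignored
        host = host[4:]
    return wildcard, host, int(port) if port else None, path


def is_managed(url, pattern):
    """Return True if url falls under one managed-domain entry."""
    wildcard, host, port, path = parse_pattern(pattern)
    parts = urlsplit(url if "://" in url else "https://" + url)
    url_host = (parts.hostname or "").lower()
    if url_host.startswith("www."):          # assumption: also ignored in URLs
        url_host = url_host[4:]
    if wildcard:
        # "*.company.com" covers subdomains only, never the bare domain.
        if not url_host.endswith("." + host):
            return False
    elif url_host != host:
        return False
    if port is not None:
        # An entry with a port matches only that port; a URL without an
        # explicit port uses 80 for http and 443 for https.
        if (parts.port or DEFAULT_PORTS.get(parts.scheme)) != port:
            return False
    # Assumption: the entry's path is compared as a plain string prefix.
    return parts.path.lstrip("/").startswith(path)


def managed_by(url, patterns):
    """Return the first entry that makes url managed, or None."""
    return next((p for p in patterns if is_managed(url, p)), None)


if __name__ == "__main__":
    # Constructed sample entries and URLs, not taken from a real deployment.
    entries = ["*.company.com/folder", "*.example.com:8080", "*.co"]
    for u in ["https://foo.company.com/folder/a.pdf", "http://site.example.com/page.html"]:
        print(u, "->", managed_by(u, entries))
```
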

Managed domains example

Acme, Inc. wants to use managed domains to do the following:

  • provide a cue to users who are about to email content outside of Acme, Inc.
  • prevent users from emailing confidential documents downloaded from their website

They have created the following managed domain configuration and assigned it to a label that identifies all iOS 8 devices:

Figure 1. Managed domains configuration example


They have also created a restrictions configuration and assigned it to the same label as the managed domains configuration. The restrictions configuration has the managed apps options disabled, as shown in the following figure.

Figure 2. Restrictions setting example


As a result of these two configurations, external addresses are highlighted in red when a user composes an email in the native Mail app:

Figure 3. Highlighted external addresses in email


Also, users who use Safari to download documents from acme.com/confidential find that the usual Mail and Message apps are not available for these documents because they are not managed apps.

Figure 4. Unmanaged apps are not available
