iOS Restrictions

iOS restrictions are settings that help the primary user of the device control what other users are allowed to do with iOS, watchOS, and visionOS devices. These settings are defined by Apple and managed by Ivanti Neurons for MDM.

During the distribution of this configuration to Shared iPads, you can select either the Device Channel or the User Channel . This is useful to distribute separate configurations and enforce restrictions that are applicable only to the device or the user channel.

The global administrators can delegate space administrators to edit the configuration for All Devices and for the Custom distribution option. For the iOS Restriction configure, you can optionally select the Allow this configuration to be available in all Spaces option.

The distribution changes are applicable only to the specific space. All other spaces continue to inherit the default space distribution settings.

iOS restrictions settings

Category

Setting

What To Do

 

Name

Enter a name that identifies this configuration.

 

Description

Enter a description that clarifies the purpose of this configuration.

Device functionality iOS All Versions Enable use of device features.

 

Allow screenshots and screen recording

Select to allow the device user to take screen captures using the built-in iOS screen capture feature.

  Allow remote screen observation (iOS 9.3 and later) Select to allow user to observe remote screen.

 

Allow force unprompted managed classroom screen observation (Supervised only - iOS 10.3+)

(Applicable for iPads only) Select to allow unprompted message on the screen when a supervised iPad is configured with managed classes.

 

Allow automatic sync while roaming

Select to allow synchronization of mail accounts while the device is outside of its home country.

 

Allow Siri

Select to allow the personal assistant app on supported devices.

 

Allow Siri while device is locked

Select to allow the personal assistant app to perform tasks even when the device is locked.

  Enable Siri profanity filter (Supervised only) Select to enable the Siri profanity filter.

 

Allow voice dialing

Select to allow users to dial a contact or number by talking to the device.

 

Allow In-App Purchase

Select to allow users to make purchases through apps running on the device.

 

Allow passbook while device is locked

Select to allow Passbook notifications to display while the device is locked.

 

Allow lock screen Control Center

Select to allow access to Control Center from the lock screen.

 

Allow lock screen Notifications view

Select to allow notifications to be displayed on the lock screen.

 

Allow lock screen Today view

Select to allow access to the Today view from the lock screen.

 

Allow Open In from managed to unmanaged apps

Requires Gold license.

Select to allow documents in managed apps and accounts to be opened in unmanaged apps and accounts. Disabling this option prevents exchange of documents from managed to unmanaged apps and accounts. For example, you might want to keep enterprise documents from being opened with personal apps. You can also use this option (disable) together with a managed domains configuration to ensure that data downloaded from managed domains can only be opened in a managed app.

 

Allow Open In from unmanaged to managed apps

Requires Gold license.

Select to allow documents in unmanaged apps and accounts to be opened in managed apps and accounts. Disabling this option prevents exchange of documents from unmanaged to managed apps and accounts. For example, you might want to keep users from sending personal documents using company email. You can also use this option (turn off) together with a managed domains configuration to ensure that data downloaded from unmanaged domains cannot be opened in a managed app.

 

Require passcode on first AirPlay pairing

Select to require the Apple TV to display a passcode that the user must enter on the iOS device to authorize the initial pairing of the devices.

  Force Password on AirPlay incoming requests (tvOS up to 10.1)

Select to require the user to enter password for all incoming AirPlay requests.

Default: Deselected

 

iOS All Versions Supervised

 

Allow Apple Books

Select to allow access to the Apple Books app.

 

Allow explicit sexual content in iBooks Store (iOS and tvOS 11.3 and later)

Select to allow users to download iBooks store material that has been tagged as erotica.

 

Allow account modification

Select to allow users with supervised iOS 7 devices to add email accounts and make changes to email accounts that have already been configured.

 

Allow app cellular data modification

Select to allow users to make changes to cellular data settings for apps.

 

Allow Find My Friends modification

Select to allow users to make changes to the Find My Friends app settings.

 

Allow pairing with non- Configurator hosts

Select to allow host pairing for iTunes synchronization. In effect, enabling this option allows supervised devices to sync with iTunes on a Mac other than the supervision host. Disabling this option disables all host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.

 

Allow AirDrop

Select to allow use of AirDrop on the device. AirDrop is Apple’s ad hoc Wi-Fi system that enables file sharing with nearby users. By restricting this feature, you ensure that sensitive documents are not leaked to unauthorized or unsecured devices.

  Allow Touch ID / Face ID to unlock device Select to allow Touch ID or Face ID to unlock the devices.
  Allow Spotlight search to return Internet search results Select to allow Spotlight search to return Internet search results.

 

Allow app in single app mode

Enter comma separated list of bundle IDs for apps that can autonomously enter single app mode on iOS supervised devices. For example, you can specify custom exam apps for students. As soon as the student launches the app, the app enters single app mode to ensure that the student cannot use other resources while taking the exam. This feature applies to apps developed for autonomous single app mode. Supervision is established with Apple Configurator.

 

iOS 8+

 

Allow Enterprise books to be backed up

Select to allow personal backup of iBooks, ePub, and PDF documents that were pushed to the device using MDM.

 

Allow Enterprise books notes and highlights to be synced

Select to allow the notes and highlights added to Enterprise books to be synchronized to iTunes.

 

Force Apple Watch wrist detection

Select to hide on-screen notifications unless someone is wearing the Apple Watch.

 

iOS 8+ Supervised

 

Allow predictive keyboard

Select to allow users to enable iOS prediction of the word being typed, enabling users to tap one of three predictions to complete the word.

 

Allow keyboard auto-correction

Select to allow use of auto-correction with Bluetooth keyboards.

 

Allow keyboard spell check

Select to allow use of spell check with Bluetooth keyboards.

 

Allow keyboard definition lookup

Select to allow definition lookup with Bluetooth keyboards.

 

Allow modifying Touch ID fingerprints / Face ID faces

Select to allow Touch ID or Face ID settings to be changed.

 

iOS 9+ Supervised

 

Allow keyboard shortcuts on iPads

Select to allow use of keyboard shortcuts on the iPad.

 

Allow modification of wallpaper

Select to allow users to change wallpaper images.

 

Allow pairing with Apple watch

Select to allow pairing of the iPhone with the Apple watch.

 

Allow modification of device name

Select to allow user to change the name of the device.

  Allow modification of enterprise app trust setting Select to allow user to change the enterprise app trust settings.
  iOS 9.3+ Supervised  
  Allow modification of notifications settings Select to allow user to change notification settings.
  iOS 9.3.2+ Supervised  
  Allow diagnostic submission modification Select to allow user to change settings related to submission of diagnostic data to Apple.

 

iOS 10+ Supervised

 

Allow Bluetooth modification

Select to allow user to modify the Bluetooth setting on supervised devices. Useful in such cases as shared iPads used for the Classroom app for Education where Bluetooth is required to run the app.

 

iOS 10.3+ Supervised

 

Allow dictation

Select to allow the user to talk to the iPhone or iPad instead of typing.

 

iOS 11+ Supervised

 

Allow AirPrint

Select to allow AirPrint feature for wireless printing.

 

Allow AirPrint Credential Storage

Select to allow keychain storage of username and password for the AirPrint.

 

Allow Airprint iBeacon Discovery

Select to allow the user to set iBeacon discovery of AirPrint printers.

 

Allow adding VPN configurations

Select to allow the user to create VPN configuration

 

Force Airprint Trusted TLS Requirement

Select to allow trusted certificates for TLS printing communication.

Default: Deselected

 

Allow System App Removal

Select to allow the removal of system app.

 

Allow modifying cellular plan settings

Select to allow users to  modify cellular plan settings.

 

Allow setting up new nearby devices

Select to allow users to setup new nearby devices.

 

Automatically join Classroom classes without prompting

Select to allow users to automatically join classroom classes without any prompt.

Default: Deselected

 

Allow Classroom to lock an app and lock the device without prompting

Select to allow classroom to lock an app and the device without prompting the user.

Default: Deselected

 

Force the user to authenticate before passwords or credit card information can be autofilled in Safari and apps

Device owner must authenticate before passwords or credit card information can be auto filled in Safari browser and in applications.

Default: False

  iOS 11.3+  
  Allow pairing with Remote app (tvOS 11.3 and later) Select to allow pairing the device with the Remote app.
  Allow incoming AirPlay requests (tvOS 11.3 and later) Select to allow incoming AirPlay requests.

 

iOS 11.3+ Supervised

 

Allow USB restricted mode

Select to allow user to access USB restricted mode.

 

Defer software updates for 30 days (for iOS 11.3, tvOS 12.2 and later with supervised devices only)

Select to enter the number of days by which you want to defer software updates. The default is 30 days, and the maximum is 90 days.

Default: Deselected

 

Require teacher permission to leave Classroom unmanaged classes

Select to allow user to get the required teacher permission to leave classroom unmanaged classes.

  iOS 12+ Supervised
  Force automatic Date & Time (iOS 12.0 & tvOS 12.2 and later)

Select to turn on the Date & Time "Set Automatically" feature. It cannot be turned off by the user.

Default: False

 

Allow modifying eSIM settings (iPhone XS, iPhone XS Max, & iPhone XR - iOS 12.1 and later versions)

Select to allow user to modify the eSim configuration on supported devices. This option also prevents users from adding or removing a cellular plan in Settings on their devices.

Default: True

  iOS 12.2+ Supervised

 

Allow modifying Personal Hotspot settings

Select to allow the user to modify Personal Hotspot settings.

Default: True

  iOS 13.0+
  Allow Files Network Drive Access

Select to allow the user to connect to network drives in the Files app.

Default: True

  Allow Files USB Drive Access

Select to allow the user to connect to any connected USB devices in the Files app.

Default: True

 

iOS 13.0+ Supervised

 

Allow Continuous Path Keyboard

Select to enable continuous path keyboard (swipe or trace typing).

Default: True

  Allow Device Sleep

Select to enable device sleeping.

Default: True

  Allow Find Device

Select to enable Find My Device in the Find My app.

Default: True

  Allow Find My Friend

Select to enable Find My Friends in the Find My app.

Default: True

 

Force WiFi Power On

Select to enable WiFi power to be in the on state.

Default: False

  iOS 13.4+  
  Allow Guest Session for shared iPad

If false, temporary sessions are not available on Shared iPad.

Default: True

 

iOS 14.0+

 

 

Allow Apple Personalized Advertising

If false, limits Apple personalized advertising. This will prevent Apple from using the user's information for targeting ads. This may not reduce the number of ads received, but the ads will be less relevant to the user.

Default: True

 

iOS 14.0+ Supervised

 

 

Allow App Clips

If false, prevents a user from adding any App Clips, and removes any existing App Clips on the device.

Default: True

 

iOS 14.2+ Supervised

 

 

Allow NFC

If false, disables NFC. Requires a supervised device. Available in iOS 14.2 and later.

Default: True

 

iOS 14.5+

 

 

Allow Auto Unlock

Administrators can use the existing allowAutoUnlock restriction to manage this feature. If false, disallows auto unlock. Available in macOS 10.12 and later, and iOS 14.5 and later.

Default: true

 

Force on Device only Dictation

If true, disables connections to Siri servers for the purposes of dictation.

Default: false

 

iOS 14.5+ Supervised

 

 

Allow unpaired external boot to recovery

If true, allows devices to be booted into recovery by an unpaired device.

Default: false

 

Force WiFi to allowed networks only

If true, limits device to only join WiFi networks set-up via configuration profile.

Default: false

If the Force WiFi to allowed networks only restriction is enabled and WiFi configuration is not distributed to the device, the WiFi connection is lost.

 

iOS 15+

 

 

Force on Device only Translation

If true, the device won’t connect to Siri servers for the purposes of translation.

Default: false

 

Require Managed Pasteboard

If true, copy and paste functionality respects the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged restrictions.

Default: false

 

iOS 15.2+

 

 

Allow Mail Privacy Protection

If false, disables Mail Privacy Protection on the device. Available in iOS 15.2 and later.

When the Allow Mail Privacy Protection configuration is installed and enabled from the Ivanti Neurons for MDM administrative portal, the Protect Mail Activity toggle is enabled on the device and the following options are visible:

  • Hide IP Address - The email sender cannot link the email to your online activity or determine your location
  • Block All Remote Content - Prevents the email sender from seeing your email activities

Default: true

 

iOS 15.4+

 

 

Allow Apple TV's automatic screen saver (tvOS 15.4 and later)

If false, disables Apple TV’s automatic screen saver. Available in tvOS 15.4 and later.

Default: true

 

iOS 16.0+

 

 

Allow Rapid Security Response Installation To disable the responses. The user cannot install rapid security responses.

 

Allow Rapid Security Response Removal To block the user from being able to undo the responses. The user cannot remove rapid security responses.

 

iOS 17.0+ Supervised

  Allow iPhone widgets on Mac devices Select to allow the iPhone widgets to appear on Mac devices that uses the same AppleID of the iPhone for iCloud on both the devices.
  iOS 17.2+ Supervised
  Allow Live Voice Mail Select to enable live voicemail on the device.
  Force Preserve ESIM On Erase

Select to preserve the eSIM when the system erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset.

The system doesn’t preserve eSIM if Find My initiates to erase the device.

  iOS 17.4+ Supervised
  Allow Marketplace App Installation Select to allow the users from downloading apps from alternative marketplaces. This Restriction when set to false, will prevent users from installing new alternative marketplace apps and apps installed from those marketplaces.
  Allow Auto Dim Select to allow auto dimming option on iPads with OLED displays.

 

iOS 17.5+ Supervised

 

Allow Web distribution App Installation

This allowWebdistributionAppInstallation restriction when set to false, will prevent users from installing apps directly from new alternative websites. It is applicable for supervised devices only.

Applications iOS All Versions Enable access to applications on the devices.

 

Allow installing apps

Select to enable the user to install applications from the Apple App Store. Deselect to disable the App Store and remove its icon from the Home Screen.

 

All use of camera

Select to enable the user to operate the camera. Deselect to disable the camera and remove its icon from the Home screen.

 

Allow use of Safari

Select to allow use of the Safari web browser. Deselect to disable the Safari web browser, remove its icon from the Home screen, and prevent users from opening web clips.

 

Enable autofill

Select to turn on the autofill feature for fields displayed in Safari.

 

Force fraud warning

Select to prompt Safari to attempt to prevent the user from visiting websites identified as being fraudulent or compromised.

 

Enable JavaScript

Select to turn on Javascript support for Safari.

 

Block pop-ups

Select to block pop-ups for Safari.

  iOS All Versions Supervised
 

Allow removing apps

Select to allow users to remove apps from the device.

 

Allow use of Game Center

Select to allow access to Game Center.

 

Allow adding Game Center friends

Select to allow users to add friends to Game Center.

 

Allow multiplayer gaming

Select to allow users to play games that include other users.

 

Allow iMessage

Select to allow use of iMessage.

 

Accept cookies

Select Never, Always, or From Visited sites.

 

Allow FaceTime

Select to allow the user to run FaceTime if the camera is enabled.

  iOS 8+
 

Allow managed applications to use cloud sync

Select to allow managed apps to use cloud sync.

 

Allow Activity Continuation

Select to allow activity continuation in apps supporting Handoff.

  iOS 8+ Supervised

 

Allow use of Podcasts

Select to allow use of Podcasts.

  iOS 9+

 

Allow trusting of new enterprise app authors

Select to allow user to access new enterprise apps.

  iOS 9+ Supervised
 

Allow App Store

Select to allow user access to the Apple App store.

 

Allow automatic app download

Select to allow the app to download files, data, updates with prompting the user.

 

Allow News app

Select to allow use of the News app.

  iOS 9.3+ Supervised  
  Allow iTunes Radio Select to allow use of iTunes radio.
  Allow Apple Music Select to allow use of Apple Music.

 

Allow Listed App Bundle IDs

Select to allow only bundle IDs listed in the array to be shown or launchable. Include the value com.apple.webapp to allow all webclips.

 

Blocked App Bundle IDs

Select to prevent bundle IDs listed in the array from being shown or launchable. Include the value com.apple.webapp to restrict all webclips.

  iOS 13.0+ Supervised

 

Allow use of iTunes Store

Select to allow use of the iTunes Music Store. Deselect to disable iTunes Music store and remove its icon from the Home screen.

 

Category

Setting

What To Do

iCloud iOS All Versions Enable access to iCloud services.

Allow backup

Select to allow the device to back up data via Apple’s iCloud service.

 

Allow document sync

Select to allow documents to be synchronized via Apple’s iCloud service.

 

Allow Photo Stream

Select to allow photos to be synchronized to your other iOS devices via Apple’s iCloud.

 

Allowed shared Photo Streams(disallowing can cause data loss)

Select to allow synchronization of shared photos.

Deselecting this option can result in loss of photos.

 

Allow Keychain sync

Select to allow synchronization of your keychain.

 

iOS 9+

 

Allow iCloud Photo Library

Select to allow access to iCloud photo library.

 

iOS 15+ Supervised

 

 

Allow cloud private relay

If false, disables iCloud Private Relay. Default: true

 

Category

Setting

What To Do

Security and Privacy

iOS All Versions Enable security and privacy policies.

 

Allow over-the-air certificate updates

Select to allow over-the-air updates of root certificates.

 

Force limit ad tracking

Select to require use of the limit ad tracking feature.

 

iOS All Versions Supervised

 

Allow configuration profile installation

Select to allow users to install configuration profiles and certificates interactively.

 

Allow assistant user generated content

Select to allow Siri to query user-generated content from the web.

 

iOS 8+ Supervised

 

Allow user to erase all content and settings in Reset UI

Select to enable the "Erase All Content And Settings" option in the iOS Reset UI on the device.

 

Allow Screen Time

Select to allow screen time (Settings > Screen Time).

 

Allow diagnostic data to be sent to Apple

Select to allow automatic submission of diagnostic data to Apple.

 

Allow user to accept untrusted TLS certificates

Select to allow the device user to accept untrusted HTTPS certificates. If this option is not selected, then the device will automatically reject untrusted HTTPS certificates without prompting the device user.

 

Force encrypted backups

Select to require encrypted backups via iTunes. Automatically selected due to SCEP requirements.

 

Force user to enter iTunes Store password for all transactions

Select to force device users to enter their iTunes password for each App Store transaction. If this option is not selected, then the device user can make multiple transactions on a single authentication.

 

iOS 9+

 

Treat AirDrop as unmanaged destination

Select to allow user access to AirDrop file sharing.

Default: False

 

iOS 9+ Supervised

 

Allow modification of device passcode Select to allow user to change the passcode for the device.
  iOS 12+
  Allow managed apps to write contacts to unmanaged contact accounts

Select to allow managed apps to write contacts to unmanaged contacts accounts.

Default: False

  iOS 12+ Supervised
  Allow autofill passwords Select to allow users to use the AutoFill Passwords feature on iOS and be prompted to use a saved password in Safari or in apps.
  Allow nearby devices to share requests for a password Select to allow user's device to request passwords from nearby devices.
  Allow password sharing Select to allow users to share their passwords with the Airdrop Passwords feature.
  Allow unmanaged apps to read contacts from managed contact accounts

Select to allow unmanaged apps to read from managed contacts accounts.

Default: False

 

Category

Setting

What To Do

Content Ratings   Control access to apps and media.

 

Allow playback of explicit music, podcasts & iTunes U media (iOS 13+ Supervised only and tvOS 11.3 and later)

Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.

 

Ratings region

Select a region from the drop-down list to change the region associated with the rating selections for applications, TV shows, and movies.

 

Movies

Select a rating limit for movies stored on the device:

  • Do not Allow Movies
  • G
  • PG
  • PG-13
  • R
  • NC-17
  • Allow All Movies

 

TV Shows

Select a rating limit for TV shows stored on the device:

  • Do not Allow TV Shows
  • TV-Y
  • TV-Y7
  • TV-G
  • TV-PG
  • TV-14
  • TV-MA
  • Allow All TV Shows

 

Apps

Select a rating limit for applications on the device:

  • Do not Allow Apps
  • 4+
  • 9+
  • 12+
  • 17+
  • Allow All Apps

For more information, see How to create a configuration