Restrictions

The Restrictions settings restrict specific features, network settings, developer options, and location detection policies on iOS devices. Enable Configure device restrictions to configure restrictions on device functions, applications, iCloud, and content.

Device settings

The following table describes the restrictions that you can configure on an iOS device:
Policy setting Description Supported devices or workflows
Allow open from managed to unmanaged apps If this setting is disabled, documents in managed apps and accounts only open in other managed apps and accounts. iOS 7.0+, User Enrollment
Allow open from unmanaged to managed apps If this setting is disabled, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. iOS 7.0+, User Enrollment
Allow AirDrop for managed apps The user can use AirDrop to share and work with files from managed apps. iOS 9.0+, User Enrollment
Allow installing of applications The user can install apps on a device.

If this setting is disabled, the user cannot install or update apps from the App Store using the Finder (macOS 10.15 or later) or iTunes (macOS 10.14 or earlier).

Note: This feature is being deprecated, but available functions might vary with OS versions. This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 
Allow use of camera The user can use the camera app on the device. If this setting is disabled, the camera app is hidden from the user and the user cannot access the camera app from other apps.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.

Allow use of FaceTime: The user can use the FaceTime app on the device to make audio and video calls from the device.

Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 
Allow screen capture The user can take a screen capture from a device by pressing the Sleep/Wake button and the Home button on the device at the same time. This setting allows iOS 9 devices to capture video. User Enrollment
Allow automatic synchronization while roaming The user can automatically synchronize features on the device while the device is roaming. User Enrollment
Allow Siri The user can use Siri (virtual assistant) on the device. If this setting is disabled, the user cannot use Siri on the device and the dictation feature is removed from the device keyboard.

Allow Siri while locked: The user can use Siri (virtual assistant) on a locked device.

 iOS 5.0+, User Enrollment
Allow Touch ID/Face ID The user can use the Touch ID fingerprint identification sensor or facial recognition on the device. The Touch ID and the Face ID settings do not affect the general passcode settings. iOS 7.0+
Allow Handoff The user can use the Handoff feature to transfer activities on the device to other iOS devices. iOS 8.0+
Allow voice dialing The user can use the voice dialing feature on the device.  
Allow in-app purchase The user can purchase items through apps on the device. If this setting is disabled, a user cannot make purchases in an app. However, the user can still purchase individual apps, not purchase items through the app.  
Allow multiplayer gaming The user can play games online over wifi or cellular data on the device.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 
Allow adding Game Center friends The user can add contacts from the Game Center social network.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 
Allow submission of diagnostic information to Apple The user can send diagnostic information that contains device information to Apple, including device crashes and other unexpected behaviors. iOS 6.0+, User Enrollment
Enforce iTunes password entry The user is prompted to enter an iTunes password to access the iTunes store on the device.  
Allow untrusted TLS prompt If this setting is enabled, the user is prompted whether to allow or deny untrusted HTTPS certificates that are received on the device. If this setting is disabled, untrusted HTTPS certificates are automatically rejected on the device.  
Allow Passbook while locked The user can use the Passbook feature to store coupons, boarding passes, event tickets, credit cards, and debit cards on a locked device. iOS 6.0+
Limit ad tracking The user does not receive as many targeted ads on the device. The user might still receive ads on the device, but the ads are more random and less personal. iOS 7.0+
Allow Today view in Lock screen The user can access Today view notifications on the screen of a locked device. iOS 7.0+, User Enrollment
Allow Control Center in Lock screen The user can access the Control Center on the screen of a locked device. iOS 7.0+, User Enrollment
Allow web results in Spotlight search If this setting is enabled, the Spotlight feature searches content on the device and on the internet. If this setting is disabled, the Spotlight feature searches only on the device. iOS 8.0+
Allow unauthenticated AirPlay connections The device does not require a security or wifi password to connect to other Apple devices through AirPlay.
  • Incoming requests: The device can receive incoming requests from unknown Apple devices through AirPlay. This setting supports iOS 8.1+ devices.
  • Outgoing requests: The device does not authenticate with other Apple devices to connect through AirPlay. This setting supports iOS 7.1+ devices.
 User Enrollment
Allow Lock screen notifications The user can view notifications on the screen of a locked device. iOS 7.0+, User Enrollment
Allow Over-the-Air PKI updates The user can accept PKI certificate updates over-the-air on the device. iOS 7.0+
Force Apple Watch wrist detection A device that is paired with an Apple Watch is forced to use wrist detection to determine if the device is worn on the wrist of the device user. iOS 8.2+, User Enrollment
Allow managed to write unmanaged contacts Managed apps can write Contacts to unmanaged Contacts accounts. For this restriction to work on iOS 12, you must enable Allow Unmanaged to read Managed Contacts to allow delete access for Contacts on the apps.
Note: This restriction does not apply if Allow Open from Managed to Unmanaged apps is enabled.
 iOS 12.0+
Allow unmanaged to read managed contacts Unmanaged apps can read Contacts from managed Contacts accounts.
Note: This restriction does not apply if Allow Open from Managed to Unmanaged apps is enabled.
 iOS 12.0+, User Enrollment
Allow server logging for Siri The device can use Siri for server-side logging. iOS 12.2+, User Enrollment
Allow trust of enterprise apps The device can trust new enterprise apps. If this setting is disabled, this setting still allows apps that are pushed from MaaS360. iOS 9.0+
Allow Deprecated Web KitTLS Apple no longer supports TLS v1.0 and v1.1 in iOS 13.4. If this setting is enabled, you cannot access sites in Safari that use TLS v1.0 and v1.1. iOS 13.4+
Allow Apple Personalized Advertisements If this setting is disabled, the Apple advertising platform is restricted from using user data to deliver personalized ads on iOS 14 devices. This setting replaces Limit ad tracking, which is supported on iOS 13 and earlier devices only. iOS 14.0+
Allow Automatic unlock If this setting is disabled, users cannot unlock their paired iPhone running iOS 14.5 with their Apple Watch. By default, users can use their Apple Watch to unlock their iPhone when a mask prevents Face ID from recognizing a face.
Note: To unlock an iPhone with Apple Watch, the watch must be nearby, unlocked, and protected by a passcode.

If this setting is disabled, the Unlock With Apple Watch option in the Face ID & Passcode device settings is hidden.

Unlock With Apple Watch disabled
 iOS 14.5+
Force On Device only Translation If this setting is enabled, the Translate app will not send content to the Siri servers for the purposes of translation. iOS 15.0+, User Enrollment
Allow Pasteboard content between managed and unmanaged apps If this setting is disabled, copy and paste data between managed and unmanaged apps is restricted. If this setting is enabled, copy and paste functions use Allow Open from Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed Apps.
For example:
Allow Open from Managed to Unmanaged Apps = False Allow Open from Unmanaged to Managed Apps = True Allow Pasteboard content between managed and unmanaged apps = True
Managed documents cannot be opened with unmanaged apps. Unmanaged documents can be opened with managed apps. The data that is copied from managed apps cannot be pasted in unmanaged apps. The data that is copied from unmanaged apps can be pasted in managed apps.
iOS 15.0+, User Enrollment

Application settings

The following table describes the restrictions that you can configure for apps on an iOS device:
Policy setting Description Supported devices
Allow use of YouTube application The user can use the native YouTube app on the device.
Note: The use of the native YouTube app on iOS devices was discontinued in iOS 6.
 iOS 4.0, iOS 5.0
Allow use of iTunes for media download The user can download apps, music, or videos from the iTunes store on the device.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 
Allow use of Safari The user can use the Safari browser on the device.
Note: This feature is being deprecated, but available functions might vary with OS versions. This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
  • Enable autofill in Safari: The user can use the autofill feature for the Safari browser on the device.
    Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
  • Force fraud warning: The Safari browser displays a fraud warning if the user accesses a fraudulent site on the device. This setting is also available for User Enrollment.
  • Enable JavaScripts on websites: The Safari browser can run JavaScripts that are embedded on sites that the user accesses from the browser on the device.
  • Block popups on Safari: The Safari browser cannot display messages or tabs that open in the browser window on the device.
  • Accept cookies on Safari: The Safari browser can accept cookies in the following intervals: Never, From Visited Sites, or Always.
  
Allow explicit music and podcasts purchased from iTunes The user can download explicit material on the device.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
 

iCloud settings

The following table describes the restrictions that an administrator can configure for iCloud on an iOS device:
Policy setting Description Supported devices
Allow Cloud backup The user can back up the contents of the device onto iCloud.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
iOS 5.0+
Allow Cloud Keychain sync The user can synchronize information such as a Safari user name and password, credit card details, or wifi settings onto iCloud.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
iOS 7.0+
Allow Documents sync The user can synchronize documents that are uploaded to iCloud.
Note: This setting is not supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to Supervised Settings > Restrictions & Network.
iOS 5.0+
Allow Photo Stream sync (disallowing can cause data loss) The user can synchronize images on the device onto iCloud. If you disable this setting, you might eventually lose images on the device that you did not upload to iCloud. iOS 5.0+
Allow shared Photo Stream The user can share images that are uploaded to iCloud with other users. iOS 6.0+
Allow iCloud photo library The user can download a library of images from iCloud on the device. If this setting is disabled, images that are not downloaded, but stored locally are removed from the device. iOS 9.0+
Allow managed apps to sync The user can synchronize managed apps on the device onto iCloud. iOS 8.0+, User Enrollment
Allow Enterprise Book backup The user can back up enterprise iBooks on the device onto iCloud. iOS 8.0+, User Enrollment
Allow Enterprise Book annotation sync The user can synchronize enterprise iBooks annotations on the device onto iCloud. iOS 8.0+, User Enrollment

Ratings region settings

The following table describes the restrictions that you can configure to locate an iOS device:
Policy setting Description Supported devices
Region for content ratings The device displays the country where the content rating originates.  
Maximum allowed content rating for movies The administrator can set the maximum content rating for movies that are downloaded from iTunes. Any content that is above the rating settings cannot be downloaded to or accessed by the device.  
Maximum allowed content rating for TV shows The administrator can set the maximum content rating for television shows that are downloaded from iTunes. Any content that is above the ratings setting cannot be downloaded to or accessed by the device.  
Maximum allowed content rating for applications The administrator can set the maximum content rating for apps that are downloaded from iTunes. Any content that is above the ratings setting cannot be downloaded to or accessed by the device.