Restrictions
The Restrictions settings restrict specific features, network settings, developer options, and location detection policies on iOS devices. Enable Configure device restrictions to configure restrictions on device functions, applications, iCloud, and content.
Device settings
The following table describes the restrictions that you can configure on an iOS device:
Policy setting | Description | Supported devices or workflows | ||||||
---|---|---|---|---|---|---|---|---|
Allow open from managed to unmanaged apps | If this setting is disabled, documents in managed apps and accounts only open in other managed apps and accounts. | iOS 7.0+, User Enrollment | ||||||
Allow open from unmanaged to managed apps | If this setting is disabled, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. | iOS 7.0+, User Enrollment | ||||||
Allow AirDrop for managed apps | The user can use AirDrop to share and work with files from managed apps. | iOS 9.0+, User Enrollment | ||||||
Allow installing of applications | The user can install apps on a device. If this setting is disabled, the user cannot install or update apps from the App Store using the Finder (macOS 10.15 or later) or iTunes (macOS 10.14 or earlier). Note: This feature is being deprecated, but available functions might vary
with OS versions. This setting is not supported from iOS 13 on managed devices. To configure this
setting for supervised devices, go to .
|
|||||||
Allow use of camera | The user can use the camera app on the device. If this setting is disabled, the camera app is
hidden from the user and the user cannot access the camera app from other apps. Note: This setting
is not supported from iOS 13 on managed devices. To configure this setting for supervised devices,
go to .
Allow use of FaceTime: The user can use the FaceTime app on the device to make audio and video calls from the device. Note: This setting is not supported from iOS 13 on managed devices. To configure
this setting for supervised devices, go to .
|
|||||||
Allow screen capture | The user can take a screen capture from a device by pressing the Sleep/Wake button and the Home button on the device at the same time. This setting allows iOS 9 devices to capture video. | User Enrollment | ||||||
Allow automatic synchronization while roaming | The user can automatically synchronize features on the device while the device is roaming. | User Enrollment | ||||||
Allow Siri | The user can use Siri (virtual assistant) on the device. If this setting is disabled, the
user cannot use Siri on the device and the dictation feature is removed from the device keyboard.
Allow Siri while locked: The user can use Siri (virtual assistant) on a locked device. |
iOS 5.0+, User Enrollment | ||||||
Allow Touch ID/Face ID | The user can use the Touch ID fingerprint identification sensor or facial recognition on the device. The Touch ID and the Face ID settings do not affect the general passcode settings. | iOS 7.0+ | ||||||
Allow Handoff | The user can use the Handoff feature to transfer activities on the device to other iOS devices. | iOS 8.0+ | ||||||
Allow voice dialing | The user can use the voice dialing feature on the device. | |||||||
Allow in-app purchase | The user can purchase items through apps on the device. If this setting is disabled, a user cannot make purchases in an app. However, the user can still purchase individual apps, not purchase items through the app. | |||||||
Allow multiplayer gaming | The user can play games online over wifi or cellular data on the device. Note: This setting
is not supported from iOS 13 on managed devices. To configure this setting for supervised devices,
go to .
|
|||||||
Allow adding Game Center friends | The user can add contacts from the Game Center social network. Note: This setting is not
supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to .
|
|||||||
Allow submission of diagnostic information to Apple | The user can send diagnostic information that contains device information to Apple, including device crashes and other unexpected behaviors. | iOS 6.0+, User Enrollment | ||||||
Enforce iTunes password entry | The user is prompted to enter an iTunes password to access the iTunes store on the device. | |||||||
Allow untrusted TLS prompt | If this setting is enabled, the user is prompted whether to allow or deny untrusted HTTPS certificates that are received on the device. If this setting is disabled, untrusted HTTPS certificates are automatically rejected on the device. | |||||||
Allow Passbook while locked | The user can use the Passbook feature to store coupons, boarding passes, event tickets, credit cards, and debit cards on a locked device. | iOS 6.0+ | ||||||
Limit ad tracking | The user does not receive as many targeted ads on the device. The user might still receive ads on the device, but the ads are more random and less personal. | iOS 7.0+ | ||||||
Allow Today view in Lock screen | The user can access Today view notifications on the screen of a locked device. | iOS 7.0+, User Enrollment | ||||||
Allow Control Center in Lock screen | The user can access the Control Center on the screen of a locked device. | iOS 7.0+, User Enrollment | ||||||
Allow web results in Spotlight search | If this setting is enabled, the Spotlight feature searches content on the device and on the internet. If this setting is disabled, the Spotlight feature searches only on the device. | iOS 8.0+ | ||||||
Allow unauthenticated AirPlay connections | The device does not require a security or wifi password to connect to other Apple devices
through AirPlay.
|
User Enrollment | ||||||
Allow Lock screen notifications | The user can view notifications on the screen of a locked device. | iOS 7.0+, User Enrollment | ||||||
Allow Over-the-Air PKI updates | The user can accept PKI certificate updates over-the-air on the device. | iOS 7.0+ | ||||||
Force Apple Watch wrist detection | A device that is paired with an Apple Watch is forced to use wrist detection to determine if the device is worn on the wrist of the device user. | iOS 8.2+, User Enrollment | ||||||
Allow managed to write unmanaged contacts | Managed apps can write Contacts to unmanaged Contacts accounts. For this restriction to work
on iOS 12, you must enable Allow Unmanaged to read Managed Contacts to allow
delete access for Contacts on the apps. Note: This restriction does not apply if Allow
Open from Managed to Unmanaged apps is enabled.
|
iOS 12.0+ | ||||||
Allow unmanaged to read managed contacts | Unmanaged apps can read Contacts from managed Contacts accounts. Note: This restriction does
not apply if Allow Open from Managed to Unmanaged apps is
enabled.
|
iOS 12.0+, User Enrollment | ||||||
Allow server logging for Siri | The device can use Siri for server-side logging. | iOS 12.2+, User Enrollment | ||||||
Allow trust of enterprise apps | The device can trust new enterprise apps. If this setting is disabled, this setting still allows apps that are pushed from MaaS360. | iOS 9.0+ | ||||||
Allow Deprecated Web KitTLS | Apple no longer supports TLS v1.0 and v1.1 in iOS 13.4. If this setting is enabled, you cannot access sites in Safari that use TLS v1.0 and v1.1. | iOS 13.4+ | ||||||
Allow Apple Personalized Advertisements | If this setting is disabled, the Apple advertising platform is restricted from using user data to deliver personalized ads on iOS 14 devices. This setting replaces Limit ad tracking, which is supported on iOS 13 and earlier devices only. | iOS 14.0+ | ||||||
Allow Automatic unlock | If this setting is disabled, users cannot unlock their paired iPhone running iOS 14.5 with
their Apple Watch. By default, users can use their Apple Watch to unlock their iPhone when a mask
prevents Face ID from recognizing a face. Note: To unlock an iPhone with Apple Watch, the watch must
be nearby, unlocked, and protected by a passcode.
If this setting is disabled, the Unlock With Apple Watch option in the Face ID & Passcode device settings is hidden. |
iOS 14.5+ | ||||||
Force On Device only Translation | If this setting is enabled, the Translate app will not send content to the Siri servers for the purposes of translation. | iOS 15.0+, User Enrollment | ||||||
Allow Pasteboard content between managed and unmanaged apps | If this setting is disabled, copy and paste data between managed and unmanaged apps is
restricted. If this setting is enabled, copy and paste functions use Allow Open from
Managed to Unmanaged Apps and Allow Open from Unmanaged to Managed
Apps. For example:
|
iOS 15.0+, User Enrollment |
Application settings
The following table describes the restrictions that you can configure for apps on an iOS
device:
Policy setting | Description | Supported devices |
---|---|---|
Allow use of YouTube application | The user can use the native YouTube app on the device. Note: The use of the native YouTube
app on iOS devices was discontinued in iOS 6.
|
iOS 4.0, iOS 5.0 |
Allow use of iTunes for media download | The user can download apps, music, or videos from the iTunes store on the device. Note: This
setting is not supported from iOS 13 on managed devices. To configure this setting for supervised
devices, go to .
|
|
Allow use of Safari | The user can use the Safari browser on the device. Note: This feature is being deprecated, but
available functions might vary with OS versions. This setting is not supported from iOS 13 on
managed devices. To configure this setting for supervised devices, go to .
|
|
Allow explicit music and podcasts purchased from iTunes | The user can download explicit material on the device. Note: This setting is not supported
from iOS 13 on managed devices. To configure this setting for supervised devices, go to .
|
iCloud settings
The following table describes the restrictions that an administrator can configure for iCloud on
an iOS device:
Policy setting | Description | Supported devices |
---|---|---|
Allow Cloud backup | The user can back up the contents of the device onto iCloud. Note: This setting is not
supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to .
|
iOS 5.0+ |
Allow Cloud Keychain sync | The user can synchronize information such as a Safari user name and password, credit card
details, or wifi settings onto iCloud. Note: This setting is not supported from iOS 13 on managed
devices. To configure this setting for supervised devices, go to .
|
iOS 7.0+ |
Allow Documents sync | The user can synchronize documents that are uploaded to iCloud. Note: This setting is not
supported from iOS 13 on managed devices. To configure this setting for supervised devices, go to .
|
iOS 5.0+ |
Allow Photo Stream sync (disallowing can cause data loss) | The user can synchronize images on the device onto iCloud. If you disable this setting, you might eventually lose images on the device that you did not upload to iCloud. | iOS 5.0+ |
Allow shared Photo Stream | The user can share images that are uploaded to iCloud with other users. | iOS 6.0+ |
Allow iCloud photo library | The user can download a library of images from iCloud on the device. If this setting is disabled, images that are not downloaded, but stored locally are removed from the device. | iOS 9.0+ |
Allow managed apps to sync | The user can synchronize managed apps on the device onto iCloud. | iOS 8.0+, User Enrollment |
Allow Enterprise Book backup | The user can back up enterprise iBooks on the device onto iCloud. | iOS 8.0+, User Enrollment |
Allow Enterprise Book annotation sync | The user can synchronize enterprise iBooks annotations on the device onto iCloud. | iOS 8.0+, User Enrollment |
Ratings region settings
The following table describes the restrictions that you can configure to locate an iOS
device:
Policy setting | Description | Supported devices |
---|---|---|
Region for content ratings | The device displays the country where the content rating originates. | |
Maximum allowed content rating for movies | The administrator can set the maximum content rating for movies that are downloaded from iTunes. Any content that is above the rating settings cannot be downloaded to or accessed by the device. | |
Maximum allowed content rating for TV shows | The administrator can set the maximum content rating for television shows that are downloaded from iTunes. Any content that is above the ratings setting cannot be downloaded to or accessed by the device. | |
Maximum allowed content rating for applications | The administrator can set the maximum content rating for apps that are downloaded from iTunes. Any content that is above the ratings setting cannot be downloaded to or accessed by the device. |