Restrictions and Network
The Restrictions and Network settings manage various functions that are available to supervised devices.
iOS uses advanced MDM configurations for devices that are configured with a Supervised profile. The administrator can tether a device to a macOS computer and use Apple Configurator 2 to supervise a device or supervise the device over-the-air as part of the Apple Device Enrollment Program (DEP).
Note: You cannot supervise an iOS device from a Windows
computer.
Restrictions and Network settings
The following table describes the functions that the administrator can manage on a supervised iOS
device:
| Policy setting | Description | Supported devices |
|---|---|---|
| Allow use of Game Center | The supervised device can access Game Center. | iOS 6.0+ |
| Allow iBookstore | The supervised device can access iBooks. | iOS 6.0+ |
| Allow configuration profile installation | Device users can add profiles or certificates to the supervised device. If this setting is disabled, users cannot add profiles or certificates to the device, but profiles and certificates can be pushed to the device through MDM. | iOS 6.0+ |
| Allow iMessage | The supervised device can use iMessage to send text messages. If this setting is disabled, the device can still use the cellular network to send text messages. | iOS 6.0+ |
| Enable Siri profanity filter | The supervised device uses a profanity filter. This setting turns the filter on or off only, but does not affect user content on the device. | iOS 6.0+ |
| Enable user generated content in Siri | The supervised device can access user content in Siri. | iOS 7.0+ |
| Allow account modification | Users can manage accounts, including iTunes, iCloud, email, FaceTime, and iMessage on a
supervised device. If this setting is disabled, the user cannot edit these settings directly in the policy. If the payload is pushed to the device before these accounts are configured, some app functions, such as app downloads might be affected. |
iOS 7.0+ |
| Allow activation lock | The supervised device is locked to the Apple ID that is used for the iCloud account.
Administrators: To manually override the activation lock setting, see Manually clearing the activation lock on supervised iOS devices. |
iOS 7.0+ |
| Allow removing apps | Users can remove any app from supervised devices. | iOS 4.2+ |
| Allow cellular data usage modification | Users can specify which apps on the supervised device can use the cellular network. | iOS 7.0+ |
| Allow Find My Friends modification | Users can access and modify Find My Friends on a supervised device to use GPS to locate friends with Apple devices. | iOS 7.0+ |
| Allow AirDrop | Users can use AirDrop on a supervised device to share content with other Apple devices. If this setting is disabled, the AirDrop function is removed from the supervised device. |
iOS 7.0+ |
| Allow erase all contents & settings | Users can remove all content and settings from a supervised device. | iOS 8.0+ |
| Allow user enabled restrictions | Users are prevented from removing apps that are disabled on a supervised device. | iOS 8.0+ |
| Allow podcasts app | Users can access podcasts on a supervised device. | iOS 8.1+ |
| Allow predictive keyboard | Users can use predictive text (where the device provides suggestions as you type words or phrases) on a supervised device. | iOS 8.1.3+ |
| Allow auto-correction | Users can automatically correct misspelled words on a supervised device. | iOS 8.1.3+ |
| Allow spell check | Users can use spell check on a supervised device. If this setting is restricted, the user cannot use spell check on the device. However, the user can still use the built-in app level spell check on the device. |
iOS 8.1.3+ |
| Allow definition lookup | Users can access the dictionary on a supervised device to look up the meaning of a word. | iOS 8.1.3+ |
| Allow modifying Touch ID fingerprints | Users can modify the Touch ID fingerprint identity sensor setting on a supervised device. Users cannot use Touch ID if this setting is not set up on the device. | iOS 8.3+ |
| Allow usage of app store | If this setting is disabled, users cannot download apps from the app store to a supervised device. MDM can still push apps to the device or the user can access Apple Configurator or iTunes on a computer to add apps to the device. However, access to the system-level app store is hidden from the user. | iOS 9.0+ |
| Allow keyboard shortcuts | Users can use keyboard shortcuts on a supervised device. | iOS 9.0+ |
| Allow Apple Watch | Users can pair a supervised device with an Apple Watch. If this setting is disabled, the paired devices are removed from each other and shared content is erased. |
iOS 9.0+ |
| Allow passcode modification | Users can change the passcode that is set on a supervised device. | iOS 9.0+ |
| Allow device name modification | Users can change the name of a supervised device. Note: This setting also blocks the MDM
profile from changing the name of the supervised device. If this setting is disabled, an
administrator cannot remotely set or automatically name a supervised device.
|
iOS 9.0+ |
| Allow wallpaper modification | Users can change the wallpaper on a supervised device. Note: This setting also blocks MDM
actions. Do not disable this setting until MaaS360®
successfully pushes settings to the device.
|
iOS 9.0+ |
| Allow automatic app downloads | Users can automatically download apps to a supervised device using their own Apple ID. | iOS 9.0+ |
| Allow trust of enterprise apps | (Deprecated) The supervised device can receive trusted enterprise apps that are pushed through MDM. | iOS 9.0+ |
| Allow News app | Users can access the News app on a supervised device. If this setting is disabled, the News app is hidden from the user on the supervised device. |
iOS 9.0+ |
| Allow iTunes Radio | Users can still access iTunes Radio if the Music app is disabled on the supervised device. | iOS 9.3+ |
| Allow Apple Music | Users can access the Apple Music app on a supervised device. If this setting is disabled, the Apple Music app is hidden from the user on the device. |
iOS 9.3+ |
| Allow Bluetooth modification | Users can change Bluetooth settings on a supervised device. | iOS 10.0+ |
| Allow diagnostic log submission modification | Users can change settings for the diagnostic log submission and app analytics on a supervised device. | iOS 9.3.2+ |
| Allow notification modification | Users can change notification settings on a supervised device. | iOS 9.3+ |
| Allow dictation | Users can use dictation on a supervised device. | iOS 10.3+ |
| Enforce usage of only MDM configured wifi | If this setting is enabled, the device can only connect to wifi profiles that are deployed
and configured on a supervised device. This setting prevents connections to wifi networks that are
not configured by MDM. Note: This restriction is enforced when at least one wifi network is
configured on a supervised device.
|
iOS 10.3+ |
| Allow AirPrint | Supervised devices can connect to the same network to print over-the-air (OTA) through a wifi network. | iOS 11.0+ |
| Allow AirPrint credentials storage | Device users can store AirPrint credentials on an iCloud keychain. | iOS 11.0+ |
| Allow AirPrint iBeacon discovery | A supervised device can use the iBeacon app to discover printers on the network. | iOS 11.0+ |
| Disallow AirPrint to destinations with untrusted certificates | The supervised device must use trusted TLS certificates to connect to AirPrint printers. | iOS 11.0+ |
| Allow VPN creation | A user can configure a new VPN on a supervised device. | iOS 11.0+ |
| Allow users to remove system apps | A user can remove apps from a supervised device. | iOS 11.0+ |
| Enable authentication for autofill | Users must authenticate with Face ID to allow passwords or credit card information to
automatically display in the browser or in an app on a supervised device. If Face ID authentication fails, the user must provide a valid passcode instead. |
iOS 11.0+ |
| Allow host pairing | Allows administrator control on supervised devices that pair with an iOS device. If this setting is disabled, host pairing is not allowed except for the supervision host. |
iOS 7.0+ |
| Allow date and time modification | Users are allowed to change the date and time on a supervised device. To restrict a user from editing the date and time on an iOS device, disable this setting and publish the policy to the device. |
iOS 12.0+ |
| Allow USB accessories while locked | The supervised device can connect to USB accessories even if the device is locked. | iOS 11.3+ |
| Allow proximity setup to new devices | Users can transfer data, settings, and content from an old device to a new device by using
the same Apple ID. The old device with the published policy allows automatic setup of new devices
that are within the proximity of the old device. You can also take the following action from the Device Inventory page: . |
iOS 11.0+ |
| Allow password auto fill | Users can use password autofill for saved passwords in Safari or in apps on a supervised device. | iOS 12.0+ |
| Allow password proximity requests | Users can request their device password by using proximity setup from nearby devices. | iOS 12.0+ |
| Allow password sharing | Users can share passwords with the AirDrop password feature. | iOS 12.0+ |
| Allow ESIM modification | Users can modify the cellular plan for the eSIM card that is embedded in the supervised device. | iOS 12.1+ |
| Allow cellular plan modification | Users can share the cellular password with the AirDrop password feature and also modify the cellular plan on a supervised device. | iOS 11.0+ |
| Allow personal hotspot modification | Users can modify personal hotspot settings on a supervised device. | iOS 12.2+ |
| Allow use of iTunes for media download | Users can download apps, music, or videos from the iTunes store on a supervised device. | iOS 13.0+ |
| Allow installing of applications | Users can install apps on a supervised device. If this setting is disabled, the user cannot install or update apps from the App Store, iTunes, or alternate marketplaces. For iOS 10 or later, MDM can override this restriction. Users can still install and update proprietary in-house apps. If the user removes native iOS and iPadOS system apps, they can reinstall these apps. |
iOS 13.0+ |
| Allow use of Safari | Users can use the Safari browser on a supervised device. Enable autofill in Safari: Uses the autofill feature for the Safari browser on a supervised device. |
iOS 13.0+ |
| Allow use of camera | Users can use the camera app on a supervised device. If this setting is disabled, the camera
app is hidden from the user and the user cannot access the camera app from other
apps. Allow use of FaceTime: Allows the FaceTime app on the device to make audio and video calls from the device. |
iOS 13.0+ |
| Allow Cloud backup | Users can back up the contents of a supervised device onto iCloud. | iOS 13.0+ |
| Allow documents sync | Users can synchronize documents that are uploaded to iCloud. | iOS 13.0+ |
| Allow cloud keychain sync | Users can synchronize information such as a Safari user name and password, credit card details, or wifi settings onto iCloud. | iOS 13.0+ |
| Allow explicit music and podcasts purchased from iTunes | Users can download explicit material on a supervised device. | iOS 13.0+ |
| Allow adding Game Center friends | Users can add contacts from the Game Center social network on a supervised device. | iOS 13.0+ |
| Allow multiplayer gaming | Users can play games online over wifi or cellular data on a supervised device. | iOS 13.0+ |
| Allow Find My iPhone | Users can use the Find My iPhone app on a supervised device. | iOS 13.0+ |
| Allow Find My Friends | Users can use the Find My Friends app on a supervised device. Note: For iOS 13.0+ devices, the
Find My Friends and Find My iPhone settings are
combined with Find My App. These settings function as follows:
|
iOS 13.0+ |
| Force wifi on | Users cannot disable wifi on a supervised device from Settings or the Control Center even during Airplane Mode. This setting does not prevent the user from selecting which wifi network to use on the device. | iOS 13.0+ |
| Allow QuickPath keyboard | Users can use the QuickPath keyboard on a supervised device. | iOS 13.0+ |
| Allow network drives access files app | Users can connect to network drives in the Files app on a supervised device. | iOS 13.0+ |
| Allow USB drive access files app | Users can connect to any USB devices that are present in the Files app. | iOS 13.0+ |
| Allow shared device guest session | Allows guest login sessions on a shared iPad device. For more information about shared iPad temporary sessions, see https://support.apple.com/en-in/guide/deployment/dep9a34c2ba2/web. | iOS 13.4+ |
| Allow App Clips | Users can use App Clips on a supervised device. App Clips are a small part of an app that
allows the user to do a task quickly. App Clips are available in Safari, Maps, and Messages, or through NFC tags, QR codes, and App Clip codes—unique markers that take you to specific App Clips. |
iOS 14.0+ |
| Allow near field communication | Users can use NFC to exchange information on a supervised device wirelessly. | iOS 14.0+ |
| Allow unpaired external boot to recovery | If this setting is enabled, allows users to boot iOS or iPad OS devices into Recovery Mode from an external host computer (unpaired host). By default, an external host computer cannot start a device in Recovery Mode. | iOS 14.5+ |
| Force on device only dictation | If this setting is enabled, this setting prevents the use of Siri for dictation on a
supervised device. By default, users can use dictation to enter text with many apps and features
that use the keyboard on devices. |
iOS 14.5+ |
| Allow iCloud private relay | If this setting is disabled, the Private Relay option under iCloud is unavailable. | iOS 15.0+ |
| Allow mail privacy protection | If this setting is disabled, the device cannot use Mail Privacy Protection. Path on the device: |
iOS 15.2+ |
| Allow rapid security response installation | If this setting is disabled, Apple does not automatically push security patches to supervised
devices. If this setting is enabled, Apple automatically pushes security patches by default. iPhone
users do not need to reboot the phone for these updates to take effect. Path on the device: |
iOS 16.0+ |
| Allow rapid security response removal | If this setting is disabled, users cannot remove the rapid security response from supervised devices. | iOS 16.0+ |
| Allow iPhone Widgets On Mac | This setting is turned on by default. When this setting is turned on, MaaS360 allows iPhone widgets on a Mac that has signed in the same Apple ID for iCloud. | iOS 17.0+ |
| Allow Live Voicemail | If this setting is disabled, the system disables live voicemail on the device. | iOS 17.2+ |
| Force Preserve E-SIM | If this setting is enabled, the system will retain the eSIM when the device is erased due to too many failed password attempts or when the Erase All Content and Settings option is configured in Settings > General > Reset. | iOS 17.2+ |
| Allow Marketplace App Installation | If this setting is disabled, users cannot install app from alternate
marketplaces. |
iOS 17.4+ |
| Classroom Restrictions | ||
| Join classes automatically | A student is automatically joined to the class without being prompted to join the class. | iOS 11.0+ |
| Request permission to leave classes | A student must receive the teacher's consent before they are removed from participating in a teacher-created class. | iOS 11.3+ |
| Allow app and device lock without prompt | The teacher can lock the student device in the Classroom app on a student's iPad to prevent the student from closing the app or opening another app without being prompted. | iOS 11.0+ |
| Allow screen observation without prompt | The teacher can view a student's iPad screen without being prompted. | iOS 11.0+ |
| Configure global proxy settings | The administrator can configure proxy settings for network traffic on a supervised device. | |
| Configure AirPlay settings | The administrator can configure which supervised devices can connect to AirPlay to share content with other iOS devices. | iOS 7.0+ |
| Configure delay for software updates | Number of days to delay (1-90) days: Updates on devices are delayed and hidden from the user based on the number of days (1 - 90 days) specified by the administrator. | iOS 11.3+ |