barscaret-downcaret-leftcaret-rightcaret-upcheckchevron-leftchevron-rightfile-pdfinfosign-in-altsignin text-widthtimesyoutube

iOS > Device Data & Configuration

Restrictions for iOS

Updated on September 30th, 2020

Restriction configuration profiles are described thoroughly in the About restrictions article. It explains how to configure and deploy restrictions for managed devices, and also how the restrictions can be lifted.

This article focuses on introducing what restrictions are supported for Apple iOS devices and whether there are any platform-specific requirements for the use of restrictions.

Requirements

Restriction configuration profiles are available in the Miradore Business and Enterprise plans. The restriction configuration profiles are not included in the Miradore Free plan.

Restriction configuration profiles can be applied to all Apple iOS devices that are managed with Miradore. Some restrictions may require that devices are Supervised. In Miradore’s user interface, these restrictions are marked with the Supervisedsymbol.

Available restrictions

Below you can find a list of all restrictions supported on the Apple iOS platform.

Links to the restriction categories: Applications, Device functionalities, Security and privacy, iCloud, Media and content.

 

Applications

Deny Camera

Defines if the camera is completely disabled and its icon is removed from the Home screen. Users are unable to take photos.

Available since iOS 4. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Deny FaceTime

Defines if FaceTime and video conferencing are disabled.

Available since iOS 4. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Deny Dictation

Defines if the user is able to use the dictation input method.

Available in iOS 10.3 and later. Requires a supervised device.

Deny Game Center

Defines if Game Center is disabled and its icon is removed from the Home screen.

Available in iOS 6.0 and later. Requires a supervised device.

Game Center: Deny adding friends

Defines if adding friends to Game Center is denied.

Available in iOS 4.2.1 and later. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Game Center: Deny multiplayer gaming

Defines if multiplayer gaming is denied. This restriction is deprecated on unsupervised devices.

Available in iOS 4.1 and later. Requires a supervised device.

Deny iBookstore

Denies the store functionality of Apple Books. The user will not be able to purchase books but he/she can read and open the books that he/she already owns.

Available in iOS 6.0 and later. Requires that devices are Supervised.

iBookstore: Deny adult content

Defines if the user will not be able to download Apple Books media that is tagged as erotica.

Available in iOS 6.0 and later.

Deny iTunes Store

Defines if the iTunes Music Store is disabled and its icon is removed from the Home screen. Users cannot preview, purchase, or download content.

Available in iOS 4 and later. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Deny iTunes Radio

Defines if Apple Music Radio is disabled and its icon is removed from the users.

Available in iOS 9.3 and later. Requires a supervised device.

Deny iMessages

Defines if iMessages are denied. Users can’t send or receive messages using iMessage. If the device supports text messaging, the user can still send and receive text messages. If your device doesn’t support text messaging, the Messages icon is removed from the Home screen.

Available in iOS 6.0 and later. Requires that devices are Supervised.

Deny News

Defines if Apple News is denied.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny Safari

Defines if the Safari web browser is disabled and its icon removed from the Home screen. This also prevents users from opening web clips.

Available in iOS 4 and later. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Safari: Disable autofill

Defines if Safari auto-fill is disabled for passwords, contact info and credits cards and also prevents the Keychain from being used for autofill. Third-party password managers are allowed and apps can use autofill.

Available in iOS 4 and later. Requires a supervised device as of iOS 13.

Safari: Force fraud warning

Defines if Safari fraud warnings are enabled.

Available in iOS 4 and later.

Safari: Disable JavaScript

Defines if JavaScript is disabled in Safari. When denied, Safari doesn’t execute JavaScript.

Available in iOS 4 and later.

Safari: Block popups

Defines if popups are blocked in Safari.

Available in iOS 4 and later.

Safari: Accept cookies

Controls when Safari accepts cookies. Possible values are:

  • Never
  • From visited sites
  • Always

Available in iOS 4 and later.

Deny Siri

Defines if Siri assistant is disabled.

Available in iOS 5 and later.

Siri: Deny user generated content

Prevents Siri from querying user-generated content from the web.

Available in iOS 7.0 and later. Requires that devices are Supervised.

Siri: Deny while locked

Defines if the user is unable to use Siri when the device is locked. This restriction is ignored if the device does not have a passcode set.

Available in iOS 5.1 and later.

Siri: Force profanity filter

Defines if Siri profanity filter is forced.

Available in iOS 11 and later. Requires a supervised device.

Deny system app removal

Defines if system apps can be removed from the device.

Available in iOS 11.0 and later. Requires that devices are Supervised.

Deny YouTube

Defines if the YouTube application is disabled and its icon is removed from the Home screen.

This restriction is ignored in iOS 6.0 and later because there is no built-in YouTube app.

 

Device functionality

Deny AirDrop

Defines if AirDrop is denied.

Available in iOS 7.0 and later. Requires that devices are Supervised.

AirDrop: Force unmanaged drop target

Defines if AirDrop is forced to be considered an unmanaged drop target.

Available in iOS 9.0 and later.

Deny AirPrint

Defines if the use of AirPrint is denied.

Available in iOS 11.0 and later. Requires that devices are Supervised.

AirPrint: Deny iBeacon discovery

Defines if iBeacon discovery of AirPrint printers is disabled.

Available in iOS 11 and later. Requires a supervised device.

AirPrint: Deny credentials storage

Defines if keychain storage of username and password for AirPrint is disabled.

Available in iOS 11 and later. Requires a supervised device.

AirPrint: Force TLS requirement

Defines if devices require trusted certificates for TLS printing communication.

Available in iOS 11 and later. Requires a supervised device.

Deny application installation

Defines if the App Store is disabled and its icon is removed from the Home screen. Users are unable to install or update their applications.

This restriction is deprecated on unsupervised devices.

Available in iOS 4 and later. Requires a supervised device as of iOS 13. This restriction is deprecated on unsupervised devices.

Deny application installation from App Store

Defines if the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Apple Configurator) to install or update their apps.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny application removal

Defines if application removal is denied.

Available in iOS 4.2.1 and later. Requires a supervised device. This restriction is deprecated on unsupervised devices.

Deny automatic app downloads

Prevents automatic downloading of apps purchased on other devices. Does not affect updates to existing apps.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny automatic sync while roaming

Denies global background fetch activity when an iOS phone is roaming.

Available in iOS 4 and later.

Deny cellular data usage changes for apps

Defines if changes to cellular data usage for apps are denied.

Available in iOS 7.0 and later. Requires that devices are Supervised.

Deny cellular plan modification

Defines if user is prevented from making any changes related to their cellular plan.

Available in iOS 11 and later. Requires a supervised device.

Deny definition lookup

Defines if definition lookup is denied. Users can’t double-tap to search for a word’s definition.

Available in iOS 8.1.3 and later. Requires that devices are Supervised.

Deny Handoff

Defines if users can’t use Handoff with their Apple devices.

Deny host pairing

Defines if host pairing is disabled with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled.  The users can’t pair their iOS device with anything but the Mac with Apple Configurator installed, where the device was first supervised.

Available in iOS 7.0 and later. Requires that devices are Supervised.

Deny in-app purchase

Defines if in-app purchases are denied.

Available in iOS 4 and later.

Deny installing configuration profiles

Defines if users are allowed to install configuration profiles and certificates.

Available in iOS 6.0 and later. Requires that devices are Supervised.

Deny Internet search results in Spotlight

Defines if Spotlight Internet search results are disabled in Siri suggestions.

Available in iOS 8 and later. Requires that devices are Supervised.

Deny keyboard auto-correction

Defines if keyboard auto-correction is disabled.

Available in iOS 8.1.3 and later. Requires that devices are Supervised.

Deny keyboard prediction

Defines if keyboard prediction is disabled.

Available in iOS 8.1.3 and later. Requires that devices are Supervised.

Deny keyboard shortcuts

Defines if the use of keyboard shortcuts is disabled.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny keyboard spell-check

Defines if keyboard spell-check is disabled.

Available in iOS 8.1.3 and later. Requires that devices are Supervised.

Deny lock screen Control Center

Prevents Control Center from appearing on the Lock screen. Users can’t swipe up to view Control Center.

Available in iOS 7.0 and later.

Deny lock screen Notifications history view

Defines if the Notifications history view on the lock screen is disabled so that users can’t view past notifications.

Available in iOS 7.0 and later.

Deny lock screen Passbook notifications

Defines if Passbook notifications will not be shown on the lock screen.

Available in iOS 6.0 and later.

Deny lock screen Today View

Defines if the Today view in Notification Center is disabled. Users can’t swipe down to see Notification Center using the Today View in the Lock screen.

Available in iOS 7.0 and later.

Deny modifications to the eSIM setting

Defines if modifications to the eSIM setting are disabled.

Available in iOS 12.1 and later. Requires a supervised device.

Deny music service

Defines if the Music service is disabled and the Music app reverts to classic mode.

Available in iOS 9.3 and later. Requires a supervised device.

Deny paired Apple Watch

Denies pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and erased.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny podcasts

Defines if podcasts are denied. Users can’t download podcasts.

Available in iOS 8.0 and later. Requires that devices are Supervised.

Deny QuickPath keyboard

Defines if QuickPath keyboard is disabled.

Available in iOS 13 and later. Requires a supervised device.

Deny restriction configuration

Defines if the use of “Enable Restrictions” option in the Restrictions UI in Settings is disabled.

NOTE: This restriction disables the whole “Screen time” -option in iOS 12 and newer devices.

Available in iOS 8 and later. Requires that devices are Supervised.

Deny screen capture

Defines if saving a screen shot or screen recording of the display is denied. This also disables the Classroom app from observing remote screens.

Available in iOS 4 and later.

Deny remote screen observation

Defines if remote screen observation by the Classroom app is disabled.

Available in iOS 12 and later. Requires a supervised device until iOS 13.

Deny voice dialing

Denies voice dialing if the device is locked with a passcode.

Available in iOS 4 and later.

Force automatic date and time

Defines if the “Set automatically” feature in Date & Time is enabled and cannot be disabled by the user. The device’s time zone will be updated when the device can determine its location using a cellular connection or wifi with location services enabled.

Available in iOS 12 and later. Requires a supervised device.

Force delayed software updates

Defines if the user visibility of iOS version updates is delayed.

Available in iOS 11.3 and later. Requires that devices are Supervised.

Software update delay time

Defines the number of days (1-90) that the users visibility to iOS version updates is delayed.

Available in iOS 11.3 and later. Requires that devices are Supervised.

Force no permission prompt to Classroom teacher’s requests

Defines if permission is automatically given to teacher’s request without prompting the student.

Available in iOS 11 and later. Requires a supervised device.

Force no prompting when Classroom teacher locks apps or the device

Defines if teacher is allowed to lock apps or the device without prompting the student.

Available in iOS 11 and later. Requires a supervised device.

Force requesting a permission to leave Classroom course

Forces students enrolled in unmanaged Classroom course to get teacher’s approval to leave the course.

Available in iOS 11.3 and later. Requires a supervised device.

Force unprompted Classroom screen observation

Defines if student automatically gives permissions to the course teacher’s requests to observe the student’s screen without prompting the student.

Available in iOS 11 and later. Requires a supervised device.

Force WiFi power on

Prevents Wi-fi from being turned off through Settings or Control center – even by entering or leaving the Airplane mode. The restriction does not prevent device user from selecting which Wi-Fi network to use.

Available in iOS 13 and later. Requires a supervised device.

 

Security and Privacy

Deny account modification

Defines if account modification is denied.

Available in iOS 7.0 and later. Requires that devices are Supervised.

Deny automatic updates to certificate trust settings

Denies automatic updates to certificate trust settings. Over-the-air PKI updates are disabled. Denying this does not disable CRL and OCSP checks.

Available in iOS 7.0 and later.

Deny Bluetooth modification

Defines if any modifications to Bluetooth settings are prevented.

Available in iOS 11 and later. Requires a supervised device.

Deny USB restricted mode

Defines if the device is always allowed to connect to USB accessories while locked.

Allowing USB restricted mode prevents USB accessories that plug into the Lightning port from making data connections with the device.

Available in iOS 11.4.1 and later. Requires a supervised device.

Deny device name modification

Denies changes to the device name.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny diagnostic data upload

Defines if the device is prevented from automatically submitting diagnostic reports to Apple.

Available in iOS 6.0 and later.

Deny diagnostic data setting modification

Defines if users are unable to modify the diagnostic data upload and app analytics settings in the Diagnostics & Usage UI in settings.

Available in iOS 9.3.2 and later. Requires a supervised device.

Deny documents from managed sources in unmanaged destination

Defines if documents created or downloaded from managed sources (apps and accounts) can’t be opened in unmanaged destinations. Documents can still be opened on other managed apps and accounts.

Available in iOS 7.0 and later.

Deny documents from unmanaged sources in managed destination

Defines if documents created or downloaded from unmanaged sources (apps and accounts) can’t be opened in managed destinations. Documents from unmanaged sources can still be opened on other unmanaged apps and accounts.

Available in iOS 7.0 and later.

Deny enterprise app trust

Denies trusting of enterprise applications. If denied, the “Trust Enterprise Developer” button in Settings > General > Profiles & Device Management” will be removed, preventing apps from being provisioned by universal provisioning profiles.

This restriction applies to free developer accounts. However, the restrictions does not apply to enterprise app developers who are trusted because their apps were pushed through MDM. The restriction doesn’t revoke previously granted trust.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny erase all content and settings

Disables the “Erase All Content And Settings” option in the Reset UI. Users can’t erase their device and reset it to factory defaults.

Available in iOS 8 and later. Requires that devices are Supervised.

Deny Files app network drive access

Defines if accessing network files is disabled in the Files app.

Available in iOS 13.1 and later. Requires a supervised device.

Deny Find My Device

Defines if the use of Find My Device is disabled in the Find My app.

Available in iOS 13 and later. Requires a supervised device.

Deny Find My Friends in the Find My app

Defines if the use of Find My Friends is disabled in the Find My app.

Available in iOS 13 and later. Requires a supervised device.

Deny Find My Friends setting modification

Defines if device user is allowed to make changes to Find My Friends settings.

Available in iOS 7.0 and later. Requires that devices are Supervised.

Deny fingerprint unlock

Defines whether it is possible to use Touch ID or Face ID for unlocking the device.

Available in iOS 7.0 and later.

Deny notification modification

Defines if changes to the notification settings are denied.

Available in iOS 9.3 and later. Requires that devices are Supervised.

Deny passcode modification

Denies device passcode from being added, changed, or removed.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Deny password auto-fill

Defines if the use of AutoFill Passwords feature in iOS (with Keychain and third-party password managers) is disabled. When denied, user won’t be prompted to use a saved password in Safari or in apps.

Available in iOS 12 and later. Requires a supervised device.

Deny proximity setup to new device

Defines if the prompt to set up nearby new devices is available.

Available in iOS 11.0 and later. Requires that devices are Supervised.

Deny password sharing

Defines if the sharing of passwords with the Airdrop Passwords is disabled.

Available in iOS 12 and later. Requires a supervised device.

Deny modifications of the personal hotspot setting

Defines if modifications of the personal hotspot setting are denied.

Available in iOS 12.2 and later. Requires a supervised device.

Deny Touch ID or Face ID modification

Defines if device user is allowed to modify Touch ID or Face ID.

Available in iOS 8.3 and later. Requires a supervised device.

Deny untrusted TLS certificates

Defines if untrusted TLS certificates are denied. The device automatically rejects untrusted HTTPS certificates without prompting the user.

Available in iOS 5.0 and later.

Deny USB devices in the Files app

Defines if accessing to any connected USB devices is disabled in the Files app.

Available in iOS 13.1 and later.

Deny temporary sessions

Defines if temporary sessions are disabled on Shared iPad.

In a temporary session, any user can unlock and access the iPad without a password.

Available in iOS 13.4 and later.

Deny VPN creation

Defines if the creation of VPN configurations is disabled.

Available in iOS 11.0 and later. Requires that devices are Supervised.

Deny wallpaper modification

Denies changes to the device’s wallpaper.

Available in iOS 9.0 and later. Requires that devices are Supervised.

Force AirPlay pairing password

Defines if AirPlay pairing password is forced.

Available in iOS 7.1 and later.

Force Apple Watch wrist detection

Forces a paired Apple Watch to use Wrist Detection. Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or the paired iPhone.

Available in iOS 8.2 and later.

Force authentication before autofill

Defines if user is enforced to authenticate before passwords or credit card information can be autofilled in Safari or apps.

Available in iOS 11 and later. Requires a supervised device. Only supported on devices with Face ID or Touch ID.

Force encrypted backups

Defines if all backups are encrypted.

Available in iOS 4 and later.

Force user to enter iTunes Store password for all purchases

Forces users to enter their iTunes Store password for each transaction.

Available in iOS 6.0 and later

Force limited ad tracking

Defines if limited ad tracking for apps is forced.

Available in iOS 7.0 and later.

Force Wi-Fi whitelisting

Defines if the user is able to add Wi-Fi networks manually. If enabled, the device can only connect to MDM deployed Wi-Fi networks.

Available in iOS 10.3 and later. Requires that devices are Supervised.

Allowed Single App Mode apps

Allows apps identified by the bundle identifiers listed in the array to autonomously enter Single App Mode. Type the desired bundle identifier, for example. com.company.app and click Add to insert application to the white list.

Available in iOS 7.0 and later. Requires that devices are Supervised.

iCloud

Deny backup

Defines if backing up the device to iCloud is denied.

Available in iOS 5.0 and later

Deny document sync

Defines if document and key-value syncing to iCloud is disabled.

Available in iOS 5.0 and later. Requires a supervised device. This restriction is deprecated on unsupervised devices.

Deny enterprise book backup

Defines if users can’t back up books distributed by their organization to iCloud or iTunes.

Available in iOS 8 and later.

Deny enterprise book metadata sync

Defines if metadata synchronization to iCloud is denied for Enterprise books. Users can’t sync notes or highlights to other devices using iCloud.

Available in iOS 8 and later.

Deny keychain sync

Denies keychain synchronization to iCloud.

Available in iOS 7.0 and later.

Deny managed apps sync

Defines if managed apps are allowed to use iCloud sync.

Available in iOS 8 and later.

Deny Photo Library

Defines if iCloud Photo Library is denied. Any photos not fully downloaded from iCloud Photo Library to the device will be removed from local storage.

Available in iOS 9.0 and later.

Deny Photo Stream

Defines if iCloud Photo Stream is disabled. Note that disallowing can cause data loss.

Available in iOS 5.0 and later.

Deny shared Photo Stream

Defines if shared Photo Stream is denied. Users can’t subscribe to or publish shared photo streams.

Available in iOS 6.0 and later.

Media content

Rating region

Defines rating region for media content restrictions. Possible values are:

  • Australia
  • Canada
  • France
  • Germany
  • Ireland
  • Japan
  • New Zealand
  • United Kingdom
  • United States

Allowed app rating

Defines the maximum rating level of app content allowed on the device.

Possible values are:

  • Don’t allow apps
  • 4+
  • 9+
  • 12+
  • 17+
  • Allow all apps

This applies to all regions.

Available in iOS 4 and later.

Allowed movie rating

Defines the maximum rating level of movie content allowed on the device.

Possible values depend on the chosen rating region.

Available in iOS 4 and later.

Allowed TV show rating

Defines the maximum rating level of TV content allowed on the device.

Possible values depend on the chosen rating region.

Available in iOS 4 and later.

Deny explicit content

Denies explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.

Available in iOS 4 and later. As of iOS 13 requires a supervised device. This restriction is deprecated on unsupervised devices.

More information:

About restrictions

About configuration profiles

Creating a configuration profile

Deploying a configuration profile

Removing deployed configuration profiles

Previous Article:
«

Next Article:
»

Get started with Miradore

Start securing your devices and data today with Miradore. Create a site in just a few minutes and start adding devices immediately. You can get started for free and try out the full features with our 14-day Enterprise trial.

No credit card needed.

SIGN UP FOR MIRADORESEE PLANS AND PRICING