Profile configuration in the Restrictions tab
Last adaptation to the version: 2.15 (03.2026)
New:
- New Option: Allow Apple Intelligence
notempty
This article refers to a Beta version
Partial configuration for profiles in the Mobile Security Portal.
Further information is displayed here:
- MS (← liens)
- MS/Changelog Portal (← liens)
- MS/deployment/profile-shared-iPad (inclusion) (← liens)
- MS/deployment/profile-Device (inclusion) (← liens)
Restrictions
Restrictions
Configuration by clicking on Activate restrictions
Numerous restrictions can be configured to control the behavior of a device.
List of possible restrictions with default values and explanations:
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Caption | Value | Description |
|---|---|---|
|
| ||
| Allow automatic unlocking | When deactivated , the automatic unlocking is disabled | |
| When deactivated , today's lock screen view will be disabled | ||
| Force encrypted backups | When activated , encrypted backups are enforced | |
| When activated , ad tracking will be restricted | ||
| Allow trusting enterprise apps | When deactivated , Enterprise apps are not trusted | |
| When deactivated , wallet notifications will not be shown on the lock screen | ||
| When activated , Apple's Mail Privacy Protection (AMPP) is activated | ||
| When deactivated , Touch ID/Face ID is not allowed to unlock the device | ||
| When deactivated , the user is not permitted to change the Touch ID/Face ID | ||
| When deactivated , diagnostic and usage data is not sent to Apple | ||
| When deactivated , the user is not permitted to change the diagnostic settings | ||
|
| ||
| Allow network access for files | When deactivated , the connection to network drives is prevented in the file app | |
| When deactivated , changes to the Bluetooth settings are not permitted | ||
| When deactivated , the mobile data uses for app settings cannot be changed | ||
| When deactivated , the user is not allowed to accept untrusted certificates in TLS | ||
| When deactivated , handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | ||
|
| ||
| When deactivated , the use of the iCloud Photo Library on the device is not permitted | ||
| When deactivated , the backup with the iCloud is not permitted | ||
| When deactivated , automatic synchronisation is deactivated during roaming | ||
| When deactivated , Enterprise books are not saved | ||
| When deactivated , Enterprise books and highlights are not synchronised | ||
|
| ||
| When deactivated no in-app purchases can be made | ||
| When deactivated , multiplayer gaming is not allowed | ||
| When activated , the user's iTunes password is required for all purchases | ||
|
| ||
| When deactivated , Siri is not allowed | ||
| When deactivated , Siri is not allowed while the device is locked | ||
| When deactivated , it prevents Siri from querying requests with user-generated content | ||
| When deactivated , dictations are not allowed | ||
| When deactivated , the QuickPath keyboard is disabled | ||
| Force translation on the device only | When activated , the device does not connect to Siri servers for translation purposes | |
| Allow QuickPath keyboard | When deactivated , the QuickPath keyboard is disabled | |
|
| ||
| When deactivated , Apple Music will be disabled in the Music app | ||
| When deactivated , iTunes Radio will be disabled in the Music app | ||
| When deactivated no news can be used | ||
|
hide Klicken für dauerhafte Anzeige 17+ 12+ 9+ 4+
| ||
|
hide Klicken für dauerhafte Anzeige FSK 18 FSK 16 FSK 12 FSK 6 FSK 0
| ||
|
hide Klicken für dauerhafte Anzeige | ||
|
| ||
|
hide Klicken für dauerhafte Anzeige Never Always
| ||
| When deactivated , JavaScript is not allowed in Safari | ||
| When deactivated , pop-ups are not allowed in Safari | ||
| Enable fraud warning | When activated , the fraud warning in Safari is activated | |
|
| ||
| Allow OTAPKI updates | When deactivated , OTAPKI updates are disabled | |
| When deactivated , the temporary session of the shared device is disabled | ||
| When activated , all devices receiving AirPlay requests from this device will be forced to use a pairing password | ||
| When deactivated , the device name cannot be changed | ||
| Allow voice dialing while device is locked | When deactivated , no voice dialling is allowed, even if the device is locked | |
| Force Apple Watch wrist detection | When activated , Apple Watch wrist detection is enforced | |
| Allow pairing with Apple Watch | When deactivated , pairing with Apple Watch is not permitted | |
| When deactivated , search results from the web will not be shown in Spotlight | ||
| When deactivated , restricts Apple's personalized advertising. Available in iOS 14 and later | ||
| When deactivated , the user is not allowed to use the camera | ||
|
| ||
| When deactivated , writing unmanaged contacts will be disabled | ||
| When deactivated , unmanaged apps cannot access contacts of managed accounts and that managed apps do not save contacts in the local Contacts app | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When activated , the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | ||
| Treat AirDrop as unmanaged destination | When activated , it prevents protected (managed) data from leaving the device without authorisation via Airdrop | |
For Apple TVs
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Caption | Value | Description |
|---|---|---|
| Allow automatic unlocking | When deactivated , the automatic unlocking is disabled | |
| When deactivated , today's lock screen view will be disabled | ||
| Force encrypted backups | When activated , encrypted backups are enforced | |
| When activated , ad tracking will be restricted | ||
| Allow trusting enterprise apps | When deactivated , Enterprise apps are not trusted | |
| When deactivated , wallet notifications will not be shown on the lock screen | ||
| When activated , Apple's Mail Privacy Protection (AMPP) is activated | ||
| When deactivated , Touch ID/Face ID is not allowed to unlock the device | ||
| When deactivated , the user is not permitted to change the Touch ID/Face ID | ||
| When deactivated , diagnostic and usage data is not sent to Apple | ||
| When deactivated , the user is not permitted to change the diagnostic settings | ||
| Allow network access for files | When deactivated , the connection to network drives is prevented in the file app | |
| When deactivated , changes to the Bluetooth settings are not permitted | ||
| When deactivated , the mobile data uses for app settings cannot be changed | ||
| When deactivated , the user is not allowed to accept untrusted certificates in TLS | ||
| When deactivated , handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | ||
| When deactivated , the use of the iCloud Photo Library on the device is not permitted | ||
| When deactivated , the backup with the iCloud is not permitted | ||
| When deactivated , automatic synchronisation is deactivated during roaming | ||
| When deactivated , Enterprise books are not saved | ||
| When deactivated , Enterprise books and highlights are not synchronised | ||
| When deactivated no in-app purchases can be made | ||
| When deactivated , multiplayer gaming is not allowed | ||
| When activated , the user's iTunes password is required for all purchases | ||
| When deactivated , Siri is not allowed | ||
| When deactivated , Siri is not allowed while the device is locked | ||
| When deactivated , it prevents Siri from querying requests with user-generated content | ||
| When deactivated , dictations are not allowed | ||
| When deactivated , the QuickPath keyboard is disabled | ||
| Force translation on the device only | When activated , the device does not connect to Siri servers for translation purposes | |
| Allow QuickPath keyboard | When deactivated , the QuickPath keyboard is disabled | |
|
| ||
| When deactivated , Apple Music will be disabled in the Music app | ||
| When deactivated , iTunes Radio will be disabled in the Music app | ||
| When deactivated no news can be used | ||
|
hide Klicken für dauerhafte Anzeige 17+ 12+ 9+ 4+
| ||
|
hide Klicken für dauerhafte Anzeige FSK 18 FSK 16 FSK 12 FSK 6 FSK 0
| ||
|
hide Klicken für dauerhafte Anzeige | ||
|
hide Klicken für dauerhafte Anzeige Never Always
| ||
| When deactivated , JavaScript is not allowed in Safari | ||
| When deactivated , pop-ups are not allowed in Safari | ||
| Enable fraud warning | When activated , the fraud warning in Safari is activated | |
|
| ||
| Allow OTAPKI updates | When deactivated , OTAPKI updates are disabled | |
| When deactivated , the temporary session of the shared device is disabled | ||
| When activated , all devices receiving AirPlay requests from this device will be forced to use a pairing password | ||
| When deactivated , the device name cannot be changed | ||
| Allow voice dialing while device is locked | When deactivated , no voice dialling is allowed, even if the device is locked | |
| Force Apple Watch wrist detection | When activated , Apple Watch wrist detection is enforced | |
| Allow pairing with Apple Watch | When deactivated , pairing with Apple Watch is not permitted | |
| When deactivated , search results from the web will not be shown in Spotlight | ||
| When deactivated , restricts Apple's personalized advertising. Available in iOS 14 and later | ||
| When deactivated , the user is not allowed to use the camera | ||
| When deactivated , writing unmanaged contacts will be disabled | ||
| When deactivated , unmanaged apps cannot access contacts of managed accounts and that managed apps do not save contacts in the local Contacts app | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When activated , the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | ||
| Treat AirDrop as unmanaged destination | When activated , it prevents protected (managed) data from leaving the device without authorisation via Airdrop | |
For User Enrollment
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Caption | Value | Description |
|---|---|---|
|
| ||
| Allow automatic unlocking | When deactivated , the automatic unlocking is disabled | |
| When deactivated , today's lock screen view will be disabled | ||
| Force encrypted backups | When activated , encrypted backups are enforced | |
| When activated , ad tracking will be restricted | ||
| Allow trusting enterprise apps | When deactivated , Enterprise apps are not trusted | |
| When deactivated , wallet notifications will not be shown on the lock screen | ||
| When activated , Apple's Mail Privacy Protection (AMPP) is activated | ||
| When deactivated , Touch ID/Face ID is not allowed to unlock the device | ||
| When deactivated , the user is not permitted to change the Touch ID/Face ID | ||
| When deactivated , diagnostic and usage data is not sent to Apple | ||
| When deactivated , the user is not permitted to change the diagnostic settings | ||
| Allow network access for files | When deactivated , the connection to network drives is prevented in the file app | |
| When deactivated , changes to the Bluetooth settings are not permitted | ||
| When deactivated , the mobile data uses for app settings cannot be changed | ||
| When deactivated , the user is not allowed to accept untrusted certificates in TLS | ||
| When deactivated , handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | ||
|
| ||
| When deactivated , the use of the iCloud Photo Library on the device is not permitted | ||
| When deactivated , the backup with the iCloud is not permitted | ||
| When deactivated , automatic synchronisation is deactivated during roaming | ||
| When deactivated , Enterprise books are not saved | ||
| When deactivated , Enterprise books and highlights are not synchronised | ||
| When deactivated no in-app purchases can be made | ||
| When deactivated , multiplayer gaming is not allowed | ||
| When activated , the user's iTunes password is required for all purchases | ||
|
| ||
| When deactivated , Siri is not allowed | ||
| When deactivated , Siri is not allowed while the device is locked | ||
| When deactivated , it prevents Siri from querying requests with user-generated content | ||
| When deactivated , dictations are not allowed | ||
| When deactivated , the QuickPath keyboard is disabled | ||
| Force translation on the device only | When activated , the device does not connect to Siri servers for translation purposes | |
| Allow QuickPath keyboard | When deactivated , the QuickPath keyboard is disabled | |
| When deactivated , Apple Music will be disabled in the Music app | ||
| When deactivated , iTunes Radio will be disabled in the Music app | ||
| When deactivated no news can be used | ||
|
hide Klicken für dauerhafte Anzeige 17+ 12+ 9+ 4+
| ||
|
hide Klicken für dauerhafte Anzeige FSK 18 FSK 16 FSK 12 FSK 6 FSK 0
| ||
|
hide Klicken für dauerhafte Anzeige | ||
|
| ||
|
hide Klicken für dauerhafte Anzeige Never Always
| ||
| When deactivated , JavaScript is not allowed in Safari | ||
| When deactivated , pop-ups are not allowed in Safari | ||
| Enable fraud warning | When activated , the fraud warning in Safari is activated | |
|
| ||
| Allow OTAPKI updates | When deactivated , OTAPKI updates are disabled | |
| When deactivated , the temporary session of the shared device is disabled | ||
| When activated , all devices receiving AirPlay requests from this device will be forced to use a pairing password | ||
| When deactivated , the device name cannot be changed | ||
| Allow voice dialing while device is locked | When deactivated , no voice dialling is allowed, even if the device is locked | |
| Force Apple Watch wrist detection | When activated , Apple Watch wrist detection is enforced | |
| Allow pairing with Apple Watch | When deactivated , pairing with Apple Watch is not permitted | |
| When deactivated , search results from the web will not be shown in Spotlight | ||
| When deactivated , restricts Apple's personalized advertising. Available in iOS 14 and later | ||
| When deactivated , the user is not allowed to use the camera | ||
|
| ||
| When deactivated , writing unmanaged contacts will be disabled | ||
| When deactivated , unmanaged apps cannot access contacts of managed accounts and that managed apps do not save contacts in the local Contacts app | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When deactivated , iCloud synchronisation is deactivated for managed apps | ||
| When activated , the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | ||
| Treat AirDrop as unmanaged destination | When activated , it prevents protected (managed) data from leaving the device without authorisation via Airdrop | |
Classroom-App
The Classroom App is available free of charge in the App-Store and offers possibilities for use in school classes.
Important restrictions can be configured here.
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Restrictions | Default | Explanation |
|---|---|---|
| Allow remote screen monitoring | If not allowed, remote screen monitoring is disabled by the Classroom app. When screenshots are disabled, the Classroom app does not observe remote screens. | |
| If enforced, the instructor's requests are automatically accepted without prompting the student. | ||
| If enforced, a student enrolled in an unmanaged course through Classroom must ask the instructor for permission to leave the course. | ||
| If enforced, the teacher can lock apps or the device without prompting the student. | ||
| When enforced and remote screen monitoring is allowed, a student enrolled in a managed course through the classroom app automatically grants permission to watch the screen without being prompted. |
Restrictions for supervised devices
A range of restrictions is only available for devices in the Supervised embedding mode.
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Restriction | Default | Explanation |
|---|---|---|
|
| ||
| Allow all apps |
hide Klicken für dauerhafte Anzeige Allow all apps Do not allow certain apps Allow only certain apps
| |
| Blocked apps | Choose application | Blocked apps |
| Add system apps | If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. | |
| Erlaubte Apps | Choose application | Allowed apps |
| Add system apps | If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. | |
| Choose application | Allowed apps in single app mode | |
| Allows the user to remove apps | ||
| Allow only a connected Mac host to install applications | ||
| Allow automatic app downloads | Allows automatic app downloads | |
| Allow the user to install applications | ||
| When this option is disabled, a user cannot add app clips and remove existing app clips on the device. Available in iOS 14.0 and later. | ||
|
| ||
| Allow AirDrop | If set to false, AirDrop will be disabled | |
| Allow AirPrint | If set to false, AirPrint will be disabled | |
| Allow saving AirPrint credentials | If set to false, the storage of AirPrint credentials is disabled | |
| Allow AirPrint iBeacon detection | If set to false, AirPrint iBeacon detection will be disabled | |
| If set to true, AirPrint enforces the trusted TLS request | ||
| Allow change of mobile tariff | If set to false, the change of the mobile tariff will be disabled | |
| Allow iCloud keychain synchronization | If set to false, cloud keychain synchronization is disabled | |
| Allow private iCloud relay | If set to disabled, iCloud Private Relay will be disabled | |
| Allow eSIM changes | If set to false, the eSIM change will be disabled | |
| If set to false, access to the files USB drive is disabled | ||
| Allow host pairing | Allow host pairing notempty
If pairing is switched off, the end device can no longer be connected to a computer via USB
Please ensure that the end device always has a functioning Internet connection even without pairing | |
| Allow NFC | If set to false, NFC will be disabled | |
| If set to false, the change of the personal hotspot will be disabled | ||
| Allow VPN creation | If set to false, VPN creation will be disabled | |
|
| ||
| If set to false, the auto-completion of the password will be disabled | ||
| If set to true, authentication is enforced before autofilling | ||
| If set to false, password proximity requests are disabled | ||
| If set to false, password sharing will be disabled | ||
| If inactive, account modification will be disabled. notempty
This option prevents, for example, the creation of another Apple account, which could then be used to install additional apps. notempty
iOS can only activate this restriction for all accounts. This also means that changing a password for an Exchange account is no longer possible. | ||
| If set to false, the modification will be disabled for find my friends | ||
|
| ||
| Allow Podcasts | If set to false, podcasts will be disabled | |
| Allows the user to access explicit content. When activated, the SafeSearch function is switched off by Safari. | ||
| Allow use of iMessage | ||
| Supervised only. If disabled, iBookstore will be disabled | ||
| Supervised only. If disabled, the user will not be able to download media from the iBookstore marked as erotica | ||
| When enabled the iTunes Music Store is activated | ||
| Allows the user to use Safari | ||
| Allow Game Center | ||
| Allow the user to add friends to the Game Center | ||
| Allow Game Center | ||
| Enables Siri profanity filter | ||
| Allow modifying wallpaper | Allow changing the background image | |
| Allow changing the background image | ||
|
| ||
| Allow removal of system apps | If set to false, the removal of system apps is disabled | |
| If set to false, unpaired external booting for recovery is disabled | ||
| Allow restricted USB mode | If set to false, the restricted USB mode will be disabled | |
| Force automatic date and time | If set to true, the date and time are automatically enforced | |
| If set to true, WLAN is forced only on allowed networks | ||
| If set to true, WLAN is forced only on allowed networks | ||
| Allow changing the passcode | ||
| If set to false, the user is prohibited from installing configuration profiles and certificates interactively | ||
| If disabled, the user cannot select the "Clear all content and settings" option in Settings > General > Reset | ||
| Allow configuration restrictions | ||
| Allow document synchronization with iCloud | ||
| When active, user visibility of software updates is delayed. | ||
| 30 | With this restriction, the administrator can specify by how many days a software or app update is delayed on the device. With this restriction, the user will not see a software update until the specified number of days after the software update release date. | |
|
| ||
| Allow predictive keyboard. | ||
| Allow keyboard shortcuts. | ||
| Allow autocorrect. | ||
| Allow correction help. | ||
| Allow correction help. | ||
| If set to false, the hibernation of the device is disabled | ||
For Apple TVs
Show restrictions
Hide restrictions
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
| Restriction | Default | Explanation |
|---|---|---|
|
| ||
| Allow all apps |
hide Klicken für dauerhafte Anzeige Allow all apps Do not allow certain apps Allow only certain apps
| |
| Blocked apps | Choose application | Blocked apps |
| Add system apps | If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. | |
| Erlaubte Apps | Choose application | Allowed apps |
| Add system apps | If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. | |
| Choose application | Allowed apps in single app mode | |
| Allows the user to remove apps | ||
| Allow only a connected Mac host to install applications | ||
| Allow automatic app downloads | Allows automatic app downloads | |
| Allow the user to install applications | ||
| When this option is disabled, a user cannot add app clips and remove existing app clips on the device. Available in iOS 14.0 and later. | ||
| Allow AirDrop | If set to false, AirDrop will be disabled | |
| Allow AirPrint | If set to false, AirPrint will be disabled | |
| Allow saving AirPrint credentials | If set to false, the storage of AirPrint credentials is disabled | |
| Allow AirPrint iBeacon detection | If set to false, AirPrint iBeacon detection will be disabled | |
| If set to true, AirPrint enforces the trusted TLS request | ||
| Allow change of mobile tariff | If set to false, the change of the mobile tariff will be disabled | |
| Allow iCloud keychain synchronization | If set to false, cloud keychain synchronization is disabled | |
| Allow private iCloud relay | If set to disabled, iCloud Private Relay will be disabled | |
| Allow eSIM changes | If set to false, the eSIM change will be disabled | |
| If set to false, access to the files USB drive is disabled | ||
| Allow host pairing | Allow host pairing notempty
If pairing is switched off, the end device can no longer be connected to a computer via USB
Please ensure that the end device always has a functioning Internet connection even without pairing | |
| Allow NFC | If set to false, NFC will be disabled | |
| If set to false, the change of the personal hotspot will be disabled | ||
| Allow VPN creation | If set to false, VPN creation will be disabled | |
|
| ||
| If set to false, the auto-completion of the password will be disabled | ||
| If set to true, authentication is enforced before autofilling | ||
| If set to false, password proximity requests are disabled | ||
| If set to false, password sharing will be disabled | ||
| If inactive, account modification will be disabled. notempty
This option prevents, for example, the creation of another Apple account, which could then be used to install additional apps. notempty
iOS can only activate this restriction for all accounts. This also means that changing a password for an Exchange account is no longer possible. | ||
| If set to false, the modification will be disabled for find my friends | ||
|
| ||
| Allow Podcasts | If set to false, podcasts will be disabled | |
| Allows the user to access explicit content. When activated, the SafeSearch function is switched off by Safari. | ||
| Allow use of iMessage | ||
| Supervised only. If disabled, iBookstore will be disabled | ||
| Supervised only. If disabled, the user will not be able to download media from the iBookstore marked as erotica | ||
| When enabled the iTunes Music Store is activated | ||
| Allows the user to use Safari | ||
| Allow Game Center | ||
| Allow the user to add friends to the Game Center | ||
| Allow Game Center | ||
| Enables Siri profanity filter | ||
| Allow modifying wallpaper | Allow changing the background image | |
| Allow changing the background image | ||
|
| ||
| Allow removal of system apps | If set to false, the removal of system apps is disabled | |
| If set to false, unpaired external booting for recovery is disabled | ||
| Allow restricted USB mode | If set to false, the restricted USB mode will be disabled | |
| Force automatic date and time | If set to true, the date and time are automatically enforced | |
| If set to true, WLAN is forced only on allowed networks | ||
| If set to true, WLAN is forced only on allowed networks | ||
| Allow changing the passcode | ||
| If set to false, the user is prohibited from installing configuration profiles and certificates interactively | ||
| If disabled, the user cannot select the "Clear all content and settings" option in Settings > General > Reset | ||
| Allow configuration restrictions | ||
| Allow document synchronization with iCloud | ||
| When active, user visibility of software updates is delayed. | ||
| 30 | With this restriction, the administrator can specify by how many days a software or app update is delayed on the device. With this restriction, the user will not see a software update until the specified number of days after the software update release date. | |
| Allow predictive keyboard. | ||
| Allow keyboard shortcuts. | ||
| Allow autocorrect. | ||
| Allow correction help. | ||
| Allow correction help. | ||
|
| ||
| If set to false, the hibernation of the device is disabled | ||