Configuration iOS profile: Device

Managing iOS profiles with the Device type in the Mobile Security Portal

Last adaptation to the version: 1.28 (07.2024)

New:

Changed menu navigation

Last updated:

04.2024

notempty

This article refers to a Resellerpreview

Preamble

In a profile permissions, restrictions, password requirements, email settings and security settings are configured.
Several users or user groups (roles) can be assigned to a profile.
Several devices or device groups (devices designated by tags) can be assigned to a profile.

notempty

For a large number of devices and users it is recommended to map the assignment via groups.

Device registration is directly tied to a profile
A profile must be created first' (and configured) before a device can be registered

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

Disable Kamara
Disable microphone
Disable USB file transfer
Disable outgoing calls
Disable Bluetooth
Disable contact sharing
Disable tethering
Disable sms
Enable network only with VPN
and much more.

notempty

Android Enterprise Profiles are used immediately and do not need to be published!

Outdated Android profiles behave fundamentally different than Android Enterprise Profiles (EMM)
It is no longer possible to assign a profile to a role, user or tag

Overview of profile management

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles.

Overview of profile management iOS

Overview of profile management Android

General Options

Name

Sorts the tiles by profile name

Priority

Sorts the tiles according to the priority of the profile

Ascending

Sorts the tiles in ascending or descending order according to the selected criterion

Search

Filters on profile tiles that contain the search text

Add profile

Creates a new profile. The settings in the profile vary depending on the operating system.

Import profile

Existing profiles that were previously exported from the Securepoint Mobile Security Portal can be imported here

Hide generated profiles

Hides the generated profiles

Show / hide details: For a large number of profiles, it can be useful to hide the most important details for clarity.

/

Switch between lists and grid view

Refreshes the display

Profile tile

Profile-Options

The button at the top right of each profile tile provides the following options:

Edit

Editing the settings (see below)

Copy

Copying the profile to the clipboard

Export

Exporting the settings

Delete

Deletes one or more selected profiles

Details displayed in the profile tile:

Updated

Changes have been made to the profile that have not yet been published!

Partially installed

Not all sub profiles were able to be installed

Profile information

Type

Profile type (see below)

Roles

Users

User

Devices

Copy & paste of profiles

Click on the logo of the profile tile to mark one or more profiles In the general options, another field now appears under the filter mask:

Action for selected items

Please choose

Execute the selected action with Ok

Copy

Copies one or more selected profiles to the clipboard

Delete

Deletes one or more selected profiles

Paste

Inserts a copy of a profile from the clipboard

This also works from one tenant / customer to another as long as they are assigned to the same reseller account

Configuration iOS profile Device

General iOS

General

Add profile

Caption	Values	Description
Type	Device profile	Standard device profile
	Shared iPad	Profile that allows different users for one iPad Only for devices with iPadOS
	Apple TV profiles	Profile with limited settings options. Additional settings for Apple TV
	User Enrollmant profile	Profile owned by the user on which managed apps of the company can be installed
Name	Name	Profile name
Priority	5	The higher the number, the higher the priority. This is only used if a device is assigned to multiple profiles.
Roles	Add roles	Click-Box: The profile will be assigned to all devices of all users with these roles
Users	Add users	The profile will be assigned to all devices from these users
Devices	Add devices	The profile will be assigned to these devices
Tags	Add tags	The profile will be assigned to all devices with these tags
Comment	Comment	Comment

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Restrictions

Configuration by clicking on Activate restrictions

Numerous restrictions can be configured to control the behavior of a device.

List of possible restrictions with default values and explanations:

General restrictions

Restrictions

Default

Explanation

Demo-Dev-Einschränkung

'

Sollte nur im devWiki angezeigt werden

Allow automatic unlocking

'

If set to false, the automatic unlocking is disabled

Allow cloud address book

'

If set to false, the cloud address book will be disabled

Allow cloud bookmarks

'

If set to false, cloud bookmarks will be disabled

Allow cloud calendar

'

If set to false, the cloud calendar will be disabled

Allow cloud desktop & documents

'

If set to false, cloud desktop and documents will be disabled

Allow cloud mail

'

If set to false, cloud mail will be disabled

Allow cloud notes

'

If set to false, cloud notes will be disabled

Allow cloud reminders

'

If set to false, cloud reminders will be disabled

Allow content caching

'

If set to false, content caching will be disabled

Allow iTunes file sharing

'

If set to false, iTunes file sharing will be disabled

Allow automatic screen saver

'

Allow automatic screen saver

Allow lock screen ControlCenter

'

If set to false, the ControlCenter is disabled for the lock screen

Allow lock screen notifications to display

'

If set to false, the notification preview of the lock screen will be disabled

Allow lock screen view today

'

If set to false, today's lock screen view will be disabled

Allow to write unmanaged contacts

'

If set to false, writing unmanaged contacts will be disabled

Allow unmanaged reading of managed contacts

'

These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app

Allow OTAPKI updates

'

If set to false, OTAPKI updates are disabled

Allow temporary session of the shared device

'

If set to false, the temporary session of the shared device is disabled

Force password for outgoing AirPlay requests

'

If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password

Force encrypted backups

'

Force encrypted backups

Limit ad tracking

'

If set to true, ad tracking will be restricted

Dictation only

'

If set to true, connections to Siri servers for dictation are disabled

Force WLAN Allowlist

'

Join Wi-Fi networks installed by profiles only

Allow QuickPath keyboard

Default:

If set to inactive, the QuickPath keyboard is disabled

Allow network access for files

Default:

If inactive, the connection to network drives is prevented in the file app

Allow USB drive for files

Default:

When inactive, it prevents the File app from connecting to connected USB devices

Allow Find My Device

Default:

When inactive, Find My Device is disabled in the Find my App

Allow Find My Friends

Default:

When inactive, Find My Friends is disabled in the Find My app

Force WiFi activation

Default:

If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use.

Erlaubt Enterprise-Apps zu vertrauen

Default:

Required for future implementations

Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple)

Allow screenshots and screen recording

Default:

Allows the user to take screenshots or screen recordings

Apple Music erlauben

Default:

If set to false, Apple Music will be disabled in the Music app

iTunes Radio erlauben

Default:

If set to false, iTunes Radio will be disabled in the Music app

Allow shared stream

Default:

If set to false, the shared stream is disabled

Allow Wallet while locked

Default:

If set to false, wallet notifications will not be shown on the lock screen

Allow use of News

Default:

Allows the user to access and use News

Allow modifying bluetooth settings

Default:

Allow modifying bluetooth settings

Allow modifying cellular data usage for app settings

Default:

If set to false, the mobile data uses for app settings cannot be changed

Allow modifying device name

Default:

Allows the user to change device names

Allow automatic sync while roaming

Default:

Allows automatic synchronization during roaming

Allow iCloud sync for managed apps

Default:

Allows iCloud synchronization for managed apps

Allow enterprise books backup

Default:

Allows enterprise books to be backed up

Allow enterprise books and highlights to sync

Default:

Allows enterprise books to synchronize notes and highlights

Allow email privacy

'

If activated, Apple's Mail Privacy Protection (AMPP) is activated

Allow In App purchases

Default:

Allows the user to make purchases within applications

Allow multiplayer gaming

Default:

Allows multiplayer gaming

Allow voice dialing while device is locked

Default:

Allows voice dialing while device is locked

Force Apple Watch wrist detection

Default:

Forces Apple watch wrist detection

Allow pairing with Apple Watch

Default:

Allows pairing with Apple Watch

Allow Internet results in Spotlight

Default:

If set to false, search results from the web will not be shown in Spotlight

Allow user to accept untrusted TLS certificates

Default:

Allows user to accept untrusted TLS certificates

Photo-Stream erlauben

Default:

Allows Photo Stream to be used on the device

Allow iCloud Photo Library

Default:

Allows iCloud photo library to be used on the device

Allow iCloud Backup

Default:

Allows backup using iCloud

Allow personalized advertising

Default:

When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later.

Requires iTunes password for all purchases

Default:

Requires the user's iTunes password to be entered for every purchase

Apps ranking number

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Apps auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
600	→ 17
300	→ 12+
200	→ 9+
100	→ 4+
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Movie-Ranking-Nummer

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Filmen auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
500	→ NC-17	(18+)
400	→ R	(16+)
300	→ PG-13	(12+)
200	→ PG	(6+)
100	→ G	(from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

TV-Serien-Ranking-Nummer

1000

The value entered describes the maximum permitted level of TV content relevant to youth protection on the device.

Possible values based on US valuation levels:

1000	→ All
600	→ TV-MA	(18+)
500	→ TV-14	(14+)
400	→ TV-PG	(not for "younger" children)
300	→ TV-G	(from 0)
200	→ TV-Y7	(produced for children from 7)
100	→ TV-Y	(produced for children from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Regionscode

Germany

Two-character code for the region used to specify ratings

Accept cookies in Safari

Never

Cookies akzeptieren:
Does not accept cookies

From current website only (iOS 8) or visited sites (pre-iOS 8)

Depending on iOS version:
from iOS 8: Only from current website
from iOS 8: Only from visited pages

From websites I visited

Accepts cookies from all visited websites

Always

Accepts all cookies

JavaScript erlauben

Default:

Allows JavaScript in Safari

Allow Pop-ups

Default:

Allows Pop-ups in Safari

Enable fraud warning

Default:

Enables fraud warning in Safari

Force translation on the device only

'

When this option is enabled, the device does not connect to Siri servers for translation purposes

Allow unmanaged documents in managed apps

Default:

Allows managed apps to access unmanaged documents

Allow managed documents in unmanaged apps

Default:

Allows unmanaged apps to access managed documents

Managed clipboard required

'

When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints.

Treat AirDrop as unmanaged destination

Default:

When activated, protected (managed) data is prevented from leaving the device unauthorized by Airdrop.

Handoff erlauben

Default:

If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device.

Allow Touch ID/Face ID for unlocking

Default:

Allows Touch ID/Face ID to unlock device

Fingerprint timeout

'

The time after which unlocking the fingerprint requires a password for authentication.
Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week

Allow modifying notification settings

Default:

Allows modifying notification settings

Allow incoming AirPlay requests

Default:

Allows incoming AirPlay requests

Allow pairing with Remote app

Default:

Allows pairing with Remote app

Diktat erlauben

Default:

Allows dictation

Allow camera use

Default:

Allows the user to use the camera

Siri erlauben

Default:

Erlaubt Siri.

Allow Siri while locked

Default:

Allows Siri while device is locked

Allow Siri user generated content

Default:

When inactive, it prevents Siri from querying requests with user-generated content

Allow modifying Touch ID/Face ID

Default:

The user is allowed to change the Touch ID/Face ID

Allow diagnostic submission

Default:

Send diagnostic and usage stats to Apple

Allow modifying diagnostics settings

Default:

The user is allowed to change the diagnostic settings

Restrictions

Default

Explanation

Demo-Dev-Einschränkung

'

Sollte nur im devWiki angezeigt werden

Allow automatic unlocking

'

If set to false, the automatic unlocking is disabled

Allow cloud address book

'

If set to false, the cloud address book will be disabled

Allow cloud bookmarks

'

If set to false, cloud bookmarks will be disabled

Allow cloud calendar

'

If set to false, the cloud calendar will be disabled

Allow cloud desktop & documents

'

If set to false, cloud desktop and documents will be disabled

Allow cloud mail

'

If set to false, cloud mail will be disabled

Allow cloud notes

'

If set to false, cloud notes will be disabled

Allow cloud reminders

'

If set to false, cloud reminders will be disabled

Allow content caching

'

If set to false, content caching will be disabled

Allow iTunes file sharing

'

If set to false, iTunes file sharing will be disabled

Allow automatic screen saver

'

Allow automatic screen saver

Allow lock screen ControlCenter

'

If set to false, the ControlCenter is disabled for the lock screen

Allow lock screen notifications to display

'

If set to false, the notification preview of the lock screen will be disabled

Allow lock screen view today

'

If set to false, today's lock screen view will be disabled

Allow to write unmanaged contacts

'

If set to false, writing unmanaged contacts will be disabled

Allow unmanaged reading of managed contacts

'

These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app

Allow OTAPKI updates

'

If set to false, OTAPKI updates are disabled

Allow temporary session of the shared device

'

If set to false, the temporary session of the shared device is disabled

Force password for outgoing AirPlay requests

'

If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password

Force encrypted backups

'

Force encrypted backups

Limit ad tracking

'

If set to true, ad tracking will be restricted

Dictation only

'

If set to true, connections to Siri servers for dictation are disabled

Force WLAN Allowlist

'

Join Wi-Fi networks installed by profiles only

Allow QuickPath keyboard

Default:

If set to inactive, the QuickPath keyboard is disabled

Allow network access for files

Default:

If inactive, the connection to network drives is prevented in the file app

Allow USB drive for files

Default:

When inactive, it prevents the File app from connecting to connected USB devices

Allow Find My Device

Default:

When inactive, Find My Device is disabled in the Find my App

Allow Find My Friends

Default:

When inactive, Find My Friends is disabled in the Find My app

Force WiFi activation

Default:

If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use.

Erlaubt Enterprise-Apps zu vertrauen

Default:

Required for future implementations

Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple)

Allow screenshots and screen recording

Default:

Allows the user to take screenshots or screen recordings

Apple Music erlauben

Default:

If set to false, Apple Music will be disabled in the Music app

iTunes Radio erlauben

Default:

If set to false, iTunes Radio will be disabled in the Music app

Allow shared stream

Default:

If set to false, the shared stream is disabled

Allow Wallet while locked

Default:

If set to false, wallet notifications will not be shown on the lock screen

Allow use of News

Default:

Allows the user to access and use News

Allow modifying bluetooth settings

Default:

Allow modifying bluetooth settings

Allow modifying cellular data usage for app settings

Default:

If set to false, the mobile data uses for app settings cannot be changed

Allow modifying device name

Default:

Allows the user to change device names

Allow automatic sync while roaming

Default:

Allows automatic synchronization during roaming

Allow iCloud sync for managed apps

Default:

Allows iCloud synchronization for managed apps

Allow enterprise books backup

Default:

Allows enterprise books to be backed up

Allow enterprise books and highlights to sync

Default:

Allows enterprise books to synchronize notes and highlights

Allow email privacy

'

If activated, Apple's Mail Privacy Protection (AMPP) is activated

Allow In App purchases

Default:

Allows the user to make purchases within applications

Allow multiplayer gaming

Default:

Allows multiplayer gaming

Allow voice dialing while device is locked

Default:

Allows voice dialing while device is locked

Force Apple Watch wrist detection

Default:

Forces Apple watch wrist detection

Allow pairing with Apple Watch

Default:

Allows pairing with Apple Watch

Allow Internet results in Spotlight

Default:

If set to false, search results from the web will not be shown in Spotlight

Allow user to accept untrusted TLS certificates

Default:

Allows user to accept untrusted TLS certificates

Photo-Stream erlauben

Default:

Allows Photo Stream to be used on the device

Allow iCloud Photo Library

Default:

Allows iCloud photo library to be used on the device

Allow iCloud Backup

Default:

Allows backup using iCloud

Allow personalized advertising

Default:

When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later.

Requires iTunes password for all purchases

Default:

Requires the user's iTunes password to be entered for every purchase

Apps ranking number

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Apps auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
600	→ 17
300	→ 12+
200	→ 9+
100	→ 4+
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Movie-Ranking-Nummer

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Filmen auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
500	→ NC-17	(18+)
400	→ R	(16+)
300	→ PG-13	(12+)
200	→ PG	(6+)
100	→ G	(from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

TV-Serien-Ranking-Nummer

1000

The value entered describes the maximum permitted level of TV content relevant to youth protection on the device.

Possible values based on US valuation levels:

1000	→ All
600	→ TV-MA	(18+)
500	→ TV-14	(14+)
400	→ TV-PG	(not for "younger" children)
300	→ TV-G	(from 0)
200	→ TV-Y7	(produced for children from 7)
100	→ TV-Y	(produced for children from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Regionscode

Germany

Two-character code for the region used to specify ratings

Accept cookies in Safari

Never

Cookies akzeptieren:
Does not accept cookies

From current website only (iOS 8) or visited sites (pre-iOS 8)

Depending on iOS version:
from iOS 8: Only from current website
from iOS 8: Only from visited pages

From websites I visited

Accepts cookies from all visited websites

Always

Accepts all cookies

JavaScript erlauben

Default:

Allows JavaScript in Safari

Allow Pop-ups

Default:

Allows Pop-ups in Safari

Enable fraud warning

Default:

Enables fraud warning in Safari

Force translation on the device only

'

When this option is enabled, the device does not connect to Siri servers for translation purposes

Allow unmanaged documents in managed apps

Default:

Allows managed apps to access unmanaged documents

Allow managed documents in unmanaged apps

Default:

Allows unmanaged apps to access managed documents

Managed clipboard required

'

When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints.

Treat AirDrop as unmanaged destination

Default:

When activated, protected (managed) data is prevented from leaving the device unauthorized by Airdrop.

Handoff erlauben

Default:

If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device.

Allow Touch ID/Face ID for unlocking

Default:

Allows Touch ID/Face ID to unlock device

Fingerprint timeout

'

The time after which unlocking the fingerprint requires a password for authentication.
Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week

Allow modifying notification settings

Default:

Allows modifying notification settings

Allow incoming AirPlay requests

Default:

Allows incoming AirPlay requests

Allow pairing with Remote app

Default:

Allows pairing with Remote app

Diktat erlauben

Default:

Allows dictation

Allow camera use

Default:

Allows the user to use the camera

Siri erlauben

Default:

Erlaubt Siri.

Allow Siri while locked

Default:

Allows Siri while device is locked

Allow Siri user generated content

Default:

When inactive, it prevents Siri from querying requests with user-generated content

Allow modifying Touch ID/Face ID

Default:

The user is allowed to change the Touch ID/Face ID

Allow diagnostic submission

Default:

Send diagnostic and usage stats to Apple

Allow modifying diagnostics settings

Default:

The user is allowed to change the diagnostic settings

Restrictions

Default

Explanation

Demo-Dev-Einschränkung

'

Sollte nur im devWiki angezeigt werden

Allow automatic unlocking

'

If set to false, the automatic unlocking is disabled

Allow cloud address book

'

If set to false, the cloud address book will be disabled

Allow cloud bookmarks

'

If set to false, cloud bookmarks will be disabled

Allow cloud calendar

'

If set to false, the cloud calendar will be disabled

Allow cloud desktop & documents

'

If set to false, cloud desktop and documents will be disabled

Allow cloud mail

'

If set to false, cloud mail will be disabled

Allow cloud notes

'

If set to false, cloud notes will be disabled

Allow cloud reminders

'

If set to false, cloud reminders will be disabled

Allow content caching

'

If set to false, content caching will be disabled

Allow iTunes file sharing

'

If set to false, iTunes file sharing will be disabled

Allow automatic screen saver

'

Allow automatic screen saver

Allow lock screen ControlCenter

'

If set to false, the ControlCenter is disabled for the lock screen

Allow lock screen notifications to display

'

If set to false, the notification preview of the lock screen will be disabled

Allow lock screen view today

'

If set to false, today's lock screen view will be disabled

Allow to write unmanaged contacts

'

If set to false, writing unmanaged contacts will be disabled

Allow unmanaged reading of managed contacts

'

These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app

Allow OTAPKI updates

'

If set to false, OTAPKI updates are disabled

Allow temporary session of the shared device

'

If set to false, the temporary session of the shared device is disabled

Force password for outgoing AirPlay requests

'

If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password

Force encrypted backups

'

Force encrypted backups

Limit ad tracking

'

If set to true, ad tracking will be restricted

Dictation only

'

If set to true, connections to Siri servers for dictation are disabled

Force WLAN Allowlist

'

Join Wi-Fi networks installed by profiles only

Allow QuickPath keyboard

Default:

If set to inactive, the QuickPath keyboard is disabled

Allow network access for files

Default:

If inactive, the connection to network drives is prevented in the file app

Allow USB drive for files

Default:

When inactive, it prevents the File app from connecting to connected USB devices

Allow Find My Device

Default:

When inactive, Find My Device is disabled in the Find my App

Allow Find My Friends

Default:

When inactive, Find My Friends is disabled in the Find My app

Force WiFi activation

Default:

If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use.

Erlaubt Enterprise-Apps zu vertrauen

Default:

Required for future implementations

Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple)

Allow screenshots and screen recording

Default:

Allows the user to take screenshots or screen recordings

Apple Music erlauben

Default:

If set to false, Apple Music will be disabled in the Music app

iTunes Radio erlauben

Default:

If set to false, iTunes Radio will be disabled in the Music app

Allow shared stream

Default:

If set to false, the shared stream is disabled

Allow Wallet while locked

Default:

If set to false, wallet notifications will not be shown on the lock screen

Allow use of News

Default:

Allows the user to access and use News

Allow modifying bluetooth settings

Default:

Allow modifying bluetooth settings

Allow modifying cellular data usage for app settings

Default:

If set to false, the mobile data uses for app settings cannot be changed

Allow modifying device name

Default:

Allows the user to change device names

Allow automatic sync while roaming

Default:

Allows automatic synchronization during roaming

Allow iCloud sync for managed apps

Default:

Allows iCloud synchronization for managed apps

Allow enterprise books backup

Default:

Allows enterprise books to be backed up

Allow enterprise books and highlights to sync

Default:

Allows enterprise books to synchronize notes and highlights

Allow email privacy

'

If activated, Apple's Mail Privacy Protection (AMPP) is activated

Allow In App purchases

Default:

Allows the user to make purchases within applications

Allow multiplayer gaming

Default:

Allows multiplayer gaming

Allow voice dialing while device is locked

Default:

Allows voice dialing while device is locked

Force Apple Watch wrist detection

Default:

Forces Apple watch wrist detection

Allow pairing with Apple Watch

Default:

Allows pairing with Apple Watch

Allow Internet results in Spotlight

Default:

If set to false, search results from the web will not be shown in Spotlight

Allow user to accept untrusted TLS certificates

Default:

Allows user to accept untrusted TLS certificates

Photo-Stream erlauben

Default:

Allows Photo Stream to be used on the device

Allow iCloud Photo Library

Default:

Allows iCloud photo library to be used on the device

Allow iCloud Backup

Default:

Allows backup using iCloud

Allow personalized advertising

Default:

When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later.

Requires iTunes password for all purchases

Default:

Requires the user's iTunes password to be entered for every purchase

Apps ranking number

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Apps auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
600	→ 17
300	→ 12+
200	→ 9+
100	→ 4+
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Movie-Ranking-Nummer

1000

Der eingegebene Wert beschreibt das maximal erlaubte Level an jugendschutzrelevanten Filmen auf dem Gerät.

Possible values based on US valuation levels:

1000	→ All
500	→ NC-17	(18+)
400	→ R	(16+)
300	→ PG-13	(12+)
200	→ PG	(6+)
100	→ G	(from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

TV-Serien-Ranking-Nummer

1000

The value entered describes the maximum permitted level of TV content relevant to youth protection on the device.

Possible values based on US valuation levels:

1000	→ All
600	→ TV-MA	(18+)
500	→ TV-14	(14+)
400	→ TV-PG	(not for "younger" children)
300	→ TV-G	(from 0)
200	→ TV-Y7	(produced for children from 7)
100	→ TV-Y	(produced for children from 0)
0	→ None

The US Parental Guide rating is comparable to the German FSK rating

Regionscode

Germany

Two-character code for the region used to specify ratings

Accept cookies in Safari

Never

Cookies akzeptieren:
Does not accept cookies

From current website only (iOS 8) or visited sites (pre-iOS 8)

Depending on iOS version:
from iOS 8: Only from current website
from iOS 8: Only from visited pages

From websites I visited

Accepts cookies from all visited websites

Always

Accepts all cookies

JavaScript erlauben

Default:

Allows JavaScript in Safari

Allow Pop-ups

Default:

Allows Pop-ups in Safari

Enable fraud warning

Default:

Enables fraud warning in Safari

Force translation on the device only

'

When this option is enabled, the device does not connect to Siri servers for translation purposes

Allow unmanaged documents in managed apps

Default:

Allows managed apps to access unmanaged documents

Allow managed documents in unmanaged apps

Default:

Allows unmanaged apps to access managed documents

Managed clipboard required

'

When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints.

Treat AirDrop as unmanaged destination

Default:

When activated, protected (managed) data is prevented from leaving the device unauthorized by Airdrop.

Handoff erlauben

Default:

If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device.

Allow Touch ID/Face ID for unlocking

Default:

Allows Touch ID/Face ID to unlock device

Fingerprint timeout

'

The time after which unlocking the fingerprint requires a password for authentication.
Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week

Allow modifying notification settings

Default:

Allows modifying notification settings

Allow incoming AirPlay requests

Default:

Allows incoming AirPlay requests

Allow pairing with Remote app

Default:

Allows pairing with Remote app

Diktat erlauben

Default:

Allows dictation

Allow camera use

Default:

Allows the user to use the camera

Siri erlauben

Default:

Erlaubt Siri.

Allow Siri while locked

Default:

Allows Siri while device is locked

Allow Siri user generated content

Default:

When inactive, it prevents Siri from querying requests with user-generated content

Allow modifying Touch ID/Face ID

Default:

The user is allowed to change the Touch ID/Face ID

Allow diagnostic submission

Default:

Send diagnostic and usage stats to Apple

Allow modifying diagnostics settings

Default:

The user is allowed to change the diagnostic settings

Classroom-App

The Classroom App is available free of charge in the App-Store and offers possibilities for use in school classes.
Important restrictions can be configured here.

Restrictions	Default	Explanation
Allow remote screen monitoring	Default	If not allowed, remote screen monitoring is disabled by the Classroom app. When screenshots are disabled, the Classroom app does not observe remote screens.
Force courses to be joined automatically	'	If enforced, the instructor's requests are automatically accepted without prompting the student.
Force permission to leave classes	Default	If enforced, a student enrolled in an unmanaged course through Classroom must ask the instructor for permission to leave the course.
Force app and device lock	'	If enforced, the teacher can lock apps or the device without prompting the student.
Force screen monitoring	'	When enforced and remote screen monitoring is allowed, a student enrolled in a managed course through the classroom app automatically grants permission to watch the screen without being prompted.

Restrictions for supervised devices

A range of restrictions is only available for devices in the Supervised embedding mode.

Restrictions	Default	Explanation
Restrict app use	Default: Allow all apps Do not allow certain apps Allow only certain apps	Configures whether no restriction, a blocklist or a allowlist is used for apps. supervised devices only
Blocked apps Allowlisted Apps	Click box for app selection	Depending on the selection in the line above: Blocklisted Apps / Allowlisted Apps Searches the entire App Store for possible apps. supervised devices only
Blocked apps Allowlisted Apps	Add system apps	If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. supervised devices only
Allow AirDrop	'	If set to false, AirDrop will be disabled supervised devices only
Allow AirPrint	'	If set to false, AirPrint will be disabled supervised devices only
Allow saving AirPrint credentials	'	If set to false, the storage of AirPrint credentials is disabled supervised devices only
Allow AirPrint iBeacon detection	'	If set to false, AirPrint iBeacon detection will be disabled supervised devices only
Allow change of mobile tariff	'	If set to false, the change of the mobile tariff will be disabled supervised devices only non
Allow cloud keychain synchronization	'	If set to false, cloud keychain synchronization is disabled supervised devices only
Allow private cloud relay	'	If set to disabled, iCloud Private Relay will be disabled Devicesupervised devices only
Allow eSIM changes	'	If set to false, the eSIM change will be disabled
Allow access to files on USB drive	'	If set to false, access to the files USB drive is disabled supervised devices only
Allow change to find my friends	'	If set to false, the modification will be disabled for find my friends supervised devices only
Allow host pairing	'	If set to false, host pairing is disabled supervised devices only
Allow NFC	'	If set to false, NFC will be disabled supervised devices only
Allow auto-complete password	'	If set to false, the auto-completion of the password will be disabled supervised devices only
Allow device to enter sleep mode	Default:	If set to false, the hibernation of the device is disabled supervised devices only
Allow requests for password proximity	'	If set to false, password proximity requests are disabled supervised devices only
Allow password sharing	'	If set to false, password sharing will be disabled supervised devices only
Allow change of personal hotspot	'	If set to false, the change of the personal hotspot will be disabled supervised devices only
Allow Podcasts	'	If set to false, podcasts will be disabled supervised devices only
Allow proximity settings for new device	'	If set to false, the proximity set-up for the new device will be disabled supervised devices only
Allow removal of system apps	'	If set to false, the removal of system apps is disabled supervised devices only
Allow non-paired external boot for recovery	'	If set to false, unpaired external booting for recovery is disabled supervised devices only
Allow restricted USB mode	'	If set to false, the restricted USB mode will be disabled supervised devices only
Allow VPN creation	'	If set to false, VPN creation will be disabled supervised devices only
Allowed apps in single app mode	Choose application	Allowed apps in single app mode supervised devices only
Force AirPrint Trusted TLS Requirement	'	If set to true, AirPrint enforces the trusted TLS request supervised devices only
Enforce authentication before autofill	'	If set to true, authentication is enforced before autofilling supervised devices only
Force automatic date and time	'	If set to true, the date and time are automatically enforced supervised devices only
Force WLAN to approved networks only	'	If set to true, WLAN is forced only on allowed networks supervised devices only
Allow account modification	Default:	If inactive, account modification will be disabled. notempty This option prevents, for example, the creation of another Apple account, which could then be used to install additional apps. notempty iOS can only activate this restriction for all accounts. This also means that changing a password for an Exchange account is no longer possible. supervised devices only
Allow app removal	Default:	Allows the user to remove apps supervised devices only
Allow explicit content	Default:	Allows the user to access explicit content. When activated, the SafeSearch function is switched off by Safari. supervised devices only
Allow use of iMessage	Default:	Allow use of iMessage supervised devices only
Allow iBookstore	Default:	Supervised only. If disabled, iBookstore will be disabled supervised devices only
Allow erotica in the iBookstore	Default:	Supervised only. If disabled, the user will not be able to download media from the iBookstore marked as erotica supervised devices only
Allow use of iTunes	Default:	Allow the user to access and use iTunes supervised devices only
Allow use of Safari	Default:	Allows the user to use Safari supervised devices only
Allow Game Center	Default:	Allow Game Center
Allow adding Game Center friends	Default:	Allow the user to add friends to the Game Center supervised devices only
Allow modifying wallpaper	Default:	Allow changing the background image supervised devices only</smMS/deployment/profile.langall>
Permit configuration of the screen time	Default:	Allow configuration restrictions supervised devices only
Allow iCloud document sync	Default:	Allow document synchronization with iCloud supervised devices only
Allow auto-fill in Safari	Default:	Allows autocomplete in Safari browser supervised devices only
Allow predictive keyboard.	Default:	Allow predictive keyboard. supervised devices only
Allow keyboard shortcuts.	Default:	Allow keyboard shortcuts. supervised devices only
Allow autocorrect.	Default:	Allow autocorrect. supervised devices only
Allow correction help.	Default:	Allow correction help. supervised devices only
Allow definition.	Default:	Allow definition. supervised devices only
Allow video conferencing	Default:	Allow video conferencing supervised devices only
Enable Siri profanity filter	Default:	Enables Siri profanity filter. supervised devices only
Allow app installation from Apple Configurator and iTunes	Default:	Allow only a connected Mac host to install applications supervised devices only
Allow automatic app downloads	Default:	Allows automatic app downloads supervised devices only
Allow app installation from the app store	Default:	Allow the user to install applications supervised devices only
Allow modifying passcode	Default:	Allow changing the passcode supervised devices only
Allow UI configuration profile installation	Default:	If set to false, the user is prohibited from installing configuration profiles and certificates interactively supervised devices only
Allow erase all content and settings	Default:	If disabled, the user cannot select the "Clear all content and settings" option in Settings > General > Reset supervised devices only
Allow app clips	Default:	When this option is disabled, a user cannot add app clips and remove existing app clips on the device. Available in iOS 14.0 and later. supervised devices only
Force delayed app updates	Default:	If set to true, delayed app updates are forced supervised devices only
Force delayed software updates	Default:	When active, user visibility of software updates is delayed. supervised devices only
Software Update Delay in days	Default: 30	With this restriction, the administrator can specify by how many days a software or app update is delayed on the device. With this restriction, the user will not see a software update until the specified number of days after the software update release date. supervised devices only

Restrictions	Default	Explanation
Restrict app use	Default: Allow all apps Do not allow certain apps Allow only certain apps	Configures whether no restriction, a blocklist or a allowlist is used for apps. supervised devices only
Blocked apps Allowlisted Apps	Click box for app selection	Depending on the selection in the line above: Blocklisted Apps / Allowlisted Apps Searches the entire App Store for possible apps. supervised devices only
Blocked apps Allowlisted Apps	Add system apps	If the selection is limited to Allowed apps, all system apps can be added to the click box. The system apps can then be removed individually. supervised devices only
Allow AirDrop	'	If set to false, AirDrop will be disabled supervised devices only
Allow AirPrint	'	If set to false, AirPrint will be disabled supervised devices only
Allow saving AirPrint credentials	'	If set to false, the storage of AirPrint credentials is disabled supervised devices only
Allow AirPrint iBeacon detection	'	If set to false, AirPrint iBeacon detection will be disabled supervised devices only
Allow change of mobile tariff	'	If set to false, the change of the mobile tariff will be disabled supervised devices only non
Allow cloud keychain synchronization	'	If set to false, cloud keychain synchronization is disabled supervised devices only
Allow private cloud relay	'	If set to disabled, iCloud Private Relay will be disabled Devicesupervised devices only
Allow eSIM changes	'	If set to false, the eSIM change will be disabled
Allow access to files on USB drive	'	If set to false, access to the files USB drive is disabled supervised devices only
Allow change to find my friends	'	If set to false, the modification will be disabled for find my friends supervised devices only
Allow host pairing	'	If set to false, host pairing is disabled supervised devices only
Allow NFC	'	If set to false, NFC will be disabled supervised devices only
Allow auto-complete password	'	If set to false, the auto-completion of the password will be disabled supervised devices only
Allow device to enter sleep mode	Default:	If set to false, the hibernation of the device is disabled supervised devices only
Allow requests for password proximity	'	If set to false, password proximity requests are disabled supervised devices only
Allow password sharing	'	If set to false, password sharing will be disabled supervised devices only
Allow change of personal hotspot	'	If set to false, the change of the personal hotspot will be disabled supervised devices only
Allow Podcasts	'	If set to false, podcasts will be disabled supervised devices only
Allow proximity settings for new device	'	If set to false, the proximity set-up for the new device will be disabled supervised devices only
Allow removal of system apps	'	If set to false, the removal of system apps is disabled supervised devices only
Allow non-paired external boot for recovery	'	If set to false, unpaired external booting for recovery is disabled supervised devices only
Allow restricted USB mode	'	If set to false, the restricted USB mode will be disabled supervised devices only
Allow VPN creation	'	If set to false, VPN creation will be disabled supervised devices only
Allowed apps in single app mode	Choose application	Allowed apps in single app mode supervised devices only
Force AirPrint Trusted TLS Requirement	'	If set to true, AirPrint enforces the trusted TLS request supervised devices only
Enforce authentication before autofill	'	If set to true, authentication is enforced before autofilling supervised devices only
Force automatic date and time	'	If set to true, the date and time are automatically enforced supervised devices only
Force WLAN to approved networks only	'	If set to true, WLAN is forced only on allowed networks supervised devices only
Allow account modification	Default:	If inactive, account modification will be disabled. notempty This option prevents, for example, the creation of another Apple account, which could then be used to install additional apps. notempty iOS can only activate this restriction for all accounts. This also means that changing a password for an Exchange account is no longer possible. supervised devices only
Allow app removal	Default:	Allows the user to remove apps supervised devices only
Allow explicit content	Default:	Allows the user to access explicit content. When activated, the SafeSearch function is switched off by Safari. supervised devices only
Allow use of iMessage	Default:	Allow use of iMessage supervised devices only
Allow iBookstore	Default:	Supervised only. If disabled, iBookstore will be disabled supervised devices only
Allow erotica in the iBookstore	Default:	Supervised only. If disabled, the user will not be able to download media from the iBookstore marked as erotica supervised devices only
Allow use of iTunes	Default:	Allow the user to access and use iTunes supervised devices only
Allow use of Safari	Default:	Allows the user to use Safari supervised devices only
Allow Game Center	Default:	Allow Game Center
Allow adding Game Center friends	Default:	Allow the user to add friends to the Game Center supervised devices only
Allow modifying wallpaper	Default:	Allow changing the background image supervised devices only</smMS/deployment/profile.langall>
Permit configuration of the screen time	Default:	Allow configuration restrictions supervised devices only
Allow iCloud document sync	Default:	Allow document synchronization with iCloud supervised devices only
Allow auto-fill in Safari	Default:	Allows autocomplete in Safari browser supervised devices only
Allow predictive keyboard.	Default:	Allow predictive keyboard. supervised devices only
Allow keyboard shortcuts.	Default:	Allow keyboard shortcuts. supervised devices only
Allow autocorrect.	Default:	Allow autocorrect. supervised devices only
Allow correction help.	Default:	Allow correction help. supervised devices only
Allow definition.	Default:	Allow definition. supervised devices only
Allow video conferencing	Default:	Allow video conferencing supervised devices only
Enable Siri profanity filter	Default:	Enables Siri profanity filter. supervised devices only
Allow app installation from Apple Configurator and iTunes	Default:	Allow only a connected Mac host to install applications supervised devices only
Allow automatic app downloads	Default:	Allows automatic app downloads supervised devices only
Allow app installation from the app store	Default:	Allow the user to install applications supervised devices only
Allow modifying passcode	Default:	Allow changing the passcode supervised devices only
Allow UI configuration profile installation	Default:	If set to false, the user is prohibited from installing configuration profiles and certificates interactively supervised devices only
Allow erase all content and settings	Default:	If disabled, the user cannot select the "Clear all content and settings" option in Settings > General > Reset supervised devices only
Allow app clips	Default:	When this option is disabled, a user cannot add app clips and remove existing app clips on the device. Available in iOS 14.0 and later. supervised devices only
Force delayed app updates	Default:	If set to true, delayed app updates are forced supervised devices only
Force delayed software updates	Default:	When active, user visibility of software updates is delayed. supervised devices only
Software Update Delay in days	Default: 30	With this restriction, the administrator can specify by how many days a software or app update is delayed on the device. With this restriction, the user will not see a software update until the specified number of days after the software update release date. supervised devices only

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Notification settings

Add settings The settings are made separately for each app

Caption	Value	Description	Menu item Notification settings
Application	Enter id	The bundle ID of the application. WARNING: Entering an unknown bundle ID can cause problems
Enable notifications		Enables, respectively disables notifications for this app.
Alert type	Temporary banner	The notification type for notifications for this app: None/Banner/Warning
	Permanent banner
	None
Badges enabled		Allow or disallow for this app.
Enable critical alerts		When active , critical alerts are enabled that can ignore "Do Not Disturb" and ringer settings for this app.
Grouping type	Automatic	The notification grouping type
	by App
	Off
Preview type	Always	The notification type preview
	When unlocked	Displays the notification only when the device is unlocked
	Never	Never displays the notifications
Show in CarPlay		When active, notifications are displayed in CarPlay
Show in lock screen		Determines whether notifications can be displayed in the lock screen
Show in notification center		Determines whether notifications are displayed in the notification center
Sounds enabled		Determines if sounds are allowed for this app

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Passcode

Configuration by clicking on Activate Passcode

Operation

Default

Description

Settings passcode

Request passcode on the device

Enforces the use of a passcode before using the device

Set maximum number of failed attempts

Number of passcode entry attempts allowed before all data on device will be erased

Maximum number of failed attempts 11

Set auto-lock

The number of minutes for which the device can be idle (without being unlocked by the user) before it gets locked by the system

Automatic lock after 15 minutes

Set maximum passcode age

The number of days for which the passcode can remain unchanged 730

Restrict password complexity

Allows restricting password complexity


Allow simple value		Permits the use of repeating, ascending, and descending character sequences
Require alphabetic value		Passcodes must contain at least one letter
Minimum number of complex characters	0	Smallest number of non-alphanumeric characters allowed
Minimum passcode length	0	Smallest allowed number of characters in passcode

Use passcode history

Allows defining the number of different passcodes required between the reuse of passcodes


Passcode history	1	Number of unique passcodes required between passcode reuse

Use grace period for device lock

Allows defining the maximum time in minutes to unlock the phone


Grace period for device lock	-1	The maximum grace period, in minutes, to unlock the phone without entering a passcode. The default value -1 predetermines iOS to not apply a time limit

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Apps Apps
Profil ab Portalversion 1.31 angelegt notempty Profil ab Portalversion 1.31 angelegt notempty New as of 1.31
Das Verwalten von Apps und Webclips über Profile ist veraltet und nicht mehr verfügbar. Die Neuzuweisung von Applikationen zu Geräten wird stattdessen über den im Seitenmenü befindlichen Menüpunkt Mobile Security iOS/iPadOS Apps vorgenommen. Weitere Informationen sind im Wiki-Artikel über iOS-Apps zu finden.			Apps & Web clips
			Apps & Web clips
Profil vor Portalversion 1.31 angelegt notempty Profil vor Portalversion 1.31 angelegt
notempty Diese Funktion ist veraltet. In Profilen vor Version 1.31 können Apps gelöscht, aber nicht neu hinzugefügt werden. Die Neuzuweisung von Applikationen zu Geräten wird stattdessen über den im Seitenmenü befindlichen Menüpunkt Mobile Security iOS/iPadOS Apps vorgenommen. Darüber ist auch die spätere Deinstallation der Anwendungen möglich. Weitere Informationen sind im Wiki-Artikel über iOS-Apps zu finden.
Caption	Value	Description	Apps & Web clips
Apps	Securepoint VPN Client	Die angelegten Apps können lediglich gelöscht werden. Es können keine neuen Apps hinzugefügt werden. Über die Portalseite Apps werden Apps einem iOS-Profil hinzugefügt und entfernt.
Web clips	Securepoint Wiki [Label: SP Wiki] (https://wiki.securepoint.de)	Die angelegten Web clips können lediglich gelöscht werden. Es können keine neuen Web clips hinzugefügt werden. Über die Portalseite Apps werden Web clips einem iOS-Profil hinzugefügt und entfernt.

App-Lock (Kiosk mode)

The app lock activates the guided mode which limits the device to a single app. In this state - also called kiosk mode - you can control which app functions are available.

Activate configuration

Caption	Default	Description
Bundle ID	Default: Enter ID	The bundle ID of the application. WARNING: Entering an unknown bundle ID can cause problems
Options
Disable touch	Default:	If true, the touch screen is disabled
Disable device rotation	Default:	If active, device rotation detection is disabled
Disabling the volume keys	'	When active, the volume keys are disabled
Deactivating bell switch	'	When active, the ringtone switch is disabled
Disable sleep wake button	'	When active, the sleep / wake button is disabled
Disable auto lock	'
Activate Voice-Over	'	If active, voice over is enabled
Activate zoom	'	When active, zoom is enabled
Enable inverting colors	'	If active, invert colors is enabled
Enable AssistiveTouch	'	When active, AssistiveTouch is enabled
Enable language selection	'	If active, the language selection is enabled.
Enable mono audio	'	When active, mono audio is enabled
User Enabled Options
Voice-Over	'	If active, VoiceOver customization is allowed
Zoom	'	If active, the zoom setting is allowed
Invert colors	'	If active, the colors invert setting is allowed
AssistiveTouch	'	If active, AssistiveTouch customization is allowed

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Home screen layout

Caption	Value	Description	Menu item Home Screen Layout: Select template
Enable home screen layout		After activation, changes can be made to the home screen layout
Select type	Use a predefined layout	Uses an already existing home screen layout
Select type	Create an individual home screen layout	Creates a profile specific layout
Select layout Only for Use predefined layout	Test layout	Displays a selection of predefined layouts under Home screen layouts.

Only for Create an individual home screen layout:			Menu item Home Screen Layout: Profile-specific layout
Type	Application	Applications from the Apple Appstore'
	System application	Provides a list of Apple system applications on the device as a selection
	Web clip	Provides a list of apps created as Web clips as a selection
	Folder	Adds a folder. Apps can then be moved into it via drag'n drop. Once the maximum number of apps that can be added to a page is reached, the folder can be configured by clicking the gear icon in the upper left corner and adding another page with +.
Choose app Only for the type Application and System application	Choose app	For System apps, an app can be selected from the drop-down menu For Applications at least 2 characters must be entered to perform a search in the app store
Web clip Only for the type Web clip	Choose a web clip	List of Web Clips
Name Only for the type Folder	Name	Name of the folder on the home screen
Add	Adds the selected element to the last page of the home screen The elements can be subsequently moved to other areas
Add all system applications Only for the type System application	Adds the selected element to the last page of the home screen The elements can be subsequently moved to other areas
Add all apps Only for the type Application	Adds all apps from the Apps menu or apps with VPP licenses to the last page of the homescreen The elements can be subsequently moved to other areas

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Wallpaper

Caption	Value	Wallpaper menu item
Activate wallpaper	Activates the settings for wallpaper configuration notempty Wallpapers are not reverted to the original one after disabling the option.
Select wallpaper	Opens a dialog where an image can be uploaded in .jpg or .png format. Subsequently, the image can be marked and selected.
Use wallpaper also for lock screen	Uses the same image for the lock screen as well
Select lock screen	Opens a dialog where an image can be uploaded in .jpg or .png format. Subsequently, the image can be marked and selected.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Networks

In this section, access profiles for WiFi networks can be configured and pushed to the device.

Add a network configuration with

Network configurations

Caption

Value

Description

Network configurations

Name

Name of the configuration

Type

WiFi

Configuration type (WiFi predefined)

SSID

The SSID of the network

Security

Security level of the network key

None

No security

WEP-PSK

Insecure

WPA-PSK

Secure

Password

The networks passphrases. Hidden with placeholders.
shows the password in plain text.

Hidden SSID

Specifies whether the SSID of the network is visible or hidden .

Autoconnect

Enable for the device to automatically connect to the network.

Deactivate MAC randomisation

When activated, the devices always identify themselves with the same MAC address in a network. Cannot be changed by the user.

This function also displays a data protection warning in the settings that the network has limited data protection.
This value is only locked if the profile is installed via an MDM.
If the value is set with the Apple Configurator 2, for example, it can be changed by the user.

EAP-Client / WPA2 Enterprise

Use EAP Client

When activated, the EAP client, the WPA2 Enterprise can be used

EAP-Typen

Select EAP Types

The EAP type is selected. Several types can be selected.
The choices are:

TLS
LEAP
EAP-SIM
TTLS
EAP-AKA
PEAP
EAP-FAST

Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Max. TLS Version	1.2 default	The maximum TLS version is selected. The choice is: 1.0 1.1 1.2
Min. TLS Version	1.0 default	The minimum TLS version is selected. The choice is: 1.0 1.1 1.2
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered

One time user password		If activated, the user will be prompted to enter the password each time they connect
Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered
Username		Username of the account for the server
		Password of the account for the server

EAP SIM Number Of RANDs	3 default	The number of EAP SIMs of the RANDs is selected
Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered

One time user password		If activated, the user will be prompted to enter the password each time they connect
Outer Identity		A name that hides the user's true name
Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Max. TLS Version	1.2 default	The maximum TLS version is selected. The choice is: 1.0 1.1 1.2
Min. TLS Version	1.0 default	The minimum TLS version is selected. The choice is: 1.0 1.1 1.2
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered
TTLS Inner Authentication	MSCHAPv2	The inner authentication of TTLS is selected. The choices are: PAP EAP CHAP MSCHAP MSCHAPv2
Username		Username of the account for the server
		Password of the account for the server

Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered

One time user password		If activated, the user will be prompted to enter the password each time they connect
Outer Identity		A name that hides the user's true name
Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Max. TLS Version	1.2 default	The maximum TLS version is selected. The choice is: 1.0 1.1 1.2
Min. TLS Version	1.0 default	The minimum TLS version is selected. The choice is: 1.0 1.1 1.2
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered
Username		Username of the account for the server
		Password of the account for the server

Provision PAC		Provide PAC
Provision anonymously Displayed when Provision PAC is activated.		Provide anonymously
Use existing PAC		Use existing PAC
One time user password		If activated, the user will be prompted to enter the password each time they connect
Outer Identity		A name that hides the user's true name
Payload Certificate Anchor UUID		The certificate that is handed to the server by the client as authentication when logging on to the WLAN. Apple: An array of the UUID of a certificate payload to trust for authentication
System Mode Credentials Source		The server for the system mode credentials
Use Open Directory credentials		When activated, logging in through Open Directory is possible
Allow two-factor authentication		Two-factor authentication is possible when activated
Max. TLS Version	1.2 default	The maximum TLS version is selected. The choice is: 1.0 1.1 1.2
Min. TLS Version	1.0 default	The minimum TLS version is selected. The choice is: 1.0 1.1 1.2
Trusted certificates		The certificates that are to be trusted are entered. These certificates must first be stored in the Menu Certificates
Trusted server names		The names of the servers that are to be trusted are entered
Username		Username of the account for the server
		Password of the account for the server

Global HTTP proxy

A Global HTTP proxy can be configured, for example, if devices are permanently on the same network and a local proxy is to be used on the device.
Especially recommended for devices that only have an MDM license. These can then use, for example, the protection functions of a Securepoint UTM with web filter, etc.

Global HTTP proxy configuration

Use global HTTP proxy

Activates the global HTTP proxy

Type

Manual
Automatic

For a manual proxy type, the profile contains the proxy server address, including the port, and optionally a user name and password. For an auto proxy type, you can enter a PAC URL.

Allow captive login

When active, the device can bypass the proxy server to display the login page for networks with a captive portal

Username

The username used to authenticate to the proxy server

Password

The password used for authentication to the proxy server

Server

The network address of the proxy server

Server port

8080

The port used to connect to the proxy server

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Email & Exchange Active Sync

Multiple mail accounts can be set up in the Email settings section.
These settings affect IMAP or POP3 accounts. Settings for Exchange ActiveSync must be made in the corresponding menu item!

Email accounts

Add account

Operation

Default

Description

Email settings

Account description

The display name of the account (e.g. "Company Mail Account")

Account name

The display name of the user (e.g. "John Appleseed")
Variables can be used as well.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

The display name can be combined with the variable %device_user_name%. The variable reads from the user settings of the user to whom the respective device is assigned the fields first name and last name. e.g.: %device_user_name% | ttt-Point AG → Martin Müller | ttt-Point AG

Email address

The address of the account (e.g. "john@company.com")
The entry $emailaddress$ reads the email address from the user settings of the user to whom the device is assigned.
Variables can be used as well.

The entries $variable1$, $variable2$ and $variable3$ can be defined individually.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Prevent move

If set to true, messages may not be moved out of this email account into another account

Disable email recipient synchronization

If set to true, this account is excluded from address "recent" syncing

Allow Mail drop

If set to true, this account is allowed to use Mail drop

Prevent App Sheet

If set to true, this account will not be available for sending mail in third party applications

S/MIME Enabled

If set to true, this account will support S/MIME

S/MIME signing enabled

If set to true, this account will enable message signing

S/MIME encryption enabled

If set to true, this account will support message encryption

S/MIME enable Per-Message Switch

If set to true, enables the per-message encryption switch

Incoming mails

Operation

Default

Description

Mail server

Hostname or IP address

Port

993

Port number for incoming mail

Account type

IMAP

POP

The protocol for accessing the email account

Username

Select user

The username used to connect to the server for incoming emails
Variables can be used as well.
$emailaddress$, $username$, $variable1$, $variable2$, $variable3$

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Examples:

The email user name is identical to the device user name: ttt-point.local\%device_user_username%
The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%

Path prefix

Path prefix for IMAP mail server

Incoming Mail Server authentication

authentication method

The authentication method for the incoming mail server
None
Password
CrammD5
NTLM
HTTPMD5

Password

The password for the incoming mail server

Use SSL

Incoming email retrieval via Secure Socket Layer

Outgoing mails

Operation

Default

Description

Mail server

Hostname or IP address for outgoing email

Port

587

The port number for outgoing email

Username

Select user

The username used to connect to the server for outgoing mail
Variables can be used as well. $emailaddress$, $username$, $variable1$, $variable2$, $variable3$

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Examples:

The email user name is identical to the device user name: ttt-point.local\%device_user_username%
The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%

authentication type

authentication method

The authentication method for the outgoing mail server
Password
CrammD5
NTLM
HTTPMD5

Outgoing Password: Same as incoming

SMTP authentication uses the same password as POP/IMAP server for incoming emails


Password	Password	The password for the outgoing mail server

Use SSL

Send outgoing email through Secure Socket Layer

Exchange accounts

Exchange accounts Add account

Configuration for Exchange mails retrieved via https connections

Configuration by clicking on Activate Exchange ActiveSync

Operation

Default

Description

Settings Exchange ActiveSync

Account name

The display name of the user (e.g. "John Appleseed"). Different variables can be used.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Exchange ActiveSync Host

Enter host

Host name or IP address of the Exchange server

Past days of mail to sync

Synchronization period

Use SSL

Encrypts all messages with SSL (Secure Socket layer)

Email address

Select email address

The address of the account to be synchronized (e.g. "john@company.com") Variables can be used as well.

The entries $variable1$, $variable2$ and $variable3$ can be defined individually.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Domain\User

Username

Mail domain and mail user

The field must remain empty if the device should ask.
If the domain should be entered automatically, this can be configured on the server.

Variables can be used as well.
$emailaddress$, $username$, $variable1$, $variable2$, $variable3$

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Examples:

The email user name is identical to the device user name: ttt-point.local\%device_user_username%
The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%

Password

The password for the account

Use OAuth

Specifies whether the connection should use OAuth for authentication. notempty

If OAuth is specified, the password field should remain blank

Payload certificate UUID

Select certificate

UUID of the certificate that is used for authentication

Prevent move

If set to true, messages may not be moved out of this email account into another account

Prevent App sheet

If set to true, this account will not be available for sending mail in third party applications

Allow Mail Drop

If set to true, this account is allowed to use Mail Drop

S/MIME enabled

If set to true, this account will support S/MIME

S/MIME signing enabled

If set to true, this account will enable message signing

S/MIME encryption enabled

If set to true, this account will support message encryption

S/MIME enable Per-Message Switch

If set to true, enables the per-message encryption switch

Disable email recipient synchronization

If this value is set to true, this account will be excluded from the synchronization of the "Recent" addresses

Activate calendar

Calendar overwritable

Allow account to enable/disable calendar

Enable/disable contacts

Enable contacts

Contacts overwritable

Allow account to enable/disable contacts

Enable email

Mail overwritable

Allow account to enable/disable mail

Enable notes

Allow account to enable/disable notes

Enable reminders

Reminders overwritable

Allow the account to enable/disable reminders

Overwrite previous password

Audio calls

Enter ID

The bundle ID of the application that processes audio calls made to contacts from this account

Example: Office365 accountsExample: Office365 accounts

Example: Integration of an Office 365 account with OAuth

OAuth only works with ActiveSync
Configuration in the Email & Exchange Active Sync tab when adding an Exchange Account

The OAuth data of other providers can be obtained exclusively and directly from these providers

Operation	Value	Description
Account name	Account name	Name of the user to be displayed
Exchange ActiveSync Host	outlook.office365.com	Example for Office365
Number of days in which the emails from the past are synchronized	Forever	Possible values: 1 day, 3 days, 1 week, 2 weeks, 1 month, forever
Use SSL		Sends all communications via Secure Socket Layer. notempty Securepoint recommends to activate the option
Email address	alice@ttt-point.onmicrosoft.de	Possible addresses are selectable from the dropdown menu incl. variables that take the information from the user data
Domain\User	alice@ttt-point.onmicrosoft.de	The previously selected e-mail address of the user
Password		The password for the email account on the mail server notempty If OAuth is specified, the password field should remain blank
Use OAuth		Specifies whether the connection should use OAuth for authentication. Must be activated on the mail server! If OAuth is specified, the password field should remain blank
OAuth login URL	https://login.microsoftonline.com/common/oauth2/v2.0/authorize	Login URL Here shown for Office365 accounts (example)
OAuth token request URL	https://login.microsoftonline.com/common/oauth2/v2.0/token	OAuth token request URL Here shown for Office365 accounts (example)
Payload certificate UUID:	None	If the authentication on the Exchange server is to be done with a certificate, this can be selected here. notempty Additionally, in the Certificates tab, the desired certificate must be added in the click box to be transferred to the device.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Calendar

Calendar with user account

Calendar with user account Variables can be used as well.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

User	Add account
Caption	Value	Description	Calendar with user account
Hostname	Hostname	Server address of the calendar
Username	Username	The username for the login The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
Password	Password	Optional. The password of the user
Use SSL		Enable Secure Socket Layer communication with the CalDAV server
Port	Port	Optional. The port of the server to which the connection is made.
Main URL	Main URL	The URL to the user's calendar. In iOS/iPadOS, this URL is required when the user does not provide a password, because the service auto-detection fails and the account is not created. Optional.
Account description	Account description	Optional. The description of the account.

Add subscription

Subscribed calendar Variables can be used as well.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Subscriptions	Add subscription
Caption	Value	Description	Subscribed calendar
Hostname	Hostname	Server address of the calendar
Username	Username	The username for the login The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
Password	Password	Optional. The password of the user
Use SSL		Enable Secure Socket Layer communication with the CalDAV server
Account description	Account description	Optional. The description of the account.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

CardDav

Variables can be used as well.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

User	Add account
Caption	Value	Description	Include address books
Hostname	Hostname	The CardDAV server hostname or IP address
Username	Username	The CardDAV username The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
Password	Password	The CardDAV password
Use SSL		When enabled , the Secure Socket Layer communicates with the CardDAV server.
Port	Port	The port number to connect to the CardDAV server
Main URL	Main URL	The main URL for the CardDAV account
Account description	Account description	The display name of the account (e.g. "Company CardDAV Account").

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Google account

Caption	Value	Description	Google Accounts menu item
User	Add account	Adds a Google account. This also makes, for example, the history of Google searches or individual Google Maps configurations, such as special points, available on the device.
Account description	Account description	The displayed name of the account (e.g. "Company Server Account").
Account name	Account name	Full user name of the Google account
Email address	Email address	The address of the account (e.g. "mdm.ttt-point@gmailcom") Addresses of created users (from General Users ) can be selected or freely entered.
Audio calls	Enter ID	The bundle ID of the application that processes audio calls made to contacts from this account

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

AirPrint

Caption	Value	Description	AirPrint menu item
Printer	Add printer	Adds a printer configuration that should always be displayed
IP address	IP address	The IP address of the AirPrint destination
Resource path	ipp/print	The resource path associated with the printer. This corresponds to the rp parameter of the _ipps.tcp Bonjour record. For example: printers/Canon_MG5300_series, printers/Xerox_Phaser_7600 or ipp/print
Port	Port	The port through which to connect to the printer
Force TLS		Secures active AirPrint connections through Transport Layer Security (TLS) when it is enabled.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Certificates

Certificates are required, for example, to retrieve emails from an Exchange server with https or to confirm the authenticity of self-signed apps.

Caption	Values	Description	Certificates
Activate certificates		Once set, you can add certificates
Certificates	Select certificates	Selection of certificates, Base-64-encoded X.509 or PKCS#12, imported in the Mobile Security Certificate menu.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Security iOS

Security / VPN

Caption

Value

Description

Allow Suspend Always-On-VPN

Allows the user to temporary disable the VPN-Connection. If not activated manually, the VPN will resume at a time chosen by the user.

Allow other VPN profiles

Allows adding other VPN profiles in addition to the security profile

Authentifizierung nach App-Start erforderlich notempty

New as of 2.1

Requirement for this feature: App version 3.1

Wenn aktiviert, ist eine Authentifizierung (PIN oder biometrisch) beim App-Start erforderlich. Diese muss der User festlegen.

Activate security

To be able to use Mobile Security, the "Securepoint VPN Client" app is first installed automatically. This requires either a VPP license from the Apple Business Manager or an Apple ID on the device.

Protocol

TCP

Protocol used for VPN tunnel. TCP or UDP

Portfilter Type

Open

Filter network traffic based on network ports.all ports are open

Closed

Only port 80 (http) and 443 (https) are enabled

Selection

Port filter rule selection: Specify which port collections are open for network traffic:

Port-Collection	Port	Protocol	Application
Administrative Tools	21	TCP	ftp
	3389	TCP	ms-rdp
	23	TCP	telnet
	5900	TCP	vnc
	22	TCP	ssh
	5938	TCP/UDP	teamviewer
Communication	3478-3481	UDP	Skype
	49152-65535	UDP
	49152-65535	TCP
	5222	TCP	Google Push-Notifications
	5223	UDP
	5228	TCP
VOIP	5060	UDP	SIP/RTP
VOIP	7070-7089	UDP	SIP/RTP
VPN	1194	TCP	OpenVPN
	1194	UDP	OpenVPN
	500	UDP	IPSec
	4500	UDP & ESP	IPSec
	1701	UDP	L2TP
Mail	25	TCP	smtp
	587	TCP	smtp
	465	TCP	smtps
	110	TCP	pop3
	995	TCP	pop3
	143	TCP	imap
	993	TCP	imap

SSL interception

Default

Defines whether or not to intercept SSL traffic. The default value is to intercept traffic based on content filter response.

Content-Filter Allowlist

Add entries

Click box: Web pages that are to be added to a allowlist. Possible entries: Contentfilter

Content-Filter Blocklist

Add entries

Click box: Websites that are to be added to a blocklist.

Disable for SSIDs

Add SSIDs

Enter WLAN SSIDs for which the security features shall be disabled.

Disable for IP addresses

Add IPs

IP addresses or networks can be entered for which the security functions are to be deactivated, i.e. the individual host 192.0.2.192/32 or the entire subnet 192.0.2.0/24. For address blocks with less than three digits, a dot must be entered or navigated within the mask using the cursor keys.

Exclude local WLAN from VPN

If enabled, a route is added that excludes the local WLAN IP range from the tunnel.

Security settings

VPN-Konfigurationen

notempty

New as of: 1.32

Zeigt eine Auflistung sämtlicher Roadwarrior-Verbindungen an, die mit diesem Profil verbunden sind.
Über können neue Verbindungen erstellt werden.
Weitere Informationen sind im folgendem Wiki-Artikel zu finden.

Roadwarrior:

Aliasname der Roadwarrior-Verbindung, das Transfernetz, die Core-UTM und die benutzten IPs.
Per Klick auf den Aliasnamen erfolgt eine Weiterleitung auf die entsprechende VPN-Konfiguration.

VPN on Demand:

Bei Aktivierung wird diese Verbindung sofort gestartet, wenn sie als aktive Verbindung ausgewählt wird.
Bei einem Verbindungsabbruch wird sie automatisch neu gestartet.
Diese Einstellung kann auf dem Gerät vom Benutzer selbst anschließend verändert werden.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Lock screen Message

Information that can be displayed on the login screen and lock screen.
Devices used by different people

Shared device in Apple terminology

can thus display accessible information for everyone (e.g. an inventory number).

notempty

Supervised devices only.

The values are taken from the user settings of the user to whom the respective device is assigned

Variable name in profiles	Description	Example
$username$ alternative names: %device_user% %device_user_username%	Username	jdoe
$emailaddress$ alternative name: %device_email%	Email address	jdoe@ttt-point.de
$firstname$ alternative name: %device_user_firstname%	First name	John
$lastname$ alternative name: %device_user_lastname%	Last name	Doe
$name$ alternative name: %device_user_name%	First name and surname	John Doe
$variable1$ alternative name: %variable1%	custom value	jdoe/ttt-point.local
$variable2$ alternative name: %variable2%	custom value
$variable3$ alternative name: %variable3%	custom value
$device_name$ alternative name: %device_name%	Only for iOS: The name assigned on the phone (see: Settings → General → Info → Name) This variable can also be used in iOS profiles in the Shared device section	Cell phone from Markus Müller
$device_alias$ alternative name: %device_alias%	Only for iOS: The alias assigned in the portal. If the alias is not assigned, the device_name is displayed. This variable can also be used in iOS profiles in the Shared device section	Tablet Storage1
Defining the values in the user administration in the portal under: General Users or for the device alias in the device tile. To avoid input errors, different variable names are possible for compatibility reasons. A distinction between Android and iOS is no longer necessary.

Caption	Default	Description
Activate configuration		After setting this, you can set the shared device configuration. Shared device configuration options allow you to specify optional text to be displayed in the login window and lock screen (i.e. a ”If lost, return to” message and Asset Tag information). It is supported on iOS 9.3 and later.
Lock screen footnote	Enter display text	Optional. A footnote displayed on the login window and lock screen.
Asset Tag Information	Enter display text	Optional. Asset tag information for the device, displayed on the login window and lock screen. Example: This device belongs to the company TTT-Point AG. The device is called %device_name% and is managed under %device_alias%.

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Declarative management

Declarative management notempty

New as of 05.2023 (v1.15)

Apple devices have various system information that (according to Apple's conception at least) can theoretically change.
With Apple's declarative management, device information can be kept up to date in the portal via status reports.

Here you can configure which of these values are automatically transmitted to the MDM portal when changes are made.
The display in the device dashboard then does not need to be updated manually.

The Changes are logged in the Operations Log menu item in the device details.

notempty

For privacy reasons, the options can be enabled or disabled individually.

For full functionality the iOS iPadOS tvOS version 16.1 is required

Caption	Default	Description	Available as of version	Menu option Status message
Activate configuration		When activated , the details of the status information can be specified.
Model family		A string that describes the hardware family of the device, such as Mac, iPhone, or iPad.	iOS 15.0 iPadOS 15.0
Model identifier		A status report of the device’s hardware identifier.	iOS 15.0 iPadOS 15.0
Model name		A string that identifies the device’s marketing name, such as iPhone 12.	iOS 15.0 iPadOS 15.0
OS build version		A string that identifies the operating system’s build version on the device, such as 18F132.	iOS 15.0 iPadOS 15.0
OS family		A string that identifies the operating system family in use on the device, such as macOS or iOS.	iOS 15.0 iPadOS 15.0
OS version		A string that identifies the operating system’s version in use on the device, such as 15.0.	iOS 15.0 iPadOS 15.0
OS name		A string that identifies the operating system’s marketing name in use on the device, such as Catalina.	iOS 15.0 iPadOS 15.0
OS supplemental build version		Identifies the operating system’s build and rapid security response versions in use on the device (for example, 20A123a, or 20B27c).	iOS 16.1 iPadOS 16.1
OS supplemental extra version		Identifies the operating system’s rapid security response version in use on the device (for example, a).	iOS 16.1 iPadOS 16.1
Passcode compliance		If true, the passcode is in compliance with all passcode policies set on the device. If false, the passcode isn’t in compliance with one or more passcode policies set on the device. When there are no passcode policies on the device, this value true.	iOS 16.0 iPadOS 16.0
Passcode presence		If true, a passcode is present on the device. If false, a passcode isn’t present on the device. When a passcode is present, the specific attributes of the passcode (length, number of complex characters, etc), isn’t reported.	iOS 16.0 iPadOS 16.0
MDM app		The applications installed by Securepoint MDM. The details can also be found in the overview in the menu option Applications.	iOS 16.0 iPadOS 16.0

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Caption	Value	Description	Mobileconfig menu item
	Upload	Opens a system dialog for uploading a mobile configuration from the Apple Configurator II
All values are purely for information. They are defined by the .mobileconfig and cannot be changed
Name		Name of the configuration
Type	Configuration	File type
	1	Version of the file
Identifier		Can be set manually in the Apple Configurator (composed of the device name and a string)
		Clear identification
Replace		Opens the dialog for importing a configuration that replaces an existing configuration
Delete		Deletes configuration from the devices

Schließen	Schließt den Reiter ohne Änderungen zu übernehmen
Speichern	Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

Preamble

Overview of profile management

General Options

Profile tile

Profile-Options

Details displayed in the profile tile:

Profile information

Copy & paste of profiles

Configuration iOS profile Device

General iOS

Restrictions

General restrictions

Classroom-App

Restrictions for supervised devices

Notification settings

Passcode

Apps

Profil ab Portalversion 1.31 angelegt

Profil vor Portalversion 1.31 angelegt

App-Lock (Kiosk mode)

Home screen layout

Wallpaper

Networks

Network configurations

EAP-Client / WPA2 Enterprise

Global HTTP proxy

Email & Exchange Active Sync

Exchange accounts

Example: Office365 accountsExample: Office365 accounts

Calendar

Calendar with user account

Add subscription

CardDav

Google account

AirPrint

Certificates

Security iOS

VPN-Konfigurationen

Lock screen Message

Declarative management