Profile configuration in the Restrictions tab
Last adaption: 11.2022
notempty
This article refers to a Resellerpreview
Partial configuration for profiles in the Mobile Security Portal.
Further information is displayed here:
- MS (← links)
- MS/deployment/profile-AppleTV (transclusion) (← links)
- MS/deployment/profile-shared-iPad (transclusion) (← links)
- MS/deployment/profile-Device (transclusion) (← links)
- MS/deployment/profile-User (transclusion) (← links)
Restrictions
Restrictions
Configuration by clicking on Activate restrictions
Numerous restrictions can be configured to control the behavior of a device.
List of possible restrictions with default values and explanations
General restrictions
General restrictions
Restriction | Default | Explanation |
---|---|---|
Demo-Dev-Einschränkung | Sollte nur im devWiki angezeigt werden | |
Allow automatic unlocking | If set to false, the automatic unlocking is disabled | |
Allow cloud address book | If set to false, the cloud address book will be disabled | |
Allow cloud bookmarks | If set to false, cloud bookmarks will be disabled | |
Allow cloud calendar | If set to false, the cloud calendar will be disabled | |
Allow cloud desktop & documents | If set to false, cloud desktop and documents will be disabled | |
Allow cloud mail | If set to false, cloud mail will be disabled | |
Allow cloud notes | If set to false, cloud notes will be disabled | |
Allow cloud reminders | If set to false, cloud reminders will be disabled | |
Allow content caching | If set to false, content caching will be disabled | |
Allow iTunes file sharing | If set to false, iTunes file sharing will be disabled | |
Allow automatic screen saver | Allow automatic screen saver | |
Allow lock screen ControlCenter | If set to false, the ControlCenter is disabled for the lock screen | |
Allow lock screen notifications to display | If set to false, the notification preview of the lock screen will be disabled | |
Allow lock screen view today | If set to false, today's lock screen view will be disabled | |
Allow to write unmanaged contacts | If set to false, writing unmanaged contacts will be disabled | |
Allow unmanaged reading of managed contacts | These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app | |
Allow OTAPKI updates | If set to false, OTAPKI updates are disabled | |
Allow temporary session of the shared device | If set to false, the temporary session of the shared device is disabled | |
Force password for outgoing AirPlay requests | If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password | |
Force encrypted backups | Force encrypted backups | |
Limit ad tracking | If set to true, ad tracking will be restricted | |
Dictation only | If set to true, connections to Siri servers for dictation are disabled | |
Force WLAN Allowlist | Join Wi-Fi networks installed by profiles only | |
Allow QuickPath keyboard | If set to inactive, the QuickPath keyboard is disabled | |
Allow network access for files | If inactive, the connection to network drives is prevented in the file app | |
Allow USB drive for files | When inactive, it prevents the File app from connecting to connected USB devices | |
Allow Find My Device | When inactive, Find My Device is disabled in the Find my App | |
Allow Find My Friends | When inactive, Find My Friends is disabled in the Find My app | |
Force WiFi activation | If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use. | |
Allow trusting enterprise apps | Required for future implementations Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple) | |
Allow screenshots and screen recording | Allows the user to take screenshots or screen recordings | |
Allow Apple Music | If set to false, Apple Music will be disabled in the Music app | |
Allow iTunes Radio | If set to false, iTunes Radio will be disabled in the Music app | |
Allow shared stream | If set to false, the shared stream is disabled | |
Allow Wallet while locked | If set to false, wallet notifications will not be shown on the lock screen | |
Allow use of News | Allows the user to access and use News | |
Allow modifying bluetooth settings | Allow modifying bluetooth settings | |
Allow modifying cellular data usage for app settings | If set to false, the mobile data uses for app settings cannot be changed | |
Allow modifying device name | Allows the user to change device names | |
Allow automatic sync while roaming | Allows automatic synchronization during roaming | |
Allow iCloud sync for managed apps | Allows iCloud synchronization for managed apps | |
Allow enterprise books backup | Allows enterprise books to be backed up | |
Allow enterprise books and highlights to sync | Allows enterprise books to synchronize notes and highlights | |
Allow email privacy | If activated, Apple's Mail Privacy Protection (AMPP) is activated | |
Allow In App purchases | Allows the user to make purchases within applications | |
Allow multiplayer gaming | Allows multiplayer gaming | |
Allow voice dialing while device is locked | Allows voice dialing while device is locked | |
Force Apple Watch wrist detection | Forces Apple watch wrist detection | |
Allow pairing with Apple Watch | Allows pairing with Apple Watch | |
Allow Internet results in Spotlight | If set to false, search results from the web will not be shown in Spotlight | |
Allow user to accept untrusted TLS certificates | Allows user to accept untrusted TLS certificates | |
Allow Photo Stream | Allows Photo Stream to be used on the device | |
Allow iCloud Photo Library | Allows iCloud photo library to be used on the device | |
Allow iCloud backup | Allows backup using iCloud | |
Allow personalized advertising | When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later. | |
Requires iTunes password for all purchases | Requires the user's iTunes password to be entered for every purchase | |
Apps ranking number | 1000 | Ranking number for apps |
Movies ranking number | 1000 | Ranking number for movies |
TV Shows ranking number | 1000 | Ranking number for TV Shows |
Region code | Germany | Two-character code for the region used to specify ratings |
Accept cookies in Safari | Never | Accept cookies: Does not accept cookies |
From current website only (iOS 8) or visited sites (pre-iOS 8) | Depending on iOS version: from iOS 8: Only from current website from iOS 8: Only from visited pages | |
From websites I visited | Accepts cookies from all visited websites | |
Always | Accepts all cookies | |
Allow JavaScript | AllowS JavaScript in Safari | |
Allow Pop-ups | AllowS Pop-ups in Safari | |
Enable fraud warning | Enables fraud warning in Safari | |
Force translation on the device only | When this option is enabled, the device does not connect to Siri servers for translation purposes | |
Allow unmanaged documents in managed apps | Allows managed apps to access unmanaged documents | |
Allow managed documents in unmanaged apps | Allows unmanaged apps to access managed documents | |
Managed clipboard required | When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | |
Treat AirDrop as unmanaged destination | ||
Allows Handoff | If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | |
Allow Touch ID/Face ID for unlocking | Allows touch ID/Face ID to unlock device | |
Fingerprint timeout | The time after which unlocking the fingerprint requires a password for authentication. Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week | |
Allow modifying notification settings | Allows modifying notification settings | |
Allow incoming AirPlay requests | Allows incoming AirPlay requests | |
Allow pairing with Remote app | Allows pairing with Remote app | |
Allow dictation | Allows dictation | |
Allow camera use | Allows the user to use the camera | |
Allow Siri | Allows Siri | |
Allow Siri while locked | Allows Siri while device is locked | |
Allow Siri user generated content | When inactive, it prevents Siri from querying requests with user-generated content | |
Allow modifying Touch ID/Face ID | The user is allowed to change the Touch ID/Face ID | |
Allow diagnostic submission | Send diagnostic and usage stats to Apple | |
Allow modifying diagnostics settings | The user is allowed to change the diagnostic settings |
For Apple TVsFor Apple TVs
Restriction | Default | Explanation |
---|---|---|
Demo-Dev-Einschränkung | Sollte nur im devWiki angezeigt werden | |
Allow automatic unlocking | If set to false, the automatic unlocking is disabled | |
Allow cloud address book | If set to false, the cloud address book will be disabled | |
Allow cloud bookmarks | If set to false, cloud bookmarks will be disabled | |
Allow cloud calendar | If set to false, the cloud calendar will be disabled | |
Allow cloud desktop & documents | If set to false, cloud desktop and documents will be disabled | |
Allow cloud mail | If set to false, cloud mail will be disabled | |
Allow cloud notes | If set to false, cloud notes will be disabled | |
Allow cloud reminders | If set to false, cloud reminders will be disabled | |
Allow content caching | If set to false, content caching will be disabled | |
Allow iTunes file sharing | If set to false, iTunes file sharing will be disabled | |
Allow automatic screen saver | Allow automatic screen saver | |
Allow lock screen ControlCenter | If set to false, the ControlCenter is disabled for the lock screen | |
Allow lock screen notifications to display | If set to false, the notification preview of the lock screen will be disabled | |
Allow lock screen view today | If set to false, today's lock screen view will be disabled | |
Allow to write unmanaged contacts | If set to false, writing unmanaged contacts will be disabled | |
Allow unmanaged reading of managed contacts | These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app | |
Allow OTAPKI updates | If set to false, OTAPKI updates are disabled | |
Allow temporary session of the shared device | If set to false, the temporary session of the shared device is disabled | |
Force password for outgoing AirPlay requests | If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password | |
Force encrypted backups | Force encrypted backups | |
Limit ad tracking | If set to true, ad tracking will be restricted | |
Dictation only | If set to true, connections to Siri servers for dictation are disabled | |
Force WLAN Allowlist | Join Wi-Fi networks installed by profiles only | |
Allow QuickPath keyboard | If set to inactive, the QuickPath keyboard is disabled | |
Allow network access for files | If inactive, the connection to network drives is prevented in the file app | |
Allow USB drive for files | When inactive, it prevents the File app from connecting to connected USB devices | |
Allow Find My Device | When inactive, Find My Device is disabled in the Find my App | |
Allow Find My Friends | When inactive, Find My Friends is disabled in the Find My app | |
Force WiFi activation | If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use. | |
Allow trusting enterprise apps | Required for future implementations Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple) | |
Allow screenshots and screen recording | Allows the user to take screenshots or screen recordings | |
Allow Apple Music | If set to false, Apple Music will be disabled in the Music app | |
Allow iTunes Radio | If set to false, iTunes Radio will be disabled in the Music app | |
Allow shared stream | If set to false, the shared stream is disabled | |
Allow Wallet while locked | If set to false, wallet notifications will not be shown on the lock screen | |
Allow use of News | Allows the user to access and use News | |
Allow modifying bluetooth settings | Allow modifying bluetooth settings | |
Allow modifying cellular data usage for app settings | If set to false, the mobile data uses for app settings cannot be changed | |
Allow modifying device name | Allows the user to change device names | |
Allow automatic sync while roaming | Allows automatic synchronization during roaming | |
Allow iCloud sync for managed apps | Allows iCloud synchronization for managed apps | |
Allow enterprise books backup | Allows enterprise books to be backed up | |
Allow enterprise books and highlights to sync | Allows enterprise books to synchronize notes and highlights | |
Allow email privacy | If activated, Apple's Mail Privacy Protection (AMPP) is activated | |
Allow In App purchases | Allows the user to make purchases within applications | |
Allow multiplayer gaming | Allows multiplayer gaming | |
Allow voice dialing while device is locked | Allows voice dialing while device is locked | |
Force Apple Watch wrist detection | Forces Apple watch wrist detection | |
Allow pairing with Apple Watch | Allows pairing with Apple Watch | |
Allow Internet results in Spotlight | If set to false, search results from the web will not be shown in Spotlight | |
Allow user to accept untrusted TLS certificates | Allows user to accept untrusted TLS certificates | |
Allow Photo Stream | Allows Photo Stream to be used on the device | |
Allow iCloud Photo Library | Allows iCloud photo library to be used on the device | |
Allow iCloud backup | Allows backup using iCloud | |
Allow personalized advertising | When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later. | |
Requires iTunes password for all purchases | Requires the user's iTunes password to be entered for every purchase | |
Apps ranking number | 1000 | Ranking number for apps |
Movies ranking number | 1000 | Ranking number for movies |
TV Shows ranking number | 1000 | Ranking number for TV Shows |
Region code | Germany | Two-character code for the region used to specify ratings |
Accept cookies in Safari | Never | Accept cookies: Does not accept cookies |
From current website only (iOS 8) or visited sites (pre-iOS 8) | Depending on iOS version: from iOS 8: Only from current website from iOS 8: Only from visited pages | |
From websites I visited | Accepts cookies from all visited websites | |
Always | Accepts all cookies | |
Allow JavaScript | AllowS JavaScript in Safari | |
Allow Pop-ups | AllowS Pop-ups in Safari | |
Enable fraud warning | Enables fraud warning in Safari | |
Force translation on the device only | When this option is enabled, the device does not connect to Siri servers for translation purposes | |
Allow unmanaged documents in managed apps | Allows managed apps to access unmanaged documents | |
Allow managed documents in unmanaged apps | Allows unmanaged apps to access managed documents | |
Managed clipboard required | When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | |
Treat AirDrop as unmanaged destination | ||
Allows Handoff | If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | |
Allow Touch ID/Face ID for unlocking | Allows touch ID/Face ID to unlock device | |
Fingerprint timeout | The time after which unlocking the fingerprint requires a password for authentication. Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week | |
Allow modifying notification settings | Allows modifying notification settings | |
Allow incoming AirPlay requests | Allows incoming AirPlay requests | |
Allow pairing with Remote app | Allows pairing with Remote app | |
Allow dictation | Allows dictation | |
Allow camera use | Allows the user to use the camera | |
Allow Siri | Allows Siri | |
Allow Siri while locked | Allows Siri while device is locked | |
Allow Siri user generated content | When inactive, it prevents Siri from querying requests with user-generated content | |
Allow modifying Touch ID/Face ID | The user is allowed to change the Touch ID/Face ID | |
Allow diagnostic submission | Send diagnostic and usage stats to Apple | |
Allow modifying diagnostics settings | The user is allowed to change the diagnostic settings |
For User EnrollmentFor User Enrollment
Restriction | Default | Explanation |
---|---|---|
Demo-Dev-Einschränkung | Sollte nur im devWiki angezeigt werden | |
Allow automatic unlocking | If set to false, the automatic unlocking is disabled | |
Allow cloud address book | If set to false, the cloud address book will be disabled | |
Allow cloud bookmarks | If set to false, cloud bookmarks will be disabled | |
Allow cloud calendar | If set to false, the cloud calendar will be disabled | |
Allow cloud desktop & documents | If set to false, cloud desktop and documents will be disabled | |
Allow cloud mail | If set to false, cloud mail will be disabled | |
Allow cloud notes | If set to false, cloud notes will be disabled | |
Allow cloud reminders | If set to false, cloud reminders will be disabled | |
Allow content caching | If set to false, content caching will be disabled | |
Allow iTunes file sharing | If set to false, iTunes file sharing will be disabled | |
Allow automatic screen saver | Allow automatic screen saver | |
Allow lock screen ControlCenter | If set to false, the ControlCenter is disabled for the lock screen | |
Allow lock screen notifications to display | If set to false, the notification preview of the lock screen will be disabled | |
Allow lock screen view today | If set to false, today's lock screen view will be disabled | |
Allow to write unmanaged contacts | If set to false, writing unmanaged contacts will be disabled | |
Allow unmanaged reading of managed contacts | These restrictions prevent unmanaged apps from accessing contacts of managed accounts and prevent managed apps from saving contacts in the local Contacts app | |
Allow OTAPKI updates | If set to false, OTAPKI updates are disabled | |
Allow temporary session of the shared device | If set to false, the temporary session of the shared device is disabled | |
Force password for outgoing AirPlay requests | If set to true, all devices receiving AirPlay requests from this device will be forced to use a pairing password | |
Force encrypted backups | Force encrypted backups | |
Limit ad tracking | If set to true, ad tracking will be restricted | |
Dictation only | If set to true, connections to Siri servers for dictation are disabled | |
Force WLAN Allowlist | Join Wi-Fi networks installed by profiles only | |
Allow QuickPath keyboard | If set to inactive, the QuickPath keyboard is disabled | |
Allow network access for files | If inactive, the connection to network drives is prevented in the file app | |
Allow USB drive for files | When inactive, it prevents the File app from connecting to connected USB devices | |
Allow Find My Device | When inactive, Find My Device is disabled in the Find my App | |
Allow Find My Friends | When inactive, Find My Friends is disabled in the Find My app | |
Force WiFi activation | If set to true, prevents Wi-Fi from being turned off in settings or control center, even by entering or leaving airplane mode. It does not prevent selecting which Wi-Fi network to use. | |
Allow trusting enterprise apps | Required for future implementations Allows the user to trust enterprise apps. (Apps that can be deployed without the iTunes App Store and don't need to be authorized by Apple) | |
Allow screenshots and screen recording | Allows the user to take screenshots or screen recordings | |
Allow Apple Music | If set to false, Apple Music will be disabled in the Music app | |
Allow iTunes Radio | If set to false, iTunes Radio will be disabled in the Music app | |
Allow shared stream | If set to false, the shared stream is disabled | |
Allow Wallet while locked | If set to false, wallet notifications will not be shown on the lock screen | |
Allow use of News | Allows the user to access and use News | |
Allow modifying bluetooth settings | Allow modifying bluetooth settings | |
Allow modifying cellular data usage for app settings | If set to false, the mobile data uses for app settings cannot be changed | |
Allow modifying device name | Allows the user to change device names | |
Allow automatic sync while roaming | Allows automatic synchronization during roaming | |
Allow iCloud sync for managed apps | Allows iCloud synchronization for managed apps | |
Allow enterprise books backup | Allows enterprise books to be backed up | |
Allow enterprise books and highlights to sync | Allows enterprise books to synchronize notes and highlights | |
Allow email privacy | If activated, Apple's Mail Privacy Protection (AMPP) is activated | |
Allow In App purchases | Allows the user to make purchases within applications | |
Allow multiplayer gaming | Allows multiplayer gaming | |
Allow voice dialing while device is locked | Allows voice dialing while device is locked | |
Force Apple Watch wrist detection | Forces Apple watch wrist detection | |
Allow pairing with Apple Watch | Allows pairing with Apple Watch | |
Allow Internet results in Spotlight | If set to false, search results from the web will not be shown in Spotlight | |
Allow user to accept untrusted TLS certificates | Allows user to accept untrusted TLS certificates | |
Allow Photo Stream | Allows Photo Stream to be used on the device | |
Allow iCloud Photo Library | Allows iCloud photo library to be used on the device | |
Allow iCloud backup | Allows backup using iCloud | |
Allow personalized advertising | When disabled, restricts Apple's personalized advertising. Available in iOS 14 and later. | |
Requires iTunes password for all purchases | Requires the user's iTunes password to be entered for every purchase | |
Apps ranking number | 1000 | Ranking number for apps |
Movies ranking number | 1000 | Ranking number for movies |
TV Shows ranking number | 1000 | Ranking number for TV Shows |
Region code | Germany | Two-character code for the region used to specify ratings |
Accept cookies in Safari | Never | Accept cookies: Does not accept cookies |
From current website only (iOS 8) or visited sites (pre-iOS 8) | Depending on iOS version: from iOS 8: Only from current website from iOS 8: Only from visited pages | |
From websites I visited | Accepts cookies from all visited websites | |
Always | Accepts all cookies | |
Allow JavaScript | AllowS JavaScript in Safari | |
Allow Pop-ups | AllowS Pop-ups in Safari | |
Enable fraud warning | Enables fraud warning in Safari | |
Force translation on the device only | When this option is enabled, the device does not connect to Siri servers for translation purposes | |
Allow unmanaged documents in managed apps | Allows managed apps to access unmanaged documents | |
Allow managed documents in unmanaged apps | Allows unmanaged apps to access managed documents | |
Managed clipboard required | When enabled, the copy and paste feature follows the "Allow open from managed to unmanaged" and "Allow open from unmanaged to managed" constraints. | |
Treat AirDrop as unmanaged destination | ||
Allows Handoff | If this value is set to "false", handoff is deactivated. Handoff allows you to continue an activity started on an iOS-device on another device. | |
Allow Touch ID/Face ID for unlocking | Allows touch ID/Face ID to unlock device | |
Fingerprint timeout | The time after which unlocking the fingerprint requires a password for authentication. Possible values: 1, 6, 12 hours, 1, 2, 3 days or 1 week | |
Allow modifying notification settings | Allows modifying notification settings | |
Allow incoming AirPlay requests | Allows incoming AirPlay requests | |
Allow pairing with Remote app | Allows pairing with Remote app | |
Allow dictation | Allows dictation | |
Allow camera use | Allows the user to use the camera | |
Allow Siri | Allows Siri | |
Allow Siri while locked | Allows Siri while device is locked | |
Allow Siri user generated content | When inactive, it prevents Siri from querying requests with user-generated content | |
Allow modifying Touch ID/Face ID | The user is allowed to change the Touch ID/Face ID | |
Allow diagnostic submission | Send diagnostic and usage stats to Apple | |
Allow modifying diagnostics settings | The user is allowed to change the diagnostic settings |
Classroom-App
Classroom-AppThe Classroom App is available free of charge in the App-Store and offers possibilities for use in school classes.
Important restrictions can be configured here.
Restriction | Default | Explanation |
---|---|---|
Allow remote screen monitoring | If not allowed, remote screen monitoring is disabled by the Classroom app. When screenshots are disabled, the Classroom app does not observe remote screens. | |
Force courses to be joined automatically | If enforced, the instructor's requests are automatically accepted without prompting the student. | |
Force permission to leave classes | If enforced, a student enrolled in an unmanaged course through Classroom must ask the instructor for permission to leave the course. | |
Force app and device lock | If enforced, the teacher can lock apps or the device without prompting the student. | |
Force screen monitoring | When enforced and remote screen monitoring is allowed, a student enrolled in a managed course through the classroom app automatically grants permission to watch the screen without being prompted. |
Restrictions for supervised devices
Restrictions for supervised devicesA range of restrictions is only available for devices in the Supervised embedding mode.
For Apple TVsFor Apple TVs