A restriction profile can be customized to control what applications, hardware, and functionality your end users can access. Use these restrictions to enhance productivity, protect end users and devices, and separate personal and corporate data.
To create a restriction profile, see Enforce Device Restrictions.
The following restrictions are a representative, but not exhaustive, list of options.
OS level software delay restrictions which allow you to hide iOS updates from end users for a specified number of days.
Delay Updates (Days)
Enable this option and specify the number of days to delay the software update. Number of days range from 1 to 90. (iOS 11.3 and later, Supervised devices). The number of days dictate the length of time after the release of the software update and not after the time of installation of the profile.
Device Functionality Restrictions
Device-level restrictions can disable the core device functionality such as the camera, FaceTime, Siri, and in-app purchases to help improve productivity and security.
- Restrict end users from modifying device Bluetooth settings. (iOS 10 and later).
- Prohibit the device screen captures to protect the corporate content on the device.
Disable Siri when the device is locked to prevent access to email, phone, and notes without the secure passcode (iOS 7 and later).
By default, end users can hold down the Home button to use Siri even when a device is locked. This feature can allow unauthorized users to gain access to the sensitive information and perform actions on a device they do not own. If your organization has strict security requirements, consider deploying a Restrictions profile that restricts the use of Siri while a device is locked.
- Prevent automatic syncing while roaming to reduce data charges.
- Prevents Touch ID from unlocking a device (iOS 7 and later).
- Restrict end users from modifying the personal hotspot setting on the device (iOS 12.2 and later, Supervised). Whether the restriction is enabled or disabled in the profile, you can override the personal hotspot setting using the PersonalHotspot Managed Settings command.
- Restrict the end user's logging request on Siri servers. When the restriction is disabled, Siri does not log end user logging data to the server.
- Restrict the end users from toggling on the Wi-Fi in the device's settings or control center (even when switching the Airplane Mode on or off) by enabling the Force on Wi-Fi on the UEM console (iOS 10.3 and later).
- Disable Files Network Drive Access to restrict the users from connecting to the network drives in the Files app (iOS 10.3 and later).
Featured iOS 8 Device Restrictions
- Disable Handoff, which can be used to start an activity on one device, locate other devices and resume activities on shared apps.
- Disable Internet search results in Spotlight. This restriction prevents suggested Websites from appearing when searching using Spotlight. (iOS 8 and later, Supervised)
- Disable configuration of the Restrictions setting. This permission allows administrators to override configuration of personal restrictions through the device’s Settings menu (iOS 8 and later, Supervised).
- Prevent the end user from erasing all content and settings on the device. This restriction prevents users from wiping and unenrolling the device (iOS 8 and later, Supervised).
- Disable the local data storage by backing up managed apps with iCloud.
- Disable the backup of enterprise books with iCloud.
- Prevent users from syncing notes and highlights in enterprise books with iCloud.
- Disable adding or removing existing Touch ID information (iOS 8.1.3 and later, Supervised).
- Disable Podcasts. This restriction prevents access to Apple's podcasts application (Supervised only).
Featured iOS 9 Restrictions
- Disable passcode modification, which prevents a device passcode from being added, changed or removed (Supervised only).
- Hide the App Store. This restriction disables the App Store and removes the icon from the Home Screen. End users can still use MDM to install or update their apps, giving full application control to the administrator (Supervised only).
- Disable automatic app download. This restriction prevents apps purchased on other devices from automatically syncing. This restriction does not affect updates to existing apps (Supervised only).
- Disable device name modification. This restriction prevents end users from changing the device name. Consider this restriction for shared and staged device deployments (Supervised only).
- Disable wallpaper modification. This restriction prevents the user from changing the device wallpaper (Supervised only).
- Disable AirDrop as an unmanaged drop destination, which prevents users from sending enterprise data or attachments from a managed application to AirDrop. This restriction also requires the restriction for Apple’s managed open in feature.
- Disable keyboard shortcuts to prevent users from creating and using keyboard shortcuts (Supervised only).
- Disable News to prevent access to Apple's News application (Supervised only).
- Disable iCloud Photo Library. This restriction prevents photos that are not fully downloaded from the library from being stored locally.
- Disable trust of external enterprise apps, which prevents end users from installing any untrusted enterprise-signed, unmanaged apps. Managed in-house enterprise apps are implicitly trusted.
- Disable video recording by restricting screen capture to prevent end users from capturing the device display.
- Disable Music service, which restricts the Music app from installing (iOS 8.3.3+, Supervised only).
Featured iOS 9.3 Restrictions
- Disable iTunes Radio service, which restricts iTunes Radio from installing. If Apple Music is not restricted, the Radio service shows in the Apple Music app (Supervised only).
Featured watchOS Restrictions
- Disable Apple Watch pairing, which unpairs and erases any currently paired Apple Watch (iOS 9 and later, Supervised).
- Enforce Wrist Detection, which locks an Apple Watch when not being worn.
Application-level restrictions disable certain applications such as YouTube, iTunes, and Safari, or some of their features, to enforce corporate use policies. Available restrictions include:
- Disable Autofill to ensure that sensitive information does not automatically appear on certain forms.
- Enable the Force Fraud Warning feature to force Safari to display a warning when end users visit suspected phishing Websites.
- Control cookie acceptance in Safari. You can set Safari to not accept any cookies or to accept cookies only from specific sites.
- Forbid access to the Game Center and multiplayer gaming to enforce corporate policies for device use while at work.
- Enable or disable the individual, native, and other applications by adding them to the Show Apps or the Hide Apps section. This restriction enables you to show or hide applications as required (for iOS 9.3 and later, Supervised only).
- For whitelisting the web clips, add the bundleID com.apple.webapp to the Show Apps text box.
For devices running iOS 7 and later, end users can store, back up or sync data on their devices to the iCloud, a collection of Apple servers. This data includes photos, videos, device settings, app data, messages, documents, and more. To align with your business needs, Workspace ONE UEM provides restrictions for iOS 7 and later devices that can disable iCloud or iCloud functionality if needed.
Exchange ActiveSync content (Mail, Contacts, Calendars, Tasks) and any mobile provision profiles are not synchronized to an end user's iCloud.
Setting Disabled on Device
|Restrict iCloud Configuration (device functionality restriction)|
Restrict the ability to sign into and configure iCloud settings
Allow Account Modification
Disables iCloud option under device Settings (iOS 7 and later, Supervised)
This restriction also prevents modification of other accounts such as email within device settings.
iCloud Management (granular iCloud restrictions)
Prevent users from backing up data to iCloud
|Turns off the "Backup" option under iCloud settings (iOS 7)|
Prevent users from storing documents and data to iCloud Drive
Allow document sync
Removes "iCloud Drive" option under iCloud settings (iOS 7)
|Prevent users from keeping password and credit card information in iCloud||Allow keychain sync||
Removes "Keychain" option under iCloud Settings (iOS 7)
|Prevent users of managed applications from storing documents to iCloud||Allow managed apps to store data||Disables managed applications from storing documents within iCloud drive (iOS 8)|
|Prevent users from backing up Enterprise books to iCloud||Allow backing up Enterprise books||Disables managed books from being backed up through iCloud or iTunes (iOS 8)|
|Prevent syncing of enterprise books, notes, highlights||Allow synchronizing Enterprise Books notes and highlights||Disables notes and highlights for Enterprise books within iBooks (iOS 8)|
|Prevent users from syncing photos to iCloud||Allow Photo Stream and Allow Shared Photo Stream||Remove the "Photos" option under iCloud Settings (iOS 7)|
|Prevent automatically uploading new photos and sending them to iCloud devices||Allow Shared Photo Stream||Disables "My Photo Stream" in "Photos" under iCloud Settings (iOS 7)|
iCloud backups only take place when:
- No restriction exists on iCloud backup.
- The iCloud toggle setting is enabled in on the device.
- Wi-Fi is enabled.
- The device is connected to a power source and locked.
Security and Privacy Restrictions
Security and privacy-based restrictions prohibit end users from performing certain actions that might violate corporate policy or otherwise compromise their device. Available restrictions include to:
- Prevent iOS 11.4.1 and later device users to enter passcode to initially connect or remain connected to USB accessories while the device is locked.
- Prevent user to trust unmanaged enterprise apps.
- Prevent force iTunes Store Password entry.
- Prevent diagnostic data, which includes location information and usage data, being sent to Apple to help improve the iOS software.
- Prevent end users from accepting untrusted TLS certificates so they cannot access Websites with invalid SSL certificates. If you permit untrusted TLS certificates, users are still notified of invalid certificates but can proceed if needed.
- Prevent over the air PKI updates.
- Force encrypted backups. Encrypted backups ensure all personal information, such as email account passwords or contact information, is encrypted when it is backed up and stored on devices.
- Prevent pairing with non-configurator hosts.
Prevent iOS 10.3 and later devices from connecting to unknown or malicious networks. Devices enabled with this restriction can only connect to managed WiFi networks. Select Force WiFi Whitelisting to enforce this restriction.
Media Content Restrictions
Ratings-based restrictions prevent access to certain content based on its rating, which is managed by region. Available restrictions include:
- Restrict access to adult or mature content on corporate-owned devices as part of a corporate policy.
- Prohibit access to apps with a 17+ age restriction during normal business hours.
- Block access to inappropriate or explicit iBook content on corporate-owned devices.