Configure Policies or Restrictions on iOS
- Updated on 27 Feb 2024
The Restrictions section of an iOS Device Profile is a collection of settings that can be configured and applied on a device.
This page assumes that you are creating or editing an iOS Device Profile in the Scalefusion Dashboard and have navigated to the Restrictions tab.
Described below are the various options available.
Single App Mode & Autonomous Single App Mode
From the list of applications that you have allowed, choose one application to run always. This helps you set up the device as a Kiosk. You can choose additional settings as well. Please read our How to Setup an iOS Device as Kiosk to learn more.
Alternatively, you may want to allow some applications to put themselves into Single App Mode autonomously, that is, whenever they need to or on a schedule. The ability to enter Single App Mode depends on the application, and only some applications offer it. If you are using applications that support this feature, refer to How to Setup Apps in Autonomous Single App Mode.
A collection of settings that lets you control the network configuration of the device. These are:
- Wifi Configuration - Select a Wifi configuration and enforce it on a Supervised device.
- Hotspot Setting - Choose whether the user can turn on/off the hotspot.
- Roaming Setting - Choose to enable/disable the Voice and Data roaming settings.
- Configure eSIM settings - Scalefusion allows configuring eSIMs and deploying the configuration to eSIM-supported iOS devices to remotely trigger and automate the download and installation of an eSIM on a managed device. All you need is an eSIM URL that is purchased from network providers. This feature is supported on iPad with OS version 13 and later and on iPhone with iOS 14 and later. This feature is in the Beta phase.
  - In the iOS Device Profile, navigate to Restrictions > Network Settings. Scroll down to Configure eSIM settings.
  - Here, enter the network provider URL. This URL is provided by your network provider.
  - Allow eSIM modification: If this setting is unchecked, it will restrict users from modifying eSIM settings on the device. By default it is checked.
  - When the profile is applied on devices, it will activate the eSIM (that is, the cellular plan) on devices with the eSIM configurations.
In this section you can control Safari-related settings:
- Enable Safari - If you have Allowed websites then this cannot be disabled.
- Allow AutoFill - Choose to Allow/Restrict the user to turn on/off the Auto-Fill feature.
- Allow PopUps - Choose to Allow/Restrict pop-up tabs.
Use these settings to control the browsing experience on iOS devices by limiting access to websites and applying Safari's content-filtering algorithms.
These settings work only on Supervised devices.
Put a check in front of Configure Content Filtering to enable the settings.
| Setting | Description |
|---|---|
| Access to Allowed Sites Only | Enable this setting if you want to provide access only to the websites that are enabled under the Allowed Websites section. |
| Limit Access to Adult Websites and Allow the pre-selected URLs | Enable this setting to enforce Apple's inbuilt content filtering mechanism, which will apply to all websites. However, the websites selected in the Allowed Websites section will be allowed. |
| Do not restrict browsing; only Add WebClips based on Allowed URLs | Select this option if you don't want to apply any sort of content filtering but just want to place Web Clips on the home screen based on the visibility of Allowed websites. |

When creating a new Profile, if you have selected at least one website, then selecting this option is mandatory, and the admin is shown a warning when trying to save the profile.
iCloud & Siri Settings
Please find below the list of settings that are available.
| Setting | Description |
|---|---|
| Allow iCloud Backup | Allow/Restrict backing up the device to iCloud. |
| Allow iCloud Keychain Sync | Allow/Restrict iCloud Keychain sync. |
| | Allow/Restrict usage of Siri. |
| Force Siri Profanity filter | Force the use of Siri's profanity filter. |
| Allow iCloud Documents Sync | Allow/Restrict document and key-value syncing to iCloud. |
Lock Screen Settings
A collection of settings that drive the Lock Screen experience and can be applied to all iOS devices.

| Setting | Description |
|---|---|
| Allow Touch-ID for Unlock | Allow/Restrict users to use Touch ID for unlocking devices. If the setting is already enabled, then the user will not be able to change it. |
| Allow Lock Screen Control Center | Allow/Restrict the Control Center on the Lock screen. |
| Allow Lock Screen Notification View | Allow/Restrict Notifications view on the Lock screen. |
| Allow Lock Screen Today View | Allow/Restrict Today View notifications when the device is locked. |
| Allow Passbook Notifications | Allow/Restrict the usage of the passbook on the Lock screen. |
| Allow Assistant while Locked | Allow Siri on the Lock screen. Works only if Siri is Allowed in iCloud and Siri settings. |
| Allow Voice Dialing | Disable voice dialing using Siri on the Lock screen. |
A collection of application-related settings that can be enforced on the devices.

| Setting | Description |
|---|---|
| Allow trust for Enterprise Apps | If set to false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts, but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust. |
| | Allow/Restrict the use of the Messages app. |
| Allow App Installation | Allow/Restrict the installation of apps. Enables App Store on devices. |
| Allow Interactive Apps Installation | When disallowed, the App Store is disabled, and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps. |
| Allow App Removal | Allow/Restrict removal of applications. |
| Allow System App Removal | Allow/Restrict removal of system applications from iOS 11.0. |
| Allow iTunes App | Allow/Restrict use of the iTunes application. |
| | Allow/Restrict the users to add the News widget. |
| | Allow/Restrict the use of the Podcasts app. |
| Allow Music Service | If disallowed, Music service is disabled and the Music app reverts to classic mode. |
| | Allow/Restrict the iBook store app. |
| | Allow/Restrict the usage of AirDrop. |
Application Management Settings
In this section, the admin can configure settings that give users control over how applications published from the Dashboard are installed on the managed devices. This can be done by enabling the application catalog. To know more about the app catalog, click here.
Use this section to choose a delay time for new iOS updates. iOS does not allow updates to be blocked indefinitely. You can delay from a minimum of 30 days to a maximum of 90 days. To defer the OS updates, follow the steps below:
- Click on OS Updates and enable Defer Software Updates.
- Enter a value between 30 and 90.
Email & Exchange Settings
Use this section to select the Email or Exchange configurations that you want to publish to the devices in this Device Profile. You can select one or multiple configurations to be pushed on the devices. To learn how to create Exchange and Email configurations, please refer to our document here.
Work Data Settings
These settings help you control the exchange of data between Managed (work) apps and non-Managed (personal) apps. These settings work on all iOS devices irrespective of whether they are Supervised or not (a minimum OS version is required), and help you secure corporate data by preventing Unmanaged applications from being used to view/open Managed data. The settings offered are:

| Setting | Description |
|---|---|
| Allow Open From Managed to Unmanaged | Allow Work documents/files to be opened via Unmanaged apps. Disabling this prevents the Unmanaged apps from being listed in the Share menu. |
| Allow Managed Apps to write contacts to Unmanaged contact accounts | Allow Managed apps to add/edit contact information to Unmanaged contact accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work. |
| Allow UnManaged Apps to read contacts to Managed contact accounts | Allow Unmanaged applications to add/edit contacts to Work managed accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work. |
| Allow Work Documents to be Shared via Airdrop | Allow Work documents/files from managed applications to be shared via AirDrop. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. |
| Block Copy/Paste from Managed apps to Unmanaged apps | Blocks copy and paste actions done from managed to unmanaged apps. When this setting is enabled and you try to copy anything from a managed application into an unmanaged one, a message will appear. This setting will not work if the Allow Open From Managed to Unmanaged setting is also enabled. |
| Allow Open Documents From Managed to Unmanaged | Allow non-Work documents/files to be opened via Managed applications. Enabling this will cause the managed apps to be shown in the Share menu of unmanaged apps. |
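The overrides described in this section can be checked before a profile is published. The following Python sketch is an added example, not Scalefusion code: it assumes the dashboard options are backed by the Apple Restrictions payload (`com.apple.applicationaccess`) keys named in `CHECKS`, that absent keys take the values in `DEFAULTS`, and it runs on a constructed sample profile.

```python
import plistlib

# Constructed sample: a profile carrying one Restrictions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><true/>
    <key>requireManagedPasteboard</key><true/>
    <key>forceAirDropUnmanaged</key><true/>
    <key>allowManagedToWriteUnmanagedContacts</key><false/>
  </dict></array></dict></plist>"""

# Assumption: values used when a key is absent from the payload.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,
    "requireManagedPasteboard": False,
    "forceAirDropUnmanaged": False,
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
}

# Assumed mapping: (payload key, value that restricts, dashboard option it backs).
CHECKS = [
    ("requireManagedPasteboard", True, "Block Copy/Paste"),
    ("forceAirDropUnmanaged", True, "AirDrop sharing of work documents"),
    ("allowManagedToWriteUnmanagedContacts", False, "Managed apps writing unmanaged contacts"),
    ("allowUnmanagedToReadManagedContacts", False, "Unmanaged apps reading managed contacts"),
]

def load_restrictions(profile_bytes):
    """Merge every Restrictions payload in the profile over DEFAULTS."""
    merged = dict(DEFAULTS)
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update({k: v for k, v in payload.items() if k in DEFAULTS})
    return merged

def audit_work_data(r):
    """List work-data leak paths and restrictions that are set but ineffective."""
    open_in = r["allowOpenFromManagedToUnmanaged"]
    findings = ["Open-in: work documents can be opened in unmanaged apps"] if open_in else []
    for key, restrictive, label in CHECKS:
        restricted = r[key] == restrictive
        if open_in and restricted:
            findings.append(f"{label}: restricted, but overridden while open-in is allowed")
        elif not open_in and not restricted:
            findings.append(f"{label}: not restricted")
    return findings
```

An empty result from `audit_work_data` means every work-data path covered by `CHECKS` is closed and no configured restriction is being overridden.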
Use this section to install and deploy certificates on your managed devices. The certificates uploaded via Enterprise > Certificate Management are listed here. To learn more about how certificates can be applied on managed devices, please refer to the document here.
By using the Custom Settings feature of a Scalefusion iOS Profile, IT Admins can use a top-notch XML editor and push a Custom Payload directly to the devices. With this, admins can add features for Mac and iOS that are not yet offered under Scalefusion. To learn more about the Custom Settings feature, click here.
A collection of common settings that can be enforced on devices.
| Setting | Description |
|---|---|
| | Allow/Restrict the usage of Camera. Required to be Allowed if you want to use the Photobooth app. |
| | Allow/Restrict users to take screenshots. |
| Force Encrypted Backups | Allow/Restrict users to enforce encrypted backups where they can set a password for encrypted files while taking a backup. This option is unchecked by default. |
| Allow Enabling Restrictions | Allow/Restrict users to access Restrictions in Settings. |
| Allow Erase Content and Settings | Allow/Restrict users to erase all the content and settings on the device. |
| Allow Account Modification | Allow/Restrict the users to modify the iTunes account configured on the device. Note that if it is disallowed and an iTunes account is not already configured on the device, then the Apps pushed from the Apple App Store will not be installed. |
| Allow Device Name Modification | Allow/Restrict users to modify the name of the device. |
| Allow Wallpaper Modification | Allow/Restrict users to modify the wallpaper of the device. |
| Allow Connection with Apple Devices | Allow/Restrict the devices to be connected to other Apple devices. If disallowed, host pairing is disabled with the exception of the computer that you used for supervision. If no supervision host certificate has been configured, all pairing is disabled. |
| Allow VPN Creation | Allow/Restrict users to create VPN connections. |
| Allow Explicit Content | When disallowed, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. |
| Allow Bluetooth Settings Modification | Allow/Restrict the users to modify Bluetooth settings. |
| Allow Open From Managed to Unmanaged | Allow documents to be opened in unmanaged applications from managed. |
| Allow UI Configuration Profile Installation | You are allowed to install the UI Configuration profile. |
| Allow Passcode Modification | Disable this setting if you do not want your end users to change or set a password. Note: You cannot apply a passcode policy if this setting is disabled. |
| Allow Files USB Drive Access | |
| Allow USB Restricted Mode | This option dictates whether or not a locked iOS device recognizes a USB accessory. |
Scalefusion Agent Settings
These settings will work only if Scalefusion Agent for iOS is published on this profile.
Block Screenshot / Screen-Recording of the Scalefusion App
Enabling this setting will block the end user from recording the screen or taking screenshots of the Scalefusion MDM Client app. When this setting is enabled and you try to take a screenshot, you will see a black screen.
Allow users to import files into Scalefusion App
Enabling this feature allows organizations to import and open files using the Scalefusion app without using third-party applications, so that the app acts as a secure file explorer. To open a file in the Scalefusion app on the device:
- On the device, click on the file; there is a Share option. Click on it.
- Now click on Import to Scalefusion.
- The files will be imported and displayed inside the Scalefusion MDM app, under the Imported section.
- Now you can securely access the files from here by clicking on View.