Configure Policies or Restrictions on iOS
  • 27 Feb 2024
  • 9 Minutes to read
  • PDF

Configure Policies or Restrictions on iOS

  • PDF

Article Summary

The Restrictions section of an iOS Device Profile is a collection of various settings that can be configured so that can be applied on a device.

Assuming that you are creating or editing an iOS Device Profile in Scalefusion Dashboard, once you navigate to the Restrictions tab you would see the following screen.

Described below are the various options available.

Single App Mode & Autonomous Single App Mode

From the list of applications that you have allowed, choose one application run always. This helps you in setting up the device as a Kiosk. You can choose additional settings as well. Please read our How to Setup an iOS Device as Kiosk to learn more.

Alternatively you may want to set some applications that can put themselves into Single App Mode autonomously, that is as and when they want or scheduled. This feature to enter into Single app mode is dependent on the application, and some applications offer this. If you are using such applications that support this feature, then refer to How to Setup Apps in Autonomous Single App Mode.

Network Settings

A collection of network-related settings that lets you control Network settings. These are:

  1. Wifi Configuration - Select a Wifi configuration and enforce it on a Supervised device.
  2. Hotspot Setting - Choose whether the user can turn on/off the hotspot.
  3. Roaming Setting - Choose to enable/disable the Voice and Data roaming settings.
  4. Configure eSIM settings - Scalefusion allows configuring eSIMs and deploying the configuration to eSIM-supported iOS devices to remotely trigger and automate the download and installation of an eSIM on a managed device. All you need is an eSIM URL that is purchased from network providers.
    This feature is supported on iPad with OS version 13 and later and on iPhone with iOS 14 and later
    This feature is in the Beta phase
    1. In iOS Device profile, navigate to Restrictions > Network Settings. Scroll down to Configure eSIM settings.
    2. Here, enter the network provider URL. This URL is provided by your network provider
      1. Allow eSIM modification: If this setting is unchecked, it will restrict users from modifying eSIM settings on the device. By default it is checked.
    3. When the profile is applied on devices, it will activate the eSIM aka cellular plan on devices with the eSIM configurations.

Safari Settings

In this section you can control Safari related settings,

  1. Enable Safari - If you have Allowed websites then this cannot be disabled.
  2. Allow AutoFill - Choose to Allow/Restrict the user to turn on/off the Auto-Fill feature.
  3. Allow Javascript - Choose to Allow/Restrict javascript to run.
  4. Allow PopUps - Choose to Allow/Restrict pop-up tabs.

Content Filtering

Use these settings to control the browsing experience on the iOS devices, with access to the websites and apply Safari's content-filtering algorithms.

These settings work only on Supervised devices

Put a check in front of Configure Content Filtering to enable the settings

SettingDescription

Access to Allowed Sites Only

Enable this setting if you want to provide access only to the websites that are enabled under the Allowed Websites section.

Limit Access to Adult Websites and Allow the pre-selected URLs

Enable this setting to enforce Apple's inbuilt content filtering mechanism, which will apply to all websites. However, the websites selected in the Allowed websites section will be allowed.

Do not restrict browsing; only Add WebClips based on Allowed URLs

Select this option if you don't want to apply any sort of content-filtering but just want to place Web-Clips on home screen based on the visibility of Allowed websites.

When creating a new Profile and if you have selected at-least one Website then selecting this option is mandatory and admin is shown a warning when trying to save the profile.

iCloud & Siri Settings

Please find below the list of settings that are available.

SettingsDescriptionSupport

Allow iCloud Backup

Allow/Restrict backing up the device to iCloud

All

Allow iCloud Keychain Sync

Allow/Restrict iCloud keychain restriction.

All
Allow SiriAllow/Restrict usage of Siri.All
Force Siri Profanity filterForce the use of Siri’s profanity filter.

Supervised

Allow iCloud Documents Sync

Allow/Restrict document and key-value syncing to iCloud.

Supervised

Lock Screen Settings

A collection of documents that drive the experience on Lock Screen that can be applied to all iOS devices.

SettingsDescription

  Support

Allow Touch-ID for UnlockAllow/ Restrict users to use Touch Id for unlocking devices. If the setting is already enabled, then the user will not be able to change it.All
Allow Lock Screen Control CenterAllow/Restrict the Control Center on the Lock screen.All
Allow Lock Screen Notification ViewAllow/Restrict Notifications view on the Lock screen.All
Allow Lock Screen Today ViewAllow/Restrict Today View notifications when the device is locked.All
Allow Passbook NotificationsAllow/Restrict the usage of the passbook on the lock screen.All
Allow Assistant while LockedAllow Siri on Lock screen. Works only if Siri is Allowed in iCloud and Siri settings.All
Allow Voice DialingDisable Voice dialing using Siri on Lock screen.All

App Settings

A collection of application-related settings, that can be enforced on the devices.

SettingsDescriptionSupport
Allow trust for Enterprise AppsIf set to false, remove the Trust Enterprise Developer button in Settings->General->Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts, but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust.All
Allow iMessageAllow/Restrict the use of the Messages app.Supervised
Allow App InstallationAllow/Restrict the installation of apps. Enables App Store on devices.Supervised

Allow Interactive Apps InstallationWhen disallowed, the App Store is disabled, and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps.Supervised

Allow App RemovalAllow/Restrict removal of applicationsSupervised
Allow System App RemovalAllow/Restrict removal of system applications from iOS 11.0.Supervised
Allow iTunes App

Allow/Restrict use of iTunes Application.

Supervised
Allow NewsAllow/Restrict the users to add the News widget.Supervised
Allow PodcastsAllow/Restrict the use of Podcasts app.Supervised
Allow Music ServiceIf disallowed Music service is disabled and Music app reverts to classic mode.Supervised
Allow BookstoreAllow/Restrict iBook store app.Supervised
Allow AirDrop

Allow/Restrict the usage of AirDrop.

Supervised

Application Management Settings

In this section, admin can configure settings that give control to users over how Applications published from the Dashboard are installed on the managed devices. This can be done by enabling the application catalog. To know more about the app catalog, click here.

OS Updates

Use this section to choose a delay time for the new iOS Updates. iOS does not allow to completely block the updates indefinitely. You can delay from a minimum of 30 days to a maximum of 90 days. To defer the OS Updates follow the steps below:

  1. Click on OS Updates and enable Defer Software Updates
  2. Enter a value between 30 to 90.

Email & Exchange Settings

Use this section to select the Email or Exchange configurations that you want to publish to the devices in this Device Profile. You can select one or multiple configurations to be pushed on the devices. To learn how to create Exchange and Email configurations, please refer to our document here.

Work Data Settings

These settings help you control the exchange of data between Managed (work) apps and non-Managed (personal apps). These settings work on all iOS devices irrespective of they are Supervised or not (min.OS version required), and help you secure the corporate data by preventing the Unmanaged applications from being used to view/open Managed data. The settings offered are:

SettingDescription
Allow Open From Managed to UnmanagedAllow Work documents/files to be opened via Unmanaged apps. Disabling this prevents the Unmanaged apps from being listed in the Share menu.
Allow Managed Apps to write contacts to Unmanaged contact accountsAllow Managed apps to add/edit contact information to Unmanaged contact accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work
Allow UnManaged Apps to read contacts to Managed contact accountsAllow Unmanaged applications to add/edit contacts to Work managed accounts. his setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work
Allow Work Documents to be Shared via AirdropAllow Work documents/files from managed applications to be shared via Airdrop. This setting will be forced to true if Allow Open From Managed to Unmanaged is true.
Block Copy/Paste from Managed apps to Unmanaged appsBlocks copy and paste actions done from managed to unmanaged apps. When this setting is enabled, and if you try to copy anything from a managed application onto an unmanaged one, the following message will appear:
This setting will not work if Allow Open From Managed to Unmanaged setting is also enabled

Allow Open Documents From Managed to UnmanagedAllow non-Work documents/files to be opened via Managed applications. Enabling this will cause the managed apps to be shown in the Share menu of unmanaged apps.

Certificates

Use this section to install and deploy certificates on your managed devices. The certificates uploaded via Enterprise > Certificate Management are listed here. To learn more about how certificates can be applied on managed devices, please refer to the document here.

Custom Settings

By using the Custom Settings feature of a Scalefusion iOS Profile, IT Admins can use a top-notch XML editor and push a Custom Payload directly to the devices. Hence, with this admins will now be able to add those features for Mac and iOS which are not yet offered under Scalefusion. To learn more about Custom Settings feature, click here.

General Settings

A collection of common settings that can be enforced on devices.

SettingsDescriptionSupport
Allow CameraAllow/Restrict the usage of Camera. Required to be Allowed if you want to use the Photobooth app.All
Allow ScreenShotAllow/Restrict users to take screenshot.All
Force Encrypted BackupsAllow/Restrict users to enforce encrypted backups where they can set a password for encrypted files while taking backup. This option is unchecked by default.All
Allow Enabling RestrictionsAllow/Restrict users to access Restrictions in Settings.Supervised
Allow Erase Content and SettingsAllow/Restrict users to erase all the content and settings on the device.Supervised
Allow Account ModificationAllow/Restrict the users to modify the iTunes account configured on the device. Note that if it is disallowed and an iTunes account is not already configured on the device, then the Apps pushed from the Apple App Store will not be installed.Supervised
Allow Device Name ModificationAllow/Restrict users to modify the name of the device.Supervised
Allow Wallpaper ModificationAllow/Restrict users to modify wallpaper of the device.Supervised
Allow Connection with Apple DevicesAllow/Restrict the devices to be connected to other Apple devices. If disallowed, host pairing is disabled with the exception of the computer that you used for supervisioning. If no supervision host certificate has been configured, all pairing is disabled.Supervised
Allow VPN CreationAllow/Restrict users to create VPN connections.Supervised
Allow Explicit ContentWhen disallowed, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels when sold through the iTunes Store.Supervised
Allow Bluetooth Settings ModificationAllow/Restrict the users to modify Bluetooth settings.Supervised
Allow Open From Managed to UnmanagedAllow documents to be opened in unmanaged applications from managed.Supervised
Allow UI Configuration Profile InstallationYou are allowed to install the UI Configuration profile.Supervised
Allow Passcode ModificationDisable this setting if you do not want your end users to change or set a password. Note: You cannot apply a passcode policy if this setting is disabled.Supervised
Allow Files USB Drive Access
  • If unchecked, iOS will prevent connecting to any USB devices in the Files App.
  • If checked, connected USB devices will show up in the Files App to access the files/data.
Supervised
Allow USB Restricted ModeThis option dictates whether or not a locked iOS devices recognizes a USB accessory.
  • If it is checked, then it won't recognize the USB accessories and restrict them while locked.
  • If it is unchecked, then there is no restriction and USB accessories can be connected while the device is locked.
Supervised

Scalefusion Agent Settings

These settings will work only if Scalefusion Agent for iOS is published on this profile.
Block Screenshot / Screen-Recording of the Scalefusion App

Enabling this setting will block the end user from recording the screen or take screenshots of the Scalefusion MDM Client app. When this setting is enabled, and you try to take screenshot you will see a black screen. 

Allow users to import files into Scalefusion App

Enabling this feature allows organizations to import and open files using the Scalefusion app without using third-party applications thereby acting as a secure file explorer. To open a file in Scalefusion app on the device:

  1. On the device, click on the file there is an option Share. Click on it.
  2. Now click on Import to Scalefusion
  3. The files will be imported and displayed inside Scalefusion MDM app, under Imported section
  4. Now you can securely access the files from here by clicking on View

You can import files upto 100MB and view all common file types.



Was this article helpful?