iOS policies are divided into six categories, which are explained in the following lines:
Passcode
When enabled, this category defines passcode settings like complexity, history, etc. See the table below to see the different settings controlled by this category.
| Setting | Definition |
| Require alphanumeric value | Switch that, when activated, enforces the use of both numbers (123) and alphabetical characters (Abc) in the passcode. The “Require alphanumeric value” and “Allow simple passcode” switches are mutually exclusive. |
| Allow simple passcode | Switch that, when activated, allows entry of a simple passcode. Simple passcodes may contain repeated characters or increasing or decreasing characters (123 or CBA).). The “Require alphanumeric value” and “Allow simple passcode” switches are mutually exclusive. |
| Maximum number of failed attempts | The number of allowed failed attempts when entering the passcode at the device’s lock screen. After six failed attempts, a time delay is imposed before a passcode can be entered again. The delay increases with each attempt. If a user’s failed attempts exceed the number set in the policy, then the device will be wiped. |
| Maximum passcode age (days) | The number of days for which the passcode can remain unchanged. After this number of days, the user is required to change the passcode before the device is unlocked. If set to zero (0), then the passcode will not time out. This property is ignored for User Enrollments. |
| Maximum grace period for device lock | The period to unlock the phone without entering a passcode. When the grace period expires, the device is auto locked by the system and the user will be prompted to enter their passcode. |
| Minimum number of complex characters | A complex (or ‘special’) character is a character other than a number or a letter, such as & % $ #. This property is ignored for User Enrollments. |
| Minimum passcode length | This parameter is independent of the optional ‘Minimum number of complex characters’ setting. |
| Passcode history | The number set here defines the number of passcode entries that can be applied before a new, unique passcode must be created. For example, if this requirement is set to “3” then a user can reset their password to something they used in the past up to three times before they need to apply different characters. |
| Maximum auto-lock | The number of minutes for which the device can be idle before it gets locked by the system. When this limit is reached, the device is locked, and the passcode must be entered. The user can edit this setting on their device, but the value cannot exceed the policy setting. |
Table 8. iOS policy passcode settings.
Restrictions
Through this category, there is a series of restrictions that can be applied, they are divided into Functionality, Application, Network, Security & Privacy, Media, iCloud and Classroom. Some restrictions apply to supervised, others to unsupervised. All restrictions are displayed under their appropriate category and can be filtered using the Category dropdown at the top of the page; they can be enabled or disabled by checking/unchecking the box next to the restriction name. The policy configuration will be sent to all devices managed by the policy. Refer to the sections below for an explanation of each restriction.
Functionality restrictions
The table below explains the functionality restrictions for iOS policies. Some apply to supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow modifying account settings | Functionality | Supervised | If unchecked, it prohibits account modification. Requires a supervised device. |
| Allow Handoff | Functionality | Unsupervised. | If unchecked, it prohibits activity continuation. |
| Allow AirDrop | Functionality | Supervised | If checked, allows AirDrop sharing. |
| Allow AirPrint | Functionality | Supervised | Requires a supervised device. Available in iOS 11 and later |
| Allow Storage AirPrint credentials in Keychain.
(Requires Allow AirPrint enabled). |
Functionality | Supervised | Enables keychain storage of username and password for AirPrint. Requires a supervised device. |
| Allow Storage AirPrint credentials in Keychain.
(Requires Allow AirPrint enabled). |
Functionality | Supervised | Enables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires a supervised device. Available in iOS 11 and later. |
| Disallow AirPrint to destinations with untrusted certificates.
(Requires Allow AirPrint enabled). |
Functionality | Supervised | Disallow AirPrint to destinations with untrusted certificates |
| Allow Modifying cellular data app settings | Functionality | Supervised | Enables changing settings for cellular data usage for apps. Requires a supervised device. |
| Allow App Clips | Functionality | Supervised | If disabled, prevents a user from adding any App Clips, and removes any existing App Clips on the device. Requires a supervised device. |
| Allow Apple personalized advertising | Functionality | Unsupervised | If disabled, limits Apple personalized advertising. Requires iOS 14 or later. |
| Allow autocorrection | Functionality | Supervised | Enables keyboard autocorrection. Requires a supervised device. |
| Allow modifying Bluetooth settings | Functionality | Supervised | Allows modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later. |
| Allow Camera | Functionality | Supervised | If disabled, blocks the camera, and its icon is removed from the home screen. Users are unable to take photographs. |
| Allow FaceTime. (Requires Allow Camera enabled). | Functionality | Supervised | If disabled blocks Facetime. |
| Allow modifying cellular plan settings | Functionality | Supervised | If disabled, users can’t change any settings related to their cellular plan. Requires a supervised device. |
| Allow continuous path keyboard | Functionality | Supervised | Enables QuickPath keyboard. Requires a supervised device. |
| Allow Definition Lookup | Functionality | Supervised | Enables definition lookup. Requires a supervised device on iOS. |
| Allow modifying device name | Functionality | Supervised | If disabled, prevents the user from changing the device name. Requires a supervised device. |
| Allow submitting diagnostic and usage data to Apple | Functionality | Unsupervised | If disabled, prevents the device from automatically submitting diagnostic reports to Apple. Available for user enrollment. |
| Allow modifying diagnostic settings. (Requires Allow submitting diagnostic and usage data to Apple enabled.) | Functionality | Supervised | Enables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. |
| Allow dictation | Functionality | Supervised | Enables dictation input. |
| Allow Screen time | Functionality | Supervised | If disabled, it blocks the ‘Enable Restrictions’ option in the Restrictions UI in Settings. On iOS 12 or later, it blocks the ‘Enable ScreenTime’ option in the ScreenTime UI and disables ScreenTime if it is already enabled. |
| Allow trusting new enterprise app authors | Functionality | Unsupervised | If disabled, it removes the ‘Trust Enterprise Developer’ button in Settings > General > Profiles & Device Management, preventing app installation via universal provisioning profiles. This restriction applies to free developer accounts but not to enterprise apps trusted through MDM. Previously granted trust is not revoked. |
| Allow Erase All Content and Settings | Functionality | Supervised | If turned off, disables the Erase All Content and Settings option in the Reset UI. |
| Allow modifying eSIM settings | Functionality | Supervised | If turned off, disables modifications to carrier plan related settings (only available on select carriers). |
| Allow Find My Device | Functionality | Supervised | Enables Find My Device in the Find My app. Available in iOS 13 and later. |
| Allow Find My Friends | Functionality | Unsupervised | Enables Find My Friends in the Find My app. Available in iOS 13 and later. |
| Allow modifying Find My Friends settings | Functionality | Unsupervised | Enables modifying Find My Friends settings. |
| Allow automatic sync while roaming | Functionality | Enables global background fetch activity when an iOS phone is roaming. | |
| Allow host pairing | Functionality | Supervised | If turned off, disables host pairing except for the supervision host. If no supervision host certificate is configured, all pairing is disabled. Host pairing allows administrators to control whether an iOS device can connect to a Mac or PC. |
| Allow keyboard shortcuts | Functionality | Supervised | If turned off, disables keyboard shortcuts. |
| Show Notification Center on Lock screen | Functionality | Unsupervised | If turned off, disables the Notifications history view on the lock screen, so users can’t view past notifications. However, they can still see notifications when they arrive. |
| Allow lock screen today view. | Functionality | Unsupervised | If turned off, disables the Today view in Notification Center on the lock screen. |
| Allow Mail Privacy Protection | Functionality | Unsupervised | If turned off, disables Mail Privacy Protection on the device. Available in iOS 15.2 and later. |
| Allow managed apps to write contacts to unmanaged contacts accounts | Functionality | Unsupervised | If enabled, managed apps can save contacts to unmanaged contact accounts. This restriction is ineffective if ‘Allow Open From Managed To Unmanaged’ is also enabled. To apply this restriction, you must install the payload through MDM. |
| Allow News | Functionality | Supervised | Allow the News app. |
| Allow NFC | Functionality | Supervised | Allow Near Field Communication. |
| Allow modifying notification settings | Functionality | Supervised | If turned off, disables modification of notification settings. |
| Allow documents from managed sources in unmanaged destinations | Functionality | Unsupervised | Controls data sharing between corporate (managed) and personal (unmanaged) apps or accounts on a device. |
| Allow documents from unmanaged sources in managed destinations | Functionality | Unsupervised | Controls whether users can transfer files or data from personal (unmanaged) apps or accounts to corporate (managed) apps or accounts. |
| Allow over-the-air PKI updates | Functionality | Unsupervised | If turned off, disables over-the-air PKI updates. Setting this restriction to false doesn’t disable CRL and OCSP checks. |
| Allow pairing with Apple Watch | Functionality | Supervised | If turned off, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired, and the watch’s content is erased. |
| Allow Apple Wallet notifications on lock screen | Functionality | Unsupervised | Controls whether Apple Wallet notifications are shown on a locked screen. |
| Allow Personal Hotspot modification | Functionality | Supervised | Controls whether a user can manage the personal Hotspot. |
| Allow predictive keyboard | Functionality | Supervised | Controls whether users can enable or disable the predictive text feature on their keyboards. |
| Allow setting up new nearby iOS devices | Functionality | Supervised | Controls whether users can use their device to help set up other nearby iOS devices. |
| Allow screenshots and screen recording | Functionality | Unsupervised | If turned off, it disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. |
| Allow Shared iPad temporary session | Functionality | Unsupervised | If turned off, temporary sessions aren’t available on Shared iPad. |
| Allow iCloud Photo Sharing | Functionality | Unsupervised | Controls whether users can use the iCloud Photo Sharing feature. |
| Allow spell check | Functionality | Supervised | Controls whether users can use the built-in spell-checking functionality. |
| Allow Siri Suggestions | Functionality | Unsupervised | Controls whether users can receive proactive suggestions from Siri. |
| Allow user installation of configuration profiles | Functionality | Supervised | If turned off, it prohibits the user from installing configuration profiles and certificates interactively. |
| Allow unmanaged apps to read contacts from managed contacts accounts | Functionality | Unsupervised | Controls whether personal (unmanaged) apps can access contact information stored within the corporate´s (managed) contacts account. |
| Allow booting into recovery by unpaired devices | Functionality | Unsupervised | Controls whether a device can be put into Recovery Mode by a computer or device that is not paired (trusted) with it. |
| Allow users to accept untrusted TLS certificates | Functionality | Unsupervised | Controls whether users can manually accept TLS certificates that are not verified by a trusted certificate authority. |
| Allow USB accessories while device is locked | Functionality | Supervised | Controls whether users can connect and use USB accessories to the device when it´s locked.
If the device has Lockdown mode enabled, this setting is ignored. |
| Allow voice dialing while the device is locked | Functionality | Unsupervised | If enabled, the voice dialing feature can be used while the device is locked. |
| Allow adding VPN configurations | Functionality | Supervised | If enabled, the user can add VPN configurations. |
| Allow modifying Wallpaper | Functionality | Supervised | If disabled, the user cannot modify the
device´s wallpaper. |
| Treat AirDrop as unmanaged destination | Functionality | Unsupervised | If enabled, it causes AirDrop to be considered an unmanaged drop target. |
| Require passcode on first outgoing AirPlay pairing | Functionality | Unsupervised | If enabled, all devices receiving AirPlay requests from this device to use a pairing password. |
| Require Touch ID / Face ID authentication before Autofill | Functionality | Supervised | If enabled, the user must authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction isn’t enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID. |
| Force automatic date and time | Functionality | Supervised | If enabled, date and time are automatically set, and the user cannot change this behavior. |
| Force encrypted backups | Functionality | Unsupervised | If enabled, all backups are automatically encrypted. |
| Require iTunes Store password for all purchases | Functionality | Unsupervised | If enabled, forces the user to enter their iTunes password for each transaction. |
| Force limited ad tracking | Functionality | Unsupervised | If enabled, limits ad tracking. Additionally, it disables app tracking and the Allow Apps To Request To Track setting. |
| Force on-device only dictation | Functionality | Unsupervised | If enabled, the device won’t connect to Siri servers for the purposes of translation. |
| Force on-device only translation | Functionality | Unsupervised | If enabled, the device won’t connect to Siri servers for the purposes of translation. |
| Force Apple Watch wrist detection | Functionality | Unsupervised | If enabled, forces a paired Apple Watch to use Wrist Detection. |
| Join only Wi-Fi networks installed by a Wi-Fi payload | Functionality | Supervised | If enabled, limits device to only join Wi-Fi networks set-up via configuration profile. |
| Force Wi-Fi Power On | Functionality | Supervised | If enabled, prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It doesn’t prevent selecting which Wi-Fi network to use. |
| Require managed pasteboard | Functionality | Unsupervised | If turned off, the system disallows iPhone widgets on a Mac that has signed in the same Apple ID for iCloud. Available on iOS 17 and later. |
| Allow iOS widgets on a Mac signed in with the same Apple ID | Functionality | Supervised | If turned off, the system disables live voicemail on the device Available in iOS 17.2 and later. |
| Allow live voicemail | Functionality | Supervised | If turned on, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Available in iOS 17.2 and later. Note: The system doesn’t preserve eSIM if Find My initiates erasing the device. |
| Allow auto dim | Functionality | Supervised | If turned off, disables auto dim on iPads with OLED displays. Available in iOS 17.4 and later. |
| Allow eSIM outgoing transfers | Functionality | Supervised | If turned off, it prevents the transfer of an eSIM from the device on which the restriction is installed to a different device. Available in iOS 18 and later. |
| Allow Genmoji | Functionality | Supervised | If turned off, it prohibits creating new Genmoji. Available in iOS 18 and later. |
| Allow Image Playground | Functionality | Supervised | If turned off, it prohibits the use of image generation. Available in iOS 18 and later. |
| Allow Image Wand | Functionality | Supervised | If turned off, it prohibits the use of Image Wand. Available in iOS 18 and later. |
| Allow Writing Tools | Functionality | Supervised | If turned off, disables Apple Intelligence writing tools. Available in iOS 18 and later. |
| Allow personalized handwriting results | Functionality | Supervised | If turned off, it prevents the system from generating text in the user’s handwriting. Available in iOS 18 and later. |
| Allow iPhone mirroring | Functionality | Supervised | If turned off, it prohibits the use of iPhone Mirroring. This prevents the iPhone from mirroring to any Mac. Available in iOS 18 and later. |
| Allow video conferencing remote control | Functionality | Supervised | If turned off, disables the ability for a remote FaceTime session to request control of the device. Available in iOS 18 and later. |
| Allow hiding apps | Functionality | Supervised | If turned off, disables the ability for the user to hide apps. It does not affect the user’s ability to leave it in the App Library, while removing it from the home screen. Available in iOS 18.0 and later. |
| Allow locking apps | Functionality | Supervised | If turned off, disables the ability for the user to lock apps. Because hiding apps also requires locking them, disallowing locking also disallows hiding. Available in iOS 18.0 and later. |
| Allow call recording | Functionality | Supervised | If turned off, call recording is disabled. Available in iOS 18.1 and later. |
| Allow mail summary | Functionality | Supervised | If turned off, disables the ability to create summaries of email messages manually. This does not affect automatic summary generation. Available in iOS 18.1 and later. |
| Allow RCS messaging | Functionality | Supervised | If turned off, prevents the use of RCS messaging. Available in iOS 18.1 and later. |
Table 9. iOS policy functionality restrictions.
Application restrictions
The table below explains the application restrictions for iOS policies. Some apply to supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow Game Center | Application | Supervised | If disabled, blocks Game Center, and its icon is removed from the Home screen. |
| Allow adding Game Center friends. Requires “Allow Game Center” to be enabled. | Application | Supervised | If disabled, prohibits adding friends to Game Center. As of iOS 13. |
| Allow multiplayer gaming. Requires “Allow Game Center” to be enabled. | Application | Supervised | If disabled, prohibits multiplayer gaming. |
| Allow Installation Apps | Application | Supervised | If disabled, blocks the App Store, and its icon is removed from the home screen. Users are unable to install or update their apps. |
| Allow automatic app download. Requires “Allow Installation Apps” to be enabled. | Application | Supervised | If disabled, prevents automatic downloading of apps purchased on other devices. This setting doesn’t affect updates to existing apps. |
| Allow installing apps using App Store. Requires “Allow Installation Apps” to be enabled. | Application | Supervised | If turned off, disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. |
| Allow removing apps | Application | Supervised | If disabled, user cannot remove any apps. |
| Allow app installation from alternative marketplaces | Application | Supervised | If disabled, prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps. This restriction does not impact the native App Store app. Available in iOS 17.4 and later. |
| Allow Siri | Application | Unsupervised | If disabled, prevents the use of the Siri built-in feature. |
| Show user-generated contents in Siri.
Requires “Allow Siri” to be enabled. |
Application | Supervised | If disabled, prevents Siri from querying user-generated content from the web. |
| Allow Siri when device is locked.
Requires “Allow Siri” to be enabled. |
Application | Unsupervised | Enable Siri when the device is locked. This restriction is ignored if the device doesn’t have a passcode set. |
| Enable Siri profanity filter assistant.
Requires “Allow Siri” to be enabled. |
Application | Supervised | If enabled, Siri will filter out and avoid using or recognizing any profane or explicit language in its responses and dictations. |
| Allow iBooks Store | Application | Supervised | If disabled, removes the Book Store tab from the Books app. |
| Allow iMessage | Application | Supervised | Enables the use of the iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. |
| Allow in app purchases | Application | Unsupervised | If turned off, prohibits in-app purchasing. |
| Allow iTunes Store | Application | Supervised | If turned off, disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. |
| Allow Apple Music | Application | Supervised | If turned off, disables the Music service, and the Music app reverts to classic mode. |
| Allow podcasts | Application | Supervised | If turned off, disables the Podcasts app. |
| Allow Radio | Application | Supervised | If turned off, disables the radio app. |
| Allow use of Safari | Application | Unsupervised | If turned off, disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. |
| Enable Autofill on Safari. Requires “Allow use of Safari” to be enabled. | Application | Supervised | If turned off, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. |
| Enable JavaScript on Safari.
Requires “Allow use of Safari” to be enabled. |
Application | Unsupervised | If turned off, Safari doesn’t execute JavaScript. |
| Block pop-ups on Safari. Requires “Allow use of Safari” to be enabled. | Application | Unsupervised | If turned off, Safari doesn’t allow pop-up windows. |
| If enabled,
Requires “Allow use of Safari” to be enabled. |
Application | Unsupervised | If enabled, forces the use of Safari’s built-in security measures to help protect users from phishing attempts or other malicious websites that might steal personal information. |
| Allow removing system apps | Application | Supervised | If turned off, disables the removal of system apps from the device. |
| Accept cookies | Application | Unsupervised | Defines the behavior for Cross-Site Tracking and Cookies. Options are:
|
| Allow apps to be installed directly from the web | Application | Supervised | If turned off, the device prevents installation of apps directly from the web. Requires a supervised device. Available in iOS 17.5 and later. |
Table 10. iOS policy application restrictions.
Security & privacy restrictions
The table below explains the Security & Privacy restrictions for iOS policies. Some apply to supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow auto unlock | Security & Privacy | Unsupervised | If turned on, allows the ability to unlock Face ID-enabled phone with an associated Apple Watch.
Available in iOS 14.5 and later. |
| Allow Touch ID / Face ID to unlock device | Security & Privacy | Unsupervised | If turned on the device can be unlocked using Touch ID or Face ID. If turned off, the device can only be unlocked using passcode. |
| Allow modifying passcode | Security & Privacy | Supervised | If turned off, prevents the device passcode from being added, changed, or removed. This restriction is ignored by Shared iPads. |
| Allow modifying Touch ID / Face ID. Requires “Allow modifying passcode” to be enabled. | Security & Privacy | Supervised | If turned off, prevents modifying Touch ID / Face ID. This restriction is ignored by Shared iPads. |
| Allow password autofill | Security & Privacy | Supervised | If turned off, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn’t prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It doesn’t prevent AutoFill for contact info and credit cards in Safari. |
| Allow proximity based password sharing requests | Security & Privacy | Supervised
|
If turned off, disables requesting passwords from nearby devices. |
| Allow password sharing | Security & Privacy | Supervised
|
If turned off, disables sharing passwords with the Airdrop Passwords feature. |
| Allow lock screen Control Center | Security & Privacy | Supervised | If disabled, prevents Control Center from appearing on the Lock screen. |
Table 11. iOS policy security & privacy restrictions.
Media restrictions
The table below explains the Media restrictions for iOS policies. Some apply to supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow explicit sexual content in Apple Books | Media | Unsupervised | If disabled, the user can’t download Apple Books media that is tagged as erotica. |
| Allow playback of explicit music, podcast & iTunes U media | Media | Supervised | If disabled, hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. |
| Allow Files Network Drive Access | Media | Supervised | If disabled, prevents connecting to network drives in the Files app. Available in iOS 13.1 and later. |
| Allow Files USB Drive Access | Media | Supervised | If disabled, prevents connecting to any connected USB devices in the Files app |
| Allowed content ratings – Apps | Media | Unsupervised | The maximum level of app content allowed on the device. Options are:
|
| Allowed content ratings – Movies | Media | Unsupervised | The maximum level of movie content allowed on the device. Options are:
|
| Ratings region | Media | Unsupervised | The two-letter key that profile tools use to display the proper ratings for the given region. Options are:
|
| Allowed content ratings – TV Shows | Media | Unsupervised | The maximum level of TV content allowed on the device. Options are:
|
iCloud restrictions
The table below explains the iCloud restrictions for iOS policies. Some apply to supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow iCloud backup | iCloud | Unsupervised | Enables backing up the device to iCloud. |
| Allow iCloud Keychain sync | iCloud | Unsupervised | Enables iCloud keychain synchronization on the device. |
| Allow iCloud Photo Library | iCloud | Unsupervised | Enables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. |
| Allow iCloud Private Relay | iCloud | Unsupervised | Enables iCloud Private Relay. For iOS devices, this restriction requires a supervised device. |
| Allow backup of enterprise books | iCloud | Unsupervised | If turned off, disables backup of Enterprise books. Also available for user enrollment. |
| Allow notes and highlights sync for enterprise books | iCloud | Unsupervised | Enables synchronization of notes and highlights for enterprise books. |
| Allow managed apps to store data in iCloud | iCloud | Unsupervised | Allows managed apps to store their data in iCloud.
Enables My Photo Stream functionality. |
| Allow My Photo Stream | iCloud | Unsupervised | If enabled, photos taken on the device are automatically uploaded to My Photo Stream and synchronized across all other iOS devices linked to the same Apple ID via iCloud. |
| Allow cloud document sync | iCloud | Supervised | Enables document and key-value syncing to iCloud. As of iOS 13. Shared iPad doesn’t support it. |
Table 13. iOS iCloud policy Media restrictions
Classroom restrictions
The table below explains the classroom restrictions for iOS policies. Some apply to Supervised enrollment while others to unsupervised.
| Setting | Category | Enrollment | Description |
| Allow AirPlay screen view | Classroom | Supervised | If turned off, disables remote screen observation by the Classroom app. If ScreenShot is disabled, the Classroom app doesn’t observe remote screens. |
| Allow Classroom screen view without prompting.
Requires “Allow AirPlay screen view” to be enabled. |
Classroom | Supervised | If enabled, Teachers using the Classroom app can view the screen of a supervised student’s device without the student being prompted to allow or deny the action. This is particularly useful for maintaining seamless classroom management and monitoring during lessons.
If disabled, Students will be prompted for permission each time a teacher attempts to view their device screen, giving them the ability to allow or deny access. |
| Require teacher permission to leave Classroom app unmanaged classes | Classroom | Supervised | If enabled, automatically gives permission to the teacher’s requests without prompting the student. |
| Allow Classroom to lock apps or the device without prompting | Classroom | Supervised | If enabled, Teachers using the Classroom app can remotely lock a student’s iPad or iPhone, or limit the device to a single app, without the student receiving a prompt or needing to approve the action. This ensures uninterrupted focus during lessons or exams.
If disabled, students will receive a prompt asking for their consent before the teacher can lock their device or restrict it to a specific app. |
Table 14. iOS policy classroom restrictions.
Applications
This category controls which apps are available to end users, and which apps are blocked from use. In addition, NinjaOne’s MDM supports apps assigned through Apple’s App and Books feature – formerly Volume Purchase Program (VPP). Apple Business Manager (ABM) content tokens are supported per organization/location, and provides information related to the token, assigned apps, and licenses from the MDM Configuration page in NinjaOne. To learn more about Apple’s App and Books, consult the Buying content through apps and books tutorial.
Follow the steps below to add and configure apps in a policy.
Click + Add apps.
- Switch between the Apps and Books and Public App Store tabs depending on the type of app you want to add. Please note that if you do not have your Apps and Books token set up you will not see any content under the Apps and Books tab.
- Type the name of the app or the app’s publisher into the search field. If you’re unsure what to enter, you can simply type a single letter and then click Search. A list of matching applications will appear.
- Click the desired application. A dialog box will appear.
- Select the assignment type from the drop-down (force installed or blocked). Note that the Blocked assignment type is only supported on supervised devices.
- If the selection was blocked, go to step eight.
- If the selection was Force Installed, fill out the remaining fields.
Note: If you opt to remove the app when a device is removed from a policy, this function also applies when you switch a device’s policy under the Settings tab on the device dashboard if the new policy does not also have the app included.
- Click Add. You can continue adding applications, once you’re done,
- Click Save on the upper right side of the screen. Enter your MFA response method and close.
The app(s) will now appear under Managed Applications, displaying its details and assignment type. When the policy attempts to install an application via the Public App Store on company-supervised devices, or through any method on unsupervised devices, the end user receives a notification on their device. The user may need to sign in with an Apple ID and enter their password to complete the installation. Additionally, the user must select Install to proceed with the installation.
Network
In this category, device´s network settings can be configured, like Proxy and Wi-Fi networks. Multiple Wi-Fi networks can be added, but only one proxy.
Proxy
Use the Manual proxy setup button to configure proxy settings. This action will open the Manual Proxy Setup dialog box.
Turn on the Direct Proxy switch to manually enter the proxy configuration information – Host name and port.
Turn on the Proxy auto-configuration (PAC) switch to enter the URL for the PAC file.
Host names can be excluded from the proxy by writing the name under the Excluded host field and pressing enter.
After entering the information, click the blue Save button. This will add the proxy settings used by the mobile device. Once added, the information can be edited or removed.
Wi-Fi Networks
Use the Add new Wi-Fi Network button to configure a new Wi-Fi network. This action will open the iOS policy Wi-Fi Network Dialog Box, then follow the next steps to configure a new Wi-Fi network.
- Enter a configuration name (a friendly name of your choice to distinguish this Wi-Fi network).
- Enter the SSID.
- Under Security, select the encryption method, options are: ‘WEP-PSK‘, ‘WPA-PSK‘, ‘WPA2-PSK‘, ‘WPA3-PSK‘, Any or None.
- Enter the password.
- Select the additional options if required (Auto Join, Enable IPv6, Hidden Network, Hotspot or Random MAC Address).
- Select the proxy method (Auto, Manual or None).
- Click Save.
- The new Wi-Fi network configuration will appear on the list. This network can be edited or removed by selecting it using the check mark to the left of the name.
OS updates
This category defines how users can install software updates and defines enforced OS versions.
- Type of updates that can be self-installed (iOS 18+). This option controls what updates will be installed. Options are: All available updates, Highest available update, and Lowest available update.
- Allow user to install beta OS versions (iOS 18+). This option controls the installation of beta OS versions. The available settings are: Allowed, Always On, and Always Off.
- Delay when new iOS updates can be self-installed. This option delays the availability of a released operating system (OS) update for the device. When enabled, you can specify the delay duration, which can range from 1 to 90 days.
- Allow the user to install Rapid Security Responses. If enabled, critical security updates released by Apple will be installed. RSRs are released more quickly than traditional OS updates.
- Allow the user to remove Rapid Security Responses. This option controls the ability for a used to remove RSRs.
- Show additional notifications for scheduled updates (iOS 18+). If enabled, users will receive daily notifications for updates scheduled in the future. If disabled, users will only receive notifications beginning one hour before the scheduled deadline.
- Manually scheduled updates. This option is used to enforce software updates. An approval date is set to give the user the option to install the update voluntarily. If the user does not install the update by the approval date, an enforcement date ensures the update is installed automatically.
Location tracking
This category enables location tracking and specifies the accuracy and frequency of location updates.
Follow the instructions below to enable location tracking.
- Click Enable.
- Select accuracy: Balanced mode is accurate to within 100 meters and consumes less battery. High Accuracy mode captures the best available location but consumes more battery.
- Select the location update frequency: Distance traveled means a location update is sent to the server after the device moves a specified distance (500 m, 1000 m or 5000 m). Time based means a location update is sent to the server based on time. Options are five minutes, 30 minutes, one hour, six hours, 12 hours or 24 hours.
- Click Save.
Note: Location tracking requires the NinjaOne Assist app to be installed and active on the device, with Location Services enabled. The app must also be added to the policy as a managed application with Forced Install selected.