Configure Policies or Restrictions on iOS
The Restrictions section of an iOS Device Profile is a collection of various settings that can be configured so that can be applied on a device.
Assuming that you are creating or editing an iOS Device Profile in Scalefusion Dashboard, once you navigate to the Restrictions tab you would see the following screen.
Described below are the various options available,
Single App Mode & Autonomous Single App Mode
From the list of applications that you have allowed, choose one application run always. This helps you in setting up the device as a Kiosk. You can choose additional settings as well. Please read our How to Setup an iOS Device as Kiosk to learn more.
Alternatively you may want to set some applications that can put themselves into Single App Mode autonomously, that is as and when they want or scheduled. This feature to enter into Single app mode is dependent on the application, and some applications offer this. If you are using such applications that support this feature, then refer to How to Setup Apps in Autonomous Single App Mode.
A collection of network related settings that you lets you control Network settings. These are:
- Wifi Configuration - Select a Wifi configuration and enforce it on Supervised device.
- Hotspot Setting - Choose whether the user can turn on/off the hotspot.
- Roaming Setting - Choose to enable/disable the Voice and Data roaming settings.
- Configure eSIM settings - Scalefusion allows configuring eSIMs and deploy the configuration to eSIM- supported iOS devices to remotely trigger and automate the download and installation of an eSIM on a managed device. All you need is an eSIM URL that is purchased from network providers. This feature is supported on iPad with OS version 13 and later and on iPhone with iOS 14 and laterThis feature is in Beta phaseTo configure eSIM settings,
- In iOS Device profile, navigate to Restrictions > Network Settings. Scroll down to Configure eSIM settings.
- Here, enter the network provider URL. This URL is provided by your network provider
- Allow eSIM modification: If this setting is unchecked, it will restrict users from modifying eSIM settings on the device. By default it is checked.
- When the profile is applied on devices, it will activate the eSIM aka cellular plan on devices with the eSIM configurations.
In this section you can control Safari related settings,
- Enable Safari - If you have Allowed websites then this cannot be disabled.
- Allow AutoFill - Choose to Allow/Restrict the user to turn on/off the Auto-Fill feature.
- Allow PopUps - Choose to Allow/Restrict pop-up tabs.
Use these settings to control the browsing experience on the iOS devices, with access to the websites and apply Safari's content-filtering algorithms.
Put a check in front of Configure Content Filtering to enable the settings
Access to Allowed Sites Only
Enable this setting if you want to provide access only to the websites that are enabled under Allowed websites section.
Limit Access to Adult Websites and Allow the pre-selected URLs
Enable this setting to enforce Apple's inbuilt content filtering mechanism which will apply to all websites. However, the websites selected in Allowed websites section, will be allowed.
Do not restrict browsing, only Add WebClips based on Allowed URLs
Select this option if you don't want to apply any sort of content-filtering but just want to place Web-Clips on home screen based on the visibility of Allowed websites.
iCloud & Siri Settings
Please find below the list of settings that are available.
Allow iCloud Backup
Allow/Restrict backing up the device to iCloud.
Allow iCloud Keychain Sync
Allow/Restrict iCloud keychain restriction.
Allow/Restrict usage of Siri.
Force Siri Profanity filter
Force the use of Siri’s profanity filter.
Allow iCloud Documents Sync
Allow/Restrict document and key-value syncing to iCloud.
Lock Screen Settings
A collection of documents that drive the experience on Lock Screen that can be applied to all iOS devices.
Allow Touch-ID for Unlock
Allow/ Restrict users to use Touch Id for unlocking device. If the setting is already enabled, then user will not be able to change it.
Allow Lock Screen Control Center
Allow/Restrict Control centre on Lock screen.
Allow Lock Screen Notification View
Allow/Restrict Notifications view on Lock screen.
Allow Lock Screen Today View
Allow/Restrict Today View notifications when the device is locked.
Allow Passbook Notifications
Allow/Restrict the usage of passbook on lock screen.
Allow Assistant while Locked
Allow Siri on Lock screen. Works only if Siri is Allowed in iCloud and Siri settings.
Allow Voice Dialing
Disable Voice dialing using Siri on Lock screen.
A collection of application related settings, that can be enforced on the devices.
Allow trust for Enterprise Apps
If set to false removes the Trust Enterprise Developer button in Settings->General->Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust.
Allow/Restrict the use of Messages app.
Allow App Installation
Allow/Restrict the installation of apps. Enables App store on devices.
Allow Interactive Apps Installation
When disallowed, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps.
Allow App Removal
Allow/Restrict removal of applications
Allow System App Removal
Allow/Restrict removal of system applications from iOS 11.0.
Allow iTunes App
Allow/Restrict use of iTunes Application.
Allow/Restrict the users to add the News widget.
Allow/Restrict the use of Podcasts app.
Allow Music Service
If disallowed Music service is disabled and Music app reverts to classic mode.
Allow/Restrict iBook store app.
Allow/Restrict the usage of AirDrop.
Application Management Settings
In this section admin can configure settings that give control to users how Applications published from Dashboard are installed on the managed devices. This can be done by enabling application catalog. To know more about app catalog, click here.
Use this section to choose a delay time for the new iOS Updates. iOS does not allow to completely block the updates indefinitely. You can delay from a minimum of 30 days to a maximum of 90 days. To defer the OS Updates follow the steps below,
- Click on OS Updates and enable Defer Software Updates
- Enter a value between 30 to 90.
Email & Exchange Settings
Use this section to select the Email or Exchange configurations that you want to publish to the devices in this Device Profile. You can select one or multiple configurations to be pushed on the devices. To learn how to create Exchange and Email configurations, please refer to our document here.
Work Data Settings
These settings help you control the exchange of data between Managed (work) apps and non-Managed (personal apps). These settings work on all iOS devices irrespective of they are Supervised or not (min.OS version required), and help you secure the corporate data by preventing the Unmanaged applications from being used to view/open Managed data. The settings offered are,
Allow Open From Managed to Unmanaged
Allow Work documents/files to be opened via Unmanaged apps. Disabling this prevents the Unmanaged apps from being listed in the Share menu.
Allow Managed Apps to write contacts to Unmanaged contact accounts
Allow Managed apps to add/edit contact information to Unmanaged contact accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work
Allow UnManaged Apps to read contacts to Managed contact accounts
Allow Unmanaged applications to add/edit contacts to Work managed accounts. his setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work
Allow Work Documents to be Shared via Airdrop
Allow Work documents/files from managed applications to be shared via Airdrop. This setting will be forced to true if Allow Open From Managed to Unmanaged is true.
Block Copy/Paste from Managed apps to Unmanaged apps
Blocks copy and paste actions done from managed to unmanaged apps. When this setting is enabled, and if you try to copy anything from a managed application onto an unmanaged one, the following message will appear:
This setting will not work if Allow Open From Managed to Unmanaged setting is also enabled
Allow Open Documents From Managed to Unmanaged
Allow non-Work documents/files to be opened via Managed applications. Enabling this will cause the managed apps to be shown in the Share menu of unmanaged apps.
Use this section to install and deploy certificates on your managed devices. The certificates uploaded via Enterprise > Certificate Management are listed here. To learn more about how certificates can be applied on managed devices, please refer to the document here.
By using the Custom Settings feature of a Scalefusion iOS Profile, IT Admins can use a top-notch XML editor and push a Custom Payload directly to the devices. Hence, with this admins will now be able to add those features for Mac and iOS which are not yet offered under Scalefusion. To learn more about Custom Settings feature, click here.
A collection of common settings that can be enforced on devices.
Allow/Restrict the usage of Camera. Required to be Allowed if you want to use Photobooth app.
Allow/Restrict users to take screenshot.
Force Encrypted Backups
Allow/Restrict users to enforce encrypted backups where they can set a password for encrypted files while taking backup. This option is unchecked by default.
Allow Enabling Restrictions
Allow/Restrict users to access Restrictions in Settings.
Allow Erase Content and Settings
Allow/Restrict users to erase all the content and settings on the device.
Allow Account Modification
Allow/Restrict the users to modify the iTunes account configured on device. Note that if it is disallowed and an iTunes account is not already configured on the device, then the Apps pushed from Apple App Store will not be installed.
Allow Device Name Modification
Allow/Restrict users to modify name of the device.
Allow Wallpaper Modification
Allow/Restrict users to modify wallpaper of the device.
Allow Connection with Apple Devices
Allow/Restrict the devices to be connected to other Apple devices. If disallowed, host pairing is disabled with the exception of the computer that you used for supervisioning. If no supervision host certificate has been configured, all pairing is disabled.
Allow VPN Creation
Allow/Restrict users to create VPN connections.
Allow Explicit Content
When disallowed, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.
Allow Bluetooth Settings Modification
Allow/Restrict the users to modify Bluetooth settings.
Allow Open From Managed to Unmanaged
Allow documents to be opened in unmanaged applications from managed.
Allow UI Configuration Profile Installation
You are allowed to install UI Configuration profile.
Allow Passcode Modification
Disable this setting if you do-not want your end users to change or set a password. Note: You cannot apply a passcode policy if this settings is disabled.