Configure Policies or Restrictions on iOS

The Restrictions section of an iOS Device Profile is a collection of various settings that can be configured so that can be applied on a device.


Assuming that you are creating or editing an iOS Device Profile in Scalefusion Dashboard, once you navigate to the Restrictions tab you would see the following screen.

Described below are the various options available,

Single App Mode & Autonomous Single App Mode

From the list of applications that you have allowed, choose one application run always. This helps you in setting up the device as a Kiosk. You can choose additional settings as well. Please read our How to Setup an iOS Device as Kiosk to learn more.

Alternatively you may want to set some applications that can put themselves into Single App Mode autonomously, that is as and when they want or scheduled. This feature to enter into Single app mode is dependent on the application, and some applications offer this. If you are using such applications that support this feature, then refer to How to Setup Apps in Autonomous Single App Mode.

Network Settings

A collection of network related settings that you lets you control Network settings. These are:

  1. Wifi Configuration - Select a Wifi configuration and enforce it on Supervised device.
  2. Hotspot Setting - Choose whether the user can turn on/off the hotspot.
  3. Roaming Setting - Choose to enable/disable the Voice and Data roaming settings.
  4. Configure eSIM settings - Scalefusion allows configuring eSIMs and deploy the configuration to eSIM- supported iOS devices to remotely trigger and automate the download and installation of an eSIM on a managed device. All you need is an eSIM URL that is purchased from network providers.
    This feature is supported on iPad with OS version 13 and later and on iPhone with iOS 14 and later
    This feature is in Beta phase
    To configure eSIM settings,
    1. In iOS Device profile, navigate to Restrictions > Network Settings. Scroll down to Configure eSIM settings.
    2. Here, enter the network provider URL. This URL is provided by your network provider
      1. Allow eSIM modification: If this setting is unchecked, it will restrict users from modifying eSIM settings on the device. By default it is checked.
    3. When the profile is applied on devices, it will activate the eSIM aka cellular plan on devices with the eSIM configurations.

Safari Settings

In this section you can control Safari related settings,

  1. Enable Safari - If you have Allowed websites then this cannot be disabled.
  2. Allow AutoFill - Choose to Allow/Restrict the user to turn on/off the Auto-Fill feature.
  3. Allow Javascript - Choose to Allow/Restrict javascript to run.
  4. Allow PopUps - Choose to Allow/Restrict pop-up tabs.

Content Filtering

Use these settings to control the browsing experience on the iOS devices, with access to the websites and apply Safari's content-filtering algorithms.

These settings work only on Supervised devices

Put a check in front of Configure Content Filtering to enable the settings

Setting

Description

Access to Allowed Sites Only

Enable this setting if you want to provide access only to the websites that are enabled under Allowed websites section.

Limit Access to Adult Websites and Allow the pre-selected URLs

Enable this setting to enforce Apple's inbuilt content filtering mechanism which will apply to all websites. However, the websites selected in Allowed websites section, will be allowed.

Do not restrict browsing, only Add WebClips based on Allowed URLs

Select this option if you don't want to apply any sort of content-filtering but just want to place Web-Clips on home screen based on the visibility of Allowed websites.

When creating a new Profile and if you have selected at-least one Website then selecting this option is mandatory and admin is shown a warning when trying to save the profile.

iCloud & Siri Settings

Please find below the list of settings that are available.

 

Settings

Description

Support

Allow iCloud Backup

Allow/Restrict backing up the device to iCloud.

All

Allow iCloud Keychain Sync

Allow/Restrict iCloud keychain restriction.

All

Allow Siri

Allow/Restrict usage of Siri.

All

Force Siri Profanity filter

Force the use of Siri’s profanity filter.

Supervised

Allow iCloud Documents Sync

Allow/Restrict document and key-value syncing to iCloud.

Supervised

Lock Screen Settings

A collection of documents that drive the experience on Lock Screen that can be applied to all iOS devices.

 

 

Settings

Description

Support

Allow Touch-ID for Unlock

Allow/ Restrict users to use Touch Id for unlocking device. If the setting is already enabled, then user will not be able to change it.

All

Allow Lock Screen Control Center

Allow/Restrict Control centre on Lock screen.

All

Allow Lock Screen Notification View

Allow/Restrict Notifications view on Lock screen.

All

Allow Lock Screen Today View

Allow/Restrict Today View notifications when the device is locked.

All

Allow Passbook Notifications

Allow/Restrict the usage of passbook on lock screen.

All

Allow Assistant while Locked

Allow Siri on Lock screen. Works only if Siri is Allowed in iCloud and Siri settings.

All

Allow Voice Dialing

Disable Voice dialing using Siri on Lock screen.

All

App Settings

A collection of application related settings, that can be enforced on the devices.

 

 

Settings

Description

Support

Allow trust for Enterprise Apps

If set to false removes the Trust Enterprise Developer button in Settings->General->Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts but it does not apply to enterprise app developers who are trusted because their apps were pushed via MDM, nor does it revoke previously granted trust.

All

Allow iMessage

Allow/Restrict the use of Messages app.

Supervised

Allow App Installation

Allow/Restrict the installation of apps. Enables App store on devices.

Supervised

Allow Interactive Apps Installation

When disallowed, the App Store is disabled and its icon is removed from the Home screen. However, users may continue to use Host apps (iTunes, Configurator) to install or update their apps.

Supervised

Allow App Removal

Allow/Restrict removal of applications

Supervised

Allow System App Removal

Allow/Restrict removal of system applications from iOS 11.0.

Supervised

Allow iTunes App

Allow/Restrict use of iTunes Application.

Supervised

Allow News

Allow/Restrict the users to add the News widget.

Supervised

Allow Podcasts

Allow/Restrict the use of Podcasts app.

Supervised

Allow Music Service

If disallowed Music service is disabled and Music app reverts to classic mode.

Supervised

Allow Bookstore

Allow/Restrict iBook store app.

Supervised

Allow AirDrop

Allow/Restrict the usage of AirDrop.

Supervised

Application Management Settings

In this section admin can configure settings that give control to users how Applications published from Dashboard are installed on the managed devices. This can be done by enabling application catalog. To know more about app catalog, click here.

OS Updates

Use this section to choose a delay time for the new iOS Updates. iOS does not allow to completely block the updates indefinitely. You can delay from a minimum of 30 days to a maximum of 90 days. To defer the OS Updates follow the steps below,

  1. Click on OS Updates and enable Defer Software Updates
  2. Enter a value between 30 to 90.

Email & Exchange Settings

Use this section to select the Email or Exchange configurations that you want to publish to the devices in this Device Profile. You can select one or multiple configurations to be pushed on the devices. To learn how to create Exchange and Email configurations, please refer to our document here.

Work Data Settings

These settings help you control the exchange of data between Managed (work) apps and non-Managed (personal apps). These settings work on all iOS devices irrespective of they are Supervised or not (min.OS version required), and help you secure the corporate data by preventing the Unmanaged applications from being used to view/open Managed data. The settings offered are,

Setting

Description

Allow Open From Managed to Unmanaged

Allow Work documents/files to be opened via Unmanaged apps. Disabling this prevents the Unmanaged apps from being listed in the Share menu.

Allow Managed Apps to write contacts to Unmanaged contact accounts

Allow Managed apps to add/edit contact information to Unmanaged contact accounts. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work

Allow UnManaged Apps to read contacts to Managed contact accounts

Allow Unmanaged applications to add/edit contacts to Work managed accounts. his setting will be forced to true if Allow Open From Managed to Unmanaged is true. Requires 12.0+ to work

Allow Work Documents to be Shared via Airdrop

Allow Work documents/files from managed applications to be shared via Airdrop. This setting will be forced to true if Allow Open From Managed to Unmanaged is true. 

Block Copy/Paste from Managed apps to Unmanaged apps

Blocks copy and paste actions done from managed to unmanaged apps. When this setting is enabled, and if you try to copy anything from a managed application onto an unmanaged one, the following message will appear:

This setting will not work if Allow Open From Managed to Unmanaged setting is also enabled

Allow Open Documents From Managed to Unmanaged

Allow non-Work documents/files to be opened via Managed applications. Enabling this will cause the managed apps to be shown in the Share menu of unmanaged apps.

Certificates

Use this section to install and deploy certificates on your managed devices. The certificates uploaded via Enterprise > Certificate Management are listed here. To learn more about how certificates can be applied on managed devices, please refer to the document here.

Custom Settings

By using the Custom Settings feature of a Scalefusion iOS Profile, IT Admins can use a top-notch XML editor and push a Custom Payload directly to the devices. Hence, with this admins will now be able to add those features for Mac and iOS which are not yet offered under Scalefusion. To learn more about Custom Settings feature, click here.

General Settings

A collection of common settings that can be enforced on devices.

 

Settings

Description

Support

Allow Camera

Allow/Restrict the usage of Camera. Required to be Allowed if you want to use Photobooth app.

All

Allow ScreenShot

Allow/Restrict users to take screenshot.

All

Force Encrypted Backups

Allow/Restrict users to enforce encrypted backups where they can set a password for encrypted files while taking backup. This option is unchecked by default.

All

Allow Enabling Restrictions

Allow/Restrict users to access Restrictions in Settings.

Supervised

Allow Erase Content and Settings

Allow/Restrict users to erase all the content and settings on the device.

Supervised

Allow Account Modification

Allow/Restrict the users to modify the iTunes account configured on device. Note that if it is disallowed and an iTunes account is not already configured on the device, then the Apps pushed from Apple App Store will not be installed.

Supervised

Allow Device Name Modification

Allow/Restrict users  to modify name of the device.

Supervised

Allow Wallpaper Modification

Allow/Restrict users to modify wallpaper of the device.

Supervised

Allow Connection with Apple Devices

Allow/Restrict the devices to be connected to other Apple devices. If disallowed, host pairing is disabled with the exception of the computer that you used for supervisioning. If no supervision host certificate has been configured, all pairing is disabled.

Supervised

Allow VPN Creation

Allow/Restrict users to create VPN connections.

Supervised

Allow Explicit Content

When disallowed, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.

Supervised

Allow Bluetooth Settings Modification

Allow/Restrict the users to modify Bluetooth settings.

Supervised

Allow Open From Managed to Unmanaged

Allow documents to be opened in unmanaged applications from managed.

Supervised

Allow UI Configuration Profile Installation

You are allowed to install UI Configuration profile.


Allow Passcode Modification

Disable this setting if you do-not want your end users to change or set a password. Note: You cannot apply a passcode policy if this settings is disabled.

Supervised


How did we do?


Powered by HelpDocs (opens in a new tab)