Create an iOS/iPadOS Restrictions Policy

This policy allows administrators to manage and enforce specific device limitations on iOS and iPadOS devices to enhance organizational security and minimize distractions. By standardizing device capabilities, you can ensure a more productive work environment and protect sensitive data from unauthorized access or accidental exposure.

Prerequisites

  • iOS/iPadOS devices must be enrolled in Apple MDM with one of the following enrollment types:
    • Device-Enrolled Devices - These devices are owned by the corporation and enrolled by the admin or by the user.
    • User-Enrolled Devices - These are personal devices used for work where the user enrolls the device to securely access corporate data while maintaining personal privacy.
    • Auto-Enrolled Devices - These devices are owned and enrolled by the corporation through Automated Device Enrollment.
      For more information, see MDM Enrollment Method.
  • Target devices must be running iOS/iPadOS 4 or later.

Creating the Policy

To create the policy:

  1. Log in to the JumpCloud Admin Portal.

Important:

If your data is stored outside of the US, check which login URL you should be using depending on your region. If your organization uses LDAP, RADIUS, or requires firewall allow list configuration, the Fully Qualified Domain Names (FQDNs) will also be region specific. See JumpCloud Data Centers for the URLs, FQDNs, and IP addresses.

  2. Go to Device Management > Policy Management and click (+).
  3. On the New Policy panel, select the iOS tab.
  4. Search for and select Restrictions from the list, then click configure.
  5. (Optional) In the Policy Name field, enter a new name for the policy or keep the default. Policy names must be unique.
  6. (Optional) In the Policy Notes field, enter details such as the creation date of the policy and information on testing and deployment of the policy.

Configuring the Policy

The following options are available for configuring the Restrictions policy settings:

System & Device State

  • Allow Account Modification - Select this option to disable modification of accounts such as Apple Accounts, Mail, Contacts, and Calendar. Requires a supervised device.
  • Allow Auto Dim - Select this option to disable auto dim on iPads with OLED displays. Requires a supervised device.
  • Allow Modifying Diagnostics Settings - Select this option to disable changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device.
  • Allow Modifying Find My Friends Settings - Select this option to disable changes to Find My Friends. Requires a supervised device.
  • Allow Control Center on Lock Screen - Select this option to prevent Control Center from appearing on the Lock Screen. Available in iOS 7.0 and later.
  • Allow Notifications View on Lock Screen - Select this option to disable the notification history view on the Lock Screen. Users can still see new notifications as they arrive. Available in iOS 7.0 and later.
  • Allow Today View on Lock Screen - Select this option to disable the Today view in Notification Center on the Lock Screen. Available in iOS 7.0 and later.
  • Allow Over-the-Air PKI Updates - Select this option to disable over-the-air PKI updates. This does not disable CRL and OCSP checks.
  • Allow Wallet Access on Lock Screen - Select this option to hide Wallet (formerly Passbook) notifications from the Lock Screen.
  • Allow Proximity Setup to New Device - Select this option to disable the prompt to set up new devices that are nearby. Requires a supervised device.
  • Allow Temporary Sessions on Shared iPad - Select this option to make temporary sessions unavailable on Shared iPad. Requires a supervised device.
  • Allow Unpaired External Boot to Recovery - If enabled, allows an unpaired external host to boot the device into recovery mode. Available only on supervised devices.

iCloud & Content Sync

  • Allow Handoff - Select this option to disable Handoff (activity continuation) between devices.
  • Allow iCloud Backup - Select this option to disable backing up the device to iCloud. Note: Support for this restriction on unsupervised devices is deprecated.
  • Allow Enterprise Books Backup - Select this option to disable backup of Enterprise books.
  • Allow Enterprise Books Notes and Highlights Sync - Select this option to disable sync of Enterprise books notes and highlights.
  • Allow iCloud Sync for Managed Apps - Select this option to prevent managed apps from using iCloud sync.
  • Allow Shared Photo Stream - Select this option to disable Shared Photo Stream.

Media and Entertainment

  • Allow Adding Game Center Friends - Select this option to prevent users from adding friends in Game Center.
  • Allow Bookstore Erotica - Select this option to block users from downloading Apple Books media tagged as erotica.
  • Allow Explicit Content - Select this option to stop users from accessing explicit music, podcasts, or video content.
  • Allow Game Center - Select this option to disable the Game Center service entirely.
  • Allow Multiplayer Gaming - Select this option to restrict users from participating in multiplayer games.
  • Allow Apple Music - Select this option to disable the Music service and revert the app to classic mode.
  • Allow News App - Select this option to disable the News app on the device.
  • Allow Pairing with Apple Watch - Select this option to prevent users from pairing an Apple Watch and unpair any existing ones.
  • Allow Podcasts - Select this option to disable the Podcasts app.
  • Force Limit Ad Tracking - Select this option to limit Apple's personalized advertising for the user.
  • Ratings Region - Select a value from the dropdown menu to choose the specific geographic region that determines content rating standards.
  • Allowed App Ratings - Select a value from the dropdown menu to set the maximum age-based rating permitted for app downloads.
  • Allowed Movie Ratings - Select a value from the dropdown menu to set the maximum rating level permitted for movie content.
  • TV Shows Rating - Select this option to set the maximum rating level permitted for TV show content.

Connectivity & Communication

  • Allow Storage of AirPrint Credentials in Keychain - Select this option to prevent the device from saving AirPrint usernames and passwords in the Keychain.
  • Allow Discovery of AirPrint Printers via iBeacons - Select this option to stop the device from using iBeacon proximity to discover AirPrint printers.
  • Allow Call Recording - Select this option to prevent users from recording phone calls on the device.
  • Allow Cellular Plan Modification - Select this option to restrict users from changing, adding or removing cellular plans.
  • Allow Default Calling App Modification - Select this option to prevent users from changing the default app used for making phone calls.
  • Allow Default Messaging App Modification - Select this option to prevent users from changing the default app used for sending messages.
  • Allow eSIM Modification - Select this option to prohibit users from adding, removing or modifying eSIM configurations.
  • Allow eSIM Outgoing Transfers - Select this option to stop users from transferring an active eSIM from this device to another device.
  • Allow Automatic Sync While Roaming - Select this option to disable automatic data synchronization when the device is on a roaming network.
  • Allow Host Pairing - Select this option to prevent the device from pairing with any computer except for the designated supervision host.
  • Allow Live Voicemail - Select this option to disable the Live Voicemail feature which provides real-time transcriptions of incoming messages.
  • Allow Modifying Personal Hotspot Settings - Select this option to prevent users from changing any Personal Hotspot configurations or toggling the service.
  • Allow RCS Messaging - Select this option to disable Rich Communication Services (RCS) for enhanced texting with non-Apple devices.
  • Allow Satellite Connection - Select this option to prevent the device from connecting to satellite services for messaging or emergency SOS.
  • Allow Video Conferencing Remote Control - Select this option to prevent remote participants from taking control of the device during a video conference.
  • Denied ICCIDs for iMessage & FaceTime - Select this option to specify a list of SIM cards (by ICCID) that are blocked from activating iMessage and FaceTime.
  • Denied ICCID - Enter a specific Integrated Circuit Card Identifier to be restricted by the system.
  • Denied ICCIDs for RCS Messaging - Select this option to specify a list of SIM cards (by ICCID) that are prohibited from using RCS messaging.
  • Denied ICCID for RCS - Enter the specific SIM identifier that should be blocked from using RCS services.
  • Treat AirDrop as Unmanaged Destination - Select this option to force AirDrop to be treated as an unmanaged location, preventing data transfer from managed apps.
  • Require Password for Outgoing AirPlay Requests - Select this option to force the device to request a password whenever it attempts to stream content via AirPlay.
  • Force Preserve eSIM on Erase - Select this option to ensure the eSIM profile remains on the device even if the device is wiped or factory reset.

App Management & Restrictions

  • Allow App Clips - Select this option to prevent users from adding or opening App Clips on the device.
  • Allow Apple Personalized Advertising - Select this option to limit Apple’s ability to use the user's data for personalized advertising.
  • Allow App Removal - Select this option to prevent users from deleting any installed apps from the device.
  • Allow Hiding Apps - Select this option to restrict users from hiding apps from the Home Screen.
  • Allow Locking Apps - Select this option to prevent users from using Face ID, Touch ID, or a passcode to lock specific apps.
  • Allow Automatic App Downloads - Select this option to stop the App Store from automatically downloading apps purchased on other devices.
  • Allow Trusting Enterprise Apps - Select this option to prevent users from manually trusting unmanaged enterprise app developers in Settings.
  • Allow In-App Purchases - Select this option to disable the ability to make purchases within apps.
  • Allowed App Bundle IDs - Select this option to specify a list of specific app identifiers that are permitted on the device.
  • App Bundle ID - Select this option to enter the unique identifier for a specific app to be included in the allowed list.
  • Allow App Installation from Alternative Marketplaces - Select this option to prevent the installation of apps from third-party marketplaces (in eligible regions).
  • Allow Modifying Notification Settings - Select this option to stop users from changing how notifications appear for their apps.
  • Allow System App Removal - Select this option to prevent users from deleting native Apple apps that come pre-installed.
  • Allow App Installation from App Store - Select this option to disable the App Store and prevent users from installing or updating apps.
  • Allow App Installation from Websites - Select this option to block users from installing apps directly from a developer's website.
  • Permitted App IDs for Autonomous Single App Mode - Select this option to define which apps are allowed to put themselves into a locked single-app state.
  • App Bundle ID - Select this option to enter the identifier for an app permitted to use Autonomous Single App Mode.

Security & Privacy

  • Allow iCloud Keychain Sync - Select this option to prevent the device from syncing passwords and credit card information to iCloud Keychain.
  • Allow Modifying Biometrics - Select this option to stop users from adding, deleting or changing Face ID or Touch ID data.
  • Allow Mail Privacy Protection - Select this option to prevent the device from hiding the user's IP address and loading remote content privately in the Mail app.
  • Allow Passcode Modification - Select this option to prohibit users from adding, changing or removing the device passcode.
  • Allow Password Proximity Requests - Select this option to stop the device from requesting passwords from nearby Apple devices.
  • Allow Password Sharing - Select this option to prevent users from sharing their saved passwords with others via AirDrop.
  • Allow User to Accept Untrusted TLS Certificates - Select this option to prevent users from manually trusting and visiting websites with invalid or expired security certificates.
  • Allow USB Restricted Mode - Select this option to prevent the device from requiring an unlock to connect to USB accessories after being locked for a period of time.
  • Disallow AirPrint to Destinations with Untrusted Certificates - Select this option to force the device to block printing to any AirPrint destination that lacks a valid security certificate.
  • Require Authentication Before AutoFill - Select this option to force the device to require Face ID, Touch ID, or a passcode before automatically filling in saved passwords or credit card info.
  • Force Encrypted Backups - Select this option to ensure that all backups made to a computer are encrypted with a password.
  • Disallow Turning Off Wi-Fi - Select this option to prevent users from disabling Wi-Fi in Settings or Control Center.
  • Force Wi-Fi to Allowed Networks Only - Select this option to restrict the device so it can only connect to Wi-Fi networks specifically defined in a configuration profile.
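
An added example, not part of the original article or of JumpCloud's tooling: a check of a Restrictions payload against a baseline, showing that "Allow" settings restrict when false while "Force" settings restrict when true. The Apple Restrictions payload keys (com.apple.applicationaccess) are assumed to correspond to the options on this page; the baseline values and the sample profile are constructed for illustration.

```python
import plistlib

# Illustrative baseline, not a JumpCloud or Apple recommendation.
# Keys come from Apple's Restrictions payload; their mapping to the
# option names on this page is an assumption.
BASELINE = {
    "allowHostPairing": False,
    "allowUntrustedTLSPrompt": False,
    "allowEnterpriseAppTrust": False,
    "allowUSBRestrictedMode": True,   # False lets USB accessories connect while locked
    "forceEncryptedBackup": True,
    "forceAirDropUnmanaged": True,
    "forceAuthenticationBeforeAutoFill": True,
    "safariForceFraudWarning": True,
}

def default_for(key):
    """allow* keys default to True when absent; force* style keys to False."""
    return key.startswith("allow")

def audit_profile(profile_bytes):
    """Return {key: (expected, effective)} for every deviation from BASELINE."""
    profile = plistlib.loads(profile_bytes)
    effective = {}
    # This sketch lets later Restrictions payloads override earlier ones.
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            effective.update(payload)
    findings = {}
    for key, expected in BASELINE.items():
        actual = effective.get(key, default_for(key))
        if actual != expected:
            findings[key] = (expected, actual)
    return findings

# Constructed sample profile (placeholder identifier, not a real export).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowHostPairing": False,
        "allowUntrustedTLSPrompt": True,
        "allowUSBRestrictedMode": False,
        "forceEncryptedBackup": True,
        "forceAirDropUnmanaged": True,
    }],
})

if __name__ == "__main__":
    for key, (expected, actual) in sorted(audit_profile(SAMPLE_PROFILE).items()):
        print(f"{key}: expected {expected}, effective {actual}")
```

Keys missing from the payload are reported at their defaults, so an option that was never configured shows up as a deviation rather than passing silently.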

Safari & Web Browsing

  • Allow Default Browser Modification - Select this option to prevent users from changing the default web browser on the device.
  • Allow Use of Safari - Select this option to disable the Safari browser and remove its icon from the Home Screen.
  • Allow Clearing Safari History - Select this option to prevent users from deleting their browsing history and website data in Safari.
  • Allow Safari Private Browsing - Select this option to disable the ability to use private tabs or windows in Safari.
  • Accept Cookies in Safari - Select this option to define the specific conditions under which Safari is permitted to accept or block browser cookies.
  • Allow Safari AutoFill - Select this option to prevent Safari from automatically filling in forms with user information, passwords, or credit card details.
  • Allow JavaScript in Safari - Select this option to disable the execution of JavaScript on websites visited within Safari.
  • Allow Pop-ups in Safari - Select this option to prevent Safari from opening new windows or tabs via pop-ups.
  • Enable Fraud Warning in Safari - Select this option to force Safari to warn users when they visit websites suspected of phishing or other fraudulent activity.

Hardware & Education

  • Allow NFC - Select this option to disable Near Field Communication (NFC) and prevent the device from using contactless features.
  • Allow Remote Screen Observation - Select this option to prevent the device screen from being viewed remotely by authorized administrators or teachers.
  • Automatically Join Classroom Classes - Select this option to force the device to join Apple Classroom classes without requiring a prompt for the user.
  • Require Permission to Leave Classroom Classes - Select this option to prevent students from leaving an Apple Classroom session without the teacher's approval.
  • Allow Unprompted App and Device Lock by Teacher - Select this option to allow a teacher to lock a student's device or specific app without requesting permission.
  • Allow Unprompted Screen Observation by Teacher - Select this option to allow a teacher to view a student's screen in Apple Classroom without triggering a local notification or request.
  • Force Apple Watch Wrist Detection - Select this option to ensure that an Apple Watch automatically locks whenever it is removed from the user's wrist.

Applying and Assigning the Policy

  1. (Optional) Select the Device Groups tab. Select one or more device groups where you want to apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
  2. (Optional) Select the Devices tab. Select one or more devices where you want to apply this policy.
  3. Click Save. If prompted, click Save again. The policy configuration settings are applied automatically and do not require a system restart.