
Security and privacy MDM restrictions for Apple devices
You can manage security and privacy settings on iPhone, iPad and Mac devices enrolled in a mobile device management (MDM) solution or with Apple Configurator 2 (iPhone and iPad only). See the Apple Configurator 2 User Guide.
Setting | Function | Supervised | OS |
|---|---|---|---|
Allow managed apps to edit unmanaged contacts | Managed apps can edit contacts in unmanaged accounts, even if managed apps are prevented from editing unmanaged destinations. | No | iOS 12.0 |
Allow unmanaged apps to read managed contacts | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading from managed destinations. | No | iOS 12.0 |
Password AutoFill | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain. | Yes (iOS), Yes (iPadOS), No (macOS) | iOS 12.0, macOS 10.14 |
Proximity AutoFill | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS and macOS this feature restricts only Wi-Fi Password requests. | Yes (iOS), Yes (iPadOS), Yes (tvOS), No (macOS) | iOS 12.0, tvOS 12.0, macOS 10.14 |
Share passwords over AirDrop | Users can’t share their passwords over AirDrop. | Yes (iOS), Yes (iPadOS), No (macOS) | iOS 12.0, macOS 10.14 |
Require Face ID authentication for AutoFill | Users can’t use Face ID authentication to AutoFill app data. | Yes | iOS 11.0 |
Add VPN configurations | Users can’t create and add VPN configurations. | Yes | iOS 11.0 |
Join only Wi-Fi networks installed by a Wi-Fi payload | Devices with this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | Yes | iOS 10.3 |
Modify sending diagnostic usage data to Apple | Modifying diagnostic data settings isn’t permitted. | Yes | iOS 9.3.2 |
Treat AirDrop as unmanaged destination | Users see AirDrop as an option from a managed app. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations”. | No | iOS 9.0 |
Trust new enterprise app authors | Users can’t allow new enterprise app authors to be trusted, which prohibits apps from those authors from launching. | No | iOS 9.0 |
Modify passcode | Users can’t change the set passcode. | Yes (iOS), Yes (iPadOS), No (macOS) | iOS 9.0, macOS 10.13 |
Modify Touch ID fingerprints and Face ID faces | Users can’t add or remove existing biometric information. | Yes | iOS 8.3 |
Erase All Content and Settings | Users can’t erase their device and reset it to factory defaults. | Yes | iOS 8.0 |
Require passcode on first AirPlay pairing | A passcode is required when an iOS, iPadOS or tvOS device is first paired for AirPlay. | No | iOS 7.1 |
AirDrop | Users can’t use AirDrop. | Yes (iOS), Yes (iPadOS), No (macOS) | iOS 7.0, macOS 10.13 |
Touch ID or Face ID unlocks device | Users must use a passcode or password to unlock the device. | No | iOS 7.0 (Touch ID), iOS 11.0 (Face ID), macOS 10.12.4 |
Autonomous Single App Mode | Allows selected apps to be used in Single App Mode. | Yes | iOS 7.0 |
Force limited ad tracking | Apps can’t use the Advertising Identifier (a non-permanent device identifier) to serve user-targeted ads. | No | iOS 7.0 |
Automatic updates to certificate trust settings | Automatic updates to certificate trust settings can’t occur. | No | iOS 7.0 |
Documents from managed sources appear in unmanaged destinations | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations. | No | iOS 7.0 |
Documents from unmanaged sources appear in managed destinations | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations. | No | iOS 7.0 |
Send diagnostic and usage data to Apple | Users can’t choose to send diagnostic information to Apple. | No | iOS 6.0, macOS 10.13 |
Explicit content in Apple Books | Explicit content purchased from Apple Books is hidden. Explicit content is flagged by content providers when sold through the Books app. | No (iOS 12.4 or earlier), Yes (iOS 13 and iPadOS 13.1) | iOS 6.0, tvOS 11.3 |
Require iTunes Store password for all purchases | In-app purchases and iTunes Store purchases prompt for the account password. | No | iOS 6.0 |
Users accept untrusted TLS certificates | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted by iOS, go to the Apple Support article Lists of available trusted root certificates in iOS. | No | iOS 5.0 |
Force encrypted backups | Users can’t choose whether or not device backups performed in iTunes (in macOS 10.14 or earlier) or the Finder (in macOS 10.15 or later) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by iTunes or the Finder. Profiles installed on the device by Profile Manager are never encrypted. | No | iOS 4.0 |
Ratings region | Select from nine different regions. This setting can’t be disabled. The default is United States. | No | iOS 4.0, tvOS 11.3 |
Define content ratings | Select maximum allowed ratings for films, TV programmes and apps. | No | iOS 4.0, tvOS 11.3 |
Playback of explicit music, podcasts and iTunes U content | Explicit music or video content purchased from the iTunes Store or listed in iTunes U is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store or distributed through iTunes U. | No (iOS 12.4 or earlier), Yes (iOS 13 and iPadOS 13.1) | iOS 2.0, tvOS 11.3 |
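
The following is an added example, not part of Apple's documentation: a Python check that reads the Restrictions payload of a configuration profile and flags supervised-only restrictions sent to an unsupervised device, the AirDrop dependency noted in the table, and the TLS and backup settings left at their permissive defaults. The key names are those of Apple's Restrictions payload (`com.apple.applicationaccess`), which this page does not list, and the sample profile is constructed.

```python
import plistlib

# Key names come from Apple's Restrictions payload (com.apple.applicationaccess);
# the table gives only display names. These are "Supervised: Yes" for iOS there.
SUPERVISED_ONLY = {
    "allowPasswordAutoFill", "allowPasswordProximityRequests",
    "allowPasswordSharing", "allowVPNCreation", "allowAirDrop",
    "allowEraseContentAndSettings",
}

def restrictions(profile_bytes):
    """Merge every Restrictions payload in a profile into one dict."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update({k: v for k, v in payload.items()
                           if not k.startswith("Payload")})
    return merged

def audit(profile_bytes, supervised):
    r = restrictions(profile_bytes)
    findings = []
    if not supervised:
        for key in sorted(r.keys() & SUPERVISED_ONLY):
            findings.append(f"{key}: requires a supervised device")
    # Table note: AirDrop-as-unmanaged only works when documents from managed
    # sources are also blocked from unmanaged destinations.
    if r.get("forceAirDropUnmanaged") and r.get("allowOpenFromManagedToUnmanaged", True):
        findings.append("forceAirDropUnmanaged: also set allowOpenFromManagedToUnmanaged=false")
    if r.get("allowUntrustedTLSPrompt", True):
        findings.append("allowUntrustedTLSPrompt: users can accept unverifiable certificates")
    if not r.get("forceEncryptedBackup", False):
        findings.append("forceEncryptedBackup: local backups may be stored unencrypted")
    return findings

# Constructed sample profile, not taken from a real deployment.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowPasswordAutoFill": False,
        "allowAirDrop": False,
        "forceAirDropUnmanaged": True,
        "allowUntrustedTLSPrompt": False,
    }],
})
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, supervised=False)))
```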