Profile Manager user and user group restrictions
These settings are on by default for all users and the user group Everyone. They’re off by default for the group Workgroup and any administrator-created user groups.
Other MDM solutions may have similar settings.
Allow access to My Devices portal: When this option is on, users can access the Profile Manager My Devices portal.
The following are additional administrator settings:
Allow configuration profile downloads: When this option is on, users can download configuration profiles from the My Device portal.
Allow device enrollment and unenrollment: When this option is on, users can enroll additional devices and unenroll devices.
Allow device wipe: When this option is on, users can wipe their devices.
Allow device lock: When this option is on, users can lock their devices.
Allow device passcode to be cleared: When this option is on, users can clear their device passcode.
Allow enrollment during Setup Assistant for devices configured using Apple School Manager or Apple Business Manager: When this option is on, devices set up with Apple Configurator can be enrolled in Profile Manager’s MDM service.
The following settings are off by default for all users and user groups.
Allow enrollment during Setup Assistant for devices configured using Apple Configurator: When this option is on, a user’s device set up with Apple Configurator can be enrolled in Profile Manager’s MDM service.
Restrict enrollment to placeholder devices: When this option is on, only devices that have a placeholder can enroll in Profile Manager’s MDM service. The placeholder must contain one of the following:
Serial Number
UDID
IMEI
MEID
Bonjour device ID (Apple TV only)
When this option is on, you can also configure this setting:
Restrict enrollment to assigned devices: When this option is on, only devices that have been assigned to a user can be enrolled in Profile Manager’s MDM service.