Restrict device enrollment to Profile Manager
By default, users can enroll devices they own and devices owned by their organization. You can set restrictions to prevent users from enrolling unauthorized devices and using certain functions on the user portal. You can do the following for any group:
Restrict access to the user portal
Restrict configuration profile downloads
Restrict enrollment and unenrollment using the user portal (Supervised)
Restrict the ability to lock the device
Restrict the ability to clear the device passcode
Restrict the ability to wipe the device
Restrict enrollment during setup when the device was configured using:
Apple School Manager or Apple Business Manager
Apple Configurator 2
Restrict enrollment to placeholder devices
Restrict enrollment to assigned devices
Note: Changing the settings for the Everyone group affects all users. If a user is a member of more than one group and different settings are applied to those groups, the more restrictive settings apply.
Restrict all access to the user portal
You can prevent access to the user portal entirely or just restrict certain options. By default, users have full access and no restrictions.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the About tab and review the restriction options for all users.
Deselect the features you want to restrict under “Allow access to user portal,” then click Save.
All users are now restricted to only those items you left selected. To change the restrictions for a certain user or group, select an account, make your changes, then click Save.
Restrict device enrollment for all users during Setup Assistant
You can prevent users from authenticating and enrolling devices during Setup Assistant.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the About tab.
Deselect one or both of the following:
Allow enrollment during Setup Assistant for devices configured using Apple School Manager or Apple Business Manager
Allow enrollment during Setup Assistant for devices configured using Apple Configurator 2
Click Save.
Restrict enrollment of devices with no placeholder for all users
You can restrict which devices a user can enroll based on the presence of a device placeholder. For example, if a user tries to enroll a device that’s unknown to Profile Manager, you can prevent enrollment.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the About tab.
Select “Restrict enrollment to placeholder devices,” then click Save.
All users can now enroll only devices that have a placeholder with the correct UDID. For more information about UDIDs, see Import a device list to Profile Manager.
Restrict enrollment of devices not assigned to a user
You can restrict device enrollment based on a user’s current device assignment.
In the Profile Manager sidebar, select Groups.
Select Everyone, then click the About tab.
Select “Restrict enrollment to assigned devices,” then click Save.
All users can now only enroll devices assigned to their account.
Enrollment restriction examples
Here are two examples where you might want to use a combination of restrictions:
Example | Restrict enrollment to placeholder devices | Restrict enrollment to assigned devices |
---|---|---|
Only devices shown in Profile Manager device list | Enabled | Disabled |
Only devices shown in Profile Manager device list and assigned to users | Enabled | Enabled |
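
The following added example (a model written for this page, not Profile Manager's own code) shows how the "more restrictive settings apply" rule from the note combines with the two restrictions in the table, which is useful for checking a planned group layout before changing Everyone. All class, function and field names and the sample inventory are hypothetical. It assumes that the placeholder and assignment checks apply on every enrollment path and that a device with no placeholder counts as unassigned.

```python
# Added illustration: a model of the rules on this page, not Profile Manager code.
# Every name and all sample data below are constructed for the example.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class GroupSettings:
    allow_setup_asm_abm: bool = True       # Setup Assistant enrollment, ASM/ABM devices
    allow_setup_configurator: bool = True  # Setup Assistant enrollment, Apple Configurator 2
    restrict_to_placeholder: bool = False  # "Restrict enrollment to placeholder devices"
    restrict_to_assigned: bool = False     # "Restrict enrollment to assigned devices"

@dataclass(frozen=True)
class Device:
    udid: str
    assigned_to: Optional[str] = None

def effective(groups):
    """Most restrictive wins: 'allow' options are ANDed, 'restrict' options are ORed."""
    return GroupSettings(
        allow_setup_asm_abm=all(g.allow_setup_asm_abm for g in groups),
        allow_setup_configurator=all(g.allow_setup_configurator for g in groups),
        restrict_to_placeholder=any(g.restrict_to_placeholder for g in groups),
        restrict_to_assigned=any(g.restrict_to_assigned for g in groups),
    )

def may_enroll(user, udid, groups, inventory, via=None):
    """Return (allowed, reason). via: None (user portal), 'asm_abm' or 'configurator'."""
    s = effective(groups)
    if via == "asm_abm" and not s.allow_setup_asm_abm:
        return False, "Setup Assistant enrollment (ASM/ABM) not allowed"
    if via == "configurator" and not s.allow_setup_configurator:
        return False, "Setup Assistant enrollment (Configurator 2) not allowed"
    dev = inventory.get(udid)
    # Assumption: both device checks apply regardless of the enrollment path.
    if s.restrict_to_placeholder and dev is None:
        return False, "no placeholder with this UDID"
    if s.restrict_to_assigned and (dev is None or dev.assigned_to != user):
        return False, "device not assigned to this user"
    return True, "allowed"

# Constructed sample data: two placeholders, one assigned to alice.
INVENTORY = {"UDID-0001": Device("UDID-0001", "alice"),
             "UDID-0002": Device("UDID-0002")}
EVERYONE = GroupSettings(restrict_to_placeholder=True)
CONTRACTORS = GroupSettings(restrict_to_assigned=True, allow_setup_configurator=False)
```

With only `EVERYONE` applied the model matches the first table row; adding `CONTRACTORS` to a user's groups gives the second row for that user even though Everyone leaves the assignment restriction off.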