MDM restrictions for supervised Apple devices
Certain restrictions are available only for Apple devices that are enrolled in a mobile device management (MDM) solution and supervised. For more information, see About Apple device supervision.
The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column.
Note: Not all restrictions are available in all MDM solutions, and they have the ability to change the default state for any restriction. To learn more about MDM restriction availability for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating system versions | Restriction functionality | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Allow external intelligence integrations | macOS 15.2 | Prevents the use of external, cloud-based intelligence services with Siri. This currently includes ChatGPT and Google Lens (visual intelligence). | |||||||||
Allow signing in to external intelligence integrations | iOS 18.2 iPadOS 18.2 macOS 15.2 | Forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction signs them out. | |||||||||
Allow default browser modification | iOS 18.2 iPadOS 18.2 | Prevents the default browser preference modification. The MDM Settings command to set the default browser preference still works when this is applied. | |||||||||
Allow satellite connection | iOS 18.2 | Prevents the connection to and use of satellite services. | |||||||||
Allow Mail summary | iOS 18.1 iPadOS 18.1 macOS 15.1 | Prevents the ability to create summaries of email messages manually. This doesn’t affect automatic summary generation. | |||||||||
Allow RCS messaging | iOS 18.1 iPadOS 18.1 | Prevents the use of RCS messaging. | |||||||||
Allow call recording | iOS 18.1 | Prevents the use of call recording on iPhone. | |||||||||
Allow media sharing | macOS 15.1 | Prevents modification of Media Sharing settings. | |||||||||
Force bypass screen capture alert | macOS 15.1 | Prevents showing the screen capture alert dialog. Default is off. | |||||||||
Allow writing tools | iOS 18 iPadOS 18 macOS 15 | Prevents Apple Intelligence writing tools. | |||||||||
Allow Image Playground | iOS 18 iPadOS 18 macOS 15 | Prevents users from using Image Playground. | |||||||||
Allow Genmoji | iOS 18 iPadOS 18 macOS 15 | Prevents users from creating a Genmoji. | |||||||||
Allow iPhone mirroring | iOS 18 macOS 15 | On iPhone, prevents an iPhone from mirroring to a Mac. On Mac, prevents a Mac from mirroring an iPhone. | |||||||||
Allow eSIM outgoing transfers | iOS 18 iPadOS 18 | Prevents the transfer of an eSIM from the device on which the restriction is installed to a different device. | |||||||||
Allow apps to be hidden | iOS 18 iPadOS 18 | Prevents users from hiding apps. | |||||||||
Allow apps to be locked | iOS 18 iPadOS 18 | Prevents users from locking apps. If this restriction is used, hiding apps is also prevented. | |||||||||
Allow personalized handwriting results | iOS 18 iPadOS 18 | Prevents iOS and iPadOS from generating text in the user’s handwriting. | |||||||||
Allow Image Wand | iOS 18 iPadOS 18 | Prevents users from using Image Wand. | |||||||||
Allow app installation from a website (In eligible regions) | iOS 17.5 | Prevents installation of apps directly from the web. | |||||||||
Allow app installation from an alternative marketplace (In eligible regions) | iOS 17.4 | Prevents installation of new alternative app marketplaces and apps hosted on those marketplaces. | |||||||||
Allow auto-dim | iPadOS 17.4 | Prevents a device with a Tandem OLED screen from dimming. | |||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | |||||||||
Allow Live Voicemail | iOS 17.2 | Prevents the user from using Live Voicemail. Default is off. | |||||||||
iCloud Private Relay | iOS 15 iPadOS 15 macOS 12.0.1 visionOS 2.0 | Prevents the user from turning on iCloud Private Relay. | |||||||||
Allow putting an iPhone or iPad into Recovery Mode from an unpaired host | iOS 14.5 iPadOS 14.5 | Previously, any external host computer was allowed to restart a connected iPhone or iPad into recoveryOS (also known as Recovery Mode). This meant that the host computer could completely erase the device and restore iOS or iPadOS over a USB connection without any other physical interaction with the device. iOS 14.5 and iPadOS 14.5, or later, prevent this behavior by default. Default is off. | |||||||||
Allow Near–field communications (NFC) | iOS 14.2 | Prevents users from using built-in NFC hardware in compatible devices using iOS 14.2 or later. | |||||||||
Allow App Clips | iOS 14 iPadOS 14 | Users can’t add App Clips. Any existing App Clips are removed when this restriction is applied. | |||||||||
Allow Shared iPad Temporary Session | iPadOS 13.4 | Shared iPad won’t allow a Temporary Session. | |||||||||
Add Game Center friends | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | Users can’t find or add friends in Game Center. | |||||||||
Multiplayer gaming | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | Users can’t play multiplayer games in Game Center. | |||||||||
Safari AutoFill | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | Safari doesn’t keep track of what users enter in web forms. | |||||||||
Use Safari | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | |||||||||
iTunes Store | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase, or download content. | |||||||||
Allow network drive connections | iOS 13 iPadOS 13.1 | Users can’t connect to network drives in the Files app. | |||||||||
Allow accessory connections | iOS 13 iPadOS 13.1 | The device can always connect to specific accessories while locked. | |||||||||
Force Wi-Fi on | iOS 13 iPadOS 13.1 | Users can’t turn off Wi-Fi in:
Users can still select which Wi-Fi network to use. Default is off. | |||||||||
Allow Find My Device | iOS 13 iPadOS 13.1 | Users can’t use the Find My app. | |||||||||
Allow Find My Friends | iOS 13 iPadOS 13.1 | Users can’t use the Find My Friends feature in the Find My app. | |||||||||
Allow QuickPath keyboard | iOS 13 iPadOS 13.1 | Users can’t use the QuickPath keyboard. | |||||||||
Use Safari | iOS 13 iPadOS 13.1 | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | |||||||||
Safari AutoFill | iOS 13 iPadOS 13.1 | Safari doesn’t keep track of what users enter in web forms. | |||||||||
iTunes Store | iOS 13 iPadOS 13.1 | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase, or download content. | |||||||||
Playback of explicit music, video, and podcast content | iOS 13 iPadOS 13.1 | Explicit music or video content purchased from the iTunes Store or downloaded from the Podcasts app is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store. | |||||||||
Add Game Center friends | iOS 13 iPadOS 13.1 | Users can’t find or add friends in Game Center. | |||||||||
Multiplayer gaming | iOS 13 iPadOS 13.1 | Users can’t play multiplayer games in Game Center. | |||||||||
Install apps | No (iOS 12.4 or earlier) Yes (iOS 13) Yes (iPadOS 13.1) | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps from the App Store using the Finder (macOS 10.15 or later), or iTunes (macOS 10.14 or earlier). For devices with iOS 10 or later, MDM can override this restriction. Proprietary in-house apps can still be installed and updated. Note: If native iOS and iPadOS system apps are removed, they can be reinstalled. | |||||||||
iCloud Documents and Data | Yes (iOS 13) Yes (iPadOS 13.1) | Documents and data aren’t added to iCloud. | |||||||||
Prevent Apple TV from going to sleep | tvOS 13 | Users and tvOS can’t put the Apple TV to sleep. | |||||||||
Modify personal Hotspot settings | iOS 12.2 iPadOS 13.1 | Users can’t modify personal Hotspot settings. | |||||||||
Modify eSIM settings | iOS 12.1 iPadOS 13.1 | Users can’t add or remove an eSIM plan for an iPhone that supports eSIM. | |||||||||
AirPlay, View Screen by Classroom, and screen sharing | Yes (iOS 12) Yes (iPadOS 13.1) | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens. | |||||||||
Password AutoFill | iOS 12 iPadOS 13.1 | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | |||||||||
Proximity AutoFill | iOS 12 iPadOS 13.1 tvOS 12.2 | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. For devices with iOS, iPadOS, and macOS this feature restricts only Wi-Fi password requests. | |||||||||
Share passwords over AirDrop | iOS 12 iPadOS 13.1 | Users can’t share their passwords over AirDrop. | |||||||||
Turn on “Set Automatically” in Date and Time settings | iOS 12 iPadOS 13.1 tvOS 12.2 | Set Automatically is turned on and users can’t turn it off. | |||||||||
Allow connected accessories while locked | iOS 11.4.1 iPadOS 13.1 | Users can always connect accessories when the iPhone or iPad is locked. For more information, see Activating data connections securely in Apple Platform Security. | |||||||||
Require teacher permission to leave Classroom teacher-created classes | iOS 11.3 iPadOS 13.1 macOS 10.14.4 | Students must request permission before they can leave a teacher-created class. Default is off. | |||||||||
Defer software updates | iOS 11.3 iPadOS 13.1 tvOS 12.2 | For more information, see Test and defer software updates. Default is off. | |||||||||
Remove system apps | iOS 11 iPadOS 13.1 | Users can’t remove native Apple apps. | |||||||||
Set up a nearby Apple device | iOS 11 iPadOS 13.1 | Users can’t use their Apple devices to set up and configure other Apple devices. | |||||||||
Require biometric authentication for AutoFill | iOS 11 iPadOS 13.1 | Users are required to authenticate with biometric authentication or with a passcode to automatically fill password and credit card information. Default is off. | |||||||||
Modify Bluetooth settings | iOS 11 iPadOS 13.1 | Users can’t modify the Bluetooth® setting. | |||||||||
Modify cellular plan settings | iOS 11 iPadOS 13.1 | Users can’t change any settings for the cellular plan. | |||||||||
Add VPN configurations | iOS 11 iPadOS 13.1 | Users can’t create and add VPN configurations. | |||||||||
AirPrint | iOS 11 iPadOS 13.1 | Users can’t use AirPrint. | |||||||||
Discover AirPrint printers using iBeacon | iOS 11 iPadOS 13.1 | Users can’t discover AirPrint printers using nearby iBeacon-compatible hardware transmitters. | |||||||||
Classroom to perform AirPlay and View Screen without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off. | |||||||||
Classroom can focus students on a single app and lock the device without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Teachers can lock an app open or lock the device without first prompting the user. Default is off. | |||||||||
Automatic joining Classroom classes without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Students can join a class without prompting the teacher. Default is off. | |||||||||
Store AirPrint credentials in Keychain | iOS 11 iPadOS 13.1 | Users can’t save their AirPrint credentials to their Keychain. | |||||||||
AirPrint to destinations with untrusted certificates | iOS 11 iPadOS 13.1 | Users can’t use AirPrint to print to printers with untrusted certificates. Default is off. | |||||||||
Join only Wi-Fi networks installed by a Wi-Fi payload | iOS 10.3 iPadOS 13.1 | When enabled, devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | |||||||||
Modify Dictation | iOS 10.3 iPadOS 13.1 | Users can’t use dictation on their device. | |||||||||
Modify diagnostic settings | iOS 9.3.2 iPadOS 13.1 | Modifying diagnostic data settings isn’t permitted. | |||||||||
Restrict app usage | iOS 9.3 iPadOS 13.1 tvOS 11 | Any apps other than Settings or Phone (on iPhone) can be placed on either an approved list or a disapproved one. | |||||||||
Apple Music | iOS 9.3 iPadOS 13.1 | Users can’t use Apple Music. | |||||||||
AirPlay security | tvOS 10.2 | Users can’t use AirPlay to stream content to the Apple TV. | |||||||||
Pair with Remote app | tvOS 10.2 | Users can’t use the Apple TV Remote app to control Apple TV. | |||||||||
Radio | iOS 9.3 iPadOS 13.1 | Users can’t listen to the radio with Apple Music. | |||||||||
Modify Notifications settings | iOS 9.3 iPadOS 13.1 | Users can’t change the configuration of any Notifications settings. | |||||||||
Modify passcode | iOS 9 iPadOS 13.1 | Users can’t change the set passcode. | |||||||||
News | iOS 9 iPadOS 13.1 | Users can’t use the News app. | |||||||||
Automatic app downloads | iOS 9 iPadOS 13.1 | The App Store won’t automatically download apps. | |||||||||
Pair with Apple Watch | iOS 9 | Users can’t pair their supervised iPhone with Apple Watch. | |||||||||
Modify device name | iOS 9 iPadOS 13.1 tvOS 11 | Users can’t change the name of the device as shown in Settings > General > About. | |||||||||
Modify Wallpaper | iOS 9 iPadOS 13.1 | Users can’t modify the wallpaper for the Lock Screen or Home Screen. | |||||||||
Keyboard shortcuts | iOS 9 iPadOS 13.1 | Users can’t use any keyboard shortcuts. | |||||||||
Modify Touch ID fingerprints and Face ID faces | iOS 8.3 (Touch ID) iOS 11 (Face ID) iPad 13.1 (Touch ID orFace ID) | Users can’t add or remove existing biometric information. | |||||||||
Predictive keyboard | iOS 8.1.3 iPadOS 13.1 | Users won’t see the predictive keyboard. | |||||||||
Auto correction | iOS 8.1.3 iPadOS 13.1 | Users won’t see any word correction suggestions. | |||||||||
Spell check | iOS 8.1.3 iPadOS 13.1 | Users won’t see potentially misspelled words underlined in red. | |||||||||
Define and Look Up | iOS 8.1.3 iPadOS 13.1 | Users can’t tap and hold a selection and look up a dictionary definition about the selection. | |||||||||
Modify restrictions or Screen Time settings | iOS 8 (Restrictions) iOS 12 (Screen Time) iPadOS 13.1 (Screen Time) | Users can’t set their own Screen Time settings on their device for iOS 12 or later. Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. | |||||||||
Podcasts | iOS 8 iPadOS 13.1 | Users can’t download podcasts. | |||||||||
Erase All Content and Settings | iOS 8 iPadOS 13.1 | Users can’t erase their device and reset it to factory defaults. | |||||||||
AirDrop | iOS 7 iPadOS 13.1 | Users can’t use AirDrop. | |||||||||
Modify Find My settings | iOS 7 iPadOS 13.1 | Users can’t change any settings in the Find My app. | |||||||||
Modify account settings | iOS 7 iPadOS 13.1 | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | |||||||||
Modify cellular data app settings | iOS 7 iPadOS 13.1 | Users can’t change any settings for apps that use cellular data. | |||||||||
Autonomous Single App Mode | iOS 7 iPadOS 13.1 | Allows selected apps to be used in Single App Mode. | |||||||||
User-generated content in Siri | iOS 7 iPadOS 13.1 | Siri can’t access content from sources that allow user-generated content, such as Wikipedia. | |||||||||
Install a configuration profile | iOS 6 iPadOS 13.1 | Users can’t manually install configuration profiles in Settings. | |||||||||
Game Center | iOS 6 iPadOS 13.1 | The Game Center app and its icon are removed. | |||||||||
Apple Books | iOS 6 iPadOS 13.1 | Apple Books is disabled, and users can’t access it from the Books app. | |||||||||
iMessage | iOS 6 iPadOS 13.1 | For Wi-Fi–only devices, the Messages app is hidden. For devices with Wi-Fi and cellular, the Messages app is still available, but only the SMS/MMS service can be used. | |||||||||
Siri profanity filter | iOS 5 iPadOS 13.1 | The profanity filter in Siri can be disabled. Default is off. | |||||||||
Pair with non-Apple Configurator hosts | iOS 5 iPadOS 13.1 | Users can pair their iPhone or iPad only with the Mac that first supervised the device and that has Apple Configurator installed. | |||||||||
Install apps | iOS 5 iPadOS 13.1 | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps from the App Store using the Finder (macOS 10.15 or later), or iTunes (macOS 10.14 or earlier). For devices with iOS 10 or later, MDM can override this restriction. Proprietary in-house apps can still be installed and updated. Note: If native iOS and iPadOS system apps are removed, they can be reinstalled. | |||||||||
Remove apps | iOS 4.2.1 iPadOS 13.1 | Users can’t remove installed apps. |