
MDM restrictions for iPhone and iPad devices
You can set restrictions, including modifying a device and its features, on iPhone and iPad devices enrolled in a mobile device management (MDM) solution.
iPhone and iPad MDM functionality restrictions
Setting | Functionality restriction | Supervised | Introduced |
---|---|---|---|
Allow personalized ads delivered by Apple | Users’ data will not be used by the Apple advertising platform to deliver personalized ads. | No | iOS 14.0 iPadOS 14 |
Allow App Clips | Users can’t add App Clips. Any existing App Clips are removed when this restriction is applied. | Yes | iOS 14.0 iPadOS 14 |
Allow Shared iPad Temporary Session | Shared iPad won’t allow a Temporary Session. | Yes | iPadOS 13.4 |
Allow network drive connections | Users can’t connect to network drives in the Files app. | Yes | iOS 13.0 iPadOS 13.1 |
Allow USB device connections | Users can’t connect USB devices to the device. | Yes | iOS 13.0 iPadOS 13.1 |
Force Wi-Fi on | Users can’t turn off Wi-Fi in: Users can still select which Wi-Fi network to use. | Yes | iOS 13.0 iPadOS 13.1 |
Allow Find My Device | Users can’t use the Find My app. | Yes | iOS 13.0 iPadOS 13.1 |
Allow Find My Friends | Users can’t use the Find My Friends feature in the Find My app. | Yes | iOS 13.0 iPadOS 13.1 |
Allow QuickPath keyboard | Users can’t use the QuickPath keyboard. | Yes | iOS 13.0 iPadOS 13.1 |
Modify personal Hotspot settings | Users can’t modify personal Hotspot settings. | Yes | 12.2 |
Modify eSIM settings | Users can’t add or remove an eSIM plan for an iPhone that supports eSIM. | Yes | 12.1 |
Proximity AutoFill | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS, and macOS this feature restricts only Wi-Fi Password requests. | Yes | 12.0 |
Share passwords over AirDrop | Users can’t share their passwords over AirDrop. | Yes | 12.0 |
Unmanaged apps to read managed contacts | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. | No | 12.0 |
Managed apps to edit unmanaged contacts | Managed apps can edit contacts to unmanaged accounts, even if managed apps are prevented from editing unmanaged destinations. | No | 12.0 |
Password AutoFill | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | Yes | 12.0 |
AirPlay, View Screen by Classroom, and screen sharing | Teachers using Classroom can’t use AirPlay with or view students’ screens, or share a student’s screen. | Yes (iOS 12) No (iPadOS 13.1) | 12.0 |
Turn on “Set Automatically” in Date and Time settings | Set Automatically is turned on, and users can’t turn it off. | Yes | 12.0 |
Modify restrictions or Screen Time settings | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device for iOS 12 or later. | Yes | 12.0 (Screen Time) 8.0 (Restrictions) |
Allow connected accessories while locked | Users can always connect accessories when the iOS or iPadOS device is locked. See Activating data connections securely in Apple Platform Security. | Yes | 11.4.1 |
Defer software updates | | Yes | 11.3 |
Require teacher permission to leave Classroom teacher-created classes | Students must request permission before they can leave a teacher-created class. | Yes | 11.3 |
Classroom can focus students on a single app and lock the device without prompting | Teachers can lock an app open or lock the device without first prompting the user. | Yes | 11.0 |
Automatic joining of Classroom classes without prompting | Students can join a class without prompting the teacher. | Yes | 11.0 |
Classroom to perform AirPlay and View Screen without prompting | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. | Yes | 11.0 |
AirPrint | Users can’t use AirPrint. | Yes | 11.0 |
Discover AirPrint printers using iBeacons | Users can’t discover AirPrint printers using nearby iBeacon-compatible hardware transmitters. | Yes | 11.0 |
Store AirPrint credentials in Keychain | Users can’t save their AirPrint credentials to their Keychain. | Yes | 11.0 |
AirPrint to destinations with untrusted certificates | Users can’t use AirPrint to print to printers with untrusted certificates. | Yes | 11.0 |
Setup a nearby Apple device | Users can’t use their Apple devices to set up and configure other Apple devices. | Yes | 11.0 |
Modify Bluetooth settings | Users can’t modify the Bluetooth setting. | Yes | 11.0 |
Modify cellular plan settings | Users can’t change any settings for the cellular plan. | Yes | 11.0 |
Remove system apps | Users can’t remove iOS and iPadOS-native apps. | Yes | 11.0 |
Add VPN configurations | Users can’t create and add VPN configurations. | Yes | 11.0 |
Require Touch ID or Face ID authentication for AutoFill | Users can’t use biometric authentication to AutoFill app data. | Yes | 11.0 |
Modify Touch ID fingerprints and Face ID faces | Users can’t add or remove existing biometric information. | Yes | 11.0 (Face ID) 8.3 (Touch ID) |
Touch ID or Face ID to unlock device | Users must use a passcode to unlock the device. | No | 11.0 (Face ID) 7.0 (Touch ID) |
Dictation | Users can’t use dictation on their device. | Yes | 10.3 |
Join only Wi-Fi networks installed by a Wi-Fi payload | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | Yes | 10.3 |
Modify diagnostic settings | Modifying diagnostic data settings isn’t permitted. | Yes | 9.3.2 |
Modify Notifications settings | Users can’t change the configuration of any Notifications settings. | Yes | 9.3 |
Apple Music | Users can’t use Apple Music. | Yes | 9.3 |
Radio | Users can’t listen to the radio with Apple Music. | Yes | 9.3 |
Modify device name | Users can’t change the name of the device as shown in Settings > General > About. | Yes | 9.0 |
Modify passcode | Users can’t change the set passcode. | Yes | 9.0 |
Keyboard shortcuts | Users can’t use any keyboard shortcuts. | Yes | 9.0 |
iCloud Photos | Users can’t use their iCloud Photos. | No | 9.0 |
Pair with Apple Watch | Users can’t pair their supervised iPhone with Apple Watch. | Yes | 9.0 |
Automatic app downloads | The App Store won’t automatically download apps. | Yes | 9.0 |
Trust new enterprise app authors | Users can’t allow new enterprise app authors to be trusted, which prohibits apps from those authors from launching. | No | 9.0 |
Treat AirDrop as unmanaged destination | Users see AirDrop as an option from a managed app. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations.” | No | 9.0 |
Modify Wallpaper | Users can’t modify the wallpaper for the Lock Screen or Home Screen. | Yes | 9.0 |
Force Apple Watch wrist detection | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or the paired iPhone. | No | 8.2 |
Predictive keyboard | Users won’t see the predictive keyboard. | Yes | 8.1.3 |
Auto correction | Users won’t see any word correction suggestions. | Yes | 8.1.3 |
Spell check | Users won’t see potentially misspelled words underlined in red. | Yes | 8.1.3 |
Define | Users can’t double-tap to search for a word’s definition. | Yes | 8.1.3 |
Managed app’s stored data in iCloud | Users can’t store data from managed apps in iCloud. | No | 8.0 |
Backup enterprise books | Users can’t back up books distributed by their organization to iCloud, the Finder (in macOS 10.15 or later), and iTunes (in macOS 10.14 or earlier). | No | 8.0 |
Handoff | Users can’t use Handoff with their Apple devices. | No | 8.0 |
Notes and highlights sync for enterprise books | Users can’t sync notes or highlights to other devices using iCloud. | No | 8.0 |
Erase All Content and Settings | Users can’t erase their device and reset it to factory defaults. | Yes | 8.0 |
Require passcode on first AirPlay pairing | A passcode is required when an iOS, iPadOS, or tvOS device is first paired for AirPlay. | No | 7.1 |
Automatic updates to certificate trust settings | Automatic updates to certificate trust settings can’t occur. | No | 7.0 |
iCloud Keychain | iCloud Keychain can’t be used. | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | 7.0 |
User-generated content in Siri | Siri can’t access content from sources that allow user-generated content, such as Wikipedia. | Yes | 7.0 |
Siri Suggestions | During search, Siri can’t offer suggestions for apps, people, locations, and more. | No | 7.0 |
Modify account settings | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | Yes | 7.0 |
Modify cellular data app settings | Users can’t change any settings for apps that use cellular data. | Yes | 7.0 |
AirDrop | Users can’t use AirDrop. | Yes | 7.0 |
Pair with non-Apple Configurator 2 hosts | Users can’t pair their iPhone or iPad device with anything but the Mac with Apple Configurator 2 installed, where the device was first supervised. | Yes | 7.0 |
Documents from managed sources appear in unmanaged destinations | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations. | No | 7.0 |
Documents from unmanaged sources appear in managed destinations | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations. | No | 7.0 |
Notification Center in Lock Screen | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears. | No | 7.0 |
Today view in Lock Screen | Users can’t swipe down to see Notification Center using Today View in the Lock Screen. | No | 7.0 |
Control Center in Lock Screen | Users can’t swipe up to view Control Center. | No | 7.0 |
Install configuration profiles | Configuration profiles can’t be manually installed by users. | Yes | 6.0 |
Send diagnostic and usage data to Apple | Users can’t choose to send diagnostic information to Apple. | No | 6.0 |
Wallet notifications in Lock Screen | Users must unlock the device to use Wallet. | No | 6.0 |
Apple Books | Apple Books is disabled, and users can’t access it from the Books app. | Yes | 6.0 |
Require iTunes Store password for all purchases | In-app purchases and iTunes Store purchases prompt for the account password. | No | 6.0 |
Siri while device locked | Siri responds only when the device is unlocked. | No | 5.1 |
Siri | Siri can’t be used. | No | 5.0 |
iCloud Backup | Device backup is performed only in the Finder (in macOS 10.15 or later), and iTunes (in macOS 10.14 or earlier). | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | 5.0 |
Shared Albums | Users can’t subscribe to or publish shared photo albums. | No | 5.0 |
My Photo Stream | Photos in My Photo Stream are erased from the device, photos from the Camera Roll aren’t sent to My Photo Stream, and photos and videos in shared streams can no longer be viewed on the device. Important: If there are no other copies of these photos and videos, they may be lost. | No | 5.0 |
Users accept untrusted TLS certificates | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts, and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted by iOS, see the Apple Support article Lists of available trusted root certificates in iOS. | No | 5.0 |
Siri profanity filter | The profanity filter in Siri can be disabled. | Yes | 5.0 |
iMessage | For Wi-Fi–only devices, the Messages app is hidden. For devices with Wi-Fi and cellular, the Messages app is still available, but only the SMS/MMS service can be used. | Yes | 5.0 |
Remove apps | Users can’t remove installed apps. | Yes | 4.2.1 |
Force encrypted backups | Users can’t choose whether device backups performed in the Finder (in macOS 10.15 or later), and iTunes (in macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Profiles installed on the device by Profile Manager are never encrypted. | No | 4.0 |
Automatic sync while roaming | Devices that are roaming sync only when an account is accessed by the user. | No | 4.0 |
In-app purchase | Users can’t make in-app purchases. | No | 4.0 |
Voice dialing while device is locked | Users can’t use voice commands to dial their phone when it’s locked. | No | 4.0 |
FaceTime | Users can’t place or receive FaceTime audio or video calls. | Yes | 4.0 |
Install apps using App Store | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps from the App Store using the Finder (in macOS 10.15 or later), and iTunes (in macOS 10.14 or earlier). In iOS 10 or later, MDM can override this restriction. In-house enterprise apps can still be installed and updated. Note: If native iOS and iPadOS system apps are removed, they can be reinstalled. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 4.0 |
Screenshots and screen recordings | Users can’t save a screenshot or recording of the screen. | No | 3.1 |
Use of cameras | Cameras are disabled and the Camera icon is removed from the Home Screen in iOS and iPadOS. Users can’t take photographs or videos. | This restriction is deprecated on unsupervised devices and will be supervised in a future release. | 2.0 |
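
Two conditions in the table above are easy to miss when writing a profile: rows marked Supervised apply only to supervised devices, and “Treat AirDrop as unmanaged destination” works only when “Allow documents from managed sources in unmanaged destinations” is also disabled. The following check is an added example, not part of Apple's documentation; the key names are those of the Restrictions payload (com.apple.applicationaccess), while their mapping to the rows on this page, the helper names, and the sample profile are assumptions of this example.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type

# Restrictions payload keys honoured only on supervised devices, mapped to the
# table rows they correspond to (the mapping is this example's assumption).
SUPERVISED_ONLY = {
    "allowAirDrop": "AirDrop",
    "allowHostPairing": "Pair with non-Apple Configurator 2 hosts",
    "allowUSBRestrictedMode": "Allow connected accessories while locked",
    "allowEraseContentAndSettings": "Erase All Content and Settings",
    "allowUIConfigurationProfileInstallation": "Install configuration profiles",
    "allowVPNCreation": "Add VPN configurations",
}

def build_profile(restrictions):
    """Serialize a minimal profile holding one Restrictions payload."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "com.example.restrictions",
                           "PayloadContent": [payload]})

def audit_profile(profile_bytes, supervised):
    """Return findings for restrictions that will not take effect as written."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if not supervised:
            for key, row in SUPERVISED_ONLY.items():
                if key in payload:
                    findings.append(f"{key}: '{row}' needs a supervised device")
        # A key absent from the payload keeps its default, which is true here.
        if payload.get("forceAirDropUnmanaged") and \
                payload.get("allowOpenFromManagedToUnmanaged", True):
            findings.append("forceAirDropUnmanaged: also set "
                            "allowOpenFromManagedToUnmanaged to false")
    return findings

# Constructed sample: AirDrop treated as unmanaged, managed open-in left on.
SAMPLE_PROFILE = build_profile({
    "allowAirDrop": False,
    "allowHostPairing": False,
    "forceAirDropUnmanaged": True,
    "forceEncryptedBackup": True,
})

if __name__ == "__main__":
    for supervised in (False, True):
        print("supervised" if supervised else "unsupervised",
              audit_profile(SAMPLE_PROFILE, supervised))
```
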
iPhone and iPad MDM app restrictions
Setting | Functionality restriction | Supervised | Introduced |
---|---|---|---|
Restrict app usage | Allows any apps other than Settings or Phone (iPhone) to be placed in an approved list or in a disapproved list. | Yes | 9.3 |
News | Users can’t use the News app. | Yes | 9.0 |
Podcasts | Users can’t download podcasts. | Yes | 8.0 |
Autonomous Single App Mode | Allows selected apps to be used in Autonomous Single App Mode. | Yes | 7.0 |
Game Center | The Game Center app and its icon are removed. | Yes | 6.0 |
Add Game Center friends | Users can’t find or add friends in Game Center. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 4.2.1 |
Multiplayer gaming | Users can’t play multiplayer games in Game Center. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 4.1 |
Safari AutoFill | Safari doesn’t keep track of what users enter in web forms. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 4.0 |
Force fraud warning | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. | No | 4.0 |
JavaScript | Safari ignores all JavaScript on websites. | No | 4.0 |
Safari pop-ups | Pop-ups are blocked in Safari. | No | 4.0 |
Block cookies | Sets the cookie policy in Safari. | No | 4.0 |
Use Safari | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 2.0 |
iTunes Store | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase, or download content. | No (iOS 12.4 or earlier) Yes (iOS 13, iPadOS 13.1) | 2.0 |
iPhone and iPad MDM media content restrictions
Setting | Functionality restriction | Introduced |
---|---|---|
Explicit content in Apple Books | Explicit content purchased from Apple Books is hidden. Explicit content is flagged by content providers when sold through the Books app. | 6.0 |
Ratings region | Select from nine different regions. This setting can’t be disabled. The default is United States. | 4.0 |
Define content ratings | Select maximum allowed ratings for movies, TV shows, and apps. | 4.0 |
Playback of explicit music, podcasts, and iTunes U content | Explicit music or video content purchased from the iTunes Store or listed in iTunes U is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store or distributed through iTunes U. | 4.0 |