Restrictions configuration (iOS device policy)
The Restrictions configuration lets you configure restrictions for iPhones and iPads.
Note
Some settings are only available for certain device types or operation system versions. For details, see the labels next to a setting in Sophos Mobile.
For details on device supervision, see Configure device supervision.
Device
| Setting | Description |
|---|---|
| Allow app installation | If you clear the checkbox, the App Store is unavailable, and its icon is removed from the Home Screen. Users can’t install or update apps from the App Store, from an alternative app marketplace, or from Apple Configurator. |
| Allow alternative app marketplace | If you clear the checkbox, users can’t install alternative app marketplaces, and any alternative app marketplace already installed is disabled. Note that alternative app marketplaces are only available in the European Union. The following requirements must be met:
For details, see About alternative app marketplaces in the European Union. |
| Allow app installation from device UI | If you clear the checkbox, the App Store is unavailable, and its icon is removed from the Home Screen. Users can still install or update apps from an alternative app marketplace or from Apple Configurator. |
| Allow App Clips | Users can add App Clips. If you clear the checkbox, any existing App Clips are removed. |
| Allow use of camera | If the checkbox is cleared, the camera is unavailable and the Camera icon is removed from the Home screen. Users cannot take pictures, record videos, or use FaceTime. |
| Allow FaceTime | Users can place or receive FaceTime video calls. This setting only applies to supervised devices. |
| Allow screen capture | Users can take a screenshot of the display. |
| Allow automatic sync while roaming | If the checkbox is cleared, devices that are roaming will only sync when the user accesses an account. |
| Allow Siri | If the checkbox is cleared, users cannot use Siri, voice commands, or dictation. |
| Allow Siri while device is locked | If the checkbox is cleared, users must unlock their devices by entering their password before they use Siri. |
| Allow Siri querying content from the web | If the checkbox is cleared, Siri does not query content from the web. |
| Force Siri explicit language filter | If the checkbox is cleared, the Siri filter for explicit language is not enforced on the device. |
| Force local dictation | Don’t connect to Siri servers when using dictation. |
| Force local translation | Don’t connect to Siri servers for translations. |
| Allow voice dialing while device is locked | If the checkbox is cleared, users cannot dial by using voice commands when the device is locked by a password. If the user has not configured a device password, voice dialing is always allowed. |
| Allow Passbook while device is locked | Passbook notifications are displayed when the device is locked. |
| Allow USB accessory mode while device is locked | The device can access USB accessories, such as USB assistive input devices for entering the passcode, when locked. |
| Allow in-app purchase | Users can make in-app purchases. |
| Force user to enter store password for all purchases | Users must enter their Apple ID password to make any purchase. If the checkbox is cleared, there is a brief grace period during which users can make subsequent purchases without having to enter their password again. |
| Allow multiplayer gaming | Users can play multi-player games in Game Center. |
| Allow Game Center | If the checkbox is cleared, Game Center is unavailable. |
| Allow adding Game Center friends | Users can add friends in Game Center. This setting only applies to supervised devices. |
| Allow Find My Friends modification | If the checkbox is cleared, modifications to the Find my Friends app are unavailable. |
| Allow Find My Friends | Users can find people in the Find My app. If you turn off both Allow Find My Device and Allow Find My Friends, the Find My app becomes unavailable. |
| Allow Find My Device | Users can find devices in the Find My app. If you turn off both Allow Find My Device and Allow Find My Friends, the Find My app becomes unavailable. |
| Allow host pairing | If the checkbox is cleared, you can only pair the device with Macs you’ve configured for device supervision. |
| Allow pairing with Apple Watch | If the checkbox is cleared, users cannot pair the device with an Apple Watch. Any currently paired Apple Watch is unpaired. |
| Force Wrist Detection | A paired Apple Watch must use Wrist Detection. |
| Force pairing password for outgoing AirPlay requests | Other devices receiving an AirPlay request from this device must use a pairing password. |
| Allow AirDrop | Content sharing with AirDrop is turned on. |
| Allow Control Center on lock screen | If the checkbox is cleared, the Control Center is unavailable when the device screen is locked. |
| Allow Notification Center on lock screen | If the checkbox is cleared, the Notification Center is unavailable when the device screen is locked. |
| Allow Today view on lock screen | If the checkbox is cleared, the Today view is unavailable when the device screen is locked. |
| Allow News | The News app is available. |
| Allow over-the-air PKI updates | Over-the-air PKI updates are possible. |
| Allow iBooks Store | Users can purchase books in iBooks. |
| Allow explicit sexual content in iBooks Store | If the checkbox is cleared, explicit sexual content through iBooks Store is blocked. |
| Allow user to install configuration profiles | Users can install configuration profiles. |
| Allow iMessage | Users can use iMessage to send or receive text messages. |
| Allow app removal | Users can uninstall apps from the device. |
| Allow system app removal | Users can uninstall system apps from the device. |
| Allow erase all contents and settings | If the checkbox is cleared, the Erase all Content And Settings option in the Reset UI is unavailable. |
| Allow internet search result for Spotlight | If the checkbox is cleared, Spotlight does not return internet search results. |
| Allow enabling of restrictions option | If the checkbox is cleared, the Enable Restrictions option in the Reset UI is unavailable. |
| Allow Handoff | Users can use the Apple Continuity feature Handoff. With Handoff, users can start to work on a document, email or message on one device and continue from another device. |
| Allow recovery mode from unpaired host | Allow restarting the device in recovery mode via USB from an unpaired host. Warning: When you select this option, an unauthorized user can reset the iPhone or iPad to its factory settings without directly interacting with the device. All they need is a USB connection from the device to their computer. |
| Allow device name modification | Users can change the device name. |
| Allow wallpaper modification | Users can change the wallpaper. |
| Allow changing notification settings | Users can change the notification settings. |
| Allow keyboard shortcuts | Users can use keyboard shortcuts. |
| Allow dictation for keyboard input | Users can turn on the Enable Dictation keyboard setting. |
| Allow predictive keyboard | Users can turn on the Predictive keyboard setting. |
| Allow auto-correction | Users can turn on the Auto-Correction keyboard setting. |
| Allow spell check | Users can turn on the Check Spelling keyboard setting. |
| Allow automatic app download | If the checkbox is cleared, the automatic downloading of apps purchased on other devices is turned off. This does not affect updates to existing apps. |
| Allow Apple Music | Users can access the Apple Music library. |
| Allow Apple Music Radio | Users can access Apple Music Radio. |
| Allow modification of Bluetooth settings | Users can modify the Bluetooth settings. |
| Allow VPN creation | Users can add VPN configurations. |
| Force automatic date and time | The Date & Time setting Set Automatically is turned on and can’t be turned off by the user. |
| Allow QuickPath keyboard | Users can use the QuickPath keyboard feature. |
| Allow Shared iPad temporary session | Users can access Shared iPad without a password by tapping Guest on the sign-in page. This starts a temporary session. When users sign out of a temporary session, all their data is deleted. In a temporary session, users can’t edit account settings or sign in to Apple services. |
| iOS & iPadOS software update delay | The number of days that an update of iOS or iPadOS is delayed after its release date. Enter a value from 0 (no delay) to 90. |
Company data
| Setting | Description |
|---|---|
| Allow documents to be shared only within managed apps/accounts | This restricts the opening of documents with apps or accounts managed by Sophos Mobile, for example a corporate email account. If users have an email account managed by Sophos Mobile and apps managed by Sophos Mobile on their devices, attachments from the managed email account can only be opened with managed apps. In this way you can prevent corporate documents from being opened in unmanaged apps. If you turn this setting off, the next two settings are disabled. Contacts from managed accounts can be shared with unmanaged apps. |
| Allow managed apps to write contacts to unmanaged accounts | Managed apps can write contacts to unmanaged accounts. |
| Allow unmanaged apps to read contacts from managed accounts | Unmanaged apps can read contacts from managed accounts. |
| Allow documents to be shared only within unmanaged apps/accounts | This restricts the opening of documents with apps/accounts not managed by Sophos Mobile, for example a private email account. If users have an email account and apps not managed by Sophos Mobile on their devices, attachments from the unmanaged email account can only be opened with unmanaged apps. In this way you can prevent personal documents from being opened in managed apps. |
| Clipboard respects document sharing restrictions | This setting restricts sharing of clipboard content between managed and unmanaged apps and accounts, based on what you configured for sharing documents with the Allow documents to be shared only within managed apps/accounts and Allow documents to be shared only within unmanaged apps/accounts settings. For example, when you turn on Allow documents to be shared only within managed apps/accounts, turning on this setting prevents users from pasting clipboard content from managed into unmanaged apps. When you turn off both of the Allow documents ... settings, this setting has no effect. |
| Force AirDrop documents to be used as unmanaged documents | AirDrop is considered an unmanaged drop target. |
| Allow managed apps to sync with iCloud | Managed apps can use iCloud synchronization. |
| Allow backup for enterprise books | Enterprise books are backed up. |
| Allow enterprise books notes and highlights sync | Enterprise books notes and highlights are synchronized. |
Applications
| Setting | Description |
|---|---|
| Allow use of the iTunes Store | If the checkbox is cleared, the iTunes Store is unavailable and its icon is removed from the Home screen. Users cannot preview, purchase or download content. This setting only applies to supervised devices. |
| Allow use of Safari | If the checkbox is cleared, the Safari web browser is unavailable and its icon is removed from the Home screen. This also prevents users from opening Web Clips. This setting only applies to supervised devices. |
| Enable auto-fill | If the checkbox is cleared, Safari does not auto-fill web forms with previously entered information. This setting only applies to supervised devices. |
| Force fraud warning | The Safari security setting to warn the user when they visit a suspected phishing website is always turned on. |
| Block pop-ups | The Safari pop-up blocker is turned on. |
| Allow JavaScript in browser | Web pages can execute JavaScript code on the device. |
| Accept cookies | In this field, you specify if Safari accepts cookies. When you allow cookies, you can specify if only cookies from the current site, from previously visited sites, or from all sites are accepted. |
| Allow modification of cellular data usage per app | Users can change the cellular data usage per app. |
| Allow changing cellular plan settings | Users can change settings related to their cellular plan. This setting only applies to supervised devices. |
| Allow Personal Hotspot | Users can modify Personal Hotspot settings. As an administrator, you can turn on Personal Hotspot with the Roaming/Hotspot configuration. See Roaming/Hotspot configuration (iOS device policy). This setting only applies to supervised devices. |
| Allow network drive connections | Users can connect to network drives in the Files app. |
| Allow USB device connections | Users can connect USB devices. |
| Allow iPhone widgets on Mac | When you turn this setting off, users can’t use widgets from their iPhone apps on their Mac. This setting only applies to supervised devices. |
| Filter type | Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid. |
iCloud
| Setting | Description |
|---|---|
| Allow backup | Users can back up their devices to iCloud. This setting only applies to supervised devices. |
| Allow document sync | Users can store documents and app configuration data in iCloud. This setting only applies to supervised devices. |
| Allow Photo Stream | Users can upload photos to My Photo Stream. Warning If you clear the checkbox to forbid My Photo Stream, this also removes existing photos shared via My Photo Stream from all devices. If there are no other copies of these photos, they are lost. |
| Allow iCloud Photo Library | Users can use iCloud Photo Library. |
| Allow shared photo streams | Users can invite others to view their photo streams and can view photo streams shared by others. |
| Allow iCloud Keychain sync | Users can use iCloud Keychain to synchronize passwords across their iPhones, iPads, and Macs. If the checkbox is cleared, iCloud Keychain data is only stored locally on the device. |
| Allow iCloud Private Relay | Users can use iCloud Private Relay. iCloud Private Relay is an Apple service to hide IP addresses and browsing activities in Safari. iCloud Private Relay requires an iCloud+ subscription. This setting only applies to supervised devices. |
Security and privacy
| Setting | Description |
|---|---|
| Allow diagnostic data to be sent to Apple | If the checkbox is cleared, diagnostic information is not sent to Apple. |
| Allow user to accept untrusted TLS certificates | If the checkbox is cleared, users are not asked if they want to trust certificates that cannot be verified. This setting applies to Safari and to Mail contacts and Calendar accounts. |
| Trust enterprise apps | Enterprise apps are trusted. |
| Allow password modification | Users can add, change or remove the device password. |
| Allow account modification | If the checkbox is cleared, users cannot modify accounts. The Accounts menu is unavailable. |
| Allow Touch ID and Face ID to unlock device | If the checkbox is cleared, the device can’t be unlocked by biometric authentication. |
| Allow Auto Unlock | Users can set up unlocking the device with their Apple Watch when wearing a face mask. |
| Allow NFC | Users can turn on near-field communication (NFC). |
| Force limit ad-tracking | Anonymous user data apps used for targeting ads are no longer provided. |
| Force encrypted backups | Users must encrypt backups in iTunes. |
| Force configured Wi-Fi networks | Devices can only connect to Wi-Fi networks that you configured with a Sophos Mobile policy. |
| Force Wi-Fi on | Users can’t turn off Wi-Fi. As a result, Wi-Fi remains turned on in Airplane Mode. |
| Allow AirPrint | Users can send files to AirPrint-enabled printers. |
| Allow AirPrint credentials storage | The AirPrint user name and password can be stored in the system keychain. |
| Allow iBeacon discovery of AirPrint printers | The device uses iBeacon to discover AirPrint devices. Warning If you allow this, malicious AirPrint devices can perform phishing attacks on network traffic. |
| Force trusted certificates for AirPrint over TLS | AirPrint over TLS is rejected if the AirPrint device uses an untrusted certificate. |
| Allow Quick Start transfer to new device | The user can transfer data from the device to a new device, using the Quick Start feature of the setup assistant. |
| Allow password auto-fill | Users can turn on the AutoFill Passwords setting, which lets them use saved password or credit card information in Safari or other apps. If this checkbox is cleared, automatic suggestion of strong passwords is disabled as well. |
| Force authentication before auto-fill | Users must authenticate when using auto-fill. This setting is only enforced on devices that support Face ID or Touch ID. |
| Request Wi-Fi passwords from nearby devices | The device requests passwords from nearby devices when setting up a Wi-Fi connection. |
| Allow AirDrop password sharing | Users can share passwords from Password Manager with other users via AirDrop. |
| Allow Apple personalized ads | Apple-delivered advertising uses user information to serve ads that are more relevant to the user. Users can turn off personalized ads with the Personalized Ads setting under Settings > Privacy > Apple Advertising. |
| Allow Mail Privacy Protection | If you clear the checkbox, Mail Privacy Protection is disabled on the device. |
| Turn on Rapid Security Response | If you clear the checkbox, the device doesn’t receive Rapid Security Response updates. |
| Allow removal of Rapid Security Response update | If you clear the checkbox, users can’t remove a Rapid Security Response update. |
Content ratings
| Setting | Description |
|---|---|
| Allow explicit music and podcasts | If the checkbox is cleared, explicit music or video content is hidden in the iTunes Store. Explicit content is flagged by content providers, for example record labels, when listed on the iTunes Store. This setting only applies to supervised devices. |