Restrictions configuration (iOS device profile)

With the Restrictions configuration you define restrictions for devices.

Note: Some options are only available for certain versions of iOS or for supervised devices. This is indicated by blue labels in Sophos Mobile Admin.

Device

Setting/Field

Description

Allow app installation

If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can’t install or update apps from the App Store or Apple Configurator.

Allow app installation from device UI

If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can still install or update apps from Apple Configurator.

Allow use of camera

If the check box is cleared, the camera is unavailable and the Camera icon is removed from the Home screen. Users cannot take pictures, record videos, or use FaceTime.

Allow FaceTime

Users can place or receive FaceTime video calls.

Allow screen capture

Users can take a screenshot of the display.

Allow automatic sync while roaming

If the check box is cleared, devices that are roaming will only sync when the user accesses an account.

Allow Siri

If the check box is cleared, users cannot use Siri, voice commands, or dictation.

Allow Siri while device is locked

If the check box is cleared, users must unlock their devices by entering their password before they use Siri.

Allow Siri querying content from the web

If the check box is cleared, Siri does not query content from the web.

Force Siri explicit language filter

If the check box is cleared, the Siri filter for explicit language is not enforced on the device.

Allow voice dialing while device is locked

If the check box is cleared, users cannot dial by using voice commands when the device is locked by a password.
Note: If the user has not configured a device password, voice dialing is always allowed.

Allow Passbook while device is locked

Passbook notifications are displayed when the device is locked.

Allow in-app purchase

Users can make in-app purchases.

Force user to enter store password for all purchases

Users must enter their Apple ID password to make any purchase.

If the check box is cleared, there is a brief grace period during which users can make subsequent purchases without having to enter their password again.

Allow multiplayer gaming

Users can play multiplayer games in Game Center.

Allow Game Center

If the check box is cleared, Game Center is unavailable.

Allow adding Game Center friends

Users can add friends in Game Center.

Allow find my friends modification

If the check box is cleared, modifications to the Find My Friends app are unavailable.

Allow host pairing

If the check box is cleared, host pairing is turned off with the exception of the supervision host. If no supervision host certificate is configured, all pairing is turned off.

Allow pairing with Apple Watch

If the check box is cleared, users cannot pair the device with an Apple Watch. Any currently paired Apple Watch is unpaired.

Force Wrist Detection

A paired Apple Watch must use Wrist Detection.

Allow AirDrop

Content sharing with AirDrop is turned on.

Allow Control Center on lock screen

If the check box is cleared, the Control Center is unavailable when the device screen is locked.

Allow Notification Center on lock screen

If the check box is cleared, the Notification Center is unavailable when the device screen is locked.

Allow Today view on lock screen

If the check box is cleared, the Today view is unavailable when the device screen is locked.

Allow News

The News app is available.

Allow over-the-air PKI updates

Over-the-air PKI updates are possible.

Allow iBooks Store

Users can purchase books in iBooks.

Allow explicit sexual content in iBooks Store

If the check box is cleared, explicit sexual content through iBooks Store is blocked.

Allow user to install configuration profiles

Users can install configuration profiles.

Allow iMessage

Users can use iMessage to send or receive text messages.

Allow app removal

Users can uninstall apps from the device.

Allow system app removal

Users can uninstall system apps from the device.

Allow erase all contents and settings

If the check box is cleared, the Erase All Content and Settings option in the Reset UI is unavailable.

Allow internet search result for Spotlight

If the check box is cleared, Spotlight does not return internet search results.

Allow enabling of restrictions option

If the check box is cleared, the Enable Restrictions option in the Reset UI is unavailable.

Allow Handoff

Users can use the Apple Continuity feature Handoff. With Handoff, users can start to work on a document, email or message on one device and continue from another device.

Allow device name modification

Users can change the device name.

Allow wallpaper modification

Users can change the wallpaper.

Allow changing notification settings

Users can change the notification settings.

Allow keyboard shortcuts

Users can use keyboard shortcuts.

Allow dictation for keyboard input

Users can turn on the Enable Dictation keyboard setting.

Allow predictive keyboard

Users can turn on the Predictive keyboard setting.

Allow auto-correction

Users can turn on the Auto-Correction keyboard setting.

Allow spell check

Users can turn on the Check Spelling keyboard setting.

Allow automatic app download

If the check box is cleared, the automatic downloading of apps purchased on other devices is turned off. This does not affect updates to existing apps.

Allow Apple Music

Users can access the Apple Music library.

Allow Apple Music Radio

Users can access Apple Music Radio.

Allow modification of Bluetooth settings

Users can modify the Bluetooth settings.

Allow VPN creation

Users can add VPN configurations.

Force automatic date and time

The iOS Date & Time setting Set Automatically is turned on and can’t be turned off by the user.

iOS software update delay

The number of days that an update of the iOS software is delayed after its release date.

Enter a value between 0 (no delay) and 90.

Company data

Setting/Field

Description

Allow documents to be shared only within managed apps/accounts

This restricts the opening of documents with apps or accounts managed by Sophos Mobile, for example a corporate email account.

If users have an email account managed by Sophos Mobile and apps managed by Sophos Mobile on their devices, attachments from the managed email account can only be opened with managed apps.

In this way you can prevent corporate documents from being opened in unmanaged apps.

If you turn this setting off, the next two settings are disabled. Contacts from managed accounts can be shared with unmanaged apps.

Allow managed apps to write contacts to unmanaged accounts

Managed apps can write contacts to unmanaged accounts.

Allow unmanaged apps to read contacts from managed accounts

Unmanaged apps can read contacts from managed accounts.

Allow documents to be shared only within unmanaged apps/accounts

This restricts the opening of documents with apps/accounts not managed by Sophos Mobile, for example a private email account.

If users have an email account and apps not managed by Sophos Mobile on their devices, attachments from the unmanaged email account can only be opened with unmanaged apps.

In this way you can prevent personal documents from being opened in managed apps.

Force AirDrop documents to be used as unmanaged documents

AirDrop is considered an unmanaged drop target.

Allow managed apps to sync with iCloud

Managed apps can use iCloud synchronization.

Allow backup for enterprise books

Enterprise books are backed up.

Allow enterprise books notes and highlights sync

Enterprise books notes and highlights are synchronized.
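
The following added example (not Sophos code) audits the Company data settings in an exported configuration profile, including the dependency of the two contact settings on managed-only sharing. It assumes the check boxes above correspond to the listed keys of Apple's Restrictions payload (com.apple.applicationaccess); the sample profiles are constructed.

```python
import plistlib

# Apple Restrictions payload keys with their defaults when a key is absent.
# Mapping them to the Sophos Mobile check boxes above is this example's assumption.
DEFAULTS = {
    "allowOpenFromManagedToUnmanaged": True,   # inverse of "only within managed apps/accounts"
    "forceAirDropUnmanaged": False,
    "allowManagedToWriteUnmanagedContacts": False,
    "allowUnmanagedToReadManagedContacts": False,
    "allowManagedAppsCloudSync": True,
}

def audit_company_data(profile_bytes):
    """Return findings for the Restrictions payload of a .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload found"]
    cfg = dict(DEFAULTS)
    cfg.update({k: v for k, v in payloads[0].items() if k in DEFAULTS})
    findings = []
    if cfg["allowOpenFromManagedToUnmanaged"]:
        findings.append("managed documents can be opened in unmanaged apps")
        # The contact settings only take effect when managed-only sharing is on.
        findings.append("contacts from managed accounts can be shared with unmanaged apps")
    else:
        if not cfg["forceAirDropUnmanaged"]:
            findings.append("AirDrop is not treated as an unmanaged drop target")
        if cfg["allowManagedToWriteUnmanagedContacts"]:
            findings.append("managed apps can write contacts to unmanaged accounts")
        if cfg["allowUnmanagedToReadManagedContacts"]:
            findings.append("unmanaged apps can read contacts from managed accounts")
    if cfg["allowManagedAppsCloudSync"]:
        findings.append("managed apps can sync with iCloud")
    return findings

def sample_profile(**restrictions):
    """Build a constructed profile for the demo; not a real Sophos Mobile export."""
    payload = {"PayloadType": "com.apple.applicationaccess", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    for name, prof in [("defaults", sample_profile()),
                       ("hardened", sample_profile(allowOpenFromManagedToUnmanaged=False,
                                                   forceAirDropUnmanaged=True,
                                                   allowManagedAppsCloudSync=False))]:
        print(name, audit_company_data(prof) or "no findings")
```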

Applications

Setting/Field

Description

Allow use of the iTunes Store

If the check box is cleared, the iTunes Store is unavailable and its icon is removed from the Home screen. Users cannot preview, purchase or download content.

Allow use of Safari

If the check box is cleared, the Safari web browser is unavailable and its icon is removed from the Home screen. This also prevents users from opening Web Clips.

Enable auto-fill

If the check box is cleared, Safari does not auto-fill web forms with previously entered information.

Force fraud warning

The Safari security setting to warn the user when they visit a suspected phishing website is always turned on.

Block pop-ups

The Safari pop-up blocker is turned on.

Allow JavaScript in browser

Web pages can execute JavaScript code on the device.

Accept cookies

In this field, you specify if Safari accepts cookies.

When you allow cookies, you can specify if only cookies from the current site, from previously visited sites, or from all sites are accepted.

Allow modification of cellular data usage per app

Users can change the cellular data usage per app.

Allowed apps / Forbidden apps

You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list. For information on creating app groups, see App groups.

iCloud

Setting/Field

Description

Allow backup

Users can back up their devices to iCloud.

Allow document sync

Users can store documents and app configuration data in iCloud.

Allow Photo Stream

Users can upload photos to My Photo Stream.
Note: If you clear the check box to forbid My Photo Stream, this also removes existing photos shared via My Photo Stream from all devices. If there are no other copies of these photos, they are lost.

Allow iCloud Photo Library

Users can use iCloud Photo Library.

Allow shared photo streams

Users can invite others to view their photo streams and can view photo streams shared by others.

Allow iCloud Keychain sync

Users can use iCloud Keychain to synchronize passwords across their iPhones, iPads, and Macs.

If the check box is cleared, iCloud Keychain data is only stored locally on the device.

Security and privacy

Setting/Field

Description

Allow diagnostic data to be sent to Apple

If the check box is cleared, iOS diagnostic information is not sent to Apple.

Allow user to accept untrusted TLS certificates

If the check box is cleared, users are not asked if they want to trust certificates that cannot be verified.

This setting applies to Safari and to Mail, Contacts, and Calendar accounts.

Trust enterprise apps

Enterprise apps are trusted.

Allow password modification

Users can add, change or remove the device password.

Allow account modification

If the check box is cleared, users cannot modify accounts. The Accounts menu is unavailable.

Allow Touch ID to unlock device

If the check box is cleared, the device can’t be unlocked by Touch ID.

Force limit ad-tracking

Anonymous user data that apps use for targeting ads is no longer provided.

Force encrypted backups

Users must encrypt backups in iTunes.

Force configured Wi-Fi networks

Devices can only connect to Wi-Fi networks that have been configured by a Sophos Mobile profile.

Allow AirPrint

Users can send files to AirPrint-enabled printers.

Allow AirPrint credentials storage

The AirPrint user name and password can be stored in the system keychain.

Allow iBeacon discovery of AirPrint printers

The device uses iBeacon to discover AirPrint devices.

Important: If you allow this, malicious AirPrint devices can perform phishing attacks on network traffic.

Force trusted certificates for AirPrint over TLS

AirPrint over TLS is rejected if the AirPrint device uses an untrusted certificate.

Allow Quick Start transfer to new device

The user can transfer data from the device to a new device, using the Quick Start feature of the iOS Setup Assistant.

Allow password auto-fill

Users can turn on the AutoFill Passwords setting, which lets them use saved password or credit card information in Safari or other apps.

If this check box is cleared, automatic suggestion of strong passwords is disabled as well.

Force authentication before auto-fill

Users must authenticate when using auto-fill.

This setting is only enforced on devices that support Face ID or Touch ID.

Request Wi-Fi passwords from nearby devices

The device requests passwords from nearby devices when setting up a Wi-Fi connection.

Allow AirDrop password sharing

Users can share passwords from Password Manager with other users via AirDrop.

Content ratings

Setting/Field

Description

Allow explicit music and podcasts

If the check box is cleared, explicit music or video content is hidden in the iTunes Store. Explicit content is flagged by content providers, for example record labels, when listed on the iTunes Store.