Restrictions configuration (iOS device policy)

The Restrictions configuration lets you configure restrictions for iPhones and iPads.

Note

Some options are only available for certain versions of iOS or iPadOS or for supervised devices. This is indicated by blue labels in Sophos Mobile Admin.

For details on device supervision, see Configure device supervision.

Device

Setting Description
Allow app installation If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can’t install or update apps from the App Store or Apple Configurator.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow app installation from device UI If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can still install or update apps from Apple Configurator.
Allow use of camera If the check box is cleared, the camera is unavailable and the Camera icon is removed from the Home screen. Users cannot take pictures, record videos, or use FaceTime.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow FaceTime Users can place or receive FaceTime video calls.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow screen capture Users can take a screenshot of the display.
Allow automatic sync while roaming If the check box is cleared, devices that are roaming will only sync when the user accesses an account.
Allow Siri If the check box is cleared, users cannot use Siri, voice commands, or dictation.
Allow Siri while device is locked If the check box is cleared, users must unlock their devices by entering their password before they use Siri.
Allow Siri querying content from the web If the check box is cleared, Siri does not query content from the web.
Force Siri explicit language filter If the check box is cleared, the Siri filter for explicit language is not enforced on the device.
Allow voice dialing while device is locked If the check box is cleared, users cannot dial by using voice commands when the device is locked by a password.

If the user has not configured a device password, voice dialing is always allowed.

Allow Passbook while device is locked Passbook notifications are displayed when the device is locked.
Allow in-app purchase Users can make in-app purchases.
Force user to enter store password for all purchases Users must enter their Apple ID password to make any purchase.

If the check box is cleared, there is a brief grace period during which users can make subsequent purchases without having to enter their password again.

Allow multiplayer gaming Users can play multiplayer games in Game Center.
Allow Game Center If the check box is cleared, Game Center is unavailable.
Allow adding Game Center friends Users can add friends in Game Center.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow Find My Friends modification If the check box is cleared, modifications to the Find My Friends app are unavailable.
Allow Find My Friends Users can find people in the Find My app.

If you turn off both Allow Find My Device and Allow Find My Friends, the Find My app becomes unavailable.

Allow Find My Device Users can find devices in the Find My app.

If you turn off both Allow Find My Device and Allow Find My Friends, the Find My app becomes unavailable.

Allow host pairing If the check box is cleared, you can only pair the device with Macs you’ve configured for device supervision.
Allow pairing with Apple Watch If the check box is cleared, users cannot pair the device with an Apple Watch. Any currently paired Apple Watch is unpaired.
Force Wrist Detection A paired Apple Watch must use Wrist Detection.
Force pairing password for outgoing AirPlay requests Other devices receiving an AirPlay request from this device must use a pairing password.
Allow AirDrop Content sharing with AirDrop is turned on.
Allow Control Center on lock screen If the check box is cleared, the Control Center is unavailable when the device screen is locked.
Allow Notification Center on lock screen If the check box is cleared, the Notification Center is unavailable when the device screen is locked.
Allow Today view on lock screen If the check box is cleared, the Today view is unavailable when the device screen is locked.
Allow News The News app is available.
Allow over-the-air PKI updates Over-the-air PKI updates are possible.
Allow iBooks Store Users can purchase books in iBooks.
Allow explicit sexual content in iBooks Store If the check box is cleared, explicit sexual content through iBooks Store is blocked.
Allow user to install configuration profiles Users can install configuration profiles.
Allow iMessage Users can use iMessage to send or receive text messages.
Allow app removal Users can uninstall apps from the device.
Allow system app removal Users can uninstall system apps from the device.
Allow erase all contents and settings If the check box is cleared, the Erase All Content and Settings option in the Reset UI is unavailable.
Allow internet search result for Spotlight If the check box is cleared, Spotlight does not return internet search results.
Allow enabling of restrictions option If the check box is cleared, the Enable Restrictions option in the Reset UI is unavailable.
Allow Handoff Users can use the Apple Continuity feature Handoff. With Handoff, users can start to work on a document, email or message on one device and continue from another device.
Allow device name modification Users can change the device name.
Allow wallpaper modification Users can change the wallpaper.
Allow changing notification settings Users can change the notification settings.
Allow keyboard shortcuts Users can use keyboard shortcuts.
Allow dictation for keyboard input Users can turn on the Enable Dictation keyboard setting.
Allow predictive keyboard Users can turn on the Predictive keyboard setting.
Allow auto-correction Users can turn on the Auto-Correction keyboard setting.
Allow spell check Users can turn on the Check Spelling keyboard setting.
Allow automatic app download If the check box is cleared, the automatic downloading of apps purchased on other devices is turned off. This does not affect updates to existing apps.
Allow Apple Music Users can access the Apple Music library.
Allow Apple Music Radio Users can access Apple Music Radio.
Allow modification of Bluetooth settings Users can modify the Bluetooth settings.
Allow VPN creation Users can add VPN configurations.
Force automatic date and time The Date & Time setting Set Automatically is turned on and can’t be turned off by the user.
Allow QuickPath keyboard Users can use the QuickPath keyboard feature.
Allow Shared iPad temporary session Users can access Shared iPad without a password by tapping Guest on the sign-in page. This starts a temporary session.

When users sign out of a temporary session, all their data is deleted.

In a temporary session, users can’t edit account settings or sign in to Apple services.

iOS & iPadOS software update delay The number of days that an update of iOS or iPadOS is delayed after its release date.

Enter a value from 0 (no delay) to 90.

Company data

Setting Description
Allow documents to be shared only within managed apps/accounts This restricts the opening of documents with apps or accounts managed by Sophos Mobile, for example a corporate email account.

If users have an email account managed by Sophos Mobile and apps managed by Sophos Mobile on their devices, attachments from the managed email account can only be opened with managed apps.

In this way you can prevent corporate documents from being opened in unmanaged apps.

If you turn this setting off, the next two settings are disabled. Contacts from managed accounts can be shared with unmanaged apps.

Allow managed apps to write contacts to unmanaged accounts Managed apps can write contacts to unmanaged accounts.
Allow unmanaged apps to read contacts from managed accounts Unmanaged apps can read contacts from managed accounts.
Allow documents to be shared only within unmanaged apps/accounts This restricts the opening of documents with apps/accounts not managed by Sophos Mobile, for example a private email account.

If users have an email account and apps not managed by Sophos Mobile on their devices, attachments from the unmanaged email account can only be opened with unmanaged apps.

In this way you can prevent personal documents from being opened in managed apps.

Force AirDrop documents to be used as unmanaged documents AirDrop is considered an unmanaged drop target.
Allow managed apps to sync with iCloud Managed apps can use iCloud synchronization.
Allow backup for enterprise books Enterprise books are backed up.
Allow enterprise books notes and highlights sync Enterprise books notes and highlights are synchronized.

Applications

Setting Description
Allow use of the iTunes Store If the check box is cleared, the iTunes Store is unavailable and its icon is removed from the Home screen. Users cannot preview, purchase or download content.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow use of Safari If the check box is cleared, the Safari web browser is unavailable and its icon is removed from the Home screen. This also prevents users from opening Web Clips.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Enable auto-fill If the check box is cleared, Safari does not auto-fill web forms with previously entered information.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Force fraud warning The Safari security setting to warn the user when they visit a suspected phishing website is always turned on.
Block pop-ups The Safari pop-up blocker is turned on.
Allow JavaScript in browser Web pages can execute JavaScript code on the device.
Accept cookies In this field, you specify if Safari accepts cookies.

When you allow cookies, you can specify if only cookies from the current site, from previously visited sites, or from all sites are accepted.

Allow modification of cellular data usage per app Users can change the cellular data usage per app.
Allow network drive connections Users can connect to network drives in the Files app.
Allow USB device connections Users can connect USB devices.
Filter type Select either Allowed apps or Forbidden apps and then select the app group containing the apps you want to allow or forbid.

iCloud

Setting Description
Allow backup Users can back up their devices to iCloud.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow document sync Users can store documents and app configuration data in iCloud.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.

Allow Photo Stream Users can upload photos to My Photo Stream.

Warning If you clear the check box to forbid My Photo Stream, this also removes existing photos shared via My Photo Stream from all devices. If there are no other copies of these photos, they are lost.

Allow iCloud Photo Library Users can use iCloud Photo Library.
Allow shared photo streams Users can invite others to view their photo streams and can view photo streams shared by others.
Allow iCloud Keychain sync Users can use iCloud Keychain to synchronize passwords across their iPhones, iPads, and Macs.

If the check box is cleared, iCloud Keychain data is only stored locally on the device.

Security and privacy

Setting Description
Allow diagnostic data to be sent to Apple If the check box is cleared, diagnostic information is not sent to Apple.
Allow user to accept untrusted TLS certificates If the check box is cleared, users are not asked if they want to trust certificates that cannot be verified.

This setting applies to Safari and to Mail, Contacts, and Calendar accounts.

Trust enterprise apps Enterprise apps are trusted.
Allow password modification Users can add, change or remove the device password.
Allow account modification If the check box is cleared, users cannot modify accounts. The Accounts menu is unavailable.
Allow Touch ID and Face ID to unlock device If the check box is cleared, the device can’t be unlocked by biometric authentication.
Force limit ad-tracking Anonymous user data that apps use for targeting ads is no longer provided.
Force encrypted backups Users must encrypt backups in iTunes.
Force configured Wi-Fi networks Devices can only connect to Wi-Fi networks that have been configured by a Sophos Mobile policy.
Force Wi-Fi on Users can’t turn off Wi-Fi. As a result, Wi-Fi remains turned on in Airplane Mode.
Allow AirPrint Users can send files to AirPrint-enabled printers.
Allow AirPrint credentials storage The AirPrint user name and password can be stored in the system keychain.
Allow iBeacon discovery of AirPrint printers The device uses iBeacon to discover AirPrint devices.

Warning If you allow this, malicious AirPrint devices can perform phishing attacks on network traffic.

Force trusted certificates for AirPrint over TLS AirPrint over TLS is rejected if the AirPrint device uses an untrusted certificate.
Allow Quick Start transfer to new device The user can transfer data from the device to a new device, using the Quick Start feature of the setup assistant.
Allow password auto-fill Users can turn on the AutoFill Passwords setting, which lets them use saved password or credit card information in Safari or other apps.

If this check box is cleared, automatic suggestion of strong passwords is disabled as well.

Force authentication before auto-fill Users must authenticate when using auto-fill.

This setting is only enforced on devices that support Face ID or Touch ID.

Request Wi-Fi passwords from nearby devices The device requests passwords from nearby devices when setting up a Wi-Fi connection.
Allow AirDrop password sharing Users can share passwords from Password Manager with other users via AirDrop.

Content ratings

Setting Description
Allow explicit music and podcasts If the check box is cleared, explicit music or video content is hidden in the iTunes Store. Explicit content is flagged by content providers, for example record labels, when listed on the iTunes Store.

If the device uses iOS 13.0 (or iPadOS 13.1) or later, it must be supervised to support this option.
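
The rules stated in the tables above (supervision requirement on iOS 13.0 or later, the 0 to 90 day update delay, the Find My interaction, and the AirPrint iBeacon warning) can be checked against a planned policy before rollout. The following is an added example, not Sophos code: the dict layout, `lint_policy` and `SAMPLE_POLICY` are hypothetical and do not reflect any Sophos Mobile export format; setting names are the labels used on this page.

```python
# Added example: lint a restrictions policy against the rules stated on this page.
# Policy = {setting label: True (check box selected) / False (cleared) / int}.

# Options the page marks as needing supervision on iOS 13.0 (iPadOS 13.1) or later.
NEEDS_SUPERVISION = {
    "Allow app installation", "Allow use of camera", "Allow FaceTime",
    "Allow adding Game Center friends", "Allow use of the iTunes Store",
    "Allow use of Safari", "Enable auto-fill", "Allow backup",
    "Allow document sync", "Allow explicit music and podcasts",
}
DELAY = "iOS & iPadOS software update delay"

def lint_policy(policy, os_version, supervised):
    """Return findings for one device; os_version is a (major, minor) tuple."""
    findings = []
    # Simplification: (13, 0) is used as the threshold for both iOS and iPadOS.
    if os_version >= (13, 0) and not supervised:
        for name in sorted(policy.keys() & NEEDS_SUPERVISION):
            if policy[name] is False:  # restriction intended but not supported
                findings.append(f"not supported without supervision: {name}")
    delay = policy.get(DELAY)
    if delay is not None:
        valid = isinstance(delay, int) and not isinstance(delay, bool)
        if not (valid and 0 <= delay <= 90):
            findings.append(f"update delay out of range 0-90: {delay!r}")
    if (policy.get("Allow Find My Device") is False
            and policy.get("Allow Find My Friends") is False):
        findings.append("Find My app becomes unavailable")
    if policy.get("Allow iBeacon discovery of AirPrint printers"):
        findings.append("iBeacon AirPrint discovery allowed (see page warning)")
    if policy.get("Allow user to accept untrusted TLS certificates"):
        findings.append("users are asked whether to trust unverifiable certificates")
    return findings

SAMPLE_POLICY = {  # constructed sample, not taken from a real deployment
    "Allow use of camera": False,
    "Allow backup": False,
    "Allow screen capture": False,
    "Allow Find My Device": False,
    "Allow Find My Friends": False,
    "Allow iBeacon discovery of AirPrint printers": True,
    DELAY: 120,
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, (15, 4), supervised=False):
        print(finding)
```

Running the same policy with `supervised=True` drops the supervision findings, which shows which restrictions depend on enrolling the device as supervised.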