MDM restrictions available in Apple Configurator for Mac
Certain MDM restrictions for iPhone, iPad, Apple TV, and Apple Vision Pro devices are available in Apple Configurator 2.18 for Mac. These restrictions are detailed in the table below.
The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column.
Setting | Minimum supported operating system versions | Supervised | Restriction functionality | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Allow app installation from a website (In eligible regions) | iOS 17.5 | Yes | Prevents installation of apps directly from the web. | ||||||||
Allow auto-dim | iPadOS 17.4 | Yes | Prevents a device with a Tandem OLED screen from dimming. | ||||||||
Allow app installation from an alternative marketplace (In eligible regions) | iOS 17.4 | Yes | Prevents installation of new alternative app marketplaces and apps hosted on those marketplaces. | ||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Yes | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | ||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Yes | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | ||||||||
Allow Live Voicemail | iOS 17.2 | Yes | Prevents the user from using Live Voicemail. Default is off. | ||||||||
iPhone or iPad Widgets on a Mac | iOS 17 iPadOS 17 | Yes | Prevents the user from adding iPhone or iPad widgets to their Mac. | ||||||||
Use of cameras | iOS 5 iPadOS 13.1 tvOS 17 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (tvOS) | Cameras are disabled and the Camera icon is removed from the Home Screen. Users can’t take photographs or videos. In tvOS, the FaceTime app is removed from the Home Screen and third-party apps can’t use Continuity Camera. | ||||||||
Install apps | iOS 5 iPadOS 13.1 | No (iOS 12.4 or earlier) Yes (iPadOS 13.1 or later) | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. For devices with iOS 10 or later and watchOS, MDM app commands can still be used. Note: If native system apps are removed, they can be reinstalled. | ||||||||
Install apps using App Store | iOS 9 iPadOS 13.1 | Yes | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. For devices with iOS 10 or later and watchOS, MDM app commands can still be used. | ||||||||
Remove apps | iOS 5 iPadOS 13.1 | Yes | Users can’t remove installed apps. | ||||||||
Automatic app downloads | iOS 9 iPadOS 13.1 | Yes | The App Store won’t automatically download apps. | ||||||||
User-generated content in Siri | iOS 7 iPadOS 13.1 | Yes | Siri can’t access content from sources that allow user-generated content, such as Wikipedia. | ||||||||
Modify account settings | iOS 7 iPadOS 13.1 | Yes | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | ||||||||
Force on-device-only dictation | iOS 14.5 iPadOS 14.5 | No | Prevents dictated content from being sent to Siri servers for processing. Supported on the following devices:
Default is off. | ||||||||
Modify device name | iOS 9 iPadOS 13.1 tvOS 11 | Yes | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
Siri | iOS 5 iPadOS 13.1 | No | Siri can’t be used. | ||||||||
Modify biometric authentication | iOS 8.3 (Touch ID) iOS 11 (Face ID) iPadOS 13.1 (Face ID or Touch ID) | Yes | Users can’t add or remove existing biometric information. | ||||||||
Install a configuration profile | iOS 6 iPadOS 13.1 | Yes | Users can’t manually install configuration profiles in Settings. | ||||||||
Allow accessory connections | iOS 11.4.1 iPadOS 13.1 | Yes | The device can always connect to specific accessories while locked. For Mac computers, this allows new specific accessories to connect without authorization. | ||||||||
AirPlay security | tvOS 10.2 | Yes | Users can’t use AirPlay to stream content to the Mac or Apple TV. | ||||||||
Force on-device-only translation | iOS 15 iPadOS 15 | No | Won’t let the device connect to Siri servers for the purposes of translation. Default is off. | ||||||||
iCloud Private Relay | iOS 15 iPadOS 15 | Yes | Prevents the user from turning on iCloud Private Relay. | ||||||||
Managed pasteboard | iOS 15 iPadOS 15 | No | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail, and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organization’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off. | ||||||||
Allow App to Request to Track | iOS 14.5 iPadOS 14.5 | No | Users can’t turn on Allow App to Request to Track. Default is off. | ||||||||
Auto unlock | iOS 14.5 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Users can’t use their Apple Watch with watchOS 7.4 or later to unlock a paired iPhone with iOS 14.5 or later. | ||||||||
Allow putting an iPhone or iPad into Recovery Mode from an unpaired host | iOS 14.5 iPadOS 14.5 | Yes | Previously, any external host computer was allowed to restart a connected iPhone or iPad into recoveryOS (also known as Recovery Mode). This meant that the host computer could completely erase the device and restore iOS or iPadOS over a USB connection without any other physical interaction with the device. iOS 14.5 and iPadOS 14.5, or later, prevent this behavior by default. Default is off. | ||||||||
Allow Near–field communications (NFC) | iOS 14.2 | Yes | Prevents users from using built-in NFC hardware in compatible devices using iOS 14.2 or later. | ||||||||
Allow personalized ads delivered by Apple | iOS 14 iPadOS 14 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads. | ||||||||
Allow App Clips | iOS 14 iPadOS 14 | Yes | Users can’t add App Clips. Any existing App Clips are removed when this restriction is applied. | ||||||||
Allow Shared iPad Temporary Session | iPadOS 13.4 | Yes | Shared iPad won’t allow a Temporary Session. | ||||||||
Allow network drive connections | iOS 13 iPadOS 13.1 | Yes | Users can’t connect to network drives in the Files app. | ||||||||
Force Wi-Fi on | iOS 13 iPadOS 13.1 | Yes | Users can’t turn off Wi-Fi in:
Users can still select which Wi-Fi network to use. Default is off. | ||||||||
Allow Find My Device | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My app. | ||||||||
Allow Find My Friends | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My Friends feature in the Find My app. | ||||||||
Allow QuickPath keyboard | iOS 13 iPadOS 13.1 | Yes | Users can’t use the QuickPath keyboard. | ||||||||
Prevent Apple TV from going to sleep | tvOS 13 | Yes | Users and tvOS can’t put the Apple TV to sleep. | ||||||||
Modify personal Hotspot settings | iOS 12.2 iPadOS 13.1 | Yes | Users can’t modify personal Hotspot settings. | ||||||||
Modify eSIM settings | iOS 12.1 iPadOS 13.1 | Yes | Users can’t add or remove an eSIM plan for an iPhone that supports eSIM. | ||||||||
Proximity AutoFill | iOS 12 iPadOS 13.1 tvOS 12 | Yes | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. For devices with iOS and iPadOS, this feature restricts only Wi-Fi password requests. | ||||||||
Share passwords over AirDrop | iOS 12 iPadOS 13.1 | Yes | Users can’t share their passwords over AirDrop. | ||||||||
Unmanaged apps to read managed contacts | iOS 12 iPadOS 13.1 | No | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. Default is off. | ||||||||
Password AutoFill | iOS 12 iPadOS 13.1 | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | |||||||||
AirPlay, View Screen by Classroom, and screen sharing | iPadOS 13.1 | No | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens. | ||||||||
Turn on “Set Automatically” in Date and Time settings | iOS 12 iPadOS 13.1 tvOS 12.2 | Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. | ||||||||
Modify restrictions or Screen Time settings | iPadOS 13.1 iOS 12 (Screen Time) iOS 8 (Restrictions) | Yes | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device with iOS 12, iPadOS 13.1, visionOS 2.0, or later. | ||||||||
Defer software updates | iOS 11.3 iPadOS 13.1 tvOS 12.2 | Yes | For more information, see Test and defer software updates. Default is off. | ||||||||
Require teacher permission to leave Classroom teacher-created classes | iOS 11.3 iPadOS 13.1 | Yes | Students must request permission before they can leave a teacher-created class. Default is off. | ||||||||
Classroom can focus students on a single app and lock the device without prompting | iOS 11 iPadOS 13.1 | Yes | Teachers can lock an app open or lock the device without first prompting the user. Default is off. | ||||||||
Automatic joining of Classroom classes without prompting | iOS 11 iPadOS 13.1 | Yes | Students can join a class without prompting the teacher. Default is off. | ||||||||
Classroom to perform AirPlay and View Screen without prompting | iOS 11 iPadOS 13.1 | Yes | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off. | ||||||||
AirPrint | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint. | ||||||||
Discover AirPrint printers using iBeacon | iOS 11 iPadOS 13.1 | Yes | Users can’t discover AirPrint printers using nearby iBeacon-compatible hardware transmitters. | ||||||||
Store AirPrint credentials in Keychain | iOS 11 iPadOS 13.1 | Yes | Users can’t save their AirPrint credentials to their Keychain. | ||||||||
AirPrint to destinations with untrusted certificates | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint to print to printers with untrusted certificates. Default is off. | ||||||||
Set up a nearby Apple device | iOS 11 iPadOS 13.1 | Yes | Users can’t use their Apple devices to set up and configure other Apple devices. | ||||||||
Modify Bluetooth settings | iOS 11 iPadOS 13.1 | Yes | Users can’t modify the Bluetooth setting. | ||||||||
Modify cellular plan settings | iOS 11 iPadOS 13.1 | Yes | Users can’t change any settings for the cellular plan. | ||||||||
Remove system apps | iOS 11 iPadOS 13.1 | Yes | Users can’t remove native Apple apps. | ||||||||
Add VPN configurations | iOS 11 iPadOS 13.1 | Yes | Users and third-party apps can’t create and add VPN configurations. | ||||||||
Require biometric authentication for AutoFill | iOS 11 iPadOS 13.1 | Yes | Users are required to authenticate with biometric authentication or with a passcode to automatically fill password and credit card information. Default is off. | ||||||||
Use biometric authentication to unlock device | iOS 11 (Face ID) iOS 7 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Users must use a passcode to unlock the device. | ||||||||
Modify Dictation | iOS 10.3 iPadOS 13.1 | Yes | Users can’t use dictation on their device. | ||||||||
Join only Wi-Fi networks installed by a Wi-Fi payload | iOS 10.3 iPadOS 13.1 | Yes | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | ||||||||
Modify diagnostic settings | iOS 9.3.2 iPadOS 13.1 | Yes | Modifying diagnostic data settings isn’t permitted. | ||||||||
Modify Notifications settings | iOS 9.3 iPadOS 13.1 | Yes | Users can’t change the configuration of any Notifications settings. | ||||||||
Apple Music | iOS 9.3 iPadOS 13.1 | Yes | Users can’t use Apple Music. | ||||||||
Pair with Remote app | tvOS 10.2 | Yes | Users can’t use the Apple TV Remote app to control Apple TV. | ||||||||
Radio | iOS 9.3 iPadOS 13.1 | Yes | Users can’t listen to the radio with Apple Music. | ||||||||
Restrict app usage | iOS 9.3 iPadOS 13.1 tvOS 11 | Yes | Any apps other than Settings or Phone (on iPhone) can be placed on either an approved list or a disapproved one. To allow all Web Clips, you must add the value | ||||||||
News | iOS 9 iPadOS 13.1 | Yes | Users can’t use the News app. | ||||||||
Modify passcode or password | iOS 9 iPadOS 13.1 | Yes | Users can’t change the passcode or password. | ||||||||
Keyboard shortcuts | iOS 9 iPadOS 13.1 | Yes | Users can’t use any keyboard shortcuts. | ||||||||
iCloud Photos | iOS 9 iPadOS 13.1 | No | Users can’t use their iCloud Photos. | ||||||||
Pair with Apple Watch | iOS 9 | Yes | Users can’t pair their supervised iPhone with Apple Watch. | ||||||||
Trust new proprietary in-house app developers | iOS 9 iPadOS 13.1 | No | Users can’t allow new proprietary in-house app developers to be trusted, which prohibits apps from those developers from launching. | ||||||||
Treat AirDrop as unmanaged destination | iOS 9 iPadOS 13.1 | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations.”
Default is off. | ||||||||
Modify Wallpaper | iOS 9 iPadOS 13.1 | Yes | Users can’t modify the wallpaper for the Lock Screen or the Home Screen. | ||||||||
Force Apple Watch wrist detection | iOS 8.2 iPadOS 13.1 | No | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or with the paired iPhone. Default is off. | ||||||||
Predictive keyboard | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see the predictive keyboard. | ||||||||
Auto correction | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see any word correction suggestions. | ||||||||
Spell check | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see potentially misspelled words underlined in red. | ||||||||
Define and Look Up | iOS 8.1.3 iPadOS 13.1 | Yes | Users can’t tap and hold a selection and look up a dictionary definition about the selection. | ||||||||
Managed App’s stored data in iCloud | iOS 8 iPadOS 13.1 | No | Users can’t store data from Managed Apps in iCloud. | ||||||||
Backup proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t back up books distributed by their organization to iCloud, the Finder (macOS 10.15 or later), or in iTunes (macOS 10.14 or earlier). | ||||||||
Handoff | iOS 8 iPadOS 13.1 | No | Users can’t use Handoff with their Apple devices. | ||||||||
Notes and highlights sync for proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t sync notes or highlights to other devices using iCloud. | ||||||||
Erase All Content and Settings | iOS 8 iPadOS 13.1 | Yes | Users can’t erase their device and reset it to factory defaults. | ||||||||
Podcasts | iOS 8 iPadOS 13.1 | Yes | Users can’t download podcasts. | ||||||||
Require passcode on first AirPlay pairing | iOS 7.1 iPadOS 13.1 | No | A passcode is required when an iPhone, iPad, or Apple TV is first paired for AirPlay. Default is off. | ||||||||
Automatic updates to certificate trust settings | iOS 7 iPadOS 13.1 | No | Automatic updates to certificate trust settings can’t occur. | ||||||||
iCloud Keychain | iOS 7 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | iCloud Keychain can’t be used. | ||||||||
Siri Suggestions | iOS 7 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | During search, Siri can’t offer suggestions for apps, people, locations, and more. | ||||||||
Modify cellular data app settings | iOS 7 iPadOS 13.1 | Yes | Users can’t change any settings for apps that use cellular data. | ||||||||
AirDrop | iOS 7 iPadOS 13.1 | Yes | Users can’t use AirDrop. | ||||||||
Pair with non-Apple Configurator hosts | iOS 7 iPadOS 13.1 | Yes | Users can pair their iPhone or iPad only with the Mac that first supervised the device and that has Apple Configurator installed. | ||||||||
Documents from managed sources appear in unmanaged destinations | iOS 7 iPadOS 13.1 | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations.
| ||||||||
Documents from unmanaged sources appear in managed destinations | iOS 7 iPadOS 13.1 | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations.
| ||||||||
Notification Center in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears. | ||||||||
Autonomous Single App Mode | iOS 7 iPadOS 13.1 | Yes | Allows selected apps to be used in Autonomous Single App Mode. | ||||||||
Today view in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe down to see Notification Center using Today View in the Lock Screen. | ||||||||
Control Center in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe up to view Control Center. | ||||||||
Game Center | iOS 6 iPadOS 13.1 | Yes | The Game Center app and its icon are removed. | ||||||||
Send diagnostic and usage data to Apple | iOS 6 iPadOS 13.1 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
Wallet notifications in Lock Screen | iOS 6 iPadOS 13.1 | No | Users must unlock the device to use Wallet. | ||||||||
Apple Books | iOS 6 iPadOS 13.1 | Yes | Apple Books is disabled, and users can’t access it from the Books app. | ||||||||
Siri while device locked | iOS 5.1 iPadOS 13.1 | No | Siri responds only when the device is unlocked. | ||||||||
iCloud Documents and Data | iOS 13 iPadOS 13.1 | Yes | Documents and data aren’t added to iCloud. | ||||||||
iCloud Backup | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Device backup is performed only in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier). | ||||||||
Shared Albums | iOS 5 iPadOS 13.1 | No | Users can’t subscribe to or publish shared photo albums. | ||||||||
Automatic sync while roaming | iOS 5 iPadOS 13.1 | No | Devices that are roaming sync only when an account is accessed by the user. | ||||||||
Users accept untrusted TLS certificates | iOS 5 iPadOS 13.1 | No | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts, and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted, see the Apple support article List of available trusted root certificates in iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10. | ||||||||
Siri profanity filter | iOS 5 iPadOS 13.1 | Yes | The profanity filter in Siri can be disabled. Default is off. | ||||||||
iMessage | iOS 5 iPadOS 13.1 | Yes | For devices with Wi-Fi only, the Messages app is hidden. For devices with Wi-Fi and cellular, the Messages app is still available, but only the SMS/MMS service can be used. | ||||||||
Force encrypted backups | iOS 5 iPadOS 13.1 | No | Users can’t choose whether device backups performed in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Default is off. | ||||||||
In-app purchase | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Users can’t make in-app purchases. | ||||||||
FaceTime | iOS 5 iPadOS 13.1 | Yes | Users can’t place or receive FaceTime audio or video calls. | ||||||||
Screenshots and screen recordings | iOS 5 iPadOS 13.1 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
Add Game Center friends | iOS 13 iPadOS 13.1 | Yes | Users can’t find or add friends in Game Center. | ||||||||
Multiplayer gaming | iOS 13 iPadOS 13.1 | Yes | Users can’t play multiplayer games in Game Center. | ||||||||
Safari AutoFill | iOS 13 iPadOS 13.1 | Yes | Safari doesn’t keep track of what users enter in web forms. | ||||||||
Force fraud warning | iOS 5 iPadOS 13.1 | No | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. Default is off. | ||||||||
JavaScript | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Safari ignores all JavaScript on websites. | ||||||||
Safari pop-ups | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Pop-ups are blocked in Safari. | ||||||||
Block cookies | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | The cookie policy is set in Safari. For more information, see Manage Safari cookies. | ||||||||
Use Safari | iOS 13 iPadOS 13.1 | Yes | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | ||||||||
iTunes Store | iOS 13 iPadOS 13.1 | Yes | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase, or download content. | ||||||||
Ratings region | iOS 5 iPadOS 13.1 tvOS 11.3 | No | Ratings are set by selecting one of nine different regions. This setting can’t be disabled. The default is United States. | ||||||||
Define content ratings | iOS 5 iPadOS 13.1 tvOS 11.3 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | The maximum allowed ratings are selected for movies, TV shows, and apps purchased in iTunes. | ||||||||
Playback of explicit music, video, and podcast content | iOS 5 iPadOS 13.1 tvOS 11.3 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Explicit music or video content purchased from the iTunes Store or downloaded from the Podcasts app is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store. | ||||||||