Review MDM restrictions for Apple devices
Restrictions can be turned on — or, in some cases, turned off — by administrators to help prevent users from accessing a specific app, service or function of an Apple device that’s enrolled in a mobile device management (MDM) solution. For example, a restriction can be added that prevents an iPhone or iPad from using AirPrint. Another restriction can be added to prevent the sharing of passwords over AirDrop on an iPhone, iPad, Mac and Apple Vision Pro. Certain restrictions on an iPhone can be mirrored on a paired Apple Watch.
You can set restrictions, including modifying a device and its features, on Apple devices enrolled in an MDM solution.
You can see a complete list of MDM restrictions below, or you can see restrictions based on a specific device or User Enrolment. The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column. Note that some restrictions have been deprecated.
Note: Not all restrictions are available in all MDM solutions, and they have the ability to change the default state for any restriction. To learn more about MDM restriction availability for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating systems | Supervised | Restriction functionality | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
Allow app installation from a website (In eligible regions) | iOS 17.5 | Yes | Prevents installation of apps directly from the web. | ||||||||
Allow auto-dim | iPadOS 17.4 | Yes | Prevents a device with a Tandem OLED screen from dimming. | ||||||||
Allow app installation from an alternative marketplace (In eligible regions) | iOS 17.4 | Yes | Prevents installation of new alternative app marketplaces and apps hosted on those marketplaces. | ||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Yes | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | ||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Yes | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | ||||||||
Allow Live Voicemail | iOS 17.2 | Yes | Prevents the user from using Live Voicemail. Default is off. | ||||||||
iPhone or iPad Widgets on a Mac | iOS 17 iPadOS 17 | Yes | Prevents the user from adding iPhone or iPad widgets to their Mac. | ||||||||
Use of cameras | iOS 5 iPadOS 13.1 OS X 10.11 tvOS 17 visionOS 2.0 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (macOS, tvOS) | Cameras are disabled and the Camera icon is removed from the Home Screen in iOS, iPadOS and visionOS. Users can’t take photographs or videos. In tvOS, the FaceTime app is removed from the Home Screen and third-party apps can’t use Continuity Camera. | ||||||||
Install apps | iOS 5 iPadOS 13.1 watchOS 10 visionOS 2.0 | No (iOS 12.4 or earlier) Yes (iPadOS 13.1 or later) Yes (watchOS 10) Yes (visionOS 2.0) | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. In iOS 10 or later and watchOS, MDM app commands can still be used. Note: If native iOS, iPadOS and visionOS system apps are removed, they can be reinstalled. | ||||||||
Install apps using App Store | iOS 9 iPadOS 13.1 watchOS 10 visionOS 2.0 | Yes | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. In iOS 10 or later and watchOS, MDM app commands can still be used. | ||||||||
Remove apps | iOS 5 iPadOS 13.1 watchOS 10 | Yes | Users can’t remove installed apps. | ||||||||
Automatic app downloads | iOS 9 iPadOS 13.1 watchOS 10 | Yes | The App Store won’t automatically download apps. | ||||||||
User-generated content in Siri | iOS 7 iPadOS 13.1 watchOS 10 | Yes | Siri can’t access content from sources that allow user-generated content, such as Wikipedia. | ||||||||
Modify account settings | iOS 7 iPadOS 13.1 macOS 14 watchOS 10 visionOS 2.0 | Yes (iOS, iPadOS, watchOS and visionOS) No (macOS) | Users can’t create new accounts or change their username, password, or other settings associated with their account. | ||||||||
Force on-device-only dictation | iOS 14.5 iPadOS 14.5 macOS 14 watchOS 10 visionOS 2.0 | No | Prevents dictated content from being sent to Siri servers for processing. Supported on the following devices:
Default is off. | ||||||||
Modify device name | iOS 9 iPadOS 13.1 macOS 14 tvOS 11 visionOS 2.0 | Yes (iOS, iPadOS, tvOS and visionOS) No (macOS) | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
Siri | iOS 5 iPadOS 13.1 macOS 14 visionOS 2.0 | No | Siri can’t be used. | ||||||||
Modify biometric authentication | iOS 8.3 (Touch ID) iOS 11 (Face ID) iPadOS 13.1 (Face ID or Touch ID) macOS 14 (Touch ID) visionOS 2.0(Optic ID) | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t add or remove existing biometric information. | ||||||||
Remote Desktop management modification | macOS 14 | No | Prevents the user from modifying Remote Desktop management settings. | ||||||||
File Sharing modification | macOS 14 | No | Prevents the user from modifying file sharing settings. | ||||||||
Bluetooth modification | macOS 14 | No | Prevents the user from modifying Bluetooth® settings. | ||||||||
Printer sharing modification | macOS 14 | No | Prevents the user from modifying printer sharing settings. | ||||||||
Internet sharing modification | macOS 14 | No | Prevents the user from modifying internet sharing settings. | ||||||||
Remote Apple events modification | macOS 14 | No | Prevents the user from modifying remote Apple events settings. | ||||||||
Local user account creation | macOS 14 | No | Prevents a user with the role of administrator from creating new users in Users & Groups. | ||||||||
Freeform in iCloud | macOS 14 | No | Prevents the user from storing Freeform files in iCloud. | ||||||||
Startup Disk modification | macOS 14 | No | Prevents the user from selecting a different startup disk. | ||||||||
Time Machine backups | macOS 14 | No | Prevents the user from setting up and using a Time Machine backup. | ||||||||
Universal Control | macOS 13 | No | Prevents the user from using Universal Control. | ||||||||
Install a configuration profile | iOS 6 iPadOS 13.1 macOS 13 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t manually install configuration profiles in System Settings (Mac) and Settings (iPhone, iPad and Apple Vision Pro). | ||||||||
Allow accessory connections | iOS 11.4.1 iPadOS 13.1 macOS 13 | Yes (iOS and iPadOS) No (macOS) | The device can always connect to specific accessories while locked. In macOS, allows new specific accessories to connect without authorisation. | ||||||||
AirPlay security | macOS 12.3 tvOS 10.2 | Yes (tvOS) No (macOS) | Users can’t use AirPlay to stream content to the Mac or Apple TV. | ||||||||
Force on-device-only translation | iOS 15 iPadOS 15 | No | Won’t let the device connect to Siri servers for the purposes of translation. Default is off. | ||||||||
iCloud Private Relay | iOS 15 iPadOS 15 macOS 12.0.1 visionOS 2.0 | No | Prevents the user from turning on iCloud Private Relay. | ||||||||
Managed pasteboard | iOS 15 iPadOS 15 visionOS 2.0 | No | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organisation’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off. | ||||||||
Allow App to Request to Track | iOS 14.5 iPadOS 14.5 | No | Users can’t turn on Allow App to Request to Track. Default is off. | ||||||||
Auto unlock | iOS 14.5 macOS 10.12 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (macOS) | Users can’t use their Apple Watch using watchOS 7.4 to unlock a paired iPhone using iOS 14.5. | ||||||||
Allow putting an iOS or iPadOS device into Recovery Mode from an unpaired host | iOS 14.5 iPadOS 14.5 | Yes | Previously, any external host computer was allowed to restart a connected iPhone or iPad into recoveryOS (also known as Recovery Mode). This meant the host computer could completely erase the device and restore iOS or iPadOS over a USB connection without any other physical interaction with the device. iOS 14.5 and iPadOS 14.5 or later prevent this behaviour by default. Default is off. | ||||||||
Allow near–field communications (NFC) | iOS 14.2 | Yes | Prevents users from using built-in NFC hardware in compatible devices using iOS 14.2 or later. | ||||||||
Allow personalised ads delivered by Apple | iOS 14 iPadOS 14 macOS 12.0.1 visionOS 2.0 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalised ads. | ||||||||
Allow App Clips | iOS 14 iPadOS 14 | Yes | Users can’t add App Clips. Any existing App Clips are removed when this restriction is applied. | ||||||||
Allow Shared iPad Temporary Session | iPadOS 13.4 | Yes | Shared iPad won’t allow a Temporary Session. | ||||||||
Allow network drive connections | iOS 13 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t connect to network drives in the Files app. | ||||||||
Force Wi-Fi on | iOS 13 iPadOS 13.1 | Yes | Users can’t turn off Wi-Fi in:
Users can still select which Wi-Fi network to use. Default is off. | ||||||||
Allow Find My Device | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My app. | ||||||||
Allow Find My Friends | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My Friends feature in the Find My app. | ||||||||
Allow QuickPath keyboard | iOS 13 iPadOS 13.1 | Yes | Users can’t use the QuickPath keyboard. | ||||||||
Prevent Apple TV from going to sleep | tvOS 13 | Yes | Users and tvOS can’t put the Apple TV to sleep. | ||||||||
Modify Personal Hotspot settings | iOS 12.2 iPadOS 13.1 | Yes | Users can’t modify personal Hotspot settings. | ||||||||
Modify eSIM settings | iOS 12.1 iPadOS 13.1 | Yes | Users can’t add or remove an eSIM plan for an iPhone that supports eSIM. | ||||||||
Proximity AutoFill | iOS 12 iPadOS 13.1 macOS 10.14 tvOS 12 | Yes (iOS, iPadOS and tvOS) No (macOS) | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS and macOS this feature restricts only Wi-Fi Password requests. | ||||||||
Share passwords over AirDrop | iOS 12 iPadOS 13.1 macOS 10.14 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t share their passwords over AirDrop. | ||||||||
Unmanaged apps to read managed contacts | iOS 12 iPadOS 13.1 visionOS 2.0 | No | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. Default is off. | ||||||||
Managed Apps to edit unmanaged contacts | iOS 12 iPadOS 13.1 visionOS 2.0 | No | Managed Apps can edit contacts to unManaged accounts, even if managed Apps are prevented from editing unmanaged destinations. Default is off. | ||||||||
Password AutoFill | iOS 12 iPadOS 13.1 macOS 10.14 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | ||||||||
AirPlay, View Screen by Classroom and screen sharing | iPadOS 13.1 macOS 10.14.4 | No | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens or share students’ screens. | ||||||||
Turn on “Set Automatically” in Date and Time settings | iOS 12 iPadOS 13.1 tvOS 12.2 visionOS 2.0 | Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. | ||||||||
Modify restrictions or Screen Time settings | iPadOS 13.1 iOS 12 (Screen Time) iOS 8 (Restrictions) visionOS 2.0 | Yes | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device for iOS 12, iPadOS 13.1, visionOS 2.0, or later. | ||||||||
Defer software updates | iOS 11.3 iPadOS 13.1 macOS 11.3 tvOS 12.2 | Yes (iOS, iPadOS and tvOS) No (macOS) | For more information, see Test and defer software updates. Default is off. | ||||||||
Require teacher permission to leave Classroom teacher-created classes | iOS 11.3 iPadOS 13.1 macOS 10.14.4 | Yes | Students must request permission before they can leave a teacher-created class. Default is off. | ||||||||
Classroom can focus students on a single app and lock the device without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Yes | Teachers can lock an app open or lock the device without first prompting the user. Default is off. | ||||||||
Automatic joining of Classroom classes without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Yes | Students can join a class without prompting the teacher. Default is off. | ||||||||
Classroom to perform AirPlay and View Screen without prompting | iOS 11 iPadOS 13.1 macOS 10.14.4 | Yes | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off. | ||||||||
AirPrint | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint. | ||||||||
Discover AirPrint printers using iBeacon | iOS 11 iPadOS 13.1 | Yes | Users can’t discover AirPrint printers using nearby iBeacon-compatible hardware transmitters. | ||||||||
Store AirPrint credentials in Keychain | iOS 11 iPadOS 13.1 | Yes | Users can’t save their AirPrint credentials to their Keychain. | ||||||||
AirPrint to destinations with untrusted certificates | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint to print to printers with untrusted certificates. Default is off. | ||||||||
Set up a nearby Apple device | iOS 11 iPadOS 13.1 | Yes | Users can’t use their Apple devices to set up and configure other Apple devices. | ||||||||
Modify Bluetooth settings | iOS 11 iPadOS 13.1 | Yes | Users can’t modify the Bluetooth setting. | ||||||||
Modify data plan settings | iOS 11 iPadOS 13.1 | Yes | Users can’t change any settings for the data plan. | ||||||||
Remove system apps | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t remove native Apple apps. | ||||||||
Add VPN configurations | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users and third-party apps can’t create and add VPN configurations. | ||||||||
Require biometric authentication for AutoFill | iOS 11 iPadOS 13.1 visionOS 2.0 | Yes | Users are required to authenticate with biometric authentication or passcode to automatically fill password and credit card information. Default is off. | ||||||||
Use biometric authentication to unlock device | iOS 11 (Face ID) iOS 7 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) macOS 10.12.4 (Touch ID) visionOS 2.0 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (macOS) | Users must use a passcode to unlock the device. | ||||||||
Enforce Face ID or Touch ID timeout | iOS 11 (Face ID) iOS 7 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) macOS 12.0.1 (Touch ID) | No | The value, in seconds, after which the biometric unlock requires a passcode or password to authenticate. The default value is 48 hours (or 172,800 seconds). | ||||||||
Modify Dictation | iOS 10.3 iPadOS 13.1 macOS 10.13 | Yes | Users can’t use dictation on their device. | ||||||||
Join only Wi-Fi networks installed by a Wi-Fi payload | iOS 10.3 iPadOS 13.1 visionOS 2.0 | Yes | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | ||||||||
Modify diagnostic settings | iOS 9.3.2 iPadOS 13.1 visionOS 2.0 | Yes | Modifying diagnostic data settings isn’t permitted. | ||||||||
Modify Notifications settings | iOS 9.3 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t change the configuration of any Notifications settings. | ||||||||
Content caching | macOS 10.13 | No | Content caching isn’t permitted. | ||||||||
Apple Music | iOS 9.3 iPadOS 13.1 macOS 10.12 | Yes (iOS and iPadOS) No (macOS) | Users can’t use Apple Music. | ||||||||
Pair with Remote app | tvOS 10.2 | Yes | Users can’t use the Apple TV Remote app to control the Apple TV. | ||||||||
Radio | iOS 9.3 iPadOS 13.1 | Yes | Users can’t listen to the radio with Apple Music. | ||||||||
Restrict app usage | iOS 9.3 iPadOS 13.1 tvOS 11 | Yes | Any apps other than Settings or Phone (on iPhone) can be placed on either an approved list or an unapproved one. To allow all Web Clips, you must add the value | ||||||||
News | iOS 9 iPadOS 13.1 | Yes | Users can’t use the News app. | ||||||||
Modify passcode or password | iOS 9 iPadOS 13.1 macOS 10.13 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t change the passcode or password. | ||||||||
Keyboard shortcuts | iOS 9 iPadOS 13.1 | Yes | Users can’t use any keyboard shortcuts. | ||||||||
iCloud Photos | iOS 9 iPadOS 13.1 macOS 10.12 visionOS 2.0 | No | Users can’t use their iCloud Photos. | ||||||||
Pair with Apple Watch | iOS 9 | Yes | Users can’t pair their supervised iPhone with Apple Watch. | ||||||||
Trust new proprietary in-house app developers | iOS 9 iPadOS 13.1 visionOS 2.0 | No | Users can’t allow new proprietary in-house app developers to be trusted, which prohibits apps from those developers from launching. | ||||||||
Treat AirDrop as unmanaged destination | iOS 9 iPadOS 13.1 visionOS 2.0 | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s enabled, you must also disable “Allow documents from managed sources in unmanaged destinations”.
Default is off. | ||||||||
Modify Wallpaper | iOS 9 iPadOS 13.1 macOS 10.13 | Yes (iOS and iPadOS) No (macOS) | Users can’t modify the wallpaper for the Lock Screen, the Home Screen or, in macOS, the Desktop. | ||||||||
Force Apple Watch wrist detection | iOS 8.2 iPadOS 13.1 | No | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or with the paired iPhone. Default is off. | ||||||||
Predictive keyboard | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see the predictive keyboard. | ||||||||
Auto correction | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see any word correction suggestions. | ||||||||
Spell check | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see potentially misspelt words underlined in red. | ||||||||
Define and Look Up | iOS 8.1.3 iPadOS 13.1 OS X 10.11 | Yes | In iOS and iPadOS, users can’t tap and hold a selection and look up a dictionary definition about the selection. In macOS, users can’t Control-click a selection and use Look Up to locate any information about the selection. | ||||||||
Managed App’s stored data in iCloud | iOS 8 iPadOS 13.1 visionOS 2.0 | No | Users can’t store data from Managed Apps in iCloud. | ||||||||
Backup proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t back up books distributed by their organisation to iCloud, the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier). | ||||||||
Handoff | iOS 8 iPadOS 13.1 macOS 10.15 visionOS 2.0 | No | Users can’t use Handoff with their Apple devices. | ||||||||
Notes and highlights sync for proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t sync notes or highlights to other devices using iCloud. | ||||||||
Erase All Content and Settings | iOS 8 iPadOS 13.1 macOS 12.0.1 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t erase their device and reset it to factory defaults. | ||||||||
Podcasts | iOS 8 iPadOS 13.1 | Yes | Users can’t download podcasts. | ||||||||
Require passcode on first AirPlay pairing | iOS 7.1 iPadOS 13.1 | No | A passcode is required when an iPhone, iPad or Apple TV is first paired for AirPlay. Default is off. | ||||||||
Automatic updates to certificate trust settings | iOS 7 iPadOS 13.1 | No | Automatic updates to certificate trust settings can’t occur. | ||||||||
iCloud Mail | macOS 10.12 | No | Mail isn’t uploaded to iCloud. | ||||||||
iCloud Contacts | macOS 10.12 | No | Contacts aren’t uploaded to iCloud. | ||||||||
iCloud Calendars | macOS 10.12 | No | Calendars aren’t uploaded to iCloud. | ||||||||
iCloud Reminders | macOS 10.12 | No | Reminders aren’t uploaded to iCloud. | ||||||||
iCloud Bookmarks | macOS 10.12 | No | Safari bookmarks aren’t uploaded to iCloud. | ||||||||
iCloud Keychain | iOS 7 iPadOS 13.1 macOS 10.12 visionOS 2.0 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (macOS) | iCloud Keychain can’t be used. | ||||||||
Siri Suggestions | iOS 7 iPadOS 13.1 OS X 10.11 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. No (macOS) | During search, Siri can’t offer suggestions for apps, people, locations and more. | ||||||||
Modify mobile data app settings | iOS 7 iPadOS 13.1 | Yes | Users can’t change any settings for apps that use mobile data. | ||||||||
AirDrop | iOS 7 iPadOS 13.1 macOS 10.13 visionOS 2.0 | Yes (iOS, iPadOS and visionOS) No (macOS) | Users can’t use AirDrop. | ||||||||
User unlocks Mac using Apple Watch | macOS 10.13 | No | Users can’t unlock their Mac with Apple Watch. | ||||||||
Pair with non-Apple Configurator hosts | iOS 7 iPadOS 13.1 | Yes | Users can pair their iPhone or iPad only with the Mac that first supervised the device and that has Apple Configurator installed. | ||||||||
Documents from managed sources appear in unmanaged destinations | iOS 7 iPadOS 13.1 visionOS 2.0 | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations.
| ||||||||
Documents from unmanaged sources appear in managed destinations | iOS 7 iPadOS 13.1 visionOS 2.0 | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations.
| ||||||||
Notification Centre in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears. | ||||||||
Autonomous Single App Mode | iOS 7 iPadOS 13.1 | Yes | Allows selected apps to be used in Autonomous Single App Mode. | ||||||||
Today view in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe down to see Notification Centre using Today View in the Lock Screen. | ||||||||
Control Centre in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe up to view Control Centre. | ||||||||
Game Center | iOS 6 iPadOS 13.1 macOS 10.13 | Yes (iOS and iPadOS) No (macOS) | The Game Center app and its icon are removed. | ||||||||
Send diagnostic and usage data to Apple | iOS 6 iPadOS 13.1 macOS 10.13 visionOS 2.0 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
Wallet notifications in Lock Screen | iOS 6 iPadOS 13.1 | No | Users must unlock the device to use Wallet. | ||||||||
Apple Books | iOS 6 iPadOS 13.1 | Yes | Apple Books is disabled, and users can’t access it from the Books app. | ||||||||
Siri while device is locked | iOS 5.1 iPadOS 13.1 | No | Siri responds only when the device is unlocked. | ||||||||
iCloud Documents and Data | iOS 5 iPadOS 13.1 OS X 10.11 visionOS 2.0 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) Yes (visionOS 2.0 or later) No (macOS) | Documents and data aren’t added to iCloud. | ||||||||
iCloud Backup | iOS 5 iPadOS 13.1 visionOS 2.0 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | In iOS and iPadOS, device backup is performed only in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier). For visionOS, no backup is performed. | ||||||||
Shared Albums | iOS 5 iPadOS 13.1 | No | Users can’t subscribe to or publish shared photo albums. | ||||||||
Users accept untrusted TLS certificates | iOS 5 iPadOS 13.1 visionOS 1.1 | No | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted, see the Apple support article List of available trusted root certificates in iOS 17, iPadOS 17, macOS 14, tvOS 17 and watchOS 10. | ||||||||
Siri profanity filter | iOS 5 iPadOS 13.1 macOS 10.13 | Yes (iOS and iPadOS) No (macOS) | The profanity filter in Siri can be disabled. Default is off. | ||||||||
iMessage | iOS 5 iPadOS 13.1 | Yes | For devices with Wi-Fi only, the Messages app is hidden. For devices with Wi-Fi and mobile, the Messages app is still available but only the SMS/MMS service can be used. | ||||||||
Force encrypted backups | iOS 5 iPadOS 13.1 | No | Users can’t choose whether device backups performed in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Default is off. | ||||||||
Automatic sync while roaming | iOS 5 iPadOS 13.1 | No | Devices that are roaming sync only when an account is accessed by the user. | ||||||||
In-app purchase | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Users can’t make in-app purchases. | ||||||||
FaceTime | iOS 5 iPadOS 13.1 visionOS 2.0 | Yes | Users can’t make or receive FaceTime audio or video calls. | ||||||||
Screenshots and screen recordings | iOS 5 iPadOS 13.1 macOS 11 visionOS 2.0 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
Add Game Center friends | iOS 5 iPadOS 13.1 macOS 10.13 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) No (macOS) | Users can’t find or add friends in Game Center. | ||||||||
Multiplayer gaming | iOS 5 iPadOS 13.1 macOS 10.13 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) No (macOS) | Users can’t play multiplayer games in Game Center. | ||||||||
Safari AutoFill | iOS 5 iPadOS 13.1 macOS 10.13 visionOS 2.0 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) Yes (visionOS 2.0 or later) No (macOS) | Safari doesn’t keep track of what users enter in web forms. | ||||||||
App Store app adoption | OS X 10.10 | No | iLife and iWork apps that shipped with macOS can’t be adopted by the App Store. | ||||||||
Require administrator password to install or update apps | OS X 10.9 | No | An administrator password is required to update any apps. | ||||||||
Force fraud warning | iOS 5 iPadOS 13.1 | No | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. Default is off. | ||||||||
JavaScript | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Safari ignores all JavaScript on websites. | ||||||||
Safari pop-ups | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Pop-ups are blocked in Safari. | ||||||||
Block cookies | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | The cookie policy is set in Safari. For more information, see Manage Safari cookies. | ||||||||
Use Safari | iOS 5 iPadOS 13.1 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | ||||||||
iTunes Store | iOS 5 iPadOS 13.1 | Yes (iOS 13 or later) Yes (iPadOS 13.1 or later) | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase or download content. | ||||||||
Ratings region | iOS 5 iPadOS 13.1 tvOS 11.3 | No | Ratings are set by selecting one of nine different regions. This setting can’t be disabled. The default is United States. | ||||||||
Define content ratings | iOS 5 iPadOS 13.1 tvOS 11.3 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | The maximum allowed ratings are selected for movies, TV shows and apps purchased in iTunes. | ||||||||
Playback of explicit music, video and podcast content | iOS 5 iPadOS 13.1 tvOS 11.3 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Explicit music or video content purchased from the iTunes Store or downloaded from the Podcasts app is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store. | ||||||||
Show on Desktop | OS X 10.7 | No | Internal storage devices External storage devices CDs, DVDs and iPod devices Connected servers | ||||||||
Show warning before emptying Trash | OS X 10.7 | No | Allow or deny | ||||||||
Connect to a server | OS X 10.7 | No | Allow or deny | ||||||||
Eject | OS X 10.7 | No | Allow or deny | ||||||||
Burn disc | OS X 10.7 | No | Allow or deny | ||||||||
Go to folder | OS X 10.7 | No | Allow or deny | ||||||||
Restart | OS X 10.7 | No | Allow or deny | ||||||||
Shut Down | OS X 10.7 | No | Allow or deny | ||||||||
Log out | OS X 10.7 | No | Allow or deny | ||||||||