MDM restrictions for iPhone and iPad devices
You can set restrictions for iPhone and iPad devices enrolled in a mobile device management (MDM) solution. The default state for all restrictions listed below is on unless the words “Default is off” are in the Restriction Functionality column.
Note: Not all restrictions are available in all MDM solutions, and they have the ability to change the default state for any restriction. To learn more about MDM restriction availability for your devices, consult your MDM vendor’s documentation.
Setting | Minimum supported operating systems | Supervised | Restriction functionality | ||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Allow app installation from a website (In eligible regions) | iOS 17.5 | Yes | Prevents installation of apps directly from the web. | ||||||||
Allow auto-dim | iPadOS 17.4 | Yes | Prevents a device with a Tandem OLED screen from dimming. | ||||||||
Allow app installation from an alternative marketplace (In eligible regions) | iOS 17.4 | Yes | Prevents installation of new alternative app marketplaces and apps hosted on those marketplaces. | ||||||||
Force preservation of eSIM on erase | iOS 17.2 iPadOS 17.2 | Yes | Prevents the eSIM from being erased when a device is set to wipe after entering an incorrect passcode too many times. Note: The operating system doesn’t preserve an eSIM if Find My initiates erasing the device. | ||||||||
Allow Live Voicemail | iOS 17.2 | Yes | Prevents the user from using Live Voicemail. Default is off. | ||||||||
iPhone or iPad Widgets on a Mac | iOS 17 iPadOS 17 | No | Prevents the user from adding iPhone or iPad widgets to their Mac. | ||||||||
Force on-device-only translation | iOS 15 iPadOS 15 | No | Won’t let the device connect to Siri servers for the purposes of translation. Default is off. | ||||||||
iCloud Private Relay | iOS 15 iPadOS 15 | No | Prevents the user from turning on iCloud Private Relay. | ||||||||
Managed pasteboard | iOS 15 iPadOS 15 | No | Helps control the pasting of content from an app that’s using Open In management by following the Managed Open In restrictions in force. Apple apps that work with the managed pasteboard include Calendar, Files, Mail, and Notes. Third-party apps are controlled based on whether they’re managed. When a user attempts to paste content where it isn’t permitted, a Paste Not Allowed notice appears along with the organization’s name (which can be changed using the Settings command). Apps also can’t request items from the pasteboard when this restriction is used and the content crosses the managed boundary. Default is off. | ||||||||
Allow App to Request to Track | iOS 14.5 iPadOS 14.5 | No | Users can’t turn on Allow App to Request to Track. Default is off. | ||||||||
Auto unlock | iOS 14.5 | No | Users can’t use their Apple Watch using watchOS 7.4 to unlock a paired iPhone using iOS 14.5. | ||||||||
Force on-device-only dictation | iOS 14.5 iPadOS 14.5 | No | Prevents dictated content from being sent to Siri servers for processing. Supported on the following devices:
Default is off. | ||||||||
Allow putting an iOS or iPadOS device into Recovery Mode from an unpaired host | iOS 14.5 iPadOS 14.5 | Yes | Previously, any external host computer was allowed to restart a connected iPhone or iPad into recoveryOS (also known as Recovery Mode). This meant that the host computer could completely erase the device and restore iOS or iPadOS over a USB connection without any other physical interaction with the device. iOS 14.5 and iPadOS 14.5 or later prevent this behavior by default. Default is off. | ||||||||
Allow Near–field communications (NFC) | iOS 14.2 | Yes | Prevents users from using built-in NFC hardware in compatible devices using iOS 14.2 or later. | ||||||||
Allow personalized ads delivered by Apple | iOS 14 iPadOS 14 | No | Users’ data won’t be used by the Apple advertising platform to deliver personalized ads. | ||||||||
Allow App Clips | iOS 14 iPadOS 14 | Yes | Users can’t add App Clips. Any existing App Clips are removed when this restriction is applied. | ||||||||
Allow Shared iPad Temporary Session | iPadOS 13.4 | Yes | Shared iPad won’t allow a Temporary Session. | ||||||||
Allow network drive connections | iOS 13 iPadOS 13.1 | Yes | Users can’t connect to network drives in the Files app. | ||||||||
Allow accessory connections | iOS 13 iPadOS 13.1 | Yes | The device can always connect to specific accessories while locked. | ||||||||
Force Wi-Fi on | iOS 13 iPadOS 13.1 | Yes | Users can’t turn off Wi-Fi in:
Users can still select which Wi-Fi network to use. Default is off. | ||||||||
Allow Find My Device | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My app. | ||||||||
Allow Find My Friends | iOS 13 iPadOS 13.1 | Yes | Users can’t use the Find My Friends feature in the Find My app. | ||||||||
Allow QuickPath keyboard | iOS 13 iPadOS 13.1 | Yes | Users can’t use the QuickPath keyboard. | ||||||||
Modify personal Hotspot settings | iOS 12.2 iPadOS 13.1 | Yes | Users can’t modify personal Hotspot settings. | ||||||||
Modify eSIM settings | iOS 12.1 iPadOS 13.1 | Yes | Users can’t add or remove an eSIM plan for an iPhone that supports eSIM. | ||||||||
Proximity AutoFill | iOS 12 iPadOS 13.1 | Yes | Users’ devices won’t advertise themselves to nearby devices for passwords by use of Proximity AutoFill. In iOS, iPadOS, and macOS this feature restricts only Wi-Fi Password requests. | ||||||||
Share passwords over AirDrop | iOS 12 iPadOS 13.1 | Yes | Users can’t share their passwords over AirDrop. | ||||||||
Unmanaged apps to read managed contacts | iOS 12 iPadOS 13.1 | No | Unmanaged apps can read contacts from managed accounts, even if unmanaged apps are prevented from reading to managed destinations. Default is off. | ||||||||
Managed Apps to edit unmanaged contacts | iOS 12 iPadOS 13.1 | No | Managed Apps can edit contacts to unmanaged accounts, even if Managed Apps are prevented from editing unmanaged destinations. Default is off. | ||||||||
Password AutoFill | iOS 12 iPadOS 13.1 | Yes | Users can’t use AutoFill Passwords, and no prompt is shown to pick a saved password from iCloud Keychain or third-party password managers. | ||||||||
AirPlay, View Screen by Classroom, and screen sharing | iOS 12 | No (iPadOS 13.1) or later | Teachers using Classroom can’t use AirPlay with students’ screens, view students’ screens, or share students’ screens. | ||||||||
“Set Automatically” in Date and Time settings | iOS 12 iPadOS 13.1 | Yes | Set Automatically is turned on, and users can’t turn it off. Default is off. | ||||||||
Modify restrictions or Screen Time settings | iPadOS 13.1 iOS 12 (Screen Time) iOS 8 (Restrictions) | Yes | Users can’t set their own restrictions on their device for iOS 11.4.1 or earlier. Users can’t set their own Screen Time settings on their device for iOS 12 or later. | ||||||||
Allow connected accessories while locked | iOS 11.4.1 iPadOS 13.1 | Yes | Users can always connect accessories when the iPhone or iPad is locked. For more information, see Activating data connections securely in Apple Platform Security. | ||||||||
Defer software updates | iOS 11.3 iPadOS 13.1 | Yes | For more information, see Test and defer software updates. Default is off. | ||||||||
Require teacher permission to leave Classroom teacher-created classes | iOS 11.3 iPadOS 13.1 | Yes | Students must request permission before they can leave a teacher-created class. Default is off. | ||||||||
Classroom can focus students on a single app and lock the device without prompting | iOS 11 iPadOS 13.1 | Yes | Teachers can lock an app open or lock the device without first prompting the user. Default is off. | ||||||||
Automatic joining of Classroom classes without prompting | iOS 11 iPadOS 13.1 | Yes | Students can join a class without prompting the teacher. Default is off. | ||||||||
Classroom to perform AirPlay and View Screen without prompting | iOS 11 iPadOS 13.1 | Yes | Students in managed classes aren’t prompted when the teacher uses AirPlay or View Screen. Default is off. | ||||||||
AirPrint | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint. | ||||||||
Discover AirPrint printers using iBeacon | iOS 11 iPadOS 13.1 | Yes | Users can’t discover AirPrint printers using nearby iBeacon-compatible hardware transmitters. | ||||||||
Store AirPrint credentials in Keychain | iOS 11 iPadOS 13.1 | Yes | Users can’t save their AirPrint credentials to their Keychain. | ||||||||
AirPrint to destinations with untrusted certificates | iOS 11 iPadOS 13.1 | Yes | Users can’t use AirPrint to print to printers with untrusted certificates. Default is off. | ||||||||
Set up a nearby Apple device | iOS 11 iPadOS 13.1 | Yes | Users can’t use their Apple devices to set up and configure other Apple devices. | ||||||||
Modify Bluetooth settings | iOS 11 iPadOS 13.1 | Yes | Users can’t modify the Bluetooth® setting. | ||||||||
Modify cellular plan settings | iOS 11 iPadOS 13.1 | Yes | Users can’t change any settings for the cellular plan. | ||||||||
Remove system apps | iOS 11 iPadOS 13.1 | Yes | Users can’t remove native Apple apps. | ||||||||
Add VPN configurations | iOS 11 iPadOS 13.1 | Yes | Users and third-party apps can’t create and add VPN configurations. | ||||||||
Require Face ID or Touch ID authentication for AutoFill | iOS 11 iPadOS 13.1 | Yes | Users are required to authenticate with Face ID, Touch ID, or passcode to automatically fill password and credit card information. Default is off. | ||||||||
Modify Face ID faces and Touch ID fingerprints | iOS 11 (Face ID) iOS 8.3 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) | Yes | Users can’t add or remove existing biometric information. | ||||||||
Use Face ID or Touch ID to unlock device | iOS 11 (Face ID) iOS 7 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) | No | Users must use a passcode to unlock the device. | ||||||||
Enforce Face ID or Touch ID timeout | iOS 11 (Face ID) iOS 7 (Touch ID) iPadOS 13.1 (Face ID or Touch ID) | No | The value, in seconds, after which the biometric unlock requires a passcode to authenticate. The default value is 48 hours. | ||||||||
Modify Dictation | iOS 10.3 iPadOS 13.1 | Yes | Users can’t use dictation on their device. | ||||||||
Join only Wi-Fi networks installed by a Wi-Fi payload | iOS 10.3 iPadOS 13.1 | Yes | Devices that have this restriction can join only the Wi-Fi networks added to the Wi-Fi payload. Default is off. Important: If the Wi-Fi network isn’t available, the device can’t be managed. | ||||||||
Modify diagnostic settings | iOS 9.3.2 iPadOS 13.1 | Yes | Modifying diagnostic data settings isn’t permitted. | ||||||||
Modify Notifications settings | iOS 9.3 iPadOS 13.1 | Yes | Users can’t change the configuration of any Notifications settings. | ||||||||
Apple Music | iOS 9.3 iPadOS 13.1 | Yes | Users can’t use Apple Music. | ||||||||
Radio | iOS 9.3 iPadOS 13.1 | Yes | Users can’t listen to the radio with Apple Music. | ||||||||
Restrict app usage | iOS 9.3 iPadOS 13.1 | Yes | Any apps other than Settings or Phone (on iPhone) can be placed on either an approved list or a disapproved one. | ||||||||
Install apps using App Store | iOS 9 iPadOS 13.1 | Yes | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. In iOS 10 or later, MDM app commands can still be used. | ||||||||
News | iOS 9 iPadOS 13.1 | Yes | Users can’t use the News app. | ||||||||
Modify device name | iOS 9 iPadOS 13.1 | Yes | Users can’t change the name of the device as shown in Settings > General > About. | ||||||||
Modify passcode | iOS 9 iPadOS 13.1 | Yes | Users can’t change the set passcode. | ||||||||
Keyboard shortcuts | iOS 9 iPadOS 13.1 | Yes | Users can’t use any keyboard shortcuts. | ||||||||
iCloud Photos | iOS 9 iPadOS 13.1 | No | Users can’t use their iCloud Photos. | ||||||||
Pair with Apple Watch | iOS 9 | Yes | Users can’t pair their supervised iPhone with Apple Watch. | ||||||||
Automatic app downloads | iOS 9 iPadOS 13.1 | Yes | The App Store won’t automatically download apps. | ||||||||
Trust new proprietary in-house apps developers | iOS 9 iPadOS 13.1 | No | Users can’t allow new proprietary in-house app developers to be trusted, which prohibits apps from those developers from launching. | ||||||||
Treat AirDrop as unmanaged destination | iOS 9 iPadOS 13.1 | No | Users see AirDrop as an option from a Managed App. For this restriction to work when it’s turned on, you must also disable “Allow documents from managed sources in unmanaged destinations.”
Default is off. | ||||||||
Modify Wallpaper | iOS 9 iPadOS 13.1 | Yes | Users can’t modify the wallpaper for the Lock Screen or Home Screen. | ||||||||
Force Apple Watch wrist detection | iOS 8.2 iPadOS 13.1 | No | Apple Watch locks automatically when it’s removed from the user’s wrist. It can be unlocked with its passcode or the paired iPhone. Default is off. | ||||||||
Predictive keyboard | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see the predictive keyboard. | ||||||||
Auto correction | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see any word correction suggestions. | ||||||||
Spell check | iOS 8.1.3 iPadOS 13.1 | Yes | Users won’t see potentially misspelled words underlined in red. | ||||||||
Define and Look Up | iOS 8.1.3 iPadOS 13.1 | Yes | In iOS and iPadOS, users can’t tap and hold a selection and look up a dictionary definition about the selection. In macOS, users can’t Control-click a selection and use Look Up to locate any information about the selection. | ||||||||
Managed App’s stored data in iCloud | iOS 8 iPadOS 13.1 | No | Users can’t store data from Managed Apps in iCloud. | ||||||||
Backup proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t back up books distributed by their organization to iCloud, the Finder (macOS 10.15 or later), or in iTunes (macOS 10.14 or earlier). | ||||||||
Handoff | iOS 8 iPadOS 13.1 | No | Users can’t use Handoff with their Apple devices. | ||||||||
Notes and highlights sync for proprietary in-house books | iOS 8 iPadOS 13.1 | No | Users can’t sync notes or highlights to other devices using iCloud. | ||||||||
Erase All Content and Settings | iOS 8 iPadOS 13.1 | Yes | Users can’t erase their device and reset it to factory defaults. | ||||||||
Podcasts | iOS 8 iPadOS 13.1 | Yes | Users can’t download podcasts. | ||||||||
Require passcode on first AirPlay pairing | iOS 7.1 iPadOS 13.1 | No | A passcode is required when an iOS, iPadOS, or tvOS device is first paired for AirPlay. Default is off. | ||||||||
Automatic updates to certificate trust settings | iOS 7 iPadOS 13.1 | No | Automatic updates to certificate trust settings can’t occur. | ||||||||
iCloud Keychain | iOS 7 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | iCloud Keychain can’t be used. | ||||||||
User-generated content in Siri | iOS 7 iPadOS 13.1 | Yes | Siri can’t access content from sources that allow user-generated content, such as Wikipedia. | ||||||||
Siri Suggestions | iOS 7 iPadOS 13.1 | No | During search, Siri can’t offer suggestions for apps, people, locations, and more. | ||||||||
Modify account settings | iOS 7 iPadOS 13.1 | Yes | Users can’t create new accounts or change their user name, password, or other settings associated with their account. | ||||||||
Modify cellular data app settings | iOS 7 iPadOS 13.1 | Yes | Users can’t change any settings for apps that use cellular data. | ||||||||
AirDrop | iOS 7 iPadOS 13.1 | Yes | Users can’t use AirDrop. | ||||||||
Pair with non-Apple Configurator hosts | iOS 7 iPadOS 13.1 | Yes | Users can pair their iPhone or iPad only with the Mac that first supervised the device and that has Apple Configurator installed. | ||||||||
Documents from managed sources appear in unmanaged destinations | iOS 7 iPadOS 13.1 | No | Documents created or downloaded from managed sources can’t be opened in unmanaged destinations.
| ||||||||
Documents from unmanaged sources appear in managed destinations | iOS 7 iPadOS 13.1 | No | Documents created or downloaded from unmanaged sources can’t be opened in managed destinations.
| ||||||||
Notification Center in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t view the Notification history when the screen is locked; however, they can still view a Notification when it appears. | ||||||||
Autonomous Single App Mode | iOS 7 iPadOS 13.1 | Yes | Allows selected apps to be used in Autonomous Single App Mode. | ||||||||
Today view in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe down to see Notification Center using Today View in the Lock Screen. | ||||||||
Control Center in Lock Screen | iOS 7 iPadOS 13.1 | No | Users can’t swipe up to view Control Center. | ||||||||
Game Center | iOS 6 iPadOS 13.1 | Yes | The Game Center app and its icon are removed. | ||||||||
Install a configuration profile | iOS 6 iPadOS 13.1 | Yes | Users can’t manually install configuration profiles in Settings. | ||||||||
Send diagnostic and usage data to Apple | iOS 6 iPadOS 13.1 | No | Users can’t choose to send diagnostic information to Apple. | ||||||||
Wallet notifications in Lock Screen | iOS 6 iPadOS 13.1 | No | Users must unlock the device to use Wallet. | ||||||||
Apple Books | iOS 6 iPadOS 13.1 | Yes | Apple Books is disabled, and users can’t access it from the Books app. | ||||||||
Siri while device locked | iOS 5.1 iPadOS 13.1 | No | Siri responds only when the device is unlocked. | ||||||||
iCloud Documents and Data | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | Documents and data aren’t added to iCloud. | ||||||||
Siri | iOS 5 iPadOS 13.1 | No | Siri can’t be used. | ||||||||
iCloud Backup | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Device backup is performed only in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier). | ||||||||
Shared Albums | iOS 5 iPadOS 13.1 | No | Users can’t subscribe to or publish shared photo albums. | ||||||||
Users accept untrusted TLS certificates | iOS 5 iPadOS 13.1 | No | Users aren’t asked if they want to trust certificates that can’t be verified. This setting applies to Safari, Mail, Contacts, and Calendar accounts. When this option is on, only certificates with trusted root certificates are accepted without a prompt. To view the root CAs accepted, see the Apple Support article List of available trusted root certificates in iOS 17, iPadOS 17, macOS 14, tvOS 17, and watchOS 10. | ||||||||
Siri profanity filter | iOS 5 iPadOS 13.1 | Yes | The profanity filter in Siri can be disabled. Default is off. | ||||||||
iMessage | iOS 5 iPadOS 13.1 | Yes | For Wi-Fi–only devices, the Messages app is hidden. For devices with Wi-Fi and cellular, the Messages app is still available, but only the SMS/MMS service can be used. | ||||||||
Force encrypted backups | iOS 5 iPadOS 13.1 | No | Users can’t choose whether device backups performed in the Finder (macOS 10.15 or later) or in iTunes (macOS 10.14 or earlier) are stored in encrypted format on the user’s Mac. If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by the Finder or iTunes. Default is off. | ||||||||
Automatic sync while roaming | iOS 5 iPadOS 13.1 | No | Devices that are roaming sync only when an account is accessed by the user. | ||||||||
In-app purchase | iOS 5 iPadOS 13.1 | No | Users can’t make in-app purchases. | ||||||||
FaceTime | iOS 5 iPadOS 13.1 | Yes | Users can’t place or receive FaceTime audio or video calls. | ||||||||
Install apps | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | App Store is disabled and its icon is removed from the Home Screen. Users can’t install or update apps. In iOS 10 or later, MDM app commands can still be used. Note: If native iOS and iPadOS system apps are removed, they can be reinstalled. | ||||||||
Screenshots and screen recordings | iOS 5 iPadOS 13.1 | No | Users can’t save a screenshot or recording of the screen. | ||||||||
Use of cameras | iOS 5 iPadOS 13.1 | This restriction is deprecated on unsupervised devices and will be supervised only in a future release. | Cameras are disabled and the Camera icon is removed from the Home Screen in iOS and iPadOS. Users can’t take photographs or videos. | ||||||||
Remove apps | iOS 5 iPadOS 13.1 | Yes | Users can’t remove installed apps. | ||||||||
Add Game Center friends | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | Users can’t find or add friends in Game Center. | ||||||||
Multiplayer gaming | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | Users can’t play multiplayer games in Game Center. | ||||||||
Safari AutoFill | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | Safari doesn’t keep track of what users enter in web forms. | ||||||||
Force fraud warning | iOS 5 iPadOS 13.1 | No | Safari attempts to prevent the user from visiting websites identified as being fraudulent or compromised. Default is off. | ||||||||
JavaScript | iOS 5 iPadOS 13.1 | No | Safari ignores all JavaScript on websites. | ||||||||
Safari pop-ups | iOS 5 iPadOS 13.1 | No | Pop-ups are blocked in Safari. | ||||||||
Block cookies | iOS 5 iPadOS 13.1 | No | The cookie policy is set in Safari. For more information, see Manage Safari cookies. | ||||||||
Use Safari | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | The Safari web browser app is disabled and its icon is removed from the Home Screen. This setting also prevents users from opening Web Clips. | ||||||||
iTunes Store | iOS 5 iPadOS 13.1 | Yes (iOS 13) or later Yes (iPadOS 13.1) or later | The iTunes Store is disabled and its icon is removed from the Home Screen. Users can’t preview, purchase, or download content. | ||||||||
Explicit content in Apple Books | iOS 5 iPadOS 13.1 | No | Explicit content purchased from Apple Books is hidden. Explicit content is flagged by content providers when sold through the Books app. | ||||||||
Ratings region | iOS 5 iPadOS 13.1 | No | Ratings are set by selecting one of nine different regions. This setting can’t be disabled. The default is United States. | ||||||||
Define content ratings | iOS 5 iPadOS 13.1 | No | The maximum allowed ratings are selected for movies, TV shows, and apps purchased in iTunes. | ||||||||
Playback of explicit music, video, and podcast content | iOS 5 iPadOS 13.1 | No | Explicit music or video content purchased from the iTunes Store or downloaded from the Podcasts app is hidden. Explicit content is flagged by content providers, such as record labels, when sold through the iTunes Store. |