Common mobile device management settings
Most MDM solutions can deliver the common mobile device management (MDM) settings used in education as configuration profiles, applying these settings and policies to devices automatically as soon as they’re enrolled.
For more information about how to secure devices, facilitate communication and collaboration, and personalize iPad to support diverse learning styles and requirements, see the video Personalize Devices for Learners.
There are several commonly used management settings in education. Some common restrictions and settings are listed below, along with their implications.
Restrictions
The following restrictions are often used in education settings. Most of these restrictions work only with supervised devices. For more information about supervision, see About Apple device supervision in Apple Platform Deployment.
Note: Some restrictions require a specific version of iOS, iPadOS, or tvOS. To see the version supported by the restriction, see MDM restrictions for iPhone and iPad devices and MDM restrictions for Apple TV devices in Apple Platform Deployment.
Allow Manual VPN creation: MDM can restrict a user’s ability to manually configure VPN connections. Turning this off prevents students from setting up their own VPN to bypass the organization’s content filtering service, so that internet requests from student devices stay routed through that service. It doesn’t affect VPN configurations that the MDM solution itself installs. Requires iOS 11 or later.
Allow System App Removal: This restriction prevents users from removing built-in apps like Mail and Calendar. Requires iOS 11 or later.
Show or Hide apps: MDM can configure exactly which apps can be used. All built-in and third-party apps can be hidden with the exception of Phone (on iPhone only) and Settings. Hidden apps may still consume space on a device but can’t be used while hidden. Requires iOS 9.3 or later.
Note: When deploying multiple show or hide apps profiles, such as a device profile and a user profile for Shared iPad, the resulting app set is the intersection of the specified apps. For example, if a device profile requires the device to show only Clock and Safari and a user profile requires the device to show only Mail and Safari, only Safari is shown.
Allow installing apps: When you don’t allow apps to be installed, the App Store is disabled on the device and its icon is removed from the Home screen.
Note: This won’t prevent your MDM solution from installing apps.
Allow Safari: iPad devices include Safari, the native Apple web browser. MDM can disable Safari through configuration profiles. If Safari is disabled, many features of iPadOS and third-party apps may not function. For example, links in mail messages won’t open. For the best user experience, avoid disabling Safari. To restrict inappropriate web content, see Use content filtering.
Allow modifying account settings: When this option is restricted, users can’t configure new accounts or change their user name, password, or other settings associated with their account. For Shared iPad, this setting is recommended to ensure that each student only uses their assigned Managed Apple ID.
Allow Erase All Content and Settings: With iOS 8 or later, when this option is off, users can’t erase their device and reset it to factory defaults from within the Settings app. This restriction covers only the Settings app: users can still erase a device over a USB connection with the Finder (macOS 10.15 or later) or with iTunes (macOS 10.14 or earlier).
Allow configuring restrictions: When this option is off, a user can’t set their own restrictions on their device. This can prevent users from setting restrictions that conflict with restrictions set by the organization. Your MDM solution can also remotely clear a restrictions passcode.
Allow pairing with non-Apple Configurator hosts: When this option is off, users can’t connect their iPad with a computer. Pairing must be enabled at activation to allow users to connect supervised devices to a computer host.
Allow installing configuration profiles: When this option is off, configuration profiles can’t be manually installed by users. This can prevent users from installing profiles that conflict with organization settings.
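The following Python script is an added example, not code from Apple Platform Deployment or from any MDM vendor. It assembles a Restrictions payload (PayloadType com.apple.applicationaccess) carrying the restrictions discussed above, audits a profile against that baseline (a missing key is reported, because Apple’s restriction keys default to allowed), and computes the effective app set when several show-only-these-apps profiles apply, following the intersection rule from the Show or Hide apps note. The payload keys are Apple’s documented Restrictions keys; the show-only list is written with the key name current Apple documentation uses, allowListedAppBundleIDs (older profiles use whitelistedAppBundleIDs). The com.example.edu identifiers, the baseline values, and the three app bundle IDs used as sample input are assumptions for illustration.

```python
"""Build and audit an MDM Restrictions payload (com.apple.applicationaccess).

Added example; not code from Apple Platform Deployment. The baseline below is
an assumption chosen for illustration, not an Apple recommendation.
"""
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Assumed education baseline: Apple restriction key -> required value.
EDU_BASELINE = {
    "allowVPNCreation": False,                         # no user VPN to bypass filtering
    "allowSystemAppRemoval": False,                    # keep Mail, Calendar, etc.
    "allowAppInstallation": False,                     # hides App Store; MDM installs still work
    "allowAccountModification": False,                 # Shared iPad keeps its Managed Apple ID
    "allowEraseContentAndSettings": False,             # no factory reset from Settings
    "allowEnablingRestrictions": False,                # no user-set restrictions passcode
    "allowHostPairing": False,                         # no pairing with non-Configurator hosts
    "allowUIConfigurationProfileInstallation": False,  # no manual profile installs
}


def restrictions_payload(settings, allowed_apps=None):
    """Return one Restrictions payload dict; allowed_apps becomes a show-only-these list."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.edu.restrictions",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Education restrictions",
    }
    payload.update(settings)
    if allowed_apps is not None:
        payload["allowListedAppBundleIDs"] = sorted(allowed_apps)
    return payload


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.edu.profile",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Education device profile",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes, baseline=EDU_BASELINE):
    """Return findings for baseline keys that are absent or not set to the required value.

    When several Restrictions payloads are present the most restrictive value wins,
    so a key is satisfied if any payload sets it to the required value.
    """
    profile = plistlib.loads(profile_bytes)
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not restrictions:
        return ["no Restrictions payload present"]
    findings = []
    for key, required in baseline.items():
        values = [p[key] for p in restrictions if key in p]
        if not values:
            findings.append(f"{key}: missing (defaults to allowed)")
        elif not any(v == required for v in values):
            findings.append(f"{key}: is {values[0]}, expected {required}")
    return findings


def effective_allowed_apps(profiles_bytes):
    """Apply the rule for multiple show/hide profiles: the visible set is the
    intersection of every show-only list; profiles without one don't constrain it.
    Returns None when no profile carries a show-only list."""
    result = None
    for data in profiles_bytes:
        for p in plistlib.loads(data).get("PayloadContent", []):
            apps = p.get("allowListedAppBundleIDs")
            if p.get("PayloadType") == RESTRICTIONS_TYPE and apps is not None:
                result = set(apps) if result is None else result & set(apps)
    return result


if __name__ == "__main__":
    # Constructed sample: a device profile showing only Clock and Safari, and a
    # Shared iPad user profile showing only Mail and Safari (bundle IDs are Apple's).
    device = build_profile([restrictions_payload(
        EDU_BASELINE, ["com.apple.mobiletimer", "com.apple.mobilesafari"])])
    user = build_profile([restrictions_payload(
        {}, ["com.apple.mobilemail", "com.apple.mobilesafari"])])
    print("device profile findings:", audit_profile(device))
    print("visible apps:", effective_allowed_apps([device, user]))
```

Run the script as-is to see the sample device profile pass the audit and the two show-only lists collapse to Safari alone; point audit_profile at plistlib.loads-able bytes exported from your MDM to check a real profile. Note that audit_profile reads unsigned plist content only; a signed .mobileconfig must be unwrapped from its CMS envelope first.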
Additional MDM settings
Some MDM solutions may offer one or more of these additional settings:
Mark specific managed apps as nonremovable: With iOS 14 or later and iPadOS 14 or later, this allows you to ensure that mission-critical apps such as content filtering apps are always present on student devices.
Set time zone: With iOS 14 or later and iPadOS 14 or later, this MDM command ensures all your devices use the correct time zone without anyone physically handling them. If this command isn’t used, the time zone has to be set on the device itself, either by the user or automatically through Location Services.
Get eSIM EID: With iOS 14 or later and iPadOS 14 or later, the MDM solution can gather the eSIM identifier (EID), which—in addition to the IMEI—is an important identifier to have on hand when troubleshooting cellular devices.
Home screen layout: With iOS 9.3 or later, MDM can configure the location of app icons on the Home screen, including the contents of folders and the Dock on supervised devices. Icons can’t be rearranged by users.
Wi-Fi settings: MDM can configure Wi-Fi settings on a device including WPA/WPA2-PSK, WPA/WPA2 Enterprise, and 802.1X. Wi-Fi-only devices, such as some iPad models and iPod touch, must join a Wi-Fi network before enrolling in MDM through Apple School Manager. This may require a temporary deployment network if your campus network normally requires a configuration profile to join. Remotely changing a Wi-Fi profile requires removing the existing profile from the device first, which may disconnect the device from Wi-Fi before the new profile is deployed. For this reason, you should carefully test this functionality before widely deploying an updated Wi-Fi profile.
Passcode policy: When an iPad is locked with a passcode, no one but the user can unlock the device (not even the organization), and data on the device is protected by encryption keys derived from that passcode. MDM can require a passcode on an iPad and enforce different levels of passcode complexity, including length, special characters, and maximum age.
Note: Your MDM solution can remotely clear a passcode when the device is connected to the internet. When an iPad is restarted, it can’t connect to secure Wi-Fi networks until the passcode is entered, possibly preventing the passcode from being cleared remotely.
Web clips: A web clip is an icon on the device Home screen that links to a website or URL. Web clips can optionally launch full-screen web apps and can run offline using HTML5 local storage. Configuration profiles can include web clips that use a custom title and icon, and can optionally be nonremovable. Web clips can point students to specific websites for educational purposes. For more information about configuring web clips on a device, see WebClip profile page in Apple Developer documentation.
User unenrollment: Many MDM solutions offer self-service apps or web clips that provide features beyond the standard MDM features built into iOS and iPadOS. Some self-service interfaces allow the user to remotely unenroll their device from MDM. Disable the capability if the organization wants to prevent users from unenrolling from MDM. See your MDM vendor’s documentation for guidance on preventing user unenrollment.
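The following Python script is an added example for the Passcode policy setting above; it is not code from Apple Platform Deployment or from any MDM vendor. It places a weak passcode payload (PayloadType com.apple.mobiledevice.passwordpolicy) beside a hardened one and runs a small lint over a profile that flags the weak settings, treating an absent key as its permissive default. The payload keys (forcePIN, allowSimple, minLength, requireAlphanumeric, minComplexChars, maxPINAgeInDays, pinHistory, maxInactivity, maxFailedAttempts) are Apple’s; the thresholds in RULES, the hardened values, and the com.example.edu identifiers are assumptions for illustration, not Apple guidance.

```python
"""Passcode policy payload (com.apple.mobiledevice.passwordpolicy): a weak
configuration next to a hardened one, with a lint that flags the weak one.

Added example; not code from the Apple page. Thresholds and identifiers are
assumptions for illustration; the payload keys are Apple's.
"""
import plistlib
import uuid

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def passcode_payload(**settings):
    """Return one passcode policy payload dict carrying the given Apple keys."""
    payload = {
        "PayloadType": PASSCODE_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.edu.passcode",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
    }
    payload.update(settings)
    return payload


def profile_with(*payloads):
    """Wrap payloads in a minimal top-level profile and serialize it as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.edu.passcode-profile",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadContent": list(payloads),
    })


# Weak: passcode optional, simple (repeating or sequential) 4-digit PINs allowed,
# no auto-lock and no failed-attempt limit (absent keys take the permissive default).
WEAK = passcode_payload(forcePIN=False, allowSimple=True, minLength=4)

# Hardened (assumed values): passcode required, at least 6 characters including one
# non-alphanumeric character, rotated every 180 days with the last 4 blocked,
# auto-lock after 5 idle minutes, erase after 10 failed attempts.
HARDENED = passcode_payload(
    forcePIN=True, allowSimple=False, minLength=6,
    requireAlphanumeric=True, minComplexChars=1,
    maxPINAgeInDays=180, pinHistory=4, maxInactivity=5, maxFailedAttempts=10,
)

WEAK_PROFILE = profile_with(WEAK)
HARDENED_PROFILE = profile_with(HARDENED)

# Lint rules: (key, check applied to the value or to None when the key is absent, message).
RULES = [
    ("forcePIN", lambda v: v is True,
     "passcode not required (forcePIN)"),
    ("allowSimple", lambda v: v is False,
     "simple passcodes allowed (allowSimple)"),
    ("minLength", lambda v: v is not None and v >= 6,
     "minimum length below 6 (minLength)"),
    ("maxInactivity", lambda v: v is not None and v <= 15,
     "auto-lock unset or longer than 15 minutes (maxInactivity)"),
    ("maxFailedAttempts", lambda v: v is not None and v <= 10,
     "erase-after-failed-attempts unset or above 10 (maxFailedAttempts)"),
]


def lint_passcode_payload(payload):
    """Return the messages of every rule the payload fails."""
    return [msg for key, check, msg in RULES if not check(payload.get(key))]


def lint_profile(profile_bytes):
    """Lint every passcode payload in a profile; a profile without one is itself a finding."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no passcode payload: nothing forces a passcode on the device"]
    findings = []
    for p in payloads:
        findings.extend(lint_passcode_payload(p))
    return findings


if __name__ == "__main__":
    print("weak profile:", lint_profile(WEAK_PROFILE))
    print("hardened profile:", lint_profile(HARDENED_PROFILE))
```

The lint deliberately fails an absent key rather than skipping it: in a passcode payload, leaving maxInactivity or maxFailedAttempts unset means the device applies no limit, which is exactly the condition a reviewer wants surfaced. As with the Restrictions example, feed lint_profile unsigned plist bytes; a signed .mobileconfig has to be unwrapped from its CMS envelope first.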