Restrict MFA option modification on iOS devices

expand collapsive

We want to make the MFA settings unchangable on all our user’s managed device. If we disable the option ‘Modify an account’ within iOS Advanced restrictions, will the user be able to modify the MFA settings for the Apple ID?

All Replies

  • Hi @Ah-lam, yes, when you disable modifying accounts on iOS devices with an iOS Advanced Restriction policy, users will not be able to ‘modify’ any accounts-related settings on the endpoint. So, naturally, they will not be able to change your account MFA settings.

    This will what will happen on the device end –

    On the Settings app,

    If the user is not signed in with Apple ID on the device, they may tap on ‘Sign in to your [device]’ to do that. However, if you have restricted modifying accounts from Hexnode, this option will be greyed out and rendered un-clickable. To modify MFA settings, the user will have to go through the options and select Passwords & Security.

    Similarly, if the user is signed in with their Apple ID on the device, they may tap on the account user name to bring up the account settings. The option will be greyed when this restriction is applied, and iOS will prevent them from accessing the account settings.

    On the Settings app, the user cannot add/modify accounts for services like Mail, Contacts and Calendar, which generally allows the user to add iCloud, Microsoft Exchange, Google or other accounts.

    On any other app that requires an account,

    Like say, the user is not already signed in and clicked on the Mail app, it should show an error message that says – “Account Restriction – This [device] is restricted from creating mail accounts.”

    But again, suppose you have a sign-in option on an app that the user can use to login into their respective service account(s), which is also within the scope of that app (the account does not get saved on the device settings). In that case, the user will be allowed to sign in regardless of the account restriction. An example would be when they sign in with their Google account on the YouTube app. This sign-in is valid for the YouTube app and could be reused optionally on another Google app.

    The modifying account restriction only applies to accounts that get saved on the device settings. When the restriction is in place, this is an overview of what the user may or may not do –

    • May not sign in with their Apple ID on the device if not already done.
    • May not modify their Apple ID settings on the Settings app.
    • May not add an account via the Settings app.
    • May not sign in to Apple ID connected services via apps.
    • May sign out of their Apple ID connected services from the respective apps. (This will prompt a system-wide sign out)

    Hope this answers your question.

    Regards,
    Zach Goodman
    Hexnode UEM

    • This reply was modified 2 years, 7 months ago by  Zach Goodman.
    • This reply was modified 2 years, 7 months ago by  Zach Goodman.
    • This reply was modified 2 years, 7 months ago by  Zach Goodman.