
How to set up iOS MDM Restrictions using Hexnode MDM?

A restriction policy pushed to an iOS device blocks several device functions in one go, which reduces the exposure of corporate data to attack. Hexnode lets you selectively restrict functions or apps on your iOS devices from the MDM console.

Note:

Each of the restrictions listed below is specific to Hexnode’s exclusive pricing plans.

Configuring restrictions for iOS devices via policy

To configure restrictions on your iOS device,

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Restrictions / Advanced Restrictions. Click Configure.
Notes:

  • Some restrictions apply only to supervised iOS devices. Such restrictions are marked “Supervised only” in the list below.
  • Based on the pricing plan subscribed, restrictions not included in the plan will be grayed out or won’t show up on the portal.

Basic Restrictions

Allow Device Functionality

Restricting Device Functions

| Restrictions | Description |
| --- | --- |
| Camera | Allow users to access the device camera. Enabled by default. |
| FaceTime (Available when Camera is enabled) | Allow the FaceTime app when the device camera is enabled. Enabled by default. |
| Screen capture | Allow the user to take a screenshot. Enabled by default. |
| Touch ID | Allow users to use biometric fingerprint authentication. Enabled by default. |
| Siri | Allow users to access Siri, the personal assistant on all Apple devices. Enabled by default. |
| Allow Siri while device is locked (Available when Siri is enabled) | Allow Siri to identify voice when the device is locked. Enabled by default. |
| Voice dialing | Uncheck to disable voice dialing, a feature that will call Josh (for example) if you hold down the home button and say “Call Josh.” Voice dialing is allowed by default. Note: If voice dialing is disabled and a passcode is set on the device, the device asks for the passcode on voice dialing. |
| Automatic sync while roaming | Allow apps on the device to sync data in the background while roaming, which might incur additional data charges. Enabled by default. |

Allow Application Settings

App-based Restrictions

| Restrictions | Description |
| --- | --- |
| Show App Store on the device | If disabled, the App Store will be disabled and its icon will be hidden from the device. Enabled by default. |
| iTunes Store | Option to allow/disallow the iTunes Store. Allowed by default. |
| Force user to enter iTunes store password for each purchase | Users are asked to provide the iTunes store password every time they try to install an app. Forced by default. |
| In-app purchases | Allow users to make purchases within an app with real money, for example, additional gems or in-game coins in a game. Allowed by default. |
| Trust enterprise app | Enterprise apps need to be trusted before they can be installed. Checking this option allows you to install Enterprise apps on the device. Allowed by default. |
| Users can modify enterprise app trust | The users can choose whether or not to install an Enterprise app. Allowed by default. |
| Backup enterprise-deployed iBooks | If disallowed, the iBooks deployed by the Enterprise are not backed up to iCloud. Allowed by default. |
| Sync managed app data with iCloud | Allow managed apps to sync data with the user’s iCloud account. Allowed by default. |
| YouTube (Below iOS 6) | Choose whether to disable the YouTube app on the Apple device. Allowed by default. |
| Safari | Disables Safari and hides the app icon if this option is unchecked. Allowed by default. |
| Autofill (To modify, allow Safari) | Allow Safari to auto-fill your forms with your name, phone number, email address etc. Enabled by default. |
| Fraud warning (To modify, allow Safari) | Safari shows a warning when accessing a “not-so-safe-to-browse” page and asks whether you want to continue browsing or not. Fraud warning is disabled by default. |
| JavaScript (To modify, allow Safari) | Most websites use JavaScript (JS) to display some content and to handle background tasks (handling forms, for instance) in the web page. If you do not wish to expose more functionality to the users, you can disable JS. Hexnode MDM enables JavaScript by default. The text below shows whether you’ve enabled/disabled JS. |
| Block pop-ups (To modify, allow Safari) | All pop-ups are blocked by default in Safari. Allowed by default. |
| Accept cookies (To modify, allow Safari) | You can choose from three available options. Never: Safari will not accept any cookies. From visited sites: Safari will accept cookies and data from the websites you visit; cookies from a website whose content is embedded in the website you browse will be blocked. This option is available on iOS 8 and later versions. Always (default): Safari allows all websites to store cookies on your device. |
| Allow Wallet while device locked | Allow access to the Wallet app when the device is locked. Disallowed by default. |
| Add friends in Game Center | Allow users to add friends in Game Center. Allowed by default. |

Allow iCloud Settings

Restricting iCloud Features

All these restrictions are allowed by default.

| Restriction | Description |
| --- | --- |
| Backup | Users are allowed to back up their files to iCloud if this option is enabled. |
| Sync documents (Supervised only) | Allow the documents on a device to sync with the user’s iCloud account. |
| Photo Stream (WARNING: Disabling this option can cause data loss) | Photo Stream syncs photos across your devices. So, if you take a new photo with your iPhone, you can see it on your Mac or Windows PC too, for 30 days. |
| Share photo streams | You can choose whether the users can share the photos and albums on their Apple devices with their friends or family. |
| iCloud photo library | Photo Library stores all the photos on iCloud, where they can be viewed across all your devices as long as the image resides in iCloud. |
| Sync enterprise book metadata across devices | Synchronize book metadata (notes and highlights) across devices. |

Allow Security and Privacy Settings

Setting up Restrictions to Improve Security and Privacy

| Restriction | Description |
| --- | --- |
| Lock screen notifications | When disabled, the iPhone or iPad does not show any notification on the lock screen. However, the notifications can be seen in the notification area. Allowed by default. |
| Today View on lock screen | Allow Today view on the lock screen. Today view can show the news, sports scores, calendar notifications, weather and a lot more for the day. Allowed by default. |
| Control Center on lock screen | The users can access Control Center from the lock screen. Allowed by default. |
| Over the air PKI updates | Allow businesses to make changes to the root certificate over-the-air. Allowed by default. |
| Limit ad tracking | Prevent user-targeted ads from advertising networks. By default, ad tracking will not be limited. |
| Send diagnostic data to Apple | Diagnostic data contains hardware specifications, details of the operating system and other details like when and why an app crashed. It will not contain any app usage/personal data. Allowed by default. |
| Accept untrusted TLS certificate | The device accepts untrusted Transport Layer Security (TLS) certificates if this option is enabled. Allowed by default. |
| Force encrypted backup | Data is encrypted while backing up. Encrypted backup is not forced by default. |
| Show notification on Apple Watch if worn | Notifications are shown on the paired Apple Watch only when it is worn. By default, wrist detection isn’t forced. |
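
Several of the defaults in this table are permissive (untrusted TLS certificates accepted, encrypted backup not forced). The following is an added example, not Hexnode's code: a Python check that reads an unsigned configuration profile and reports every setting from this table that is weaker than a baseline, whether set explicitly or left to its default. The key names are Apple's Restrictions payload keys; their pairing with the console labels above and the baseline values are assumptions of this example.

```python
import plistlib
from xml.parsers.expat import ExpatError

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload

# key: (baseline value, value in effect when the key is absent, console label).
# Absent-key defaults follow the table above; the baseline values and the
# pairing of Apple keys with console labels are assumptions of this example.
BASELINE = {
    "allowUntrustedTLSPrompt": (False, True, "Accept untrusted TLS certificate"),
    "forceEncryptedBackup": (True, False, "Force encrypted backup"),
    "allowLockScreenNotificationsView": (False, True, "Lock screen notifications"),
    "allowLockScreenTodayView": (False, True, "Today View on lock screen"),
    "allowLockScreenControlCenter": (False, True, "Control Center on lock screen"),
    "forceLimitAdTracking": (True, False, "Limit ad tracking"),
    "allowDiagnosticSubmission": (False, True, "Send diagnostic data to Apple"),
    "forceWatchWristDetection": (True, False, "Show notification on Apple Watch if worn"),
}


def restrictions_from_profile(raw: bytes) -> dict:
    """Collect the keys of every Restrictions payload in an unsigned profile."""
    try:
        profile = plistlib.loads(raw)
    except (ValueError, ExpatError) as exc:
        # A signed .mobileconfig is a CMS envelope, not a bare plist.
        raise ValueError("not a plain plist; unwrap signed profiles first") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    merged = {}
    for payload in profile.get("PayloadContent", []):
        # Encrypted profiles carry bytes here; those entries are skipped.
        if isinstance(payload, dict) and payload.get("PayloadType") == RESTRICTIONS_TYPE:
            merged.update(payload)  # in this example a later payload overwrites
    return merged


def audit(raw: bytes) -> list:
    """Return (key, label, effective value, origin) for each setting off baseline."""
    configured = restrictions_from_profile(raw)
    findings = []
    for key, (wanted, default, label) in BASELINE.items():
        effective = configured.get(key, default)
        if effective != wanted:
            origin = "explicit" if key in configured else "default"
            findings.append((key, label, effective, origin))
    return findings


# Constructed sample profile: two settings hardened, one left explicitly open,
# the rest not configured at all.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "allowUntrustedTLSPrompt": False,
        "forceEncryptedBackup": True,
        "allowLockScreenControlCenter": True,
    }],
})

if __name__ == "__main__":
    for key, label, value, origin in audit(SAMPLE_PROFILE):
        print(f"{label}: {key}={value} ({origin})")
```

Settings reported with origin "default" are the ones a policy never touched, which is where the defaults listed in this table stay in effect.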

Allow Explicit Content

Restrictions based on Content Rating

| Restriction | Description |
| --- | --- |
| Explicit music, podcasts and iTunes U services | Allow users to access adult-rated music and podcast, and iTunes U services (free courses for colleges). Allowed by default. |
| iBooks store erotica | Allow access to adult-rated content in iBooks store. Disabled by default. |

Rating region

Select the rating region to show the region-based rating for movies, TV shows and apps (shown in the next section). The available rating regions are United States, Australia, Canada, Germany, France, Ireland, Japan, New Zealand and the United Kingdom.

Content Rating

Movie and TV show ratings differ with rating region. The ratings displayed here are based on the rating region you set above. In every region you choose, you may allow or disallow all movies and TV shows.

Movies

| Region | Rating | Description |
| --- | --- | --- |
| United States | G | Movies that are meant for general audience. |
| | PG | Recommended parental guidance since some material might be inappropriate for children. |
| | PG-13 | Recommended parental guidance for those aged below 13. |
| | R | Restricted content, recommended parental guidance for under 17. |
| | NC-17 | Strictly restricted to adults (17 or above). No children are allowed. |
| Australia | G | Suitable for all audiences. |
| | PG | Parental guidance is required for children below 15. |
| | M | Content is not recommended for children under 15, but is not restricted to 15 and above. |
| | MA-15+ | Audience below 15 should be accompanied by adults. |
| | R-18+ | Restricted to 18 and above. |
| Canada | G | Viewable for general audience. |
| | PG | Parental guidance is suggested. |
| | 14A | Audiences under 14 are allowed if accompanied by an adult. |
| | 18A | Audiences under 18 are allowed if accompanied by an adult. |
| | R | Restricted to adults (18 and above). |
| France | 10 | Not suitable for those aged under 10. |
| | 12 | Not suitable for those aged under 12. |
| | 16 | Not suitable for those aged under 16. |
| | 18 | Not suitable for those aged under 18. |
| Germany | Ohne Altersbeschränkung | Unrestricted content. |
| | Freigegeben ab 6 Jahren | Content suitable for all 6 or above. |
| | Freigegeben ab 12 Jahren | Content suitable for all aged 12 or above. |
| | Freigegeben ab 16 Jahren | Content suitable for all aged 16 or above. |
| | Keine Jugendfreigabe | Content suitable for all aged 18 or above. |
| Ireland | G | Movies that are meant for general audience. |
| | PG | Parental guidance recommended. |
| | 12 | Content strictly for aged 12 or above. |
| | 15 | Content strictly for aged 15 or above. |
| | 16 | Content strictly for aged 16 or above. |
| | 18 | Content strictly for aged 18 or above. |
| Japan | G | Suitable for all. |
| | PG-12 | Under 12 are allowed only if accompanied by parents. |
| | R-15 | Content strictly for 15 or above. |
| | R-18 | Content strictly for 18 or above. |
| New Zealand | G | Content which is suitable for general audience. |
| | PG | Parental guidance required for younger audience. |
| | M | All above 10 are permitted to view the content. |
| | R13 | Restricted to 13 and above. |
| | R15 | Restricted to 15 and above. |
| | R16 | Restricted to 16 and above. |
| | R18 | Restricted to 18 and above. |
| | R | Restricted to a certain class of people. |
| | RP16 | Younger audience (under 16) are permitted only if accompanied by a parent. |
| United Kingdom | U | Universal – suitable for all ages. |
| | Uc | Suitable for children. |
| | PG | Required parental guidance for under 8. |
| | 12 | Strictly restricted to 12 or above. |
| | 12A | Restricted to 12 or above unless accompanied by an adult. |
| | 15 | Strictly restricted to 15 or above. |
| | 18 | Strictly restricted to 18 or above. |

TV Shows

| Region | Rating | Description |
| --- | --- | --- |
| United States | TV-Y | Appropriate for young audience. |
| | TV-Y7 | Appropriate for young audience of age 7 or above. |
| | TV-G | Content appropriate for general audience (everyone). |
| | TV-PG | Appropriate if there is parental guidance. Such content may not be appropriate for all ages. |
| | TV-14 | Appropriate for 14 years of age or above. |
| | TV-MA | Content not suitable for audiences aged 17 or below. |
| Australia | P | Content for preschoolers (no ads in-between). |
| | C | Content that can be viewed by children (14 years of age or less). |
| | G | Suitable for general audience. |
| | PG | Viewers should be accompanied by parental guidance. |
| | M | TV programs for Mature (15+ aged) audience, medium impact. |
| | MA15+ | TV programs for mature audiences, strong impact. |
| | AV15+ | Content with adult violence. Recommended viewing for those aged 15 or above. |
| Canada | C | Suitable for children below 8. |
| | C8 | Suitable for children, 8 years or older. |
| | G | Content can be viewed by general audience. |
| | PG | Content can be viewed with parental guidance. |
| | 14+ | Contains content which can be viewed by ages 14 and above. |
| | 18+ | Contains content which is not meant for audiences below 18 years of age. |
| France | Déconseillé aux moins de 10 ans | Not suitable for those aged under 10. |
| | Déconseillé aux moins de 14 ans | Not suitable for those aged under 14. |
| | Déconseillé aux moins de 16 ans | Not suitable for those aged under 16. |
| | Déconseillé aux moins de 18 ans | Not suitable for those aged under 18. |
| Germany | ab 0 Jahren | Suitable for all ages. |
| | ab 6 Jahren | Suitable for ages 6 and above. |
| | ab 12 Jahren | Suitable for ages 12 and above. |
| | ab 16 Jahren | Suitable for ages 16 and above. |
| | ab 18 Jahren | Suitable for ages 18 and above. |
| Ireland | GA | Content of the TV show is meant to be viewed by a general audience. |
| | Ch | Content for children. Suitable for ages 5 to 10. |
| | YA | Suitable for young adults (ages 10 to 13). |
| | PS | Suitable for ages 14 to 17. Younger audiences can be allowed to view the content with parental supervision. |
| | MA | Suitable for ages 18 and up. |
| Japan | Explicit Allowed | Not suitable for minors. |
| New Zealand | G | TV shows meant for general audience. |
| | PGR | Shows which are meant to be viewed with parental guidance. |
| | AO | Adults only content. |
| United Kingdom | Caution | Caution for adult content. |

Apps

Apps have the same ratings for every region. The options available include: Don’t allow any apps, 4+, 9+, 12+, 17+, Allow all apps.

Advanced Restrictions

Advanced Restrictions are available only on Supervised iOS devices.

Allow Device Functionality

Restricting Device Functions

| Restrictions | Description |
| --- | --- |
| AirDrop (Supervised iOS 7.0+) | Allow iOS devices to transfer data between iOS or Mac devices over WiFi or Bluetooth. Allowed by default. |
| Apps can modify cellular data usage (Supervised iOS 7.0+) | Allow the users to allow/disallow apps to use cellular data. Allowed by default. |
| Add or remove TouchID (Supervised only) | Uncheck this option to prevent users from adding a new fingerprint or removing an existing one. Disallowed by default. |
| iMessage (Supervised iOS 6.0+) | Allow use of the iMessage app. If disallowed, the app will be disabled and the app icon will be hidden. Allowed by default. |
| Game Center (Supervised iOS 6.0+) | Allow using the GameCenter app. Allowed by default. |
| Multiplayer gaming | Allow users to play multiplayer games on their Apple devices. Allowed by default. |
| Pair with iTunes (Supervised iOS 7.0+) | Disable to block the device from pairing with iTunes. Allowed by default. |
| Install configuration profile (Supervised iOS 6.0+) | Allow users to install configuration profiles on their device. Although from iOS 11 profiles can be installed only by MDM software, older iOS versions can allow users to install them. Allowed by default. |
| Definition lookup (Supervised iOS 8.1.3+) | Definition lookup is a feature in iOS where the user can select a word and look up its definition. Allowed by default. |
| Predictive keyboard (Supervised iOS 8.1.3+) | Turn this option off to stop the keyboard from predicting the next word as you type. Allowed by default. |
| Auto-correct words (Supervised only) | Allow the device to auto-correct the word the user types with the one in the dictionary. It can be frustrating if, for example, the keyboard language is set to English but the user is typing in their native language. Allowed by default. |
| Suggest words on misspellings (Supervised only) | Allow the device to check for misspellings and suggest words if any are found. Allowed by default. |
| Keyboard shortcuts (Supervised iOS 9.0+) | Keyboard shortcuts in iOS are quite different from Ctrl+C and Ctrl+V in Windows. To set up shortcuts, go to Settings → General → Text Replacement → the + sign at the top right. Enter a phrase like “I’m in a meeting. I’ll call you later” and a shortcut, something like “iiamcy”, then save. Whenever you type iiamcy and leave a space, the text “I’m in a meeting. I’ll call you later” will be auto-pasted. Allowed by default. |
| Pair with Apple Watch (Supervised iOS 9.0+) | Allows the device to pair with Apple Watch. Allowed by default. |
| Modify diagnostic data submission settings (Supervised iOS 9.3.2+) | Uncheck this option to block users from turning on/off the option to send diagnostic data to Apple. Allowed by default. |
| Modify Bluetooth settings (Supervised iOS 10.0+) | Allow users to turn Bluetooth on/off on their device. Allowed by default. |
| Use voice to type (Supervised iOS 10.3+) | Allow users to use their voice to type. Allowed by default. |
| Connect to MDM-configured Wi-Fi networks only (Supervised iOS 10.3+, available if WiFi is configured) | Consider the case where there are user-configured and MDM-configured WiFi networks in an area. If this option is enabled, even if the user tries to connect to the user-configured network, the device will connect to the MDM-configured one (Policies → select an existing policy or create a new one → iOS Settings → Network → WiFi). Not forced by default. |
| Users can modify Personal Hotspot settings (Supervised iOS 12.2+) | Unchecking this option prevents the users from modifying the personal hotspot settings on the device. |
| Create VPN configuration (Supervised iOS 11.0+) | Allow users to create new VPN configurations. Allowed by default. |
| AirPrint (Supervised iOS 11.0+) | AirPrint is the feature which allows wireless printing with AirPrint-compatible or shared printers. Allowed by default. |

When AirPrint is allowed, three more options are unlocked and can be modified.

Restrictions with AirPrint

| Restriction | Description |
| --- | --- |
| Connect with iBeacon (Supervised iOS 11.0+) | Choose whether AirPrint can connect with iBeacon for printing. iBeacon is a protocol; when a device comes into close proximity with an iBeacon-enabled device, actions can be performed. iBeacon connects with Apple devices using WiFi or Bluetooth, and with printers using its IP address. Allowed by default. |
| Store AirPrint credentials in Keychain (Supervised iOS 11.0+) | The AirPrint credentials are stored in Keychain, a service which syncs credentials and credit card numbers across your Apple devices via iCloud. Allowed by default. |
| Use trusted certificates for secure printing (Supervised iOS 11.0+) | Force the use of trusted certificates for the TLS connection required for printing. Disallowed by default. |

Allow App Settings

App-based Restrictions

| Restrictions | Description |
| --- | --- |
| Install app from App Store (Supervised iOS 9.0+) | Unchecking this option disables App Store. However, users can install or update apps via iTunes app or Configurator. Allowed by default. |
| Remove apps (Supervised iOS 9.0+) | Give the users the privilege to uninstall apps from their device. Allowed by default. |
| Remove system apps (Supervised iOS 11.0+) | Users can remove apps that are built into the device by default. The system apps that can be removed from the device by the user are: Calculator, Calendar, Compass, Contacts, FaceTime, Find My Friends, Home, iBooks, iCloud Drive, iTunes Store, Mail, Maps, Music, News, Notes, Podcasts, Reminders, Stocks, Tips, Videos or TV, Voice Memos, Watch app, and Weather. Once removed, you can restore them from the App Store. Allowed by default. |
| iBooks store (Supervised iOS 6.0+) | Allow users to browse iBooks store and purchase books. Allowed by default. |
| Apple Music (Supervised iOS 9.3+) | Allow users to turn on the Apple Music app. Allowed by default. |
| iTunes Radio (Supervised iOS 9.3+) | iTunes Radio is an app which allows you to listen to Internet Radio. Allowed by default. |
| News (Supervised iOS 9.0+) | Allow users to access the News app. Disallowing will disable the app and hide its icon from the list of apps. Allowed by default. |
| Podcasts (Supervised iOS 8.0+) | Allow users to use the Podcasts app. Allowed by default. |
| Download all purchased apps automatically (Supervised iOS 9.0+) | By default, Apple auto-downloads the apps that you’ve already purchased (paid apps) or started downloading once (free ones) on your previous device (when the same Apple ID is used). If this option is disabled, automatic downloads are held off. |

Allow Security and Privacy Settings

Setting up Restrictions to Improve Security and Privacy

| Restriction | Description |
| --- | --- |
| Activation Lock (Supervised iOS 7.0+) | Check this option to enable Activation Lock on the device. To enable Activation Lock, disable Find My iPhone manually and enable it again for the restriction to take effect on the device. |
| Modify an account (Supervised only) | When disabled, users are not permitted to create/delete an account or change the password of an account. Account modification also includes modification of app accounts from the device settings. Allowed by default. |
| Erase content and settings (Supervised only) | Allow users to erase all content along with the device settings. Allowed by default. |
| Siri can access user-generated content (Supervised iOS 7.0+) | Allow Siri to access user-generated content to answer queries. Allowed by default. |
| Modify Find My Friends (Supervised iOS 7.0+) | This option enables the user’s ability to change the settings for the Find My Friends app. Allowed by default. |
| Use profanity filter (Supervised only) | Restrict Siri from using abusive language. By default, use of profanity filter is disabled. |
| Show web results using Spotlight Search (Supervised only) | Disable this option to block results from the internet. Spotlight is a feature which brings up the definition for terms from Oxford dictionary, Wikipedia etc. and searches across the device for files. Allowed by default. |
| Modify Restrictions / Screen Time (Supervised iOS 8.0+) | Allows the users to enable restrictions or parental controls on the device. Unchecking this option disables Turn On Screen Time even if already enabled. For iOS 12+ devices, Parental controls come under Screen Time settings. |
| Modify passcode (Supervised iOS 9.0+) | Unchecking this option prevents the users from adding, changing or removing the passcode on the devices. It also prevents the user from associating a passcode policy with the device. |
| Modify device name (Supervised iOS 9.0+) | Unchecking this option prevents the user from changing the device name. Note: You cannot modify the device name both from the device end and the portal. |
| Modify wallpaper (Supervised iOS 9.0+) | Unchecking this option prevents the user from changing the home screen and lock screen wallpaper from the device. |
| Users can turn notifications on/off (Supervised iOS 9.3+) | Unchecking this option prevents the users from modifying the device’s notification settings. |
| Force Automatic Date and Time (Supervised iOS 12.0+) | Allows the user to set Date and Time automatically on the device. Note: The device’s time zone will be updated only if location services are enabled on the device. |
| Autofill Passwords (Supervised iOS 12.0+) | Unchecking this option prevents the prompt from using the saved passwords in Safari or in apps. |
| Request passwords from nearby devices (Supervised iOS 12.0+) | Allows the user to request passwords from nearby devices. |
| Share passwords via AirDrop Passwords feature (Supervised iOS 12.0+) | Checking this option allows the user to share their passwords through AirDrop. |

How to Associate the Policies to Device/Groups?

There are two ways by which you can associate restrictions to the devices in bulk.

If the policy has not yet been saved.

  1. Navigate to Policy Targets.
  2. Click on +Add Devices.
  3. Select the devices and click OK.
  4. Click on Save to apply the policies to devices.

Apart from devices, you can also associate the policies with device groups, users, user groups or domains from Policy Targets.

If the policy has been saved, you can associate it by another method.

  1. From Policies, check the policies to be associated.
  2. Click on Manage > Associate Targets and select the device.
  3. Click on Associate to apply policy to the devices.