How to set up iOS MDM Restrictions using Hexnode MDM?

Restricting device features or apps can be handy when they are no longer required in the work environment or is vulnerable to a security attack. This article lists the features that can be restricted on an iOS device using Hexnode MDM.

Configuring Restrictions for iOS Devices

To configure restrictions for an iOS device,

  1. From your Hexnode MDM portal, head on to Policies tab.
  2. Create a new policy by clicking on New Policy button, or continue with an existing one.
  3. From iOS Settings, choose Restrictions or Advanced Restrictions. These are from where the restrictions can be set up.


  • Some restrictions will work only on supervised iOS devices. Such restrictions are marked “Supervised only” in the list below.
  • Some options will be grayed out or won’t show up on your portal, according to the plan to which you’ve subscribed.

Restricting Device Functions

Restrictions Description
Allow app store If disabled, the App Store will be disabled and its icon will be hidden from the device. Allowed by default
Block Sharing Managed Document using AirDrop Block sharing documents from managed apps. Sharing is allowed by default.
Allow use of camera Allow users from accessing the camera. Allowed by default.
Allow Facetime
(Available when camera is allowed to be used)
Allow Facetime app when the device camera is allowed to be used. Allowed by default.
Allow screen capture Enable this option to allow the user to take a screenshot. Allowed by default.
Allow automatic sync while roaming Allow apps on the device to sync data in the background while roaming, which might incur additional data charges. Allowed by default.
Touch ID Uncheck to forbid users from using the biometric fingerprint authentication. TouchID enabled by default.
Allow Siri Let the users use Siri, the personal assistant available on all Apple devices. Allowed by default.
Allow Siri while device locked
(Available when Siri is allowed)
Disallow, and Siri won’t identify voice when the device is locked. Allowed by default.
Allow voice dialing Uncheck to disable voice dialing, a feature that will call Josh (for example) if you hold down the home button and say “Call Josh.” Voice dialing is allowed by default.
Allow Passbook while device locked Allow accessing Passbook app when the device is locked. Disallowed by default
Allow In-App purchase Allow the users to make purchases within the app, for example, additional gems in a game (or in-game coins) with real money. Allowed by default.
Force user to enter iTunes store password for all purchase Users are asked to provide the iTunes store password every time they try to install an app. Forced by default.
Allow multiplayer gaming Allow users to play multiplayer games on their Apple devices. Allowed by default.
Allow adding Game Center friends Allow users to add friends in Game Center. Allowed by default.
Allow AirDrop
(Supervised iOS 7.0+)
Allow iOS devices to transfer data between iOS or Mac devices over WiFi or Bluetooth. Allowed by default.
Allow app cellular data modification
(Supervised iOS 7.0+)
Allow the users to allow/disallow apps to use cellular data. Allowed by default.
Allow removing apps
(Supervised only)
Give the users the privilege to uninstall apps from their device. Allowed by default.
Allow book store
(Supervised iOS 6.0+)
Allow users to browse iBooks store and purchase books. Allowed by default.
Allow Adding or Removing Touch ID
(Supervised only)
Uncheck this option to prevent users from adding a new fingerprint or remove an existing one. Disallowed by default.
Allow iMessage
(Supervised iOS 6.0+)
Allow use of iMessage app. If disallowed, the app will be disabled and the app icon will be hidden. Allowed by default.
Allow Game Center
(Supervised iOS 6.0+)
Allow using GameCenter app. Allowed by default.
Allow Pairing with iTunes
(Supervised iOS 7.0+)
Disable to block the device from pairing with iTunes. Allowed by default.
Allow Configuration profile installation
(Supervised iOS 6.0+)
Allow users to install configuration profiles on their device. Although this is restricted to be installed only by MDM software from iOS 11, older iOS versions can allow it to be installed. Allowed by default.
Allow podcasts
(Supervised iOS 8.0+)
Allow users from using the Podcasts app. Allowed by default.
Allow Definition lookup
(Supervised iOS 8.1.3+)
Definition lookup is a feature in iOS where the user can select a word and look up its definition. Allowed by default.
Allow Predictive keyboard
(Supervised iOS 8.1.3+)
Turn this option off to disable the keyboard from predicting the next word as you type. Allowed by default.
Allow Auto-Correction
(Supervised only)
Allow the device to auto-correct the word the user types with the one in the dictionary. It can be frustrating if, for example, the keyboard language is set English but the user is typing in his native language. Allowed by default.
Allow Spell-check
(Supervised only)
Allow the device to check for misspellings and suggest words if found misspelled. Allowed by default.
Allow Apple Music Services
(Supervised iOS 9.3+)
Allow users to turn on the Apple Music app. Allowed by default.
Allow iTunes Radio
(Supervised iOS 9.3+)
iTunes Radio is an app which allows you to listen to Internet Radio. Allowed by default.
Allow News
(Supervised iOS 9.0+)
Allow users to access to News app. Disallowing will disable the app and hide its icon from the list of apps. Allowed by default.
Allow App Installation from Device
(Supervised iOS 9.0+)
Unchecking this option disables App Store. However, users can install or update apps via iTunes app or Configurator. Allowed by default.
Allow keyboard shortcuts
(Supervised iOS 9.0+)
Keyboard shortcuts in iOS are way different from Ctrl+C and Ctrl+V in Windows. To set up shortcuts, go to SettingsGeneralText Replacement → the + sign on top-right. Enter a phrase like “I’m in a meeting. I’ll call you later” and a shortcut, something like “iiamcy”, then save. Whenever you type iiamcy and leave a space, the text “I’m in a meeting. I’ll call you later” will be auto-pasted. Allowed by default.
Allow Paired Watch
(Supervised iOS 9.0+)
Allows the device to pair with Apple watch. Allowed by default.
Allow Diagnostic submission settings modification
(Supervised iOS 9.3.2+)
To block users from turning on/off the option to send diagnostic data to Apple, uncheck this option. Allowed by default.
Allow Bluetooth settings modification
(Supervised iOS 10.0+)
Allow users to turn Bluetooth on/off on their device. Allowed by default.
Allow Dictation input
(Supervised iOS 10.3+)
Allow users to use their voice to type. Allowed by default.
Force MDM-configured Wi-Fi networks
(Supervised iOS 10.3+, available if WiFi is configured)
Consider the case where there are user-configured and MDM-configured WiFi networks in an area. If this option is enabled, even if the user tries to connect to the user-configured network, the device will connect to the MDM-configured one (Policiesselect an existing policy or create a new oneiOS SettingsNetworkWiFi). Not forced by default.
Allow removal of system apps
(Supervised iOS 11.0+)
Users can remove apps that are built in the device by default. Find below the list of apps that can be removed (Take me there). Once removed, you can restore them from the App Store. Allowed by default.
Allow creation of VPN configurations
(Supervised iOS 11.0+)
Allow users to create new VPN configuration. Allowed by default.
Allow AirPrint
(Supervised iOS 11.0+)
AirPrint is the feature which allows printing with AirPrint-compatible or shared printers wirelessly. Allowed by default.

When AirPrint is allowed, then three more options are unlocked and can be modified.

Restriction Description
Allow iBeacon discovery of AirPrint printers
(Supervised iOS 11.0+)
Choose whether AirPrint can connect with iBeacon for printing. iBeacon is a protocol and there are iBeacon-enabled devices available to which if a device comes in close proximity, actions can be performed. iBeacon connects with Apple devices using WiFi or Bluetooth, and with printers using its IP address. Allowed by default.
Allow Keychain storage of AirPrint credentials
(Supervised iOS 11.0+)
The AirPrint credentials are stored in Keychain, a service which syncs credentials and credit card numbers across your Apple devices via iCloud. Allowed by default.
Force Trusted certificates for secure printing
(Supervised iOS 11.0+)
Force the trusted certificates for TLS required for printing. Disallowed by default.

Before moving on to the next section, check out the list of system apps that can be removed from the device by the user:

  1. Calculator
  2. Calendar
  3. Compass
  4. Contacts
  5. FaceTime
  6. Find My Friends
  7. Home
  8. iBooks
  9. iCloud Drive
  10. iTunes Store
  11. Mail
  12. Maps
  13. Music
  14. News
  15. Notes
  16. Podcasts
  17. Reminders
  18. Stocks
  19. Tips
  20. Videos or TV
  21. Voice Memos
  22. Watch app
  23. Weather

App-based Restrictions

Restriction Description
Allow trust enterprise app Enterprise apps need to be trusted before getting them installed. Checking this option allows you to install Enterprise apps on the device. Allowed by default.
Allow modify enterprise app trust The users can choose whether or not to install an Enterprise app. Allowed by default.
Allow Enterprise Book Backup If disallowed, the iBooks which are deployed by the Enterprise are not backed up in the iCloud. Allowed by default.
Allow Managed Apps to Sync Allow managed apps to sync data with the user’s iCloud account. Allowed by default.
Allow use of YouTube Choose whether to disable YouTube app on the Apple device. Allowed by default.
Allow use of iTunes Store Option to allow/disallow iTunes store. Allowed by default.
Allow Safari
(Supervised only)
Disables Safari and hide the app icon if this option is disallowed. Allowed by default.
Enable autofill
(To modify, allow Safari)
Allow Safari to have your forms auto filled with your name, phone number, email address etc. if this option is enabled. Allowed by default.
Force fraud warning
(To modify, allow Safari)
Safari shows a warning when accessing a “not-so-safe-to-browse” page and asks whether you need to continue browsing or not. Fraud warning disabled by default.
Enable JavaScript
(To modify, allow Safari)
Most websites use JavaScript (JS) to display some content and to handle background tasks (handling forms, for instance) in the web page. If you think it’s not good to expose more functionality to the users, you can disable JS. Hexnode MDM enables JavaScript by default. Oh, the text below shows whether you’ve enabled/disabled JS.
Block pop-ups
(To modify, allow Safari)
All pop-ups are blocked by default in Safari. Allowed by default.
Accept cookies
(To modify, allow Safari)
You can choose from three available options.
Never: Safari will not accept any cookies.From visited sites: Safari will accept cookies and data from the websites you visit. Cookies from a website that have embedded contents in the website you browse will be blocked. This option is available on iOS 8 and later versions.
Always (default): Safari allows all websites to store cookies on your device.
Allow automatic apps downloading
(Supervised iOS 9.0+)
By default, Apple auto-downloads the apps that you’ve already purchased (paid apps) or started downloading once (free ones) on your previous device (when the same Apple ID is used). If this option is disabled, automatic downloads are held off.
Autonomous single app mode apps
(Supervised only)
Autonomous single app mode is used for testing purposes where a single app is made working while restricting the others. The app can be exited with the push of a specific button or by restarting the device. You can add as many apps as you like. If you exit one, the next app will take its place.
Note: This feature works only for those apps that support this feature.

Restricting iCloud Features

All these restrictions will be allowed by default.

Restriction Description
Allow backup Users are allowed to back up their files to iCloud if this option is enabled.
Allow document sync
(Supervised only)
Allow the documents in a device to sync with their iCloud account.
Allow photo stream
(WARNING: Disabling this option can cause data loss)
Photo Stream syncs photos across your devices. So, if you take a new photo with your iPhone, you can see it on your Mac or Windows PC too, for 30 days.
Allow shared photo streams You can choose whether the users can share the photos and albums in their Apple devices with their friends or family.
Allow iCloud photo library Photo Library stores all the photos on iCloud and can be viewed across all your devices as long as the image resides in iCloud.
Allow Enterprise book metadata sync Synchronize book metadata (notes and highlights) across devices.

Setting up Restrictions to Improve Security and Privacy

Restriction Description
Allow lock screen notifications When disabled, the iPhone or iPad do not show any notification on the lock screen. However, the notifications can be seen in the notification area. Allowed by default.
Allow Today view in lock screen Allow Today view on the lock screen. Today view can show the news, sports scores, calendar notification, weather and a lot more for the day. Allowed by default.
Allow Control Center in lock screen The users can access Control Center app from the lock screen. Allowed by default.
Allow over-the-air PKI updates Allow businesses to make changes to the root certificate over-the-air. Allowed by default.
Limit ad tracking Prevent user-targeted ads from advertising networks. By default, ad tracking will not be limited.
Allow diagnostic data to be sent to Apple Diagnostic data contains hardware specifications, details of the operating system and other details like when and why an app crashed. It will not contain any app usage/personal data. Allowed by default.
Allow user to accept untrusted TLS certificate The device accepts untrusted Transport Layer Security (TLS) certificates if this option is enabled. Allowed by default.
Force encrypted backup Data are encrypted while backing up. Encrypted backup not forced by default.
Force Apple Watch wrist detection Notifications are shown on the paired Apple Watch only when it is worn. By default, wrist detection isn’t forced.
Allow documents from managed apps in unmanaged apps Documents from managed apps can be opened in unmanaged apps. If unchecked, such documents can be opened only in other managed apps. Allowed by default.
Allow documents from unmanaged apps in managed apps If this is disabled, the documents from unmanaged apps cannot be opened in managed apps. They can only be opened in other unmanaged apps. Allowed by default.
Allow Account Modification
(Supervised only)
When disabled, users are not permitted to create/delete an account or change the password of an account. Account modification also includes modification of app accounts from the device settings. Allowed by default.
Allow Erase content and Settings
(Supervised only)
Allow users to erase every content along with the device settings. Allowed by default.
Allow Siri to access user-generated content
(Supervised iOS 7.0+)
Allow Siri to access user-generated content to answer the queries. Allowed by default.
Allow Modify find my friends
(Supervised iOS 7.0+)
This option enables the user’s ability to change the settings for Find My Friends app. Allowed by default.
Force use of profanity filter
(Supervised only)
Restrict Siri from using abusive languages. By default, use of profanity filter is forced.
Allow Spotlight internet results
(Supervised only)
Disable this option to block results from the internet. Spotlight is a feature which brings up the definition for terms from Oxford dictionary, Wikipedia etc. and searches across the device for files. Allowed by default.
Allow modifying restrictions
(Supervised only)
Allow users to enable restrictions from the device Settings. Allowed by default.
Allow passcode modification
(Supervised iOS 9.0+)
Can be used when the device is corporate-owned and you don’t want the employees to change its passcode. Allowed by default.
Allow Device name modification
(Supervised iOS 9.0+)
Allows the user to change the device name under SettingsGeneralAbout. Allowed by default.
Allow Wallpaper modification
(Supervised iOS 9.0+)
Allow users from changing the device wallpaper, useful in the case where the admin already have a wallpaper set from Policiesselect an existing policy or create a new oneiOS SettingsWallpaper. Allowed by default.
Allow Notification Modification
(Supervised iOS 9.3+)
Disable to block users from modifying device’s notification settings. Allowed by default.

Restrictions based on Content Rating

Restriction Description
Allow explicit music, podcasts, & iTunes U Allow users to access adult-rated music and podcast, and iTunes U services (free courses for colleges). Allowed by default.
Allow iBooks store erotica Allow access to adult-rated content in iBooks store. Disallowed by default.
Rating region Select the rating region to show the region-based rating for movies, TV shows and apps (shown in the next section). The available rating regions are United States, Australia, Canada, Germany, France, Ireland, Japan, New Zealand and the United Kingdom.

Available Content Rating

Movie and TV show ratings differ with rating region. The ratings displayed here are based on the rating region you set above. In every region you choose, you may allow or disallow all movies and TV shows.

Movie Ratings

Region Rating Description
United States G Movies that are meant for a general audience.
PG Recommended parental guidance since some material might be inappropriate for children.
PG-13 Recommended parental guidance for those aged below 13.
R Restricted content, recommended parental guidance for under 17.
NC-17 Strictly restricted to adults (17 or above). No children are allowed.
Australia G Suitable for all audiences.
PG Parental guidance is required for children below 15.
M Content is not recommended for children under 15, but is not restricted to 15 and above.
MA-15+ Audience below 15 should be accompanied by adults.
R-18+ Restricted to 18 and above.
Canada G Viewable for a general audience.
PG Parental guidance is suggested.
14A Audiences under 14 are allowed if accompanied by an adult.
18A Audiences under 18 are allowed if accompanied by an adult.
R Restricted to adults (18 and above).
Germany Ohne Altersbeschränkung Unrestricted content.
Freigegeben ab 6 Jahren Content suitable for all 6 or above.
Freigegeben ab 12 Jahren Content suitable for all aged 12 or above.
Freigegeben ab 16 Jahren Content suitable for all aged 16 or above.
Keine Jugendfreigabe Content suitable for all aged 18 or above.
France 10 Not suitable for those aged under 10.
12 Not suitable for those aged under 12.
16 Not suitable for those aged under 16.
18 Not suitable for those aged under 18.
Ireland G Intended for a general audience.
PG Parental guidance recommended.
12 Content strictly for aged 12 or above.
15 Content strictly for aged 15 or above.
16 Content strictly for aged 16 or above.
18 Content strictly for aged 18 or above.
Japan G Suitable for all.
PG-12 Under 12 are allowed only if accompanied by parents.
R-15 Content strictly for 15 or above.
R-18 Content strictly for 18 or above.
New Zealand G Content which is suitable for a general audience.
PG Parental guidance required for younger audience.
M All above 10 are permitted to view the content.
R13 Restricted to 13 and above.
R15 Restricted to 15 and above.
R16 Restricted to 16 and above.
R18 Restricted to 18 and above.
R Restricted to a certain class of people.
RP16 Younger audience (under 16) are permitted only if accompanied by a parent.
United Kingdom U Universal – suitable for all ages.
Uc Suitable for children.
PG Required parental guidance for under 8.
12 Strictly restricted to 12 or above.
12A Restricted to 12 or above unless accompanied by an adult.
15 Strictly restricted to 15 or above.
18 Strictly restricted to 18 or above.

TV Show Ratings

Region Rating Description
United States TV-Y Appropriate for young audience.
TV-Y7 Appropriate for young audience of age 7 or above.
TV-G Content appropriate for general audience (everyone).
TV-PG Appropriate if there is parental guidance. Such content may not be appropriate for all ages.
TV-14 Appropriate for 14 years of age or above.
TV-MA Content not suitable for audience with 17 years of age or below.
Australia P Content for preschoolers (no ads in-between).
C Content that can be viewed by children (14 years of age or less).
G Suitable for general audience.
PG Viewers should be accompanied by parental guidance.
M TV programs for Mature (15+ aged) audience, medium impact.
MA15+ TV programs for matured audiences, strong impact.
AV15+ Content with adult violence. Recommended viewing for those aged 15 or above.
Canada C Suitable for children below 8.
C8 Suitable for children, 8 years or older.
G Content can be viewed by a general audience.
PG Content can be viewed with parental guidance.
14+ Contains content which can be viewed by ages 14 and above.
18+ Contains content which are not meant for audience below 18 years of age.
Germany ab 0 Jahren Suitable for all ages.
ab 6 Jahren Suitable for ages 6 and above.
ab 12 Jahren Suitable for ages 12 and above.
ab 16 Jahren Suitable for ages 16 and above.
ab 18 Jahren Suitable for ages 18 and above.
France Déconseillé aux moins de 10 ans Not suitable for those aged under 10.
Déconseillé aux moins de 12 ans Not suitable for those aged under 12.
Déconseillé aux moins de 16 ans Not suitable for those aged under 16.
Déconseillé aux moins de 18 ans Not suitable for those aged under 18.
Ireland GA Content of the TV show are meant to be viewed by a general audience.
Ch Content for children. Suitable for ages 5 to 10.
YA Suitable for young adults (ages 10 to 13).
PS Suitable for ages 14 to 17. Younger audiences can be allowed to view the content with parental supervision.
MA Suitable for ages 18 and up.
Japan Explicit Allowed Not suitable for minors.
New Zealand G TV shows meant for general audience.
PGR Shows which are meant to be viewed with parental guidance.
AO Adults only content.
United Kingdom Caution Caution for adult content.

App Ratings

Apps have the same ratings for every region. The options available to you include: Don’t allow any apps, 4+, 9+, 12+, 17+, Allow all apps.

How to Associate the Policies to Device/Groups?

There are two ways by which you can associate restrictions to the devices in bulk. The first option is from within the policy configuration page. Click on Policy Targets+ Add Devices and select the devices to which the current policy is to be associated with. Save the policy afterward.

From the same tab, it is possible to associate the restrictions to device groups, users or user groups.

To associate devices after you saved the restriction policy, check the policy you need to get associated with the devices, select Associate Targets from Manage, and add all those devices which are applicable.

Desktop or Mobile, Hexnode MDM Got You Covered!