Skip Navigation
Device Management Profile

Restrictions

The payload you use to configure restrictions on a device.
object Restrictions

Properties

allowAccountModification

If false, the system disables modification of accounts such as Apple IDs and Internet-based accounts such as Mail, Contacts, and Calendar. Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later. Requires a supervised device in iOS and watchOS.

allowActivityContinuation

If false, the system disables activity continuation. Available in iOS 8 and later, and macOS 10.15 and later. Support for this restriction on unsupervised devices and with managed Apple IDs is deprecated.

allowAddingGameCenterFriends

If false, the system prohibits adding friends to Game Center. Available in iOS 4.2.1 and later, and macOS 10.13 and later. Requires a supervised device in iOS 13 and later.

allowAirDrop

If false, the system disables AirDrop. Requires a supervised device. Available in iOS 7 and later, and macOS 10.13 and later.

allowAirPlayIncomingRequests

If false, the system disables incoming AirPlay requests. Available in macOS 12.3 and later, and tvOS 10.2 and later. Requires a supervised device in tvOS.

allowAirPrint

If false, the system disables AirPrint. Requires a supervised device. Available in iOS 11 and later.

allowAirPrintCredentialsStorage

If false, the system disables keychain storage of user name and password for AirPrint. Requires a supervised device. Available in iOS 11 and later.

allowAirPrintiBeaconDiscovery

If false, the system disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires a supervised device. Available in iOS 11 and later.

allowAppCellularDataModification

If false, the system disables changing settings for cellular data usage for apps. Requires a supervised device. Available in iOS 7 and later.

allowAppClips

If false, the system prevents a user from adding any App Clips, and removes any existing App Clips on the device. Requires a supervised device. Available in iOS 14.0 and later.

allowAppInstallation

If false, the system disables the App Store, and the system removes its icon from the Home screen. Users are unable to install or update their apps. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

In iOS 10 and later, MDM commands can override this restriction. Available in iOS 4 and later, and watchOS 10 and later. Requires a supervised device in iOS 13 and later, and watchOS.

allowApplePersonalizedAdvertising

If false, the system limits Apple personalized advertising. Available in iOS 14 and later, and macOS 12 and later.

allowAppRemoval

If false, the system disables removal of apps from an iOS device. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

Requires a supervised device. Available in iOS 4.2.1 and later, and watchOS 10 and later.

allowAppsToBeHidden

If false, disables the ability for the user to hide apps. It doesn’t affect the user’s ability to leave it in the App Library, while removing it from the home screen. Available in iOS 18 and later.

allowAppsToBeLocked

If false, disables the ability for the user to lock apps. Because hiding apps also requires locking them, disallowing locking also disallows hiding. Available in iOS 18 and later.

allowARDRemoteManagementModification

If false, the system prevents modifying the Remote Management Sharing setting in System Settings. Available in macOS 14 and later.

allowAssistant

If false, the system disables Siri. Available in iOS 5 and later, and macOS 14 and later. Also available for user enrollment.

allowAssistantUserGeneratedContent

If false, the system prevents Siri from querying user-generated content from the web. Requires a supervised device. Available in iOS 7 and later, and watchOS 10 and later.

allowAssistantWhileLocked

If false, the system disables Siri when the device is locked. The system ignores this restriction if the device doesn’t have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment.

allowAutoCorrection

If false, the system disables keyboard autocorrection. Requires a supervised device. Available in iOS 8.1.3 and later.

allowAutoDim

If false, disables auto dim on iPads with OLED displays.Requires a supervised device in iOS. Available in iOS 17.4 and later.

allowAutomaticAppDownloads

If false, the system prevents automatic downloading of apps purchased on other devices. This setting doesn’t affect updates to existing apps. Requires a supervised device. Available in iOS 9 and later, and watchOS 10 and later.

allowAutomaticScreenSaver

If false, the system disables Apple TV’s automatic screen saver. Available in tvOS 15.4 and later.

allowAutoUnlock

If false, the system disallows auto unlock. Available in macOS 10.12 and later, and iOS 14.5 and later. Support for this restriction on unsupervised devices is deprecated.

allowBluetoothModification

If false, the system prevents modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later.

allowBluetoothSharingModification

If false, the system prevents modifying Bluetooth settings in System Settings. Available in macOS 14 and later.

allowBookstore

If false, the system removes the Book Store tab from the Books app. Requires a supervised device. Available in iOS 6 and later and macOS 15 and later.

allowBookstoreErotica

If false, the system prevents the user from downloading Apple Books media that’s tagged as erotica. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 17 and later. Support for this restriction on unsupervised devices is deprecated.

allowCallRecording

If false, disables call recording. Available in iOS 18 and later.

allowCamera

If false, the system disables the camera and removes its icon from the Home screen, and users are unable to take photographs. Available in iOS 4 and later, macOS 10.11 and later, and tvOS 17 and later. Support for this restriction on unsupervised devices is deprecated.

allowCellularPlanModification

If false, the system prevents users from changing settings related to their cellular plan (only available on select carriers). Requires a supervised device. Available in iOS 11 and later.

allowChat

If false, the system disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages. Requires a supervised device. Available in iOS 5 and later.

allowCloudAddressBook

If false, the system disables iCloud Address Book services. Available in macOS 10.12 and later.

allowCloudBackup

If false, the system disables backing up the device to iCloud. Available in iOS 5 and later. Support for this restriction on unsupervised devices is deprecated.

allowCloudBookmarks

If false, the system disables iCloud Bookmark sync. Available in macOS 10.12 and later.

allowCloudCalendar

If false, the system disables iCloud Calendar services. Available in macOS 10.12 and later.

allowCloudDesktopAndDocuments

If false, the system disables iCloud Desktop and Document services. Available in macOS 10.12.4 and later.

allowCloudDocumentSync

If false, the system disables document and key-value syncing to iCloud. Available in iOS 5 and later, and macOS 10.11 and later. Requires a supervised device in iOS 13 and later, and Shared iPad doesn’t support it. Support for this restriction on unsupervised devices and with managed Apple IDs is deprecated.

allowCloudFreeform

If false, the system disallows iCloud Freeform services. Available in macOS 14 and later.

allowCloudKeychainSync

If false, the system disables iCloud keychain synchronization. Available in iOS 7 and later, and macOS 10.12 and later. Support for this restriction on unsupervised devices and with managed Apple IDs is deprecated.

allowCloudMail

If false, the system disables iCloud Mail services. Available in macOS 10.12 and later.

allowCloudNotes

If false, the system disables iCloud Notes services. Available in macOS 10.12 and later.

allowCloudPhotoLibrary

If false, the system disables iCloud Photo Library. The system removes any photos from local storage that aren’t fully downloaded from iCloud Photo Library to the device. Available in iOS 9 and later, and macOS 10.12 and later. Support for this restriction on unsupervised devices and with managed Apple IDs is deprecated.

allowCloudPrivateRelay

If false, the system disables iCloud Private Relay. Available in iOS 15 and later, and in macOS 12 and later. Requires a supervised device in iOS. Support for this restriction on unsupervised devices and with managed Apple IDs is deprecated.

allowCloudReminders

If false, the system disables iCloud Reminder services. Available in macOS 10.12 and later.

allowContentCaching

If false, the system disables content caching. Available in macOS 10.13 and later.

allowContinuousPathKeyboard

If false, the system disables QuickPath keyboard. Requires a supervised device. Available in iOS 13 and later.

allowDefaultBrowserModification

If false, disables default browser preference modification. The MDM Settings command to set the default browser preference will still work when this is applied. Available in iOS 18.2 and later, and visionOS 2.2 and later.

allowDefinitionLookup

If false, the system disables definition lookup. Available in iOS 8.1.3 and later, and macOS 10.11 and later. Requires a supervised device on iOS.

allowDeviceNameModification

If false, the system prevents the user from changing the device name. Available in iOS 9 and later, macOS 14 and later, and tvOS 11.0 and later. Requires a supervised device in iOS and tvOS.

allowDeviceSleep

If false, the system prevents the device from automatically sleeping. Requires a supervised device. Available in tvOS 13 and later.

allowDiagnosticSubmission

If false, the system prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also available for user enrollment.

allowDiagnosticSubmissionModification

If false, the system disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. Available in iOS 9.3.2 and later.

allowDictation

If false, the system disallows dictation input. Available in iOS 10.3 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

allowEnablingRestrictions

If false, the system disables the Enable Restrictions option in the Restrictions UI in Settings. If false in iOS 12 and later, the system disables the Enable ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later.

allowEnterpriseAppTrust

If false, the system removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, which prevents provisioning apps by universal provisioning profiles. This restriction applies to free developer accounts. However, it doesn’t apply to enterprise app developers, because they’re trusted and the system installed their apps through MDM. It also doesn’t revoke previously granted trust. Available in iOS 9 and later.

allowEnterpriseBookBackup

If false, the system disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment.

allowEnterpriseBookMetadataSync

If false, the system disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment.

allowEraseContentAndSettings

If false, the system disables the Erase All Content and Settings option in the Reset UI. Available in iOS 8 and later, and macOS 12 and later. Requires a supervised device in iOS.

allowESIMModification

If false, the system disables modifications to carrier plan related settings. Requires a supervised device. Available in iOS 11 and later.

allowESIMOutgoingTransfers

If false, prevents the transfer of an eSIM from the device on which the restriction is installed to a different device. Requires a supervised device. Available in iOS 18 and later.

allowExplicitContent

If false, the system hides explicit music or video content purchased from the iTunes Store. The system marks explicit content as such by content providers, such as record labels, when sold through the iTunes Store. Explicit content in the News and Podcast apps is also hidden.

Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Requires a supervised device in iOS 13 and later. Support for this restriction on unsupervised devices is deprecated.

allowExternalIntelligenceIntegrations

If false, disables the use of external, cloud-based intelligence services with Siri. On iOS, this restriction is temporarily allowed on unsupervised and user enrollments. In a future release, this restriction will require supervision, and will be ignored on non-supervised devices. Available in iOS 18.2 and later, and macOS 15.2 and later.

allowExternalIntelligenceIntegrationsSignIn

If false, forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction will cause them to be signed out when the next request is attempted. Available in iOS 18.2 and later, and macOS 15.2 and later.

allowFileSharingModification

If false, the system prevents modifying File Sharing setting in System Settings. Available in macOS 14 and later.

allowFilesNetworkDriveAccess

If false, the system prevents connecting to network drives in the Files app. Requires a supervised device. Available in iOS 13.1 and later.

allowFilesUSBDriveAccess

If false, the system prevents connecting to any connected USB devices in the Files app. Requires a supervised device. Available in iOS 13.1 and later.

allowFindMyDevice

If false, the system disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later, and macOS 10.15 and later.

allowFindMyFriends

If false, the system disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later, and macOS 10.15 and later.

allowFindMyFriendsModification

If false, the system disables changes to Find My Friends. Requires a supervised device. Available in iOS 7 and later.

allowFingerprintForUnlock

If false, the system prevents Touch ID or Face ID from unlocking a device. Available in iOS 7 and later, and macOS 10.12.4 and later. Support for this restriction on unsupervised devices is deprecated.

allowFingerprintModification

If false, the system prevents the user from modifying Touch ID or Face ID. Available in iOS 8.3 and later, and macOS 14 and later. Requires a supervised device in iOS.

allowGameCenter

If false, the system disables Game Center, and the system removes its icon from the Home screen. Available in iOS 6 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

allowGenmoji

If false, prohibits creating new Genmoji. Requires a supervised device. Available in iOS 18 and later.

allowGlobalBackgroundFetchWhenRoaming

If false, the system disables global background fetch activity when an iOS phone is roaming. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated.

allowHostPairing

If false, the system disables host pairing with the exception of the supervision host. If there’s no configured supervision host certificate, the system disables all pairing. Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC. Requires a supervised device. Available in iOS 7 and later.

allowImagePlayground

If false, prohibits the use of image generation. Requires a supervised device. Available in iOS 18 and later and macOS 15 and later.

allowImageWand

If false, prohibits the use of Image Wand. Requires a supervised device. Available in iOS 18 and later.

allowInAppPurchases

If false, the system prohibits in-app purchasing. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated.

allowInternetSharingModification

If false, the system prevents modifying the Internet Sharing setting in System Settings. Available in macOS 14 and later.

allowiPhoneMirroring

If false, prohibits the use of iPhone Mirroring. When used on macOS, this prevents the Mac from mirroring any iPhone. When used on iOS, this prevents the iPhone from mirroring to any Mac. Requires a supervised device. Available in iOS 18 and later and macOS 15 and later.

allowiPhoneWidgetsOnMac

If false, the system disallows iPhone widgets on a Mac that has signed in the same Apple ID for iCloud. Requires a supervised device. Available on iOS 17 and later.

allowiTunes

If false, the system disables the iTunes Music Store, and the system removes its icon from the Home screen. Users can’t preview, purchase, or download content. Available in iOS 4 and later. Requires a supervised device in iOS 13 and later.

allowiTunesFileSharing

If false, the system disables iTunes file sharing services. Available in macOS 10.13 and later.

allowKeyboardShortcuts

If false, the system disables keyboard shortcuts. Requires a supervised device. Available in iOS 9 and later.

allowListedAppBundleIDs

If present, the system only shows or can launch apps with bundle IDs in the array. Include the value com.apple.webapp to allow all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

Requires a supervised device. Available in iOS 15 and later, and tvOS 15 and later.

allowLiveVoicemail

If false, the system disables live voicemail on the device.

Requires a supervised device. Available in iOS 17.2 and later.

allowLocalUserCreation

If false, the system prevents creating new users in System Settings. Available in macOS 14 and later.

allowLockScreenControlCenter

If false, the system prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment.

allowLockScreenNotificationsView

If false, the system disables the Notifications history view on the lock screen, so users can’t view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment.

allowLockScreenTodayView

If false, the system disables the Today view in Notification Center on the lock screen. Available in iOS 7 and later. Also available for user enrollment.

allowMailPrivacyProtection

If false, the system disables Mail Privacy Protection on the device. Requires a supervised device. Available in iOS 15.2 and later.

allowMailSummary

If false, disables the ability to create summaries of email messages manually. This doesn’t affect automatic summary generation. Available in iOS 18.1 and later.

allowManagedAppsCloudSync

If false, the system prevents managed apps from using iCloud sync. Available in iOS 8 and later. Also available for user enrollment.

allowManagedToWriteUnmanagedContacts

If true, the system allows managed apps to write contacts to unmanaged accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. Available in iOS 12 and later.

allowMarketplaceAppInstallation

If false, the system prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps. Available in iOS 17.4 and later. Requires a supervised device

allowMediaSharingModification

If false, prevents modification of Media Sharing settings. Available in macOS 15.1 and later.

allowMultiplayerGaming

If false, the system prohibits multiplayer gaming. Available in iOS 4.1 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

allowMusicService

If false, the system disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS 10.12 and later.

allowNews

If false, the system disables News. Requires a supervised device. Available in iOS 9 and later.

allowNFC

If false, the system disables NFC. Requires a supervised device. Available in iOS 14.2 and later.

allowNotificationsModification

If false, the system disables modification of notification settings. Requires a supervised device. Available in iOS 9.3 and later.

allowOpenFromManagedToUnmanaged

If false, documents in managed apps and accounts only open in other managed apps and accounts. Available in iOS 7 and later. Also available for user enrollment.

allowOpenFromUnmanagedToManaged

If false, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. Available in iOS 7 and later. Also available for user enrollment.

allowOTAPKIUpdates

If false, the system disables over-the-air PKI updates. Setting this restriction to false doesn’t disable CRL and OCSP checks. Available in iOS 7 and later.

allowPairedWatch

If false, the system disables pairing with an Apple Watch, and the system unpairs any currently paired Apple Watch and erases its content. Requires a supervised device. Available in iOS 9 and later.

allowPasscodeModification

If false, the system prevents adding, changing, or removing the passcode. The system ignores this restriction on Shared iPad. Available in iOS 9 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

allowPassbookWhileLocked

If false, the system hides Passbook notifications from the lock screen. Available in iOS 6 and later.

allowPasswordAutoFill

If false, the system disables:

  • The AutoFill Passwords feature in iOS, with Keychain and third-party password managers

  • Prompting the user to use a saved password in Safari or in apps

  • Automatic strong passwords

  • Suggesting strong passwords to users

However, if false, the system doesn’t prevent AutoFill for contact info and credit cards in Safari.

Available in iOS 12 and later, and macOS 10.14 and later. Requires a supervised device in iOS.

allowPasswordProximityRequests

If false, the system disables requesting passwords from nearby devices. Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later. Requires a supervised device in iOS and tvOS.

allowPasswordSharing

If false, the system disables sharing passwords with the Airdrop Passwords feature. Available in iOS 12 and later, and macOS 10.14 and later. Requires a supervised device in iOS.

allowPersonalHotspotModification

If false, the system disables modifications of the personal hotspot setting. Requires a supervised device. Available in iOS 12.2 and later.

allowPersonalizedHandwritingResults

If false, prevents the system from generating text in the user’s handwriting. Requires a supervised device. Available in iOS 18 and later.

allowPodcasts

If false, the system disables podcasts. Requires a supervised device. Available in iOS 8 and later.

allowPredictiveKeyboard

If false, the system disables predictive keyboards. Requires a supervised device. Available in iOS 8.1.3 and later.

allowPrinterSharingModification

If false, the system prevents modifying Printer Sharing settings in System Settings. Available in macOS 14 and later.

allowProximitySetupToNewDevice

If false, disables the prompt to set up new devices that are nearby. Requires a supervised device. Available in iOS 11 and later.

allowRadioService

If false, the system disables Apple Music Radio. Requires a supervised device. Available in iOS 9.3 and later.

allowRapidSecurityResponseInstallation

If false, the system prohibits installation of rapid security responses. Available in iOS 16 and later, and macOS 13 and later.

allowRapidSecurityResponseRemoval

If false, the system prohibits removal of rapid security responses. Available in iOS 16 and later, and macOS 13 and later.

allowRCSMessaging

If false, prevents the use of RCS messaging. Available in iOS 18.1 and later.

allowRemoteAppleEventsModification

If false, the system prevents modifying Remote Apple Events Sharing settings in System Settings. Available in macOS 14 and later.

allowRemoteAppPairing

If false, the system disables pairing Apple TV for use with the Remote app or Control Center widget. Requires a supervised device. Available in tvOS 10.2 and later.

allowRemoteScreenObservation

If false, the system disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is false, the Classroom app doesn’t observe remote screens. Available in iOS 12 and later, and macOS 10.14.4 and later. Requires a supervised device until iOS 13 and macOS 10.15. Allowed for user enrollments in macOS 12 and later.

allowSafari

If false, the system disables the Safari web browser app, and the system removes its icon from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later.

allowScreenShot

If false, the system disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for user enrollment.

allowSharedDeviceTemporarySession

If false, the system makes temporary sessions unavailable on Shared iPad. Available in iOS 13.4 and later.

allowSharedStream

If false, the system disables Shared Photo Stream. Available in iOS 6 and later. Support for this restriction on unsupervised devices is deprecated.

allowSpellCheck

If false, the system disables the keyboard spell checker. Requires a supervised device. Available in iOS 8.1.3 and later.

allowSpotlightInternetResults

If false, the system disables Spotlight Internet search results in Siri Suggestions. Available in iOS 8 and later, and macOS 10.11 and later. Support for this restriction on unsupervised devices is deprecated.

allowStartupDiskModification

If false, the system prevents modification of Startup Disk settings in System Settings. Available in macOS 14 and later.

allowSystemAppRemoval

If false, the system disables the removal of system apps from the device. Requires a supervised device. Available in iOS 11 and later.

allowTimeMachineBackup

If false, the system prevents modification of Time Machine settings in System Settings. Available in macOS 14 and later.

allowUIAppInstallation

If false, the system disables the App Store, and the systems removes its icon from the Home screen. However, users can continue to use host apps such as iTunes or Configurator to install or update their apps.

In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later, and watchOS 10 and later.

allowUIConfigurationProfileInstallation

If false, the system prohibits the user from installing configuration profiles and certificates interactively. Available in iOS 6 and later, and macOS 13 and later. Requires a supervised device in iOS.

allowUniversalControl

If false, the system disables Universal Control. Available in macOS 13 and later.

allowUnmanagedToReadManagedContacts

If true, the system allows unmanaged apps to read from managed contacts accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. Available in iOS 12 and later.

allowUnpairedExternalBootToRecovery

If true, the system allows unpaired devices to boot devices into recovery. Requires a supervised device. Available in iOS 14.5 and later.

allowUntrustedTLSPrompt

If false, the system automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5 and later.

allowUSBRestrictedMode

If false, the system allows iOS devices to always connect to USB accessories while locked. On macOS, allows new USB and Thunderbolt accessories and SD cards to connect without authorization. If the system has Lockdown mode enabled, it ignores this value. Available in iOS 11.4.1 and later, and macOS 13 and later. Requires a supervised device in iOS.

allowVideoConferencing

If false, the system hides the FaceTime app. Available in iOS 4 and later. Requires a supervised device in iOS 13 and later.

allowVPNCreation

If false, the system disables the creation of VPN configurations. Requires a supervised device. Available in iOS 11 and later.

allowWallpaperModification

If false, the system prevents changing the wallpaper. Available in iOS 9 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

allowWebDistributionAppInstallation

If false, the device prevents installation of apps directly from the web. Available in iOS 17.5 and later.

allowWritingTools

If false, disables Apple Intelligence writing tools. Requires a supervised device. Available in iOS 18 and later and macOS 15 and later.

autonomousSingleAppModePermittedAppIDs

If present, the system allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Requires a supervised device. Available in iOS 7 and later.

blockedAppBundleIDs

If present, the system prevents showing or launching apps with bundle IDs in the array. Include the value com.apple.webapp to restrict all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

Requires a supervised device. Available in iOS 15 and later, and tvOS 15 and later.

enforcedFingerprintTimeout

The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours. Available in macOS 12 and later.

enforcedSoftwareUpdateDelay

How many days to delay a software update on the device. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date. The restrictions forceDelayedAppSoftwareUpdates and forceDelayedSoftwareUpdates use this value. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later. Requires a supervised device in iOS and tvOS.

enforcedSoftwareUpdateMinorOSDeferredInstallDelay

This restriction allows the administrator to set how many days to delay a minor OS software update on the device. When this restriction is in place, the user see a software update only after the specified delay after the release of the software update. This value controls the delay for forceDelayedSoftwareUpdates. Available in macOS 11.3 and later.

enforcedSoftwareUpdateMajorOSDeferredInstallDelay

This restriction allows the administrator to set how many days to delay a major software upgrade on the device. When this restriction is in place, the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for forceDelayedMajorSoftwareUpdates. Available in macOS 11.3 and later.

enforcedSoftwareUpdateNonOSDeferredInstallDelay

This restriction allows the administrator to set how many days to delay an app software update on the device. When this restriction is in place, the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for forceDelayedAppSoftwareUpdates. Available in macOS 11.3 and later.

forceAirDropUnmanaged

If true, the system considers AirDrop to be an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment.

forceAirPlayIncomingRequestsPairingPassword

If true, the system forces all devices sending AirPlay requests to this device to use a pairing password. Available in tvOS 6.2 and later. This key isn’t supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead.

forceAirPlayOutgoingRequestsPairingPassword

If true, the system forces all devices receiving AirPlay requests from this device to use a pairing password. Available in iOS 7.1 and later. Also available for user enrollment.

forceAirPrintTrustedTLSRequirement

If true, the system requires trusted certificates for TLS printing communication. Requires a supervised device. Available in iOS 11 and later.

forceAssistantProfanityFilter

If true, the system forces the use of the profanity filter assistant. Available in iOS 11 and later, and macOS 10.13 and later. Requires a supervised device in iOS.

forceAuthenticationBeforeAutoFill

If true, the user needs to authenticate before the system can autofill passwords or credit card information in Safari and apps. If this restriction isn’t enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID. Requires a supervised device. Available in iOS 11 and later.

forceAutomaticDateAndTime

If true, the system enables the Set Automatically feature in Date & Time and the user can’t disable it. The system updates the device’s time zone only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled. Requires a supervised device. Available in iOS 12 and later, and tvOS 12.2 and later.

forceBypassScreenCaptureAlert

If true, then the system bypasses the presentation of a screen capture alert. Available in macOS 15.1 and later.

forceClassroomAutomaticallyJoinClasses

If true, the system automatically gives permission to the teacher’s requests without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceClassroomRequestPermissionToLeaveClasses

If true, a student enrolled in an unmanaged course through Classroom needs to request permission from the teacher to leave the course. Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later.

forceClassroomUnpromptedAppAndDeviceLock

If true, the system allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceClassroomUnpromptedScreenObservation

If true and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course through the Classroom app automatically gives permission to that course teacher’s requests to observe the student’s screen without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceDelayedAppSoftwareUpdates

If true, the system delays user visibility of non-OS software updates. Requires a supervised device. Control visibility of operating system updates through forceDelayedSoftwareUpdates. The delay is 30 days unless you set enforcedSoftwareUpdateDelay to another value. Available in macOS 11 and later.

forceDelayedMajorSoftwareUpdates

If true, the system delays user visibility of major OS updates. Available in macOS 11.3 and later.

forceDelayedSoftwareUpdates

If true, the system delays user visibility of software updates. In macOS, the system allows seed build updates without delay. The delay is 30 days unless you set enforcedSoftwareUpdateDelay to another value. Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later. Requires a supervised device in iOS and tvOS.

forceEncryptedBackup

If true, the system encrypts all backups. Available in iOS 4 and later. Also available for user enrollment.

forceLimitAdTracking

If true, the system limits ad tracking. Additionally, it disables app tracking and the Allow Apps to Request to Track setting. Available in iOS 7 and later.

forceOnDeviceOnlyDictation

If true, the system disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later, macOS 14 and later, and watchOS 10 and later. Also available for user enrollment.

forceOnDeviceOnlyTranslation

If true, the device won’t connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Also available for user enrollment.

forcePreserveESIMOnErase

If true, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Requires a supervised device. Available in iOS 17.2 and later.

forceWatchWristDetection

If true, the system forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment.

forceWiFiToAllowedNetworksOnly

If true, the system limits the device to only join Wi-Fi networks set up through a configuration profile. Requires a supervised device. Available in iOS 14.5 and later.

forceWiFiPowerOn

If true, the system prevents turning off Wi-Fi in Settings or Control Center, even by entering or leaving Airplane Mode. It doesn’t prevent selecting which Wi-Fi network to use. Requires a supervised device. Available in iOS 13.0 and later.

ratingApps

The maximum level of app content allowed on the device. Preinstalled (first party) apps ignore this restriction. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.

Possible values, with the US description of the rating level:

1000

All

600

17+

300

12+

200

9+

100

4+

0

None

ratingMovies

The maximum level of movie content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.

Possible values, with the US description of the rating level:

1000

All

500

NC-17

400

R

300

PG-13

200

PG

100

G

0

None

ratingRegion

The two-letter key that profile tools use to display the proper ratings for the given region. The client doesn’t recognize or report this data. Available in iOS 4.0 and later, macOS 10.7 and later, and tvOS 9 and later.

ratingTVShows

The maximum level of TV content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated.

Possible values, with the US description of the rating level:

1000

All

600

TV-MA

500

TV-14

400

TV-PG

300

TV-G

200

TV-Y7

100

TV-Y

0

None

requireManagedPasteboard

If true, copy and paste functionality conforms to the allowOpenFromManagedToUnmanaged and allowOpenFromUnmanagedToManaged restrictions. Also available for user enrollment.

safariAcceptCookies

Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated. Allowed values:

0

Enables Prevent Cross-Site Tracking and Block All Cookies, and the user canʼt disable either setting.

1 or 1.5

Enables Prevent Cross-Site Tracking, and the user canʼt disable it. Doesn’t enable Block All Cookies, but the user can enable it.

2

Enables Prevent Cross-Site Tracking but doesn’t enable Block All Cookies. The user can toggle either setting.

safariAllowAutoFill

If false, the system disables Safari AutoFill for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later.

safariAllowJavaScript

If false, Safari doesn’t execute JavaScript. Available in iOS 4 and later.

safariAllowPopups

If false, Safari doesn’t allow pop-up windows. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated.

safariForceFraudWarning

If true, the system enables Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment.

allowPhotoStream
Deprecated 

If false, the system disables Photo Stream. Available in iOS 5 and later.

allowVoiceDialing
Deprecated 

If false, the system disables voice dialing if the device is locked with a passcode. Available in iOS 4 and later.

blacklistedAppBundleIDs
Deprecated 

Use blockedAppBundleIDs instead.

forceITunesStorePasswordEntry
Deprecated 

If true, the system forces the user to enter their iTunes password for each transaction. Available in iOS 6 and later.

whitelistedAppBundleIDs
Deprecated 

Use allowListedAppBundleIDs instead.

forceWiFiWhitelisting
Deprecated 

Use forceWiFiToAllowedNetworksOnly instead.

Discussion

Specify com.apple.applicationaccess as the payload type.

Profile Availability

Device Channel

iOS, macOS, Shared iPad, tvOS, watchOS

User Channel

macOS, Shared iPad

Allow Manual Install

iOS, macOS, Shared iPad, tvOS, watchOS

Requires Supervision

-

Requires User Approved MDM

-

Allowed in User Enrollment

iOS, macOS, Shared iPad

Allow Multiple Payloads

iOS, macOS, Shared iPad, tvOS, watchOS

Profile Example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>allowActivityContinuation</key>
            <false/>
            <key>blockedAppBundleIDs</key>
            <array>
                <string>com.apple.mobilesafari</string>
            </array>
            <key>ratingApps</key>
            <integer>500</integer>
            <key>PayloadIdentifier</key>
            <string>com.example.myrestrictionspayload</string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>53bec1be-ffec-4f88-acbd-b02aee8f04a9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Restrictions</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>6020206c-12c2-4ada-987a-dd4c560ca73a</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
Current page is Restrictions