Device Management Profile

Restrictions

The payload for configuring restrictions on a device.

Properties

allowAccountModification
boolean

If false, disables account modification. Requires a supervised device. Available in iOS 7 and later.

allowActivityContinuation
boolean

If false, disables activity continuation. Available in iOS 8 and later, and macOS 10.15 and later.

allowAddingGameCenterFriends
boolean

If false, prohibits adding friends to Game Center. As of iOS 13, requires a supervised device. Available in iOS 4.2.1 and later, and macOS 10.13 and later.

allowAirDrop
boolean

If false, disables AirDrop. Requires a supervised device. Available in iOS 7 and later, and macOS 10.13 and later.

allowAirPlayIncomingRequests
boolean

If false, disables incoming AirPlay requests. Requires a supervised device. Available in tvOS 10.2 and later.

allowAirPrint
boolean

If false, disables AirPrint. Requires a supervised device. Available in iOS 11 and later.

allowAirPrintCredentialsStorage
boolean

If false, disables keychain storage of user name and password for AirPrint. Requires a supervised device. Available in iOS 11 and later.

allowAirPrintiBeaconDiscovery
boolean

If false, disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires a supervised device. Available in iOS 11 and later.

allowAppCellularDataModification
boolean

If false, disables changing settings for cellular data usage for apps. Requires a supervised device. Available in iOS 7 and later.

allowAppInstallation
boolean

If false, disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. As of iOS 13, requires a supervised device. Available in iOS 4 and later.

allowAppRemoval
boolean

If false, disables removal of apps from an iOS device. Available in iOS 4.2.1 and later.

allowAssistant
boolean

If false, disables Siri. Available in iOS 5 and later. Also available for user enrollment.

allowAssistantUserGeneratedContent
boolean

If false, prevents Siri from querying user-generated content from the web. Requires a supervised device. Available in iOS 7 and later.

allowAssistantWhileLocked
boolean

If false, disables Siri when the device is locked. This restriction is ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment.

allowAutoCorrection
boolean

If false, disables keyboard autocorrection. Requires a supervised device. Available in iOS 8.1.3 and later.

allowAutomaticAppDownloads
boolean

If false, prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps. Requires a supervised device. Available in iOS 9 and later.

allowAutoUnlock
boolean

If false, disallows auto unlock. Available in macOS 10.12 and later.

allowBluetoothModification
boolean

If false, prevents modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later.

allowBookstore
boolean

If false, disables Apple Books. Requires a supervised device. Available in iOS 6 and later.

allowBookstoreErotica
boolean

If false, the user can't download Apple Books media that is tagged as erotica. Available in iOS 6 and later, and tvOS 11.3 and later.

allowCamera
boolean

If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.11 and later.

allowCellularPlanModification
boolean

If false, users can't change any settings related to their cellular plan. Requires a supervised device. Available in iOS 11 and later.

allowChat
boolean

If false, disables the use of the Messages app with supervised devices. Requires a supervised device. Available in iOS 5 and later.

allowCloudAddressBook
boolean

If false, disables iCloud Address Book services. Available in macOS 10.12 and later.

allowCloudBackup
boolean

If false, disables backing up the device to iCloud. As of iOS 13, requires a supervised device. Available in iOS 5 and later.

allowCloudBookmarks
boolean

If false, disables iCloud Bookmark sync. Available in macOS 10.12 and later.

allowCloudCalendar
boolean

If false, disables iCloud Calendar services. Available in macOS 10.12 and later.

allowCloudDesktopAndDocuments
boolean

If false, disables cloud desktop and document services. Available in macOS 10.12.4 and later.

allowCloudDocumentSync
boolean

If false, disables document and key-value syncing to iCloud. As of iOS 13, requires a supervised device. Available in iOS 5 and later, and macOS 10.11 and later.

allowCloudKeychainSync
boolean

If false, disables iCloud keychain synchronization. As of iOS 13, requires a supervised device. Available in iOS 7 and later, and macOS 10.12 and later.

allowCloudMail
boolean

If false, disables iCloud Mail services. Available in macOS 10.12 and later.

allowCloudNotes
boolean

If false, disables iCloud Notes services. Available in macOS 10.12 and later.

allowCloudPhotoLibrary
boolean

If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in iOS 9 and later, and macOS 10.12 and later.

allowCloudReminders
boolean

If false, disables iCloud Reminder services. Available in macOS 10.12 and later.

allowContentCaching
boolean

If false, disables content caching. As of 10.13.4 this is included in the content caching payload. Available in macOS 10.13 and later.

allowContinuousPathKeyboard
boolean

If false, disables continuous path keyboard. Requires a supervised device. Available in iOS 13 and later.

allowDefinitionLookup
boolean

If false, disables definition lookup. Requires a supervised device. Available in iOS 8.1.3 and later.

allowDeviceNameModification
boolean

If false, prevents the device name from being changed. Requires a supervised device. Available in iOS 9 and later, and tvOS 11.0 and later.

allowDeviceSleep
boolean

If false, prevents device from sleeping. Requires a supervised device. Available in tvOS 13 and later.

allowDiagnosticSubmission
boolean

If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also available for user enrollment.

allowDiagnosticSubmissionModification
boolean

If false, disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. Available in iOS 9.3.2 and later.

allowDictation
boolean

If false, disallows dictation input. Requires a supervised device. Available in iOS 10.3 and later, and macOS 10.13 and later.

allowEnablingRestrictions
boolean

If false, disables the "Enable Restrictions" option in the Restrictions UI in Settings.

In iOS 12 or later, if false, disables the "Enable ScreenTime" option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later.

allowEnterpriseAppTrust
boolean

If false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts. However, it doesn't apply to enterprise app developers who are trusted because their apps were pushed through MDM. It also doesn't revoke previously granted trust. Available in iOS 9 and later.

allowEnterpriseBookBackup
boolean

If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment.

allowEnterpriseBookMetadataSync
boolean

If false, disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment.

allowEraseContentAndSettings
boolean

If false, disables the Erase All Content And Settings option in the Reset UI. Requires a supervised device. Available in iOS 8 and later.

allowESIMModification
boolean

If false, disables modifications to the eSIM setting. Requires a supervised device. Available in iOS 12.1 and later.

allowExplicitContent
boolean

If false, hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later.

allowFindMyDevice
boolean

If false, disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later.

allowFindMyFriends
boolean

If false, disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later.

allowFindMyFriendsModification
boolean

If false, disables changes to Find My Friends. Requires a supervised device. Available in iOS 7 and later.

allowFingerprintForUnlock
boolean

If false, prevents Touch ID from unlocking a device. Available in iOS 7 and later, and macOS 10.12.4 and later.

allowFingerprintModification
boolean

If true, allows the user to modify Touch ID. Requires a supervised device. Available in iOS 8.3 and later.

allowGameCenter
boolean

If false, disables Game Center, and its icon is removed from the Home screen. Requires a supervised device. Available in iOS 6 and later, and macOS 10.13 and later.

allowGlobalBackgroundFetchWhenRoaming
boolean

If false, disables global background fetch activity when an iOS phone is roaming. Available in iOS 4 and later.

allowHostPairing
boolean

If false, disables host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control which devices an iOS 7 device can pair with. Requires a supervised device. Available in iOS 7 and later.

allowInAppPurchases
boolean

If false, prohibits in-app purchasing. Available in iOS 4 and later.

allowiTunes
boolean

If false, disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. As of iOS 13, requires a supervised device. Available in iOS 4 and later.

allowiTunesFileSharing
boolean

If false, disables iTunes file sharing services. Available in macOS 10.13 and later.

allowKeyboardShortcuts
boolean

If false, disables keyboard shortcuts. Requires a supervised device. Available in iOS 9 and later.

allowLockScreenControlCenter
boolean

If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment.

allowLockScreenNotificationsView
boolean

If false, disables the Notifications history view on the lock screen, so users can't view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment.

allowLockScreenTodayView
boolean

If false, disables the Today view in Notification Center on the lock screen. Available in iOS 7 and later. Also available for user enrollment.

allowManagedAppsCloudSync
boolean

If false, prevents managed apps from using iCloud sync. Available in iOS 8 and later. Also available for user enrollment.

allowManagedToWriteUnmanagedContacts
boolean

If true, managed apps can write contacts to unmanaged contacts accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. If this restriction is set to true, you must install the payload through MDM. Available in iOS 12 and later.

allowMultiplayerGaming
boolean

If false, prohibits multiplayer gaming. As of iOS 13, requires a supervised device. Available in iOS 4.1 and later, and macOS 10.13 and later.

allowMusicService
boolean

If false, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS 10.12 and later.

allowNews
boolean

If false, disables News. Requires a supervised device. Available in iOS 9 and later.

allowNotificationsModification
boolean

If false, disables modification of notification settings. Requires a supervised device. Available in iOS 9.3 and later.

allowOpenFromManagedToUnmanaged
boolean

If false, documents in managed apps and accounts only open in other managed apps and accounts. Available in iOS 7 and later. Also available for user enrollment.

allowOpenFromUnmanagedToManaged
boolean

If false, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. Available in iOS 7 and later. Also available for user enrollment.

allowOTAPKIUpdates
boolean

If false, disables over-the-air PKI updates. Setting this restriction to false doesn't disable CRL and OCSP checks. Available in iOS 7 and later.

allowPairedWatch
boolean

If false, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and the watch's content is erased. Requires a supervised device. Available in iOS 9 and later.

allowPassbookWhileLocked
boolean

If false, hides Passbook notifications from the lock screen. Available in iOS 6 and later.

allowPasscodeModification
boolean

If false, prevents the device passcode from being added, changed, or removed.

This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later.

allowPasswordAutoFill
boolean

If false, disables the AutoFill Passwords feature in iOS and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.

allowPasswordProximityRequests
boolean

If false, disables requesting passwords from nearby devices. Requires a supervised device. Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later.

allowPasswordSharing
boolean

If false, disables sharing passwords with the AirDrop Passwords feature. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.

allowPersonalHotspotModification
boolean

If false, disables modifications of the personal hotspot setting. Requires a supervised device. Available in iOS 12.2 and later.

allowPhotoStream
boolean

If false, disables Photo Stream. Available in iOS 5 and later.

allowPodcasts
boolean

If false, disables podcasts. Requires a supervised device. Available in iOS 8 and later.

allowPredictiveKeyboard
boolean

If false, disables predictive keyboards. Requires a supervised device. Available in iOS 8.1.3 and later.

allowProximitySetupToNewDevice
boolean

If false, disables the prompt to set up new devices that are nearby. Requires a supervised device. Available in iOS 11 and later.

allowRadioService
boolean

If false, disables Apple Music Radio. Requires a supervised device. Available in iOS 9.3 and later.

allowRemoteAppPairing
boolean

If false, disables pairing Apple TV for use with the Remote app or Control Center widget. Requires a supervised device. Available in tvOS 10.2 and later.

allowRemoteScreenObservation
boolean

If false, disables remote screen observation by the Classroom app. Nest this key beneath allowScreenShot as a subrestriction. If allowScreenShot is set to false, the Classroom app doesn't observe remote screens. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14.4 and later.

allowSafari
boolean

If false, disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later.

allowScreenShot
boolean

If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for user enrollment.

allowSharedStream
boolean

If false, disables Photo Stream. Available in iOS 6 and later.

allowSpellCheck
boolean

If false, disables keyboard spell-check. Requires a supervised device. Available in iOS 8.1.3 and later.

allowSpotlightInternetResults
boolean

If false, disables Spotlight Internet search results. Available in iOS 8 and later, and macOS 10.11 and later.

allowSystemAppRemoval
boolean

If false, disables the removal of system apps from the device. Requires a supervised device. Available in iOS 11 and later.

allowUIAppInstallation
boolean

If false, disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps.

In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later.

allowUIConfigurationProfileInstallation
boolean

If false, prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later.

allowUnmanagedToReadManagedContacts
boolean

If true, unmanaged apps can read from managed contacts accounts. If allowOpenFromManagedToUnmanaged is true, this restriction has no effect. If this restriction is set to true, you must install the payload through MDM. Available in iOS 12 and later. Also available for user enrollment.

allowUntrustedTLSPrompt
boolean

If false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5 and later.

allowUSBRestrictedMode
boolean

If true, allows the device to always connect to USB accessories while locked. Requires a supervised device. Available in iOS 11.4.1 and later.

allowVideoConferencing
boolean

If false, disables video conferencing. As of iOS 13, requires a supervised device. Available in iOS 4 and later.

allowVoiceDialing
boolean

If false, disables voice dialing if the device is locked with a passcode. Available in iOS 4 and later.

allowVPNCreation
boolean

If false, disables the creation of VPN configurations. Requires a supervised device. Available in iOS 11 and later.

allowWallpaperModification
boolean

If false, prevents wallpaper from being changed. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later.

allowWiFiPowerModification
boolean

If false, prevents modifying the Wi-Fi state. Requires a supervised device. Available in iOS 13 and later.

autonomousSingleAppModePermittedAppIDs
[string]

If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode. Requires a supervised device. Available in iOS 7 and later.

blacklistedAppBundleIDs
[string]

If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value com.apple.webapp to blacklist all webclips. Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later.

enforcedSoftwareUpdateDelay
integer

Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. Requires a supervised device. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.

forceAirDropUnmanaged
boolean

If true, causes AirDrop to be considered an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment.

forceAirPlayIncomingRequestsPairingPassword
boolean

If true, forces all devices sending AirPlay requests to this device to use a pairing password. Available in Apple TV Software 6.2 and later. This key isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead.

forceAirPlayOutgoingRequestsPairingPassword
boolean

If true, forces all devices receiving AirPlay requests from this device to use a pairing password. Available in iOS 7.1 and later. Also available for user enrollment.

forceAirPrintTrustedTLSRequirement
boolean

If true, requires trusted certificates for TLS printing communication. Requires a supervised device. Available in iOS 11 and later.

forceAssistantProfanityFilter
boolean

If true, forces the use of the profanity filter assistant. Requires a supervised device. Available in iOS 11 and later.

forceAuthenticationBeforeAutoFill
boolean

If true, the user must authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction isn't enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID. Requires a supervised device. Available in iOS 11 and later.

forceAutomaticDateAndTime
boolean

If true, enables the Set Automatically feature in Date & Time and can't be disabled by the user. The device's time zone is updated only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled. Requires a supervised device. Available in iOS 12 and later, and tvOS 12.2 and later.

forceClassroomAutomaticallyJoinClasses
boolean

If true, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceClassroomRequestPermissionToLeaveClasses
boolean

If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later.

forceClassroomUnpromptedAppAndDeviceLock
boolean

If true, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceClassroomUnpromptedScreenObservation
boolean

If true and ScreenObservationPermissionModificationAllowed is also true in the Education payload, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later.

forceDelayedSoftwareUpdates
boolean

If true, delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device. Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later.

forceEncryptedBackup
boolean

If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment.

forceITunesStorePasswordEntry
boolean

If true, forces the user to enter their iTunes password for each transaction. Available in iOS 6 and later.

forceLimitAdTracking
boolean

If true, limits ad tracking. Available in iOS 7 and later.

forceWatchWristDetection
boolean

If true, forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment.

forceWiFiWhitelisting
boolean

If true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Requires a supervised device. Available in iOS 10.3 and later.

ratingApps
integer

The maximum level of app content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.

Possible values (with the US description of the rating level):

  • 1000: All

  • 600: 17+

  • 300: 12+

  • 200: 9+

  • 100: 4+

  • 0: None

ratingMovies
integer

The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.

Possible values (with the US description of the rating level):

  • 1000: All

  • 500: NC-17

  • 400: R

  • 300: PG-13

  • 200: PG

  • 100: G

  • 0: None 

ratingRegion
string

The two-letter key that profile tools use to display the proper ratings for the given region. This data is not recognized or reported by the client.

ratingTVShows
integer

The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later.

Possible values (with the US description of the rating level):

  • 1000: All

  • 600: TV-MA

  • 500: TV-14

  • 400: TV-PG

  • 300: TV-G

  • 200: TV-Y7

  • 100: TV-Y

  • 0: None 

safariAcceptCookies
number

This value defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later.

  • 0: Prevent Cross-Site Tracking and Block All Cookies are enabled and the user can't disable either setting.

  • 1 or 1.5: Prevent Cross-Site Tracking is enabled and the user can't disable it. Block All Cookies is not enabled, although the user can enable it.

  • 2: Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting.

safariAllowAutoFill
boolean

If false, disables Safari autofill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later.

safariAllowJavaScript
boolean

If false, Safari doesn't execute JavaScript. Available in iOS 4 and later.

safariAllowPopups
boolean

If false, Safari doesn't allow pop-up windows. Available in iOS 4 and later.

safariForceFraudWarning
boolean

If true, enables Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment.

whitelistedAppBundleIDs
[string]

If present, allows only bundle IDs listed in the array to be shown or launchable. Include the value com.apple.webapp to whitelist all webclips. Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later.

allowFilesUSBDriveAccess
boolean

Discussion

Specify com.apple.applicationaccess as the payload type.
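
As an added example (not Apple's code and not part of the original page), the following Python check reads an unsigned configuration profile, finds its com.apple.applicationaccess payloads, and reports settings that the property descriptions above say are out of range, have no effect, or need a supervised device. The PayloadContent/PayloadType profile layout, the function names, and the sample profile are assumptions of this example.

```python
import plistlib

PAYLOAD_TYPE = "com.apple.applicationaccess"  # payload type named in the Discussion

# Documented values, copied from the rating and cookie lists on this page.
ALLOWED_VALUES = {
    "ratingApps": {0, 100, 200, 300, 600, 1000},
    "ratingMovies": {0, 100, 200, 300, 400, 500, 1000},
    "ratingTVShows": {0, 100, 200, 300, 400, 500, 600, 1000},
    "safariAcceptCookies": {0, 1, 1.5, 2},
}
# Keys the page says have no effect when allowOpenFromManagedToUnmanaged is true.
CONTACT_KEYS = ("allowManagedToWriteUnmanagedContacts",
                "allowUnmanagedToReadManagedContacts")
# A subset of the keys marked "Requires a supervised device" (extend as needed).
SUPERVISED_ONLY = {
    "allowAirDrop", "allowHostPairing", "allowRemoteScreenObservation",
    "allowUIConfigurationProfileInstallation", "allowUSBRestrictedMode",
    "allowVPNCreation", "forceWiFiWhitelisting",
}


def audit_payload(payload, supervised):
    """Return (key, finding) tuples for one Restrictions payload dict."""
    findings = []
    for key, allowed in ALLOWED_VALUES.items():
        if key not in payload:
            continue
        value = payload[key]
        numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
        if not numeric or value not in allowed:
            findings.append((key, f"{value!r} is not a documented value"))
    if payload.get("allowOpenFromManagedToUnmanaged") is True:
        for key in CONTACT_KEYS:
            if key in payload:
                findings.append(
                    (key, "no effect while allowOpenFromManagedToUnmanaged is true"))
    if payload.get("allowScreenShot") is False and "allowRemoteScreenObservation" in payload:
        findings.append(("allowRemoteScreenObservation",
                         "redundant: allowScreenShot=false already stops observation"))
    if payload.get("allowUSBRestrictedMode") is True:
        findings.append(("allowUSBRestrictedMode",
                         "true lets USB accessories connect while the device is locked"))
    if not supervised:
        for key in sorted(SUPERVISED_ONLY):
            if key in payload:
                findings.append((key, "requires a supervised device"))
    return findings


def audit_profile(profile_bytes, supervised):
    """Audit every Restrictions payload in an unsigned .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict) and payload.get("PayloadType") == PAYLOAD_TYPE:
            findings.extend(audit_payload(payload, supervised))
    return findings


# Constructed sample profile (not from the page); values chosen to trigger findings.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PAYLOAD_TYPE,
        "allowOpenFromManagedToUnmanaged": True,
        "allowManagedToWriteUnmanagedContacts": True,
        "allowScreenShot": False,
        "allowRemoteScreenObservation": True,
        "allowUSBRestrictedMode": True,
        "allowHostPairing": False,
        "ratingApps": 700,           # not one of the documented levels
        "safariAcceptCookies": 1.5,  # documented value, no finding
    }],
})

if __name__ == "__main__":
    for key, finding in audit_profile(SAMPLE_PROFILE, supervised=False):
        print(f"{key}: {finding}")
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before it can be parsed this way.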

Profile Availability

Device Channel: iOS, macOS, Shared iPad, tvOS

User Channel: macOS, Shared iPad

Allow Manual Install: iOS, macOS, tvOS

Requires Supervision: -

Requires User Approved MDM: -

Allowed in User Enrollment: iOS

Allow Multiple Payloads: iOS, macOS, Shared iPad, tvOS