Introduction


Projects group devices or users with the applications and policies admins need provisioned. This article goes into detail about each policy supported by Ensemble MDM.


Policies

Kiosk Settings


While in kiosk mode, the device locks to the specified app. The home button is disabled and the device will always return to the app on wake up or restart.


Policy | Description | Supported Versions
Kiosk App's Bundle Identifier
The device will be locked down to this application.

If an invalid Bundle ID is provided, the device will display the following message: "Guided Access app unavailable. Please contact your administrator"


iOS 6.0+

iPadOS 6.0+

Applications Allowed to Enter Kiosk Mode
A list of bundle IDs that can control when they enter or exit kiosk mode.

iOS 7.0+

iPadOS 7.0+


Kiosk Options
Disable Auto Lock
Prevents the device from automatically going to sleep.

iOS 6.0+

iPadOS 6.0+

Disable Device Rotation

Prevents the device screen from rotating when the device changes orientation.

iOS 6.0+

iPadOS 6.0+

Disable Ringer Switch
Disables the ringer switch.

When disabled, the ringer behavior depends on what position the switch was in when it was first disabled.
iOS 6.0+
iPadOS 6.0+
Disable Sleep / Wake Button
Disables the side key, which either puts the device to sleep or wakes it up depending on the current state of the device.
iOS 6.0+
iPadOS 6.0+
Disable touch
The device will no longer respond to any input from the touch screen.
iOS 6.0+
iPadOS 6.0+
Disable Volume Button
Prevents the user from changing the volume through the volume keys.
iOS 6.0+
iPadOS 6.0+


Accessibility policies must be set before entering kiosk mode. If any changes are desired after the devices are in kiosk mode, make sure to deploy the project without the Kiosk App's Bundle Identifier to leave the kiosk, then redeploy with all the updated settings.


Kiosk Accessibility Options
Enable Assistive Touch (1)
Enables the Assistive Touch accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Enable Invert Colors (2)
Enables the Invert Colors accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Enable Mono Audio (3)
Enables the Mono Audio accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Speak Selection (4)
Enables the Speak Selection accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Voice Control (5)
Enables the Voice Control accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Voice Over (6)
Enables the Voice Over accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+
Zoom (7)
Enables the Zoom accessibility feature when the kiosk is started.
iOS 6.0+
iPadOS 6.0+


Triple-click the side or home button to open the Accessibility Shortcuts menu, then tap the feature to turn it on or off.


Accessibility Shortcuts (8)
Assistive Touch (1)
Adds Assistive Touch to the Accessibility Shortcuts menu.
iOS 6.0+
iPadOS 6.0+
Invert Colors (2)
Adds Invert Colors to the Accessibility Shortcuts menu.
iOS 6.0+
iPadOS 6.0+
Voice Control (5)
Adds Voice Control to the Accessibility Shortcuts menu.
iOS 6.0+
iPadOS 6.0+
Voice Over (6)
Adds Voice Over to the Accessibility Shortcuts menu.
iOS 6.0+
iPadOS 6.0+
Zoom (7)
Adds Zoom to the Accessibility Shortcuts menu.
iOS 6.0+
iPadOS 6.0+
  1. Assistive Touch is an accessibility feature that allows users to control their device with gestures or taps instead of buttons.
  2. Invert colors is an accessibility feature that can make text easier to read. 
  3. Mono audio is an accessibility feature that makes the left and right speakers play the same content.
  4. Speak Selection is an accessibility feature that has the phone read selected text aloud.
  5. Voice control is an accessibility feature that allows the user to use spoken commands to perform gestures, interact with screen elements, dictate and edit text, and more.
  6. Voice Over is a gesture-based screen reader. When the user touches the screen or drags a finger over it, Voice Over speaks the name of the item the finger is on.
  7. Zoom is an accessibility feature that will magnify the screen.
  8. The Accessibility Shortcuts menu provides quick access to certain accessibility features and provides a quick way to enable or disable them.


Home Screen Layout

Shortcuts for applications, web clips and folders can be placed on the home screen or dock.


Adding new shortcuts

New shortcuts can be added to the home screen or dock by clicking the + icon at the upper right corner of the table or the + buttons on the preview.


Pages can have up to 24 shortcuts on them. The dock can have up to four shortcuts.


If a shortcut is created for an app or web clip that is not actually on the device, the shortcut will be skipped on the device home screen.


In order to manage shortcuts on the dock, at least one shortcut must be managed on the home screen.


Modifying shortcuts

Shortcuts can be modified from the Options button of the table or by clicking the shortcut on the preview and selecting Edit shortcut.


The order of the shortcuts in the preview can be modified by using the up and down arrows in the table.


Deleting shortcuts

Shortcuts can be deleted via Options in the table or by clicking the shortcut in the preview and selecting Delete shortcut.


Multiple pages

Add new pages via + next to the last Page tab and delete a page by clicking the x in that page tab. Multiple pages are not supported in the dock.



Folder Shortcuts

Open a folder's contents from Options | Manage Folder Contents on a folder shortcut (or via the preview).


Navigate back with the back button above the preview.


Up to nine shortcuts can be placed per page inside a folder.


Folders inside of folders are not supported.



Device Settings

Policy | Description | Supported Versions
Allow Camera
If disabled, the system prevents use of the camera, removes its icon from the Home screen, and users are unable to take photographs.

*Note: The system may also hide the FaceTime application. Apps that rely on the camera may not work as expected.

iOS 4.0+

iPadOS 4.0+

Allow FaceTime
If disabled, the system hides the FaceTime app.

*Note: If 'Allow Camera' is disabled, FaceTime may also be disabled / removed from the Home screen. 

iOS 4.0+

iPadOS 4.0+

Allow Screenshots and Screen Recording
If disabled, the system prevents saving a screenshot of the display and capturing a screen recording.

This effectively disables the button combination for taking screenshot(s) and shows an error message to the user when attempting to screen record from the Control Center.

It also disables the Classroom app from observing remote screens.

iOS 4.0+

iPadOS 4.0+

Allow iMessage

If disabled, the system prevents the use of iMessage with supervised devices.


Additionally, any iMessage related settings are removed from the Messages section of Settings.


If the device supports text messaging, the user can still send and receive text / mms / group messages.

iOS 5.0+

iPadOS 5.0+

Allow Live Voicemail

If disabled, the system prevents live voicemail on the device.


Live Voicemail - lets you automatically see a real-time transcription as someone is leaving you a message. You can also pick up the call as they're leaving their voicemail.

iOS 17.2+

iPadOS 17.2+

Allow Screen Time

If disabled, the system prevents setting any options in the Screen Time section of Settings. This includes all 'Content & Privacy Restrictions' found in this section when Screen Time is enabled and setup.


Upon disabling, any Screen Time settings set prior will be overwritten and have no effect.


*Note: The 'Enable Screen Time' option may still show up in Settings, but will be grayed out with the message: "Screen Time has been restricted."

iOS 8.0+

iPadOS 8.0+

Allow Modifying Device Name
If disabled, the system prevents the user from changing the device name in the About section of device Settings.

The name field in the About section becomes uneditable and the current device name will remain.

iOS 9.0+

iPadOS 9.0+

Allow Adding / Removing Accounts
If disabled, the system prevents the addition of accounts in Account settings, such as Apple IDs and Internet-based accounts such as Mail, Contacts, Calendar, Notes, and Reminders.

The "Add account..." option becomes non-interactive in the Account settings section. Settings related to each account type can still be modified.

iOS 7.0+

iPadOS 7.0+

Allow Submitting Diagnostic and Usage Data to Apple
If disabled, the system prevents the device from automatically submitting diagnostic reports to Apple.

iOS 6.0+

iPadOS 6.0+

Allow Modifying Diagnostic Settings
If disabled, the system disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings.

iOS 9.3.2+

iPadOS 9.3.2+

Allow Mail Privacy Protection
If disabled, the system disables Mail Privacy Protection on the device.

iOS 15.2+

iPadOS 15.2+

Force Automatic Date and Time
If disabled, the system enables the 'Set Automatically' feature in Date & Time and the user can’t disable it. The system updates the device’s time zone only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled.

iOS 12.0+

iPadOS 12.0+


Lock Screen Settings
Allow Lock Screen Control Center

If disabled, the system prevents Control Center from appearing on the Lock screen.

iOS 7.0+

iPadOS 7.0+

Allow Lock Screen Notifications View

If disabled, the system disables the Notifications history view on the lock screen, so users can’t view past notifications.


However, they can still see notifications when they arrive.

iOS 7.0+

iPadOS 7.0+

Allow Lock Screen Today View
If disabled, the system disables the Today view in Notification Center on the lock screen.

iOS 7.0+

iPadOS 7.0+

Allow Lock Screen Apple Wallet Notifications
If disabled, the system hides Passbook notifications from the lock screen.

iOS 6.0+

iPadOS 6.0+

Lock Screen Message
If present, specifies optional text displayed in the login window and Lock screen (for example, a message and asset tag information).

iOS 9.3+

iPadOS 9.3+


Device Wallpaper
Allow Modifying Wallpaper
If disabled, the system prevents changing the wallpaper.

The Wallpaper section is removed from Settings and the current device Wallpaper will remain.

iOS 9.0+

iPadOS 9.0+


Home Screen Wallpaper
Choose an image to be the home screen wallpaper of the device.

*Note: In iOS 16 and later, and iPadOS 17 and later, when you set the wallpaper for the first time, the system sets both the lock screen and home screen. After that, you can separately set each location.

*Images must first be uploaded to the company.

iOS 8.0+

iPadOS 8.0+


Lock Screen Wallpaper
Choose an image to be the lock screen wallpaper of the device.

*Note: In iOS 16 and later, and iPadOS 17 and later, when you set the wallpaper for the first time, the system sets both the lock screen and home screen. After that, you can separately set each location.

*Images must first be uploaded to the company.

iOS 8.0+

iPadOS 8.0+



Keyboard / Dictation Settings
Allow Predictive Keyboards
If disabled, the system disables predictive keyboards.

iOS 8.1.3+

iPadOS 8.1.3+

Allow Text Replacement
If disabled, the system disables text replacement.

Text replacement allows the user to set up a shortcut that will automatically expand into the word or phrase as they type it (e.g. 'omw' becomes 'On my way!').

iOS 9.0+

iPadOS 9.0+

Allow Slide to Type
If disabled, the system disables slide to type.

iOS 13.0+

iPadOS 13.0+

Allow Auto-correction
If disabled, the system disables keyboard auto-correction.

iOS 8.1.3+

iPadOS 8.1.3+

Allow Spell Check

If disabled, the system disables the keyboard spell checker.

iOS 8.1.3+

iPadOS 8.1.3+

Allow Definition Lookup
If disabled, the system disables definition lookup.

iOS 8.1.3+

iPadOS 9.0+

Allow Dictation
If disabled, the system disallows dictation input.

iOS 10.3+

iPadOS 10.3+


Siri Settings
Allow Siri
If disabled, the system disables Siri.

iOS 5.0+

iPadOS 5.0+

Allow Siri while device is locked

If disabled, the system disables Siri when the device is locked.


The system ignores this restriction if the device doesn’t have a passcode set.

iOS 5.1+

iPadOS 5.1+

Allow Siri to show user-generated content
If disabled, the system prevents Siri from querying user-generated content from the web.

iOS 7.0+

iPadOS 7.0+

Allow Siri suggestions to contain Spotlight internet search results
If disabled, the system disables Spotlight Internet search results in Siri Suggestions.

iOS 8.0+

iPadOS 8.0+

Force on-device only dictation

If enabled, the system disables connections to Siri servers for the purposes of dictation.


*Note: Policy 'Allow Dictation' must also be true.

iOS 14.5+

iPadOS 14.5+

Force on-device only translation
If enabled, the device won’t connect to Siri servers for the purposes of translation.

iOS 15.0+

iPadOS 15.0+

Force profanity filter for Siri suggestions and dictation
If enabled, the system forces the use of the profanity filter assistant.

iOS 11.0+

iPadOS 11.0+


Advertisement Settings
Allow Apple-personalized advertising
If disabled, the system limits Apple personalized advertising.

iOS 14.0+

iPadOS 14.0+

Force limited ad tracking
If enabled, the system limits ad tracking. Additionally, it disables app tracking and the 'Allow Apps to Request to Track' setting.

iOS 7.0+

iPadOS 7.0+


Data Sharing Settings
Allow data from Managed Sources in Unmanaged Destinations
If disabled, documents in managed apps and accounts only open in other managed apps and accounts.

iOS 7.0+

iPadOS 7.0+

Allow Managed Apps to write contacts to Unmanaged contact accounts

If enabled, the system allows managed apps to write contacts to unmanaged accounts.


If 'Allow data from Managed Sources in Unmanaged Destinations' is true, this restriction has no effect.

iOS 12.0+

iPadOS 12.0+

Allow Unmanaged apps to read contacts from Managed contact accounts

If enabled, the system allows unmanaged apps to read from managed contacts accounts.


If 'Allow data from Managed Sources in Unmanaged Destinations' is true, this restriction has no effect.

iOS 12.0+

iPadOS 12.0+

Allow data from Unmanaged sources in Managed destinations
If disabled, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts.

iOS 7.0+

iPadOS 7.0+

Require Managed Pasteboard
If enabled, copy and paste functionality conforms to the above restrictions.

iOS 15.0+

iPadOS 15.0+


Advanced Settings
Allow over-the-air (OTA) PKI Updates

If disabled, the system disables over-the-air PKI updates.


Setting this restriction to false doesn’t disable CRL and OCSP checks.

iOS 7.0+

iPadOS 7.0+


Application Settings

App Store Settings
Allow installing Apps
If disabled, the system disables the App Store, and its icon is removed from the Home screen.

Users are effectively unable to install or update their apps.

This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

MDM commands can override this restriction.

iOS 7.0+

iPadOS 7.0+


Allow installing Apps through the App Store
If disabled, the system disables the App Store, and its icon is removed from the Home screen.

However, users can continue to use host apps such as iTunes or Configurator to install or update their apps.

MDM commands can override this restriction.

*Note: if 'Allow installing Apps' is disabled, this policy has no effect.

iOS 9.0+

iPadOS 9.0+


Allow installing Apps through Alternative Marketplace
If disabled, the system prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.

*Note: if 'Allow installing Apps' is disabled, this policy has no effect.

iOS 17.4+

iPadOS 17.4+


Allow automatic install of apps purchased on other devices
If disabled, the system prevents automatic downloading of apps purchased on other devices. This setting doesn’t affect updates to existing apps.

*Note: if 'Allow installing Apps' is disabled, this policy has no effect.

iOS 9.0+

iPadOS 9.0+


Allow In-app Purchases
If false, the system prohibits in-app purchasing.

iOS 4.0+

iPadOS 4.0+


Allow App Clips
If disabled, the system prevents a user from adding any App Clips, and removes any existing App Clips on the device.

App Clip - A small part of an app that lets you perform a task quickly without having to launch the application. Usually done through QR code / NFC tag scanning. App Clips can also be found for certain locations in Maps, on the web through Safari, or sent via Messages.

iOS 14.0+

iPadOS 14.0+


Allow trust of unknown App authors
If disabled, the system removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, which prevents provisioning apps by universal provisioning profiles.

This restriction applies to free developer accounts or Enterprise apps that weren't installed via the MDM.

However, it doesn’t apply to enterprise app developers, because they’re trusted and the system installed their apps through MDM. It also doesn’t revoke previously granted trust.

iOS 9.0+

iPadOS 9.0+


Allow App Removal
If disabled, the system disables removal of apps from the device.

This also applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

iOS 4.2.1+

iPadOS 4.2.1+


Allow System App Removal
If disabled, the system disables the removal of system apps from the device.

iOS 11.0+

iPadOS 11.0+



Application Settings
Allow Apple Music
If disabled, the system disables the Music service, i.e. removes the 'Home' tab from the Apple Music app.

iOS 9.3+

iPadOS 9.3+


Allow Apple Music Radio
If disabled, the system disables Apple Music Radio, i.e. removes the 'Radio' tab from the Apple Music app.

iOS 9.3+

iPadOS 9.3+


Allow Apple iTunes
If disabled, the system disables the iTunes Music Store, and the system removes its icon from the Home screen.

Users can’t preview, purchase, or download content.

iOS 4.0+

iPadOS 4.0+


Allow Explicit Content on Apple iTunes
If disabled, the system hides explicit music or video content purchased from the iTunes Store. Additionally, explicit content is unable to be purchased.

Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store.


*Note: if 'Allow Apple iTunes' is disabled, this policy has no effect.

iOS 4.0+

iPadOS 4.0+


Allow Bookstore
If disabled, the system removes the Book Store tab from the Books app.

iOS 6.0+

iPadOS 6.0+


Allow Explicit Content on Bookstore
If disabled, the system prevents the user from downloading Apple Books media that’s tagged as erotica.

*Note: if 'Allow Bookstore' is disabled, this policy has no effect.

iOS 6.0+

iPadOS 6.0+


Allow Game Center
If disabled, the system disables Game Center, and the system removes its icon from the Home screen. The Game Center section is also removed from Settings. 

iOS 6.0+

iPadOS 6.0+


Allow Multiplayer Gaming
If disabled, the system prohibits multiplayer gaming.

*Note: if 'Allow Game Center' is disabled, this policy has no effect.

iOS 4.1+

iPadOS 4.1+


Allow adding Game Center Friends
If disabled, the system prohibits adding friends to Game Center.

*Note: if 'Allow Game Center' is disabled, this policy has no effect.

iOS 4.2.1+

iPadOS 4.2.1+


Allow Podcasts
If disabled, the system disables the Podcasts app and removes its icon from the Home screen.

iOS 8.0+

iPadOS 8.0+


Allow News
If disabled, the system disables the News app and removes its icon from the Home screen.

iOS 9.0+

iPadOS 9.0+


Allow Find My Devices
If disabled, the system disables the 'Find My Device' tab in the Find My app.

iOS 13.0+

iPadOS 13.0+

Allow Find My Friends
If disabled, the system disables the 'Find My Friends' tab in the Find My app.

iOS 13.0+

iPadOS 13.0+


Allow modifying Find My Friends Settings
If disabled, the system disables changes to Find My Friends settings from within the Find My app. 

iOS 7.0+

iPadOS 7.0+



Notification Settings
Allow modifying Notification Settings
If disabled, the system disables the ability for the user to modify notification settings.

iOS 9.3+

iPadOS 9.3+


App Notification Settings

  • Configure Notification Settings on a per-application level.


App Notification Settings (per app)
Bundle Identifier
The bundle identifier of the app to which to apply these notification settings.

iOS 9.3+

iPadOS 9.3+


Notifications Enabled
If enabled, notifications for this app are enabled.

iOS 9.3+

iPadOS 9.3+


Enable Badges
If enabled, notification badges for this app are enabled.

iOS 9.3+

iPadOS 9.3+


Enable Critical Alerts
If enabled, critical alerts that can ignore 'Do Not Disturb' and ringer settings for this app are enabled.

iOS 12.0+

iPadOS 12.0+


Enable Sounds
If enabled, notification sounds for this app are enabled.

iOS 9.3+

iPadOS 9.3+

Alert Type
The type of alert for notifications of this app.

None: No alert banner.

Temporary Banner: Alert banner that disappears after a few seconds.

Persistent Banner: Alert banner that remains on the screen until user dismisses it.
iOS 9.3+

iPadOS 9.3+


Grouping Type
The type of grouping for notifications of this app.

Automatic: Group notifications into app-specified groups.

By app: Group notifications into one group per app.

None: No grouping of notifications for this app.

iOS 12.0+

iPadOS 12.0+


Preview Type
The type of preview for this app's notifications. This key overrides the value at Settings > Notifications > Show Previews.

Always: Notification previews will be shown when the device is locked and unlocked.

When Unlocked: Previews will only be shown when the device is unlocked.

Never: Previews will never be shown.

iOS 14.0+

iPadOS 14.0+


Show in Car Play
If enabled, notifications for this application are enabled in Car Play.

iOS 12.0+

iPadOS 12.0+


Show in Lock Screen
If enabled, notifications for this application are enabled on the device lock screen.

iOS 9.3+

iPadOS 9.3+


Show in Notification Center
If enabled, notifications for this application are enabled in the Notification Center.

iOS 9.3+

iPadOS 9.3+



Safari Settings
Allow Safari
If disabled, the system prevents usage of the Safari web browser app, and removes its icon from the Home screen.

This setting also prevents users from opening web clips.

iOS 4.0+

iPadOS 4.0+


Allow Safari Autofill Features
If disabled, the system prevents the Safari AutoFill feature for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill.

iOS 4.0+

iPadOS 4.0+


Allow Safari to execute JavaScript
If disabled, the system prevents Safari from executing JavaScript. Certain web pages may not work as expected.

iOS 4.0+

iPadOS 4.0+


Allow Safari Popups
If disabled, Safari doesn't allow pop-up windows.

iOS 4.0+

iPadOS 4.0+

Allow users to accept untrusted TLS certificates
If disabled, the system automatically rejects untrusted HTTPS certificates without prompting the user.

iOS 5.0+

iPadOS 5.0+


Force Safari Fraud Warning
If enabled, the system enables Safari fraud warning.

iOS 4.0+

iPadOS 4.0+


Accept Cookies
Defines the conditions under which the device accepts cookies.

iOS 4.0+

iPadOS 4.0+



Classroom App Settings
Allow Remote Screen Observation
If disabled, the system disables remote screen observation by the Classroom app.

*Note: If the policy 'Allow screenshots and screen recording' is disallowed, the Classroom app doesn’t observe remote screens.

iOS 12.0+

iPadOS 12.0+


Force unprompted Screen Observation
If enabled, and 'Allow Students to Modify Screen Observation Permissions' is also true in the Education configuration profile, a student enrolled in a managed course through the Classroom app automatically gives permission to that course teacher’s requests to observe the student’s screen without prompting the student.

*Note: If the policy 'Allow Remote Screen Observation' is disabled, this setting has no effect.

iOS 11.0+

iPadOS 11.0+


Allow locking Apps / Device without prompting
If enabled, the system allows the teacher to lock apps or the device without prompting the student.

iOS 11.0+

iPadOS 11.0+


Automatically join classes without prompting
If enabled, the system automatically gives permission to the teacher’s requests to join without prompting the student.

iOS 11.0+

iPadOS 11.0+


Require Teacher permission to leave Unmanaged Classes
If enabled, a student enrolled in an unmanaged course through Classroom needs to request permission from the teacher to leave the course.

iOS 11.3+

iPadOS 11.3+
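
The "has no effect" notes in the policy tables above can be checked mechanically before a project is deployed. The following is an added example, not Ensemble MDM code: it assumes a project is available as a dictionary mapping the policy names used on this page to booleans (a hypothetical format) and reports explicitly set policies that another setting overrides. Following the screenshot restriction through to 'Force unprompted Screen Observation' is an inference from the two Classroom notes.

```python
from typing import Dict, List, NamedTuple, Optional


class Rule(NamedTuple):
    dependent: str                  # policy whose setting is ignored or overridden
    controller: str                 # policy that decides whether it applies
    inert_when: bool                # controller value that makes the dependent inert
    only_if: Optional[bool] = None  # report only when the dependent has this value
    certain: bool = True            # False where the page only says "may"


class Finding(NamedTuple):
    policy: str
    controller: str
    certain: bool


APPS = "Allow installing Apps"
GAMES = "Allow Game Center"
OPEN_IN = "Allow data from Managed Sources in Unmanaged Destinations"
OBSERVE = "Allow Remote Screen Observation"

# Transcribed from the notes on this page, keyed by the page's policy names.
RULES = [
    Rule("Allow installing Apps through the App Store", APPS, False),
    Rule("Allow installing Apps through Alternative Marketplace", APPS, False),
    Rule("Allow automatic install of apps purchased on other devices", APPS, False),
    Rule("Allow Explicit Content on Apple iTunes", "Allow Apple iTunes", False),
    Rule("Allow Explicit Content on Bookstore", "Allow Bookstore", False),
    Rule("Allow Multiplayer Gaming", GAMES, False),
    Rule("Allow adding Game Center Friends", GAMES, False),
    Rule(OBSERVE, "Allow Screenshots and Screen Recording", False, only_if=True),
    Rule("Force unprompted Screen Observation", OBSERVE, False),
    Rule("Force on-device only dictation", "Allow Dictation", False),
    Rule("Allow Managed Apps to write contacts to Unmanaged contact accounts", OPEN_IN, True),
    Rule("Allow Unmanaged apps to read contacts from Managed contact accounts", OPEN_IN, True),
    Rule("Allow FaceTime", "Allow Camera", False, only_if=True, certain=False),
]


def effective(policy: str, policies: Dict[str, bool], _seen: tuple = ()) -> Optional[bool]:
    """Value the device will honour for `policy`; None when the project leaves it unset."""
    value = policies.get(policy)
    if value is None or policy in _seen:
        return value
    for rule in RULES:
        # A parent that is (effectively) disabled switches the whole feature off.
        # Chaining through an overridden parent is an inference, not a statement on the page.
        if (rule.dependent == policy and rule.certain and rule.inert_when is False
                and effective(rule.controller, policies, _seen + (policy,)) is False):
            return False
    return value


def lint_project(policies: Dict[str, bool]) -> List[Finding]:
    """Report explicitly set policies that another policy in the project overrides."""
    findings = []
    for rule in RULES:
        setting = policies.get(rule.dependent)
        if setting is None:
            continue                      # not configured, nothing to report
        if rule.only_if is not None and setting != rule.only_if:
            continue                      # e.g. FaceTime already disabled on purpose
        if effective(rule.controller, policies) == rule.inert_when:
            findings.append(Finding(rule.dependent, rule.controller, rule.certain))
    return findings


# Constructed sample project; the dictionary format is an assumption for this example.
SAMPLE_PROJECT = {
    "Allow installing Apps": False,
    "Allow installing Apps through Alternative Marketplace": True,
    "Allow Dictation": True,
    "Force on-device only dictation": True,
    "Allow Screenshots and Screen Recording": False,
    "Allow Remote Screen Observation": True,
    "Force unprompted Screen Observation": True,
    "Allow Camera": False,
    "Allow FaceTime": True,
    OPEN_IN: True,
    "Allow Managed Apps to write contacts to Unmanaged contact accounts": False,
    "Allow Game Center": True,
    "Allow Multiplayer Gaming": False,
}

if __name__ == "__main__":
    for f in lint_project(SAMPLE_PROJECT):
        verdict = "has no effect" if f.certain else "may be overridden"
        state = effective(f.controller, SAMPLE_PROJECT)
        print(f"{f.policy!r} {verdict}: {f.controller!r} is effectively {state}")
```

In the sample, the contact-write restriction is the finding to act on first: it is set to false, but because managed-to-unmanaged data flow is allowed, the page states the restriction has no effect.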



Education Configuration
Organization Name
The organization’s display name. The system displays this name in the iOS login screen.

iOS 9.3+

iPadOS 9.3+


Organization UUID
The organization’s UUID identifier. This identifier can be any valid UUID. All teacher and student devices that need to communicate with one another must have the same organization UUID, particularly if they originated from different Device Enrollment Programs.

iOS 9.3+

iPadOS 9.3+


User Identifier 
The unique string that identifies the user of this device within the organization.

iOS 9.3+

iPadOS 9.3+


Allow Students to Modify Screen Observation Permissions
If enabled, the system allows students enrolled in managed classes to modify their teacher’s permissions for screen observation on their device.

iOS 9.3+

iPadOS 9.3+


Identity Certificate 
The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices.

This property supports PKCS12 certificates.

Required to configure the Classroom app. Has no effect on the configuration of the Shared iPad login screen.

iOS 9.3+

iPadOS 9.3+


Resource Identity Certificate
The UUID of an identity certificate payload within the same profile that the system uses to perform client authentication when fetching additional resources, such as student images.

If set, the system uses this key to configure both Classroom and the Shared iPad login screen. If not set, the system uses MDM client identity.

iOS 9.3+

iPadOS 9.3+


Leader Certificate(s)
The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize leader peer certificate identities.

This array needs to contain all necessary certificates to validate the entire chain of trust. Leader certificates need to have the common name prefix leader, which is case insensitive.

This property doesn’t support identity payloads or PKCS12 certificates.

Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen.

iOS 9.3+

iPadOS 9.3+


Member Certificate(s)
The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize group member peer certificate identities.

This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive). This property doesn’t support identity payloads or PKCS12 certificates.

Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen.

iOS 9.3+

iPadOS 9.3+


Departments
For shared iPad profiles: The array of dictionaries that defines which departments the system displays in the Shared iPad login screen.

If set, the system uses this key to configure both Classroom and the Shared iPad login screen.

iOS 9.3+

iPadOS 9.3+


Device Groups
For leader/teacher profiles: The array of dictionaries that defines which device groups the leader can assign devices to. Not included in member payloads.

iOS 9.3+

iPadOS 9.3+


Groups
For shared iPad profiles: The array of dictionaries that defines which groups the user can select in the login window.

For leader/teacher profiles: The array of dictionaries that defines the groups that the user can control.

For member/student profiles: The array of dictionaries that defines the groups where the user is a member.

iOS 9.3+

iPadOS 9.3+


Users
For shared iPad profiles: The array of dictionaries that define the users that the system displays in the iOS login window.

For leader/teacher profiles: The array of dictionaries that define users that are members of the teacher’s groups.

For member/student profiles: The array of dictionaries that needs to contain the definition of the user specified in the UserIdentifier key. With one-to-one member devices, this key should include only the device user and the teacher but not other class members.

iOS 9.3+

iPadOS 9.3+



Blocked Apps

  • If present, the system prevents showing or launching apps with bundle IDs in this list.
  • Include the value com.apple.webapp to restrict all webclips.
  • This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

    *Note: Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP).


            Supported Versions:

                iOS 15.0+
                iPadOS 15.0+



Allowed Apps

  • If present, the system only shows or can launch apps with bundle IDs in this list.
  • The Settings and Phone apps will also be enabled in addition to apps on this list.
  • Include the value com.apple.webapp to allow all webclips.
  • This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc).

            Supported Versions:

                iOS 15.0+
                iPadOS 15.0+


Allowed content ratings - Apps

  • The maximum level of app content allowed on the device. 
  • Apps that have a higher designated rating are hidden from the App Store and removed from the Home Screen if installed.
  • Pre-installed (first party) apps may ignore this restriction.         


            Supported Versions:

                iOS 4.0+
                iPadOS 4.0+


Media Settings
Ratings Region
The region for which to display the proper content ratings.

iOS 4.0+

iPadOS 4.0+


Allowed content ratings - Movies
The maximum level of movie content allowed on the device.


Movie content with a higher designated rating is hidden from the Apple TV app, and removed from the 'Library' section if installed prior to setting this policy.

iOS 4.0+

iPadOS 4.0+


Allowed content ratings - TV Shows
The maximum level of TV content allowed on the device.


TV Show content with a higher designated rating is hidden from the Apple TV app, and removed from the 'Library' section if installed prior to setting this policy.

iOS 4.0+

iPadOS 4.0+



Update Settings


Update Settings
Defer Software Updates
If enabled, the system delays user visibility of software updates.

The default delay is 30 days unless you set 'Defer Software Updates Delay (in days)' to another value.


See below.


iOS 11.3+

iPadOS 11.3+


Defer Software Updates Delay (in days)
How many days to delay a software update on the device. With this restriction in place, the user doesn’t see a software update until the specified number of days after the software update release date.

iOS 11.3+

iPadOS 11.3+

Allow Rapid Security Response Installation
If disabled, the system prohibits installation of rapid security responses.

iOS 16.0+

iPadOS 16.0+

Allow Rapid Security Response Removal
If disabled, the system prohibits removal of rapid security responses.

iOS 16.0+

iPadOS 16.0+


Backup / iCloud Settings
Force Encrypted Backups
If enabled, the system encrypts all backups.

iOS 4.0+

iPadOS 4.0+

Allow iCloud Backup
If disabled, the system disables backing up the device to iCloud.

The option to 'Back Up This Device' becomes unavailable in System Settings.

iOS 5.0+

iPadOS 5.0+

Allow iCloud Drive / Document sync
If disabled, the system disables iCloud Document and Drive syncing to iCloud.


iCloud Drive is removed from the list of Apps using iCloud (found in the iCloud section of System Settings).


*Note: Re-enabling this policy after it has been disabled requires the user to physically turn iCloud Drive back on in the list of Apps using iCloud (found in the iCloud section of System Settings).


Has no effect on Shared iPad.

iOS 5.0+

iPadOS 5.0+


Allow iCloud Keychain sync
If disabled, the system disables iCloud Passwords and keychain synchronization.

*Note: Re-enabling this policy after it has been disabled requires the user to physically turn Passwords and Keychain back on in the list of Apps using iCloud (found in the iCloud section of System Settings).

iOS 7.0+

iPadOS 7.0+

Allow iCloud to sync Managed App data
If disabled, the system prevents managed apps from using iCloud sync.

iOS 8.0+

iPadOS 8.0+

Allow iCloud to backup Enterprise Managed Books
If disabled, the system disables backup of Enterprise books.

iOS 8.0+

iPadOS 8.0+

Allow iCloud to sync Enterprise Managed Books, Notes, and Highlights
If disabled, the system disables sync of Enterprise books, notes, and highlights.

iOS 8.0+

iPadOS 8.0+

Allow iCloud Photo Sharing
If disabled, the system disables Photo Sharing and joining shared photo libraries.

iOS 6.0+

iPadOS 6.0+

Allow iCloud Photo Library
If disabled, the system disables iCloud Photo Library.

The system removes any photos from local storage that aren’t fully downloaded from iCloud Photo Library to the device.

iOS 9.0+

iPadOS 9.0+


Allow iCloud Private Relay
If disabled, the system disables iCloud Private Relay.

iOS 15.0+

iPadOS 15.0+


Security Settings

Security Settings
Allow Factory Reset
If disabled, the system disables the 'Erase All Content and Settings' option in the Reset section of options.

iOS 8.0+

iPadOS 8.0+


Allow Booting into Recovery from Unpaired Device
If enabled, the system allows unpaired (untrusted) devices to boot the device into recovery.

iOS 14.5+

iPadOS 14.5+

Allow User Installation of Configuration Profiles
If disabled, the system prohibits the user from installing configuration profiles and certificates interactively.

When you set this restriction, users can't install profiles from email messages or websites. This includes the profile that enrolls the device in the iOS Beta Software Program. It also prevents users from enabling beta updates in Settings. You can still use Apple Configurator or MDM to install profiles on the devices you manage. 

iOS 6.0+

iPadOS 6.0+


Allow setting up new nearby iOS devices
If disabled, the system disables the prompt to set up new devices that are nearby.


*Note: This policy has no effect during device setup, as the profile is installed after setup.

iOS 11.0+

iPadOS 11.0+



Password Restrictions
Allow modifying Password
If disabled, the system prevents users from adding, changing, or removing the password. The 'Face ID & Passcode' section becomes hidden in System Settings. Any password settings applied before this restriction remain in effect.

*Note: The system ignores this restriction on Shared iPad.

iOS 9.0+

iPadOS 9.0+


Allow modifying Touch ID Fingerprint / Face ID
If disabled, the system prevents the user from modifying Touch ID or Face ID settings.

iOS 8.3+

iPadOS 8.3+


Allow Touch ID Fingerprint / Face ID for Device Unlock
If disabled, the system prevents Touch ID or Face ID from unlocking a device.

iOS 7.0+

iPadOS 7.0+


Allow Password Autofill
If disabled, the system disables:

-The AutoFill Passwords feature in iOS, with Keychain and third-party password managers.

-Prompting the user to use a saved password in Safari or in apps.

-Automatic strong passwords.

-Suggesting strong passwords to users.

However, if disabled, the system doesn’t prevent AutoFill for contact info and credit cards in Safari.

iOS 12.0+

iPadOS 12.0+


Require Touch ID / Face ID Authentication for Password Autofill
If enabled, the user needs to authenticate before the system can autofill passwords or credit card information in Safari and apps.

If this restriction isn’t enforced, the user can toggle this feature in Settings.

Only supported on devices with Face ID or Touch ID.

iOS 11.0+

iPadOS 11.0+


Allow Apple Watch to Auto-unlock Device
If disabled, the system disallows auto unlock via paired Apple Watch.

iOS 14.5+

iPadOS 14.5+


Allow Proximity-based Password Sharing Requests
If disabled, the system disables requesting passwords from nearby devices.

iOS 12.0+

iPadOS 12.0+


Allow Password Sharing
If disabled, the system disables sharing passwords with the AirDrop Passwords feature.


Password Settings
Require Device Password
If enabled, the system forces the user to enter a Password / PIN for Device Unlock.

iOS 4.0+

iPadOS 4.0+


Require Alphanumeric Password
If enabled, the system requires additional alphabetic characters instead of only numeric characters.

iOS 4.0+

iPadOS 4.0+

Allow Simple Password
If disabled, the system prevents use of a simple password. A simple password contains repeated characters, or increasing or decreasing characters (such as 123 or CBA).

iOS 4.0+

iPadOS 4.0+


Minimum Password Length
The minimum overall length of the password. This value is independent of the value for 'Minimum Complex Characters'.

Min: 0, Max: 16

iOS 4.0+

iPadOS 4.0+


Minimum Complex Characters
The minimum number of complex characters that a password needs to contain.

A complex character is a character other than a number or a letter, such as &, %, $, and #.

The system ignores this property for User Enrollments.

Min: 0, Max: 4

iOS 4.0+

iPadOS 4.0+


Minimum Successive Unique Passwords
This value defines N, where the new password must be unique within the last N entries of the device's password history.

Min: 1, Max: 50

iOS 4.0+

iPadOS 4.0+


Maximum Password Age (in days)
The number of days for which the password can remain unchanged.

After this number of days, the system forces the user to change the password before it unlocks the device.

Min: 0, Max: 730 (2 years)

iOS 4.0+

iPadOS 4.0+


Maximum Failed Attempts
The number of allowed failed attempts to enter the password at the device’s lock screen.

After six failed attempts, the system imposes a time delay before a password can be entered again. The delay increases with each attempt.

When this number is exceeded in iOS, the system wipes the device.

Min: 2, Max: 11

iOS 4.0+

iPadOS 4.0+


Maximum Inactivity before Device Lock (in minutes)
The maximum number of minutes for which the device can be idle without the user unlocking it, before the system locks it. When this limit is reached, the system locks the device and the password is required to unlock it.

The user can edit this setting, but can’t set it higher than this value.

When set on User Enrolled devices, the never option in the Settings UI is removed.

Min: 0, Max: 15

iOS 4.0+

iPadOS 4.0+


Maximum Grace Period for Device Unlock (in minutes)
The maximum grace period, in minutes, to unlock the phone without entering a password.

The default is 0, which is no grace period and requires a password immediately.

Min: 0, Max: None

iOS 4.0+

iPadOS 4.0+
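The ranges and notes in the Password Settings table above can be checked before a project is deployed. The following is an added example, not Ensemble's own code: the dictionary keys reuse the policy names from this page, while the function name, the `user_enrollment` parameter and the sample values are assumptions made for illustration.

```python
# (min, max) bounds as documented on this page; None means no documented maximum.
RANGES = {
    "Minimum Password Length": (0, 16),
    "Minimum Complex Characters": (0, 4),
    "Minimum Successive Unique Passwords": (1, 50),
    "Maximum Password Age (in days)": (0, 730),
    "Maximum Failed Attempts": (2, 11),
    "Maximum Inactivity before Device Lock (in minutes)": (0, 15),
    "Maximum Grace Period for Device Unlock (in minutes)": (0, None),
}


def audit_password_settings(settings, user_enrollment=False):
    """Return (errors, warnings) for a dict mapping policy name -> value."""
    errors, warnings = [], []
    valid = {}  # numeric policies that passed the range check

    for name, (low, high) in RANGES.items():
        if name not in settings:
            continue
        value = settings[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            errors.append(f"{name}: expected a whole number, got {value!r}")
        elif value < low or (high is not None and value > high):
            errors.append(f"{name}: {value} is outside Min: {low}, Max: {high}")
        else:
            valid[name] = value

    # Warnings restate consequences that the table describes for each policy.
    if settings.get("Allow Simple Password") is True:
        warnings.append("Allow Simple Password: repeated or sequential "
                        "passwords such as 123 or CBA are accepted")
    grace = valid.get("Maximum Grace Period for Device Unlock (in minutes)", 0)
    if grace > 0:
        warnings.append(f"Maximum Grace Period: the device unlocks without a "
                        f"password for up to {grace} minutes")
    if user_enrollment and valid.get("Minimum Complex Characters", 0) > 0:
        warnings.append("Minimum Complex Characters: ignored for User Enrollments")
    attempts = valid.get("Maximum Failed Attempts")
    if attempts is not None:
        warnings.append(f"Maximum Failed Attempts: the device is wiped when "
                        f"{attempts} failed attempts are exceeded")
    return errors, warnings


# Constructed sample input with three out-of-range or mistyped values.
SAMPLE = {
    "Require Device Password": True,
    "Allow Simple Password": True,
    "Minimum Password Length": 20,            # above Max: 16
    "Minimum Complex Characters": 2,
    "Maximum Password Age (in days)": "90",   # string instead of a number
    "Maximum Failed Attempts": 1,             # below Min: 2
    "Maximum Grace Period for Device Unlock (in minutes)": 5,
}

if __name__ == "__main__":
    errs, warns = audit_password_settings(SAMPLE, user_enrollment=True)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```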



Certificate Settings


Connectivity Settings

Connectivity Settings
Allow USB Restricted Mode  
If disabled, the system allows iOS devices to always connect to USB accessories while locked.

If the system has Lockdown mode enabled, it ignores this value.

iOS 11.4.1+

iPadOS 11.4.1+


Allow Files USB Drive Access 
If disabled, the system prevents connecting to any connected USB devices in the Files app.

iOS 13.1+

iPadOS 13.1+



Allow Files Network Drive Access

If disabled, the system prevents connecting to network drives in the Files app.

iOS 13.1+

iPadOS 13.1+



Allow NFC / ApplePay


If disabled, the system disables NFC.

*Note: ApplePay requires NFC enabled.

iOS 14.2+

iPadOS 14.2+



 

Allow Host Pairing


If disabled, the system disables host pairing with the exception of the supervision host.

If there’s no configured supervision host certificate, the system disables all pairing.

Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC.

iOS 7.0+

iPadOS 7.0+


Allow modifying Bluetooth Settings


If disabled, the system prevents modification of Bluetooth settings. 

iOS 11.0+

iPadOS 11.0+



Wi-Fi Network Settings

Force Wi-Fi Power On

If enabled, the system prevents turning off the Wi-Fi radio from the Control Center, from within System Settings, and when entering airplane mode. It doesn’t prevent selecting which Wi-Fi network to use.

iOS 13.0+

iPadOS 13.0+



Join only Wi-Fi networks installed by Configuration Profile


If enabled, the system limits the device to only join Wi-Fi networks set up through a configuration profile.


*Warning: If the device is not connected to Wi-Fi / cellular data, a Factory Data Reset may be required to restore Wi-Fi connection.

iOS 14.5+

iPadOS 14.5+



Wi-Fi Configuration

Manage Wi-Fi configuration

Loads a Wi-Fi network onto the device so that it connects automatically when in range.

iOS 4.0+

iPadOS 4.0+



VPN Settings
Allow modifying VPN Configurations
If disabled, the system disallows the creation of VPN configurations. Existing VPN configurations may still be modified, but cannot be deleted.

iOS 4.0+

iPadOS 4.0+


Manage VPN Configuration
Add, remove, or edit VPN Configurations.

iOS 4.0+

iPadOS 4.0+



Manage App-Layer VPN configurations


iOS 4.0+

iPadOS 4.0+


Manage VPN Configurations

Setting Up an IKEv2 VPN

Navigate to Policies > Connectivity Settings
Scroll down to VPN Settings
Click Manage VPN Configurations
Click the plus (+) in the top-right corner of the Manage VPN Configurations dialog.


Step 1: General Settings

  1. For Display Name, enter a name for your VPN connection (e.g., "My VPN").

  2. In the VPN Type dropdown, select IKEv2.

  3. Leave the VPN Subtype field empty unless instructed otherwise by your VPN service provider.

  4. Click Next to continue.


Step 2: Authentication Settings (IKEv2 Settings)

You'll need to configure one of the following methods based on your VPN.

  • Server Address: Input the VPN server address provided to you by your VPN service provider.

  • Server Identifier: Enter the same address as the Server Address unless instructed otherwise.

  • 2a. Username and Password (EAP-only Authentication)

    • If your VPN service provides a username and password for authentication:

    • Select None for Authentication Method.

    • Check the box for Enable EAP-only Authentication.

    • Enter your EAP Authentication Username and EAP Authentication Password provided by your VPN service.

    • Proceed to Step 3.

  • 2b. Shared Secret (Pre-shared key for IKEv2)

    • If your VPN uses a shared secret for authentication:

    • In the Authentication Method dropdown, select Shared-Secret.

    • Enter the shared secret (PSK) provided by your VPN service into the Shared Secret field.

    • Leave the EAP-only Authentication box unchecked.

    • Proceed to Step 3.

  • 2c. Certificate-based Authentication

    • If your VPN uses certificates:

    • In the Authentication Method dropdown, select Certificate.

    • Ensure that your certificate is added to the project certificates table.

    • Under Identity Certificate, choose the correct certificate.

    • If EAP-TLS is required, check the box for EAP-only Authentication, otherwise leave it unchecked.

    • Proceed to Step 3.

Step 3: DNS Settings

  • If your VPN service provider has given you DNS server details:

  • Select the DNS Protocol (if provided).

  • Note: In the following fields, press TAB or ENTER after each entry to confirm it.

  • Enter any Search Domains (typically the Server Address from the previous steps).

  • Enter the Server Addresses (e.g., 1.1.1.1, 1.0.0.1).

  • Input the Domain Name or Supplemental Match Domain if specified by your VPN service.

Step 4: Proxy Settings (Optional)

  • If your VPN service requires the use of a proxy:

  • Check the Enable HTTP Proxy or Enable HTTPS Proxy as applicable.

  • Enter the HTTP/S Proxy server URL and HTTP/S Proxy Port.

  • Enter any Supplemental Match Domains as required.

  • You may leave these unchecked if your VPN does not use a proxy.

Step 5: Review and Save

  1. Review all the settings you've entered to ensure accuracy.

  2. Click Save to finalize the VPN configuration.

Setting Up an IPSec VPN


Step 1: General Settings

  1. For Display Name, enter a name for your VPN connection (e.g., "My VPN").
  2. In the VPN Type dropdown, select IPSec.
  3. Leave the VPN Subtype field empty unless otherwise instructed by your VPN service provider.
  4. Click Next to continue.


Step 2: Authentication Settings (IPSec Settings)

  • You'll need to configure one of the following methods based on your VPN.
  • Server Address: Input the VPN server address provided to you by your VPN service provider.
  • 2a. Username and Pre-shared Key (PSK)
    • If your VPN requires a username and secret or pre-shared key for authentication:
    • Check the box to Enable XAUTH.
    • Enter the Username and Password provided by your VPN service.
    • Optionally check Prompt for Password to be prompted for the password each time you connect.
    • From the Authentication Method dropdown select Shared-Secret.
    • Enter the Group Name. If not provided, enter "default".
    • Enter the pre-shared key or secret into Shared Secret.
    • Proceed to Step 3.
  • 2b. Certificate-based Authentication
    • If your VPN uses certificate-based authentication:
    • Check the box to Enable XAUTH.
    • Enter the Username and Password provided by your VPN service.
    • Optionally check Prompt for Password to be prompted for the password each time you connect.
    • From the Authentication Method dropdown select Certificate.
    • Select the Certificate associated with your VPN service.
      Certificates may be added in Company > Content > Certificates.
      Add the certificate to your project in the Certificates menu.


Step 3: DNS Settings

  • If your VPN service provider has given you DNS server details:
  • Select the DNS Protocol (if provided).
  • Note: In the following fields, press TAB or ENTER after each entry to confirm it.
  • Enter any Search Domains (typically the Server Address from the previous steps).
  • Enter the Server Addresses (e.g., 1.1.1.1, 1.0.0.1).
  • Input the Domain Name or Supplemental Match Domain if specified by your VPN service.


Step 4: Proxy Settings (Optional)

  • If your VPN service requires the use of a proxy:
  • Check the Enable HTTP Proxy or Enable HTTPS Proxy as applicable.
  • Enter the HTTP/S Proxy server URL and HTTP/S Proxy Port.
  • Enter any Supplemental Match Domains as required.
  • You may leave these unchecked if your VPN does not use a proxy.


Step 5: Review and Save

  1. Review all the settings you've entered to ensure accuracy.
  2. Click Save to finalize the VPN configuration.
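The IKEv2 and IPSec procedures above each accept only certain combinations of fields (2a, 2b, 2c for IKEv2; 2a, 2b for IPSec). The following added example, which is not part of Ensemble, checks a planned configuration against those combinations before it is typed into the dialog. The dictionary keys reuse the field labels from this page; the function name and all sample values are assumptions.

```python
import ipaddress


def lint_vpn(cfg):
    """Return a list of problems; an empty list means the entry follows one documented path."""
    problems = []
    vpn_type = cfg.get("VPN Type")
    method = cfg.get("Authentication Method")

    if not cfg.get("Server Address"):
        problems.append("Server Address is required")

    if vpn_type == "IKEv2":
        eap_only = bool(cfg.get("Enable EAP-only Authentication"))
        if method == "None":                                   # path 2a
            if not eap_only:
                problems.append("2a: check Enable EAP-only Authentication")
            if not (cfg.get("EAP Authentication Username")
                    and cfg.get("EAP Authentication Password")):
                problems.append("2a: EAP username and password are required")
        elif method == "Shared-Secret":                        # path 2b
            if not cfg.get("Shared Secret"):
                problems.append("2b: Shared Secret is empty")
            if eap_only:
                problems.append("2b: leave EAP-only Authentication unchecked")
        elif method == "Certificate":                          # path 2c
            if not cfg.get("Identity Certificate"):
                problems.append("2c: choose an Identity Certificate")
        else:
            problems.append(f"IKEv2: unknown Authentication Method {method!r}")
    elif vpn_type == "IPSec":
        # Both IPSec paths on this page enable XAUTH and supply a username.
        if not cfg.get("Enable XAUTH"):
            problems.append("IPSec: check Enable XAUTH")
        if not cfg.get("Username"):
            problems.append("IPSec: Username is required")
        if not (cfg.get("Password") or cfg.get("Prompt for Password")):
            problems.append("IPSec: enter a Password or check Prompt for Password")
        if method == "Shared-Secret":                          # path 2a
            if not cfg.get("Shared Secret"):
                problems.append("2a: Shared Secret is empty")
            if not cfg.get("Group Name"):
                problems.append('2a: Group Name is empty; enter "default" if none was provided')
        elif method == "Certificate":                          # path 2b
            if not cfg.get("Certificate"):
                problems.append("2b: select the Certificate for the VPN service")
        else:
            problems.append(f"IPSec: unknown Authentication Method {method!r}")
    else:
        problems.append(f"unsupported VPN Type {vpn_type!r}")

    # Step 3: DNS Server Addresses must be literal IP addresses such as 1.1.1.1.
    for addr in cfg.get("Server Addresses", []):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"DNS Server Addresses: {addr!r} is not an IP address")
    return problems


# Constructed sample entries.
GOOD_IKEV2 = {
    "VPN Type": "IKEv2", "Server Address": "vpn.example.com",
    "Authentication Method": "Shared-Secret", "Shared Secret": "constructed-psk",
    "Server Addresses": ["1.1.1.1", "1.0.0.1"],
}
BAD_IKEV2 = dict(GOOD_IKEV2, **{"Enable EAP-only Authentication": True,
                                "Server Addresses": ["1.1.1"]})
IPSEC_NO_GROUP = {
    "VPN Type": "IPSec", "Server Address": "vpn.example.com",
    "Enable XAUTH": True, "Username": "alice", "Prompt for Password": True,
    "Authentication Method": "Shared-Secret", "Shared Secret": "constructed-psk",
}

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_IKEV2), ("bad", BAD_IKEV2), ("ipsec", IPSEC_NO_GROUP)]:
        print(name, lint_vpn(cfg))
```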



Apple Watch Settings
Allow Apple Watch Pairing
Disable this to prevent the managed device from pairing with an Apple Watch.

iOS 4.0+

iPadOS 4.0+


Force Apple Watch Wrist detection
 If this policy is enabled, the user cannot turn off Wrist detection. Wrist detection is used to automatically lock the watch when it's removed from your wrist. 

iOS 4.0+

iPadOS 4.0+


Sharing Settings
Allow HandOff
  
 

If disabled, Handoff will be disabled in settings and the user cannot enable it.


Handoff lets you start something on one device and instantly pick it up on other devices using your iCloud account. The app you need appears in the app switcher and in the Dock on a Mac.


iOS 4.0+

iPadOS 4.0+


Allow iPhone Widget on Shared Mac 
If this is disabled, a Mac using the same iCloud account cannot display widgets from this iPhone on the desktop.

From the shared Mac | System Settings | Desktop & Dock | Widgets, if the disabled iPhone is selected, the Mac still cannot select a widget from it to add to the desktop. Any existing widgets will disappear from the desktop if this policy is disabled.

iOS 4.0+

iPadOS 4.0+



Allow Shared iPad Temporary Sessions

To start a temporary session on a Shared iPad (Shared iPad allows more than one user to sign in to an iPad), tap Guest at the login screen. No username or password is necessary.


When the guest logs out, all their data—including browsing history—is deleted. In a temporary session, any user can unlock and access the iPad without a password.


Note: because there isn't a Managed Apple Account:

- apps that use or require iCloud or cloud-based storage may not be supported.

- users can’t sign in to Messages or the App Store.

- purchased books can’t be assigned in a temporary session on Shared iPad.

iOS 4.0+

iPadOS


Airplay Settings

Require password on first outgoing AirPlay pairing
 
If this policy is enabled, the device being streamed to will display a code for the managed device to enter before streaming. If the target device requires a passcode on first connection, the passcode will be required even if this policy is disabled.

Note: the target device may have stricter requirements for pairing, such as requiring the passcode on every connection or requiring a password (see Device Passwords below).

iOS 4.0+

iPadOS 4.0+


 Device Allow List 
Create a list of devices that the managed device is allowed to stream to. Other nearby devices will not appear in the device selection list when attempting to use AirPlay.

iOS 4.0+

iPadOS 4.0+



Device Passwords 

Devices that support AirPlay can be configured to require a password. Include that password with the device name here to allow the managed device to connect without requiring the user to enter the password.

iOS 4.0+

iPadOS


Apple TV Remote
Allowed Apple TVs
Create a list of Apple TVs (MAC address and device name) that the Apple TV Remote application on these managed devices can connect to.

iOS 4.0+

iPadOS



AirDrop Settings

Allow AirDrop
  
 
AirDrop allows Apple devices to share and receive photos, documents and more with nearby Apple devices. If this policy is disabled, the device cannot send or receive any data via AirDrop.

iOS 4.0+

iPadOS 4.0+


Treat AirDrop as Unmanaged Destination
If enabled, this prevents managed apps from using AirDrop to send data.

iOS 4.0+

iPadOS 4.0+



Network Settings

Cellular Settings
Allow modifying Personal Hotspot
This disables/allows the ability to manually modify the Hotspot settings of the device.

iOS 4.0+

iPadOS 4.0+


Allow modifying Cellular Plan Settings 
Disabling this prevents the user from using the Network Selection option under Cellular settings.

iOS 4.0+

iPadOS 4.0+



Allow modifying Application Cellular Data Usage Settings

 This disables/allows the ability to toggle on and off application data usage in the cellular settings of the device.

iOS 4.0+

iPadOS 4.0+


Allow automatic sync while roaming

If not allowed, background syncing will be disabled while roaming.

iOS 4.0+

iPadOS 4.0+

Allow modifying eSIM Settings
Disables/allows access to the eSIM settings in the cellular settings of the device.

iOS 11.0+

iPadOS 11.0+

Force Preserve eSIM on Factory Reset 

If true, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset.


*Note: The system doesn’t preserve eSIM if the Find My app initiates erasing the device.

iOS 17.2+

iPadOS 17.2+


APN Configuration
Name
The access point name.

iOS 7.0+

iPadOS 7.0+

Authentication Type
The authentication type for logging in. Can be CHAP or PAP.

iOS 7.0+

iPadOS 7.0+

Username
The user name for the APN.

iOS 7.0+

iPadOS 7.0+

Password
The user’s password for the APN.

iOS 7.0+

iPadOS 7.0+

Proxy Server
The proxy server’s address.

iOS 7.0+

iPadOS 7.0+

Proxy Port
The proxy server’s port number.

iOS 7.0+

iPadOS 7.0+

Enable XLAT464
XLAT464 is an IPv6 transition technology.

iOS 7.0+

iPadOS 7.0+

Supported IP Version
The Internet Protocol versions that the system supports while on the network.

iOS 7.0+

iPadOS 7.0+

Supported IP Version while Roaming
The Internet Protocol versions that the system supports while roaming.

iOS 7.0+

iPadOS 7.0+

Supported IP Version while Domestic Roaming
The Internet Protocol versions that the system supports while domestic roaming.

iOS 7.0+

iPadOS 7.0+

Is Default APN
If true, the system makes this the Default APN Configuration and creates an attach APN from these values.

Only one APN can be made default.

iOS 7.0+

iPadOS 7.0+



Network Usage Rules

Application Rules
This policy dictates whether an application is Allowed or Not Allowed to use cellular data or data while roaming.

iOS 17.0+

iPadOS 17.0+


SIM Rules

This policy lets you load an ICCID (the number on a SIM card) and control whether that SIM can use a Wi-Fi network for data connections.

iOS 17.0+

iPadOS 17.0+



Web Content Filtering

  • Use the Web Content Filter section to choose which websites the device can view. You can automatically filter out adult content, and then permit or deny access to specific sites. You can also set up a device so that it can view only specific websites and create bookmarks for those websites.  
  • Filter Type: Defines the type of filter, built-in or plug-in. In macOS, the system only supports the plug-in value.
    • Built-in: Simple filtering mechanism for filtering web content. This may also restrict access in Safari to clearing the browsing history and website data.
    • Plug-in: More advanced filtering mechanism for filtering web content. Requires a third-party application installed on the device.


Web Content Filtering: Built-in

Enable Auto Filter
-Web Content filter is Controlled by Apple. 
-If enabled, access to URLs that are flagged as adult is prohibited. Otherwise, addresses listed in 'Permitted URLs' ignore the filter and are allowed.
-Limits access to many adult websites automatically.

iOS 7.0+

iPadOS 7.0+

Permitted URLs

-A list of URLs that are accessible whether or not the automatic filter allows access.

-'Enable Auto Filter' must be enabled to use this feature.

-Add URLs to this list to permit access to certain websites, even if they’re considered adult by the automatic filter.

-If you leave this list empty, access is permitted to all nonadult websites except for those listed in Denied URLs.

iOS 7.0+

iPadOS 7.0+

Deny List URLs
-URLs found in this list are prohibited regardless of the state of the Auto Filter and what's permitted under 'Permitted URLs'.

iOS 7.0+

iPadOS 7.0+


Allow List Bookmarks

-A list of web addresses that define the pages that the user can bookmark or visit.


-This policy adds any URLs in the list to the browser’s bookmarks.


-The browser prevents the user from visiting any sites not bookmarked.


-The number of bookmarks on the allow list should be limited to about 500.


iOS 7.0+

iPadOS 7.0+
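The built-in filter policies above interact in a fixed order of precedence, which the following added example models so that a planned rule set can be checked against test URLs. This is not Ensemble's or Apple's code. Assumptions: Apple's automatic classification is not public, so a constructed set of flagged hosts stands in for it; URL matching is simplified to "same host, entry path is a prefix"; and evaluating the deny list before Allow List Bookmarks is an assumed ordering for the case where both are set.

```python
from urllib.parse import urlsplit

# Constructed stand-in for Apple's automatic classification (assumption).
CONSTRUCTED_FLAGGED_HOSTS = {"adult.example"}


def _parts(url):
    """Return (lowercased host, path); list entries may omit the scheme."""
    if "://" not in url:
        url = "http://" + url
    split = urlsplit(url)
    return (split.hostname or "").lower(), split.path or "/"


def _matches(url, entries):
    """Assumed matching rule: same host and the entry's path is a prefix."""
    host, path = _parts(url)
    for entry in entries:
        entry_host, entry_path = _parts(entry)
        if host == entry_host and path.startswith(entry_path):
            return True
    return False


def is_flagged(url):
    """Stand-in for the Apple-controlled adult-content decision."""
    return _parts(url)[0] in CONSTRUCTED_FLAGGED_HOSTS


def check_config(auto_filter, permitted=(), allow_list_bookmarks=()):
    """Flag settings that contradict the notes in the table above."""
    problems = []
    if permitted and not auto_filter:
        problems.append("Permitted URLs has entries but 'Enable Auto Filter' is off")
    if len(allow_list_bookmarks) > 500:
        problems.append("Allow List Bookmarks exceeds the suggested limit of about 500")
    return problems


def decide(url, auto_filter, permitted=(), denied=(),
           allow_list_bookmarks=(), flagged=is_flagged):
    """Return (verdict, policy responsible) for one URL."""
    # Deny List URLs win regardless of the Auto Filter and Permitted URLs.
    if _matches(url, denied):
        return ("deny", "Deny List URLs")
    # With Allow List Bookmarks set, only bookmarked sites can be visited.
    if allow_list_bookmarks:
        if _matches(url, allow_list_bookmarks):
            return ("allow", "Allow List Bookmarks")
        return ("deny", "not in Allow List Bookmarks")
    # The Auto Filter blocks flagged URLs unless Permitted URLs lists them.
    if auto_filter and flagged(url):
        if _matches(url, permitted):
            return ("allow", "Permitted URLs")
        return ("deny", "Enable Auto Filter")
    return ("allow", "no rule matched")


if __name__ == "__main__":
    url = "https://adult.example/page"
    print(decide(url, auto_filter=True))
    print(decide(url, auto_filter=True, permitted=["adult.example"]))
    print(decide(url, auto_filter=True, permitted=["adult.example"],
                 denied=["https://adult.example/"]))
    print(check_config(auto_filter=False, permitted=["adult.example"]))
```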



Web Content Filtering: Plug-in

Display Name
The display name for this filtering configuration. This will be shown under Device Management for the Web Content Filter in System Settings.

iOS 7.0+

iPadOS 7.0+


Plug-in Bundle Identifier

The bundle identifier of the plug-in that provides filtering service.


Applications need to be added to the project to show up here.


Alternatively, consult your filtering solution vendor to determine what to specify for this value.


iOS 7.0+

iPadOS 7.0+


Server Address
The server address, which may be the IP address, hostname, or URL for the service.

Consult your filtering solution vendor to determine what to specify for this value.

iOS 7.0+

iPadOS 7.0+


Organization
The name of the Organization to pass to the third-party plug-in.

iOS 7.0+

iPadOS 7.0+


User Name
The user name for the service.

iOS 7.0+

iPadOS 7.0+


Password
The password for the service.

iOS 7.0+

iPadOS 7.0+


Certificate
The certificate within the same profile that the system uses to authenticate the user to this service.

Certificates need to be added to the project for this option to show.

iOS 7.0+

iPadOS 7.0+


Filter Web Traffic
If enabled, the system enables filtering web traffic on all device internet browsers through the third-party plug-in.

iOS 7.0+

iPadOS 7.0+


Filter Sockets
If enabled, the system enables filtering socket traffic through the third-party plug-in.

iOS 7.0+

iPadOS 7.0+


Filter Data Provider Bundle Identifier
The bundle identifier string of the filter data provider system extension.

This identifies the filter data provider when the filter starts running.

Consult your filtering solution vendor to determine what to specify for this value.

iOS 7.0+

iPadOS 7.0+


Filter Data Provider Designated Requirements

The designated requirement string that the system embeds in the code signature of the filter data provider system extension.


This string identifies the filter data provider when the filter starts running.


Consult your filtering solution vendor to determine what to specify for this value. 

iOS 7.0+

iPadOS 7.0+


Vendor Config
The custom dictionary that the filtering service plug-in needs.


Consult your filtering solution vendor to determine what to specify for this value.

iOS 7.0+

iPadOS 7.0+



Global HTTP Proxy

  • Use the Global HTTP Proxy payload to specify a proxy for all HTTP traffic to and from an iPhone, iPad, Mac computer, or Apple TV device that’s enrolled in an MDM solution.
    • If you choose Manual proxy type, you need the proxy server address—including its port and optionally a user name and password—for logging in to the proxy server. 
    • If you choose Auto proxy type, you can enter a proxy auto-config (PAC) URL.

Global HTTP Proxy Settings - Manual


Proxy Server
The IP address of the proxy server. This is the address used to connect to the proxy server, where your admin sets the rules that filter content. The proxy server is not controlled by Ensemble; it is a separate service.

iOS 6.0+

iPadOS 6.0+

Proxy Port
The port on the proxy server through which data is processed and filtered. This is required when connecting to a proxy server.

iOS 6.0+

iPadOS 6.0+


Username
The user name used to authenticate to the proxy server. This may be required if you are connecting to a Private Proxy Server to filter web content.

iOS 6.0+

iPadOS 6.0+


Password
The password used to authenticate to the proxy server. This may be required if you are connecting to a Private Proxy Server to filter web content.

iOS 6.0+

iPadOS 6.0+


Allow Proxy Bypass for Captive Portal Logins
If enabled, allows the device to bypass the proxy server to display the login page for captive networks.

iOS 6.0+

iPadOS 6.0+



Global HTTP Proxy Settings - Automatic

Proxy PAC URL

The URL of the PAC file that defines the proxy configuration.


Starting in iOS 13 and macOS 10.15, only URLs that begin with http:// or https:// are allowed.


iOS 6.0+

iPadOS 6.0+


Allow Proxy PAC Fallback
If enabled, allows connecting directly to the destination if the proxy autoconfiguration (PAC) file is unreachable.

iOS 6.0+

iPadOS 6.0+


Allow Proxy Bypass for Captive Portal Logins
If enabled, allows the device to bypass the proxy server to display the login page for captive networks.

iOS 6.0+

iPadOS 6.0+



Account Settings


Calendar Accounts

  • Use the Calendar Accounts to provide account settings for connecting to a CalDAV-compliant calendar server. 
  • These accounts are added to devices enrolled in Ensemble. 
  • As with Exchange accounts, users need to manually enter information you omit from the profile, such as their account password, when the profile is installed.  
Account Settings - Calendar Accounts
Host Name
The server address, IP address or fully qualified domain name (FQDN) of the CalDAV server.

iOS 4.0+

iPadOS 4.0+

Principal URL
The base URL of the CalDAV server.

iOS 4.0+

iPadOS 4.0+

Port
The port number of the CalDAV server. This may be required if connecting to a server that is privately hosted on the same network, or if not using the default CalDAV server port.

iOS 4.0+

iPadOS 4.0+

Username
The user name to authenticate with the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Password
The password to authenticate with the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Description
The display name for the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Use SSL
If enabled, the system enables SSL authentication for this account. You must provide a certificate to log in.

iOS 4.0+

iPadOS 4.0+


Subscribed Calendar Accounts

  • You can use Subscribed Calendars settings for devices enrolled in Ensemble for connecting to a CalDAV-compliant calendar server.
  • The main difference from Calendar Accounts is that Subscribed Calendars are read-only subscriptions in the Calendar app.
Account Settings - Subscribed Calendar Accounts
Host Name
The server address, IP address or fully qualified domain name (FQDN) of the CalDAV server.

iOS 4.0+

iPadOS 4.0+

Username
The user name to authenticate with the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Password
The password to authenticate with the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Description
The display name for the CalDAV account.

iOS 4.0+

iPadOS 4.0+

Use SSL
If enabled, the system enables SSL authentication for this account. You must provide a certificate to log in.

iOS 4.0+

iPadOS 4.0+


Contact Accounts

  • Use Contact Accounts to provide account settings for connecting to the CardDAV-compliant contact server. 
  • The address book of enrolled devices will be updated with the Contacts of the CardDAV contact client. 
  • If you omit the account information, users need to enter it manually when the profile is installed.


Account Settings - Contact Accounts
Host Name
The server address, IP address or fully qualified domain name (FQDN) of the CardDAV server.

iOS 4.0+

iPadOS 4.0+

Principal URL
The base URL of the CardDAV server.

iOS 4.0+

iPadOS 4.0+

Port
The port number of the CardDAV server. This may be required if connecting to a server that is privately hosted on the same network, or if not using the default CardDAV server port.

iOS 4.0+

iPadOS 4.0+

Username
The user name to authenticate with the CardDAV account.

iOS 4.0+

iPadOS 4.0+

Password
The password to authenticate with the CardDAV account.

iOS 4.0+

iPadOS 4.0+

Description
The display name for the CardDAV account.

iOS 4.0+

iPadOS 4.0+

Use SSL
If enabled, the system enables SSL authentication for this account. You must provide a certificate to log in.

iOS 4.0+

iPadOS 4.0+

Audio Call Bundle Identifier
The bundle identifier for the default application that handles audio calls to contacts from this account.

iOS 4.0+

iPadOS 4.0+


Google Accounts 

  • Configure Google Accounts settings to specify pre-populating enrolled devices with Google account(s). 
Account Settings - Google Accounts
Email Address
The full Google email address for the account.

iOS 9.3+

iPadOS 9.3+

Account Name
The full user name for the Google account. This is the user name that appears when you send a mail message.

iOS 9.3+

iPadOS 9.3+

Account Description
A description of the Google account, which appears in Mail and Settings.

iOS 9.3+

iPadOS 9.3+

Audio Call Bundle Identifier

You can select a default app to be used when calling contacts from this account.


iOS 9.3+

iPadOS 9.3+


LDAP Accounts


Exchange ActiveSync (EAS) Accounts 


Mail Accounts

  • Use this section to configure mail accounts for enrolled devices. 
  • POP or IMAP mail accounts are supported.  


Account Settings - Mail Accounts

General Settings

| Policy | Description | Supported Versions |
|---|---|---|
| Account Type | The mail protocol to use for the account: IMAP or POP. | iOS 4.0+, iPadOS 4.0+ |
| Email Address | The full email address for the account. If omitted, the device prompts the user for it during profile installation. | iOS 4.0+, iPadOS 4.0+ |
| Account Name | The full user name for the account. The system displays this name in sent messages. | iOS 4.0+, iPadOS 4.0+ |
| Description | A user-visible description of the email account, shown in the Mail and Settings applications. | iOS 4.0+, iPadOS 4.0+ |
| Restrict Account to Apple Mail app | If enabled, prevents this account from sending mail in any app other than the Apple Mail app. | iOS 4.0+, iPadOS 4.0+ |
| Prevent moving Mail from Account / Replying from Account other than recipient | If enabled, the system prevents moving messages out of this email account into another account. This setting also prevents forwarding or replying from an account other than the recipient of the message. | iOS 4.0+, iPadOS 4.0+ |
| Allow Mail Drop | If enabled, the system enables this account to use Mail Drop. | iOS 4.0+, iPadOS 4.0+ |
| Disable Account from Syncing Recent Addresses | If enabled, the system excludes this account from Recent Addresses syncing. | iOS 4.0+, iPadOS 4.0+ |

Incoming Mail Server

| Policy | Description | Supported Versions |
|---|---|---|
| Server Host Name | The incoming mail server host name. | iOS 4.0+, iPadOS 4.0+ |
| Server Port | The incoming mail server port number. If not set, the system uses the default port for a given protocol. | iOS 4.0+, iPadOS 4.0+ |
| Username | The user name for the email account, usually the same as the email address up to the “@” character. If not set and the account requires authentication for incoming email, the device prompts the user for this string during interactive profile installation in Settings or System Preferences. | iOS 4.0+, iPadOS 4.0+ |
| Server Authentication Type | The authentication scheme for incoming mail. | iOS 4.0+, iPadOS 4.0+ |
| Password | The password for the incoming mail server. The system only uses this password with encrypted profiles. | iOS 4.0+, iPadOS 4.0+ |
| IMAP Path Prefix | The path prefix for the IMAP mail server. | iOS 4.0+, iPadOS 4.0+ |
| Use SSL | If enabled, the system enables SSL for authentication on the incoming mail server. | iOS 4.0+, iPadOS 4.0+ |

Outgoing Mail Server

| Policy | Description | Supported Versions |
|---|---|---|
| Server Host Name | The outgoing mail server host name. | iOS 4.0+, iPadOS 4.0+ |
| Server Port | The outgoing mail server port number. If not set, the system uses the default port for a given protocol. | iOS 4.0+, iPadOS 4.0+ |
| Username | The user name for the email account, usually the same as the email address up to the “@” character. If not set and the account requires authentication for outgoing email, the device prompts the user for this string during interactive profile installation in Settings or System Preferences. | iOS 4.0+, iPadOS 4.0+ |
| Server Authentication Type | The authentication scheme for outgoing mail. | iOS 4.0+, iPadOS 4.0+ |
| Password | The password for the outgoing mail server. The system only uses this password with encrypted profiles. | iOS 4.0+, iPadOS 4.0+ |
| Use SSL | If enabled, the system enables SSL for authentication on the outgoing mail server. | iOS 4.0+, iPadOS 4.0+ |
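
The following Python audit is an added example, not Ensemble MDM's own code: it reads an exported configuration profile and flags risky combinations of the mail settings described above (SSL off, password authentication without SSL, no server authentication, a password stored in an unencrypted profile). It assumes the settings are delivered as Apple's `com.apple.mail.managed` payload with the key names shown; the sample profile and the `audit_mail_payloads` helper are constructed for illustration.

```python
import plistlib

# Constructed sample: an unencrypted profile carrying one mail payload.
# Key names are Apple's com.apple.mail.managed keys; mapping them to the
# Ensemble MDM fields in the tables above is an assumption.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.mail.managed",
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAddress": "user@example.com",
        "IncomingMailServerHostName": "imap.example.com",
        "IncomingMailServerAuthentication": "EmailAuthPassword",
        "IncomingMailServerUseSSL": False,
        "IncomingPassword": "constructed-secret",
        "OutgoingMailServerHostName": "smtp.example.com",
        "OutgoingMailServerAuthentication": "EmailAuthNone",
        "OutgoingMailServerUseSSL": True,
        "PreventMove": False,
    }],
})

def audit_mail_payloads(profile_bytes, encrypted=False):
    """Return (account, finding) tuples for risky mail account settings."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.mail.managed":
            continue
        acct = p.get("EmailAddress", "<prompted at install>")
        for side in ("Incoming", "Outgoing"):
            auth = p.get(f"{side}MailServerAuthentication")
            if not p.get(f"{side}MailServerUseSSL", False):
                findings.append((acct, f"{side}: Use SSL is off"))
                if auth == "EmailAuthPassword":
                    findings.append((acct, f"{side}: password auth without SSL"))
            if auth == "EmailAuthNone":
                findings.append((acct, f"{side}: no server authentication"))
            # Per the Password rows above, passwords are only used with
            # encrypted profiles; in a plain profile the value is exposed.
            if f"{side}Password" in p and not encrypted:
                findings.append((acct, f"{side}: password in unencrypted profile"))
        if not p.get("PreventMove", False):
            findings.append((acct, "messages can be moved to other accounts"))
    return findings

if __name__ == "__main__":
    for acct, finding in audit_mail_payloads(SAMPLE_PROFILE):
        print(f"{acct}: {finding}")
```
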

Encryption