Introduction
An unsupervised project provides limited control over devices and the user of the device can remove or override the policies at any time. These projects are used for personal or BYOD (Bring Your Own Device) scenarios, wherein the device owner retains more control over the device.
Unlike supervised devices, unsupervised devices are set up via a URL on user-owned devices that have already gone through the setup wizard, and an application user account must be used to manage the device.
For more information on this, please see our knowledgebase article regarding Application Users.
Policies
Device Settings
Policy | Description | Supported Versions |
---|---|---|
Allow Screenshots and Screen Recording | If disabled, the system prevents saving a screenshot of the display and capturing a screen recording. This effectively disables the button combination for taking screenshot(s) and shows an error message to the user when attempting to screen record from the Control Center. It also disables the Classroom app from observing remote screens. | iOS 4.0+ iPadOS 4.0+ |
Allow Submitting Diagnostic and Usage Data to Apple | If disabled, the system prevents the device from automatically submitting diagnostic reports to Apple. | iOS 6.0+ iPadOS 6.0+ |
Siri Settings | ||
---|---|---|
Allow Siri | If disabled, the system disables Siri. | iOS 5.0+ iPadOS 5.0+ |
Allow Siri while device is locked | If disabled, the system disables Siri when the device is locked. The system ignores this restriction if the device doesn’t have a passcode set. | iOS 5.1+ iPadOS 5.1+ |
Force on-device only dictation | If enabled, the system disables connections to Siri servers for the purposes of dictation. Note: the 'Allow Dictation' policy must also be true. | iOS 14.5+ iPadOS 14.5+ |
Force on-device only translation | If enabled, the device won’t connect to Siri servers for the purposes of translation. | iOS 15.0+ iPadOS 15.0+ |
Data Sharing Settings | ||
---|---|---|
Allow data from Managed Sources in Unmanaged Destinations | If disabled, documents in managed apps and accounts only open in other managed apps and accounts. | iOS 7.0+ iPadOS 7.0+ |
Allow Managed Apps to write contacts to Unmanaged contact accounts | If enabled, the system allows managed apps to write contacts to unmanaged accounts. If 'Allow data from Managed Sources in Unmanaged Destinations' is true, this restriction has no effect. | iOS 12.0+ iPadOS 12.0+ |
Allow Unmanaged apps to read contacts from Managed contact accounts | If enabled, the system allows unmanaged apps to read from managed contacts accounts. If 'Allow data from Managed Sources in Unmanaged Destinations' is true, this restriction has no effect. | iOS 12.0+ iPadOS 12.0+ |
Allow data from Unmanaged sources in Managed destinations | If disabled, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. | iOS 7.0+ iPadOS 7.0+ |
Require Managed Pasteboard | If enabled, copy and paste functionality conforms to the above restrictions. | iOS 15.0+ iPadOS 15.0+ |
Advanced Settings | ||
---|---|---|
Allow updating the certificate trust database | If disabled, the system disables over-the-air PKI updates. Apple devices include a number of preinstalled root certificates from various Certification Authorities (CAs), and validate the trust for these root certificates. These digital certificates can be used to securely identify a client or server, and to encrypt the communication between them using the public and private key pair. A certificate contains a public key, information about the client (or server), and is signed (verified) by a CA. OTA PKI updates allow for the remote management of certificates if any of the preinstalled root certificates become compromised. Note: Setting this restriction to false doesn't disable CRL and OCSP checks. | iOS 7.0+ iPadOS 7.0+ |
Application Settings
App Store Settings |
Allow trust of unknown App authors | If disabled, the system removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, which prevents provisioning apps by universal provisioning profiles. This restriction applies to free developer accounts or Enterprise apps that weren't installed via the MDM. However, it doesn’t apply to enterprise app developers, because they’re trusted and the system installed their apps through MDM. It also doesn’t revoke previously granted trust. | iOS 9.0+ iPadOS 9.0+ |
Safari Settings |
Allow Safari to execute JavaScript | If disabled, the system prevents Safari from executing JavaScript. Certain web pages may not work as expected. | iOS 4.0+ iPadOS 4.0+ |
Allow users to accept untrusted TLS certificates | If disabled, the system automatically rejects untrusted HTTPS certificates without prompting the user. | iOS 5.0+ iPadOS 5.0+ |
Force Safari Fraud Warning | If enabled, the system enables Safari fraud warning. | iOS 4.0+ iPadOS 4.0+ |
Update Settings
Backup / iCloud Settings |
Force Encrypted Backups | If enabled, the system encrypts all backups. | iOS 4.0+ iPadOS 4.0+ |
Allow iCloud to sync Managed App data | If disabled, the system prevents managed apps from using iCloud sync. | iOS 8.0+ iPadOS 8.0+ |
Allow iCloud to backup Enterprise Managed Books | If disabled, the system disables backup of Enterprise books. | iOS 8.0+ iPadOS 8.0+ |
Allow iCloud to sync Enterprise Managed Books, Notes, and Highlights | If disabled, the system disables sync of Enterprise books, notes, and highlights. | iOS 8.0+ iPadOS 8.0+ |
Security Settings
Password Settings |
Require Device Password | If true, the system forces the user to enter a Password / PIN for Device Unlock. | iOS 4.0+ iPadOS 4.0+ |
Require Alphanumeric Password | If true, the system requires additional alphabetic characters instead of only numeric characters. | iOS 4.0+ iPadOS 4.0+ |
Allow Simple Password | If false, the system prevents use of a simple password. A simple password contains repeated characters, or increasing or decreasing characters (such as 123 or CBA). | iOS 4.0+ iPadOS 4.0+ |
Minimum Password Length | The minimum overall length of the password. This value is independent of the value for 'Minimum Complex Characters'. Min: 0, Max: 16 | iOS 4.0+ iPadOS 4.0+ |
Minimum Complex Characters | The minimum number of complex characters that a password needs to contain. A complex character is a character other than a number or a letter, such as &, %, $, and #. The system ignores this property for User Enrollments. Min: 0, Max: 4 | iOS 4.0+ iPadOS 4.0+ |
Minimum Successive Unique Passwords | This value defines N, where the new password must be unique within the last N entries of the device's password history. Min: 1, Max: 50 | iOS 4.0+ iPadOS 4.0+ |
Maximum Password Age (In Days) | The number of days for which the password can remain unchanged. After this number of days, the system forces the user to change the password before it unlocks the device. Min: 0, Max: 730 (2 years) | iOS 4.0+ iPadOS 4.0+ |
Maximum Failed Attempts | The number of allowed failed attempts to enter the password at the device’s lock screen. After six failed attempts, the system imposes a time delay before a password can be entered again. The delay increases with each attempt. When this number is exceeded in iOS, the system wipes the device. Min: 2, Max: 11 | iOS 4.0+ iPadOS 4.0+ |
Maximum Inactivity before Device Lock (In Minutes) | The maximum number of minutes for which the device can be idle without the user unlocking it, before the system locks it. When this limit is reached, the system locks the device and the password is required to unlock it. The user can edit this setting, but the value can’t exceed this value. When set on User Enrolled devices, the never option in the Settings UI is removed. Min: 0, Max: 15 | iOS 4.0+ iPadOS 4.0+ |
Maximum Grace Period for Device Unlock (In Minutes) | After enforcing passcode restrictions, a countdown begins. During this grace period, the user receives a prompt to change their passcode when they return to the Home screen; however, they can dismiss the prompt and continue working. After the grace period elapses, the user must change the passcode to launch any application on the device, including built-in applications. The default grace period is 0 minutes, which requires the user to change the password immediately. Min: 0, Max: None | iOS 4.0+ iPadOS 4.0+ |
Certificate Settings
Certificate Revocation |
Certificates Enabled for Certificate Revocation | An array of certificates that the system checks for revocation. Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. It’s not necessary to specify trusted root certificates because they’re implicitly specified. | iOS 14.2+ iPadOS 14.2+ |
Certificate Transparency |
Certificates Disabled for Certificate Transparency | A list of certificates for which certificate transparency is disabled. One of the following conditions needs to be met to disable certificate transparency enforcement when this policy is set: (1) The hash is of the server certificate’s subjectPublicKeyInfo. (2) The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 nameConstraints extension; one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName contains an organizationName attribute. (3) The hash is of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain; the CA certificate has one or more organizationName attributes in the certificate Subject, and the server’s certificate contains the same number of organizationName attributes, in the same order, and with byte-for-byte identical values. | iOS 12.1.1+ iPadOS 12.1.1+ |
Domains Disabled for Certificate Transparency | An array of strings that represent the domains to exclude from certificate transparency enforcement. The system supports using a leading period (.) to signify subdomains. However, the system doesn’t support wildcards. If you include a leading period, the domain can’t be a top-level domain, such as .com and .co.uk. | iOS 12.1.1+ iPadOS 12.1.1+ |
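
The entry rules for 'Domains Disabled for Certificate Transparency' can be checked before a list is pushed to devices, so that a malformed or over-broad entry does not silently widen the exemption. The following is an added example, not code from this product or from Apple: the function names are hypothetical, `PUBLIC_SUFFIXES` is a small constructed stand-in for the full Public Suffix List, and the matching in `is_excluded` (a leading period covers subdomains only, a bare name covers that host only) is an assumption.

```python
# Added example: lint entries for a "Domains Disabled for Certificate
# Transparency" list against the rules stated in the table above.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def lint_entry(entry):
    """Return a list of problems with one exclusion entry (empty list = OK)."""
    value = entry.strip().lower()
    if not value:
        return ["empty entry"]
    problems = []
    if "*" in value:
        problems.append("wildcards are not supported; use a leading period")
    if "/" in value or ":" in value:
        problems.append("expected a bare domain, not a URL or host:port")
    name = value[1:] if value.startswith(".") else value
    if any(label == "" for label in name.split(".")):
        problems.append("empty label (stray or doubled period)")
    if value.startswith(".") and name in PUBLIC_SUFFIXES:
        problems.append("leading period on a top-level domain is not allowed")
    return problems


def is_excluded(hostname, entries):
    """Assumed matching: '.example.com' covers subdomains only,
    'example.com' covers that exact host only."""
    host = hostname.lower().rstrip(".")
    for entry in entries:
        e = entry.strip().lower()
        if lint_entry(e):
            continue  # invalid entries never exempt anything
        if e.startswith("."):
            if host.endswith(e):
                return True
        elif host == e:
            return True
    return False


# Constructed sample list, including entries the rules above reject.
SAMPLE = [".corp.example.com", "intranet.example.org", "*.example.net", ".co.uk"]

if __name__ == "__main__":
    for item in SAMPLE:
        print(item, "->", lint_entry(item) or "ok")
    print(is_excluded("vpn.corp.example.com", SAMPLE))
```
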
Connectivity Settings
WI-FI Configuration |
Manage WI-FI configuration | Loads a Wi-Fi network configuration onto the device so that it can connect automatically when in range. | iOS 4.0+ iPadOS 4.0+ |
VPN Settings |
Manage VPN Configuration | Use VPN Configurations to enter the VPN settings for connecting to your network. Note: Settings you specify in the configuration profile can’t be modified by users. | iOS 4.0+ iPadOS 4.0+ |
Use App-Layer VPN Configurations for per-app VPN behavior, which only applies to VPN services of type VPN, IPsec, and IKEv2. All the properties of VPN apply to the top level of this profile as well. | iOS 4.0+ iPadOS 4.0+ |
Apple Watch Settings |
Force Apple Watch Wrist detection | If this policy is enabled, the user cannot turn off Wrist detection. Wrist detection is used to automatically lock the watch when it's removed from your wrist. | iOS 4.0+ iPadOS 4.0+ |
Sharing Settings |
Initiate a temporary session on a Shared iPad (Shared iPad allows more than one user to sign in to an iPad) by tapping Guest at the login screen; no username or password is necessary. When the guest logs out, all their data, including browsing history, is deleted. In a temporary session, any user can unlock and access the iPad without a password. Note: because there isn't a Managed Apple Account: - apps that use or require iCloud or cloud-based storage may not be supported. - users can’t sign in to Messages or the App Store. - purchased books can’t be assigned in a temporary session on Shared iPad. | iOS 4.0+ iPadOS |
Airplay Settings |
Require password on first outgoing AirPlay pairing | If this policy is enabled, the device being streamed to will display a code for the managed device to enter before streaming. If the target device requires a passcode on first connection, the passcode will be required even if this policy is disabled. Note: the target device may have stricter requirements for pairing, such as requiring the passcode on every connection or requiring a password (see Device Passwords below). | iOS 4.0+ iPadOS 4.0+ |
Airplay Device Passwords |
Airplay Device Passwords | If present, sets passwords for known Airplay destinations | iOS 7.0+ iPadOS 7.0+ |
AirDrop Settings |
Treat AirDrop as Unmanaged Destination | If enabled, this prevents managed apps from using AirDrop to send data. | iOS 4.0+ iPadOS 4.0+ |
AirPrint Settings |
AirPrint Printers | If present, these AirPrint printers are presented to the user. | iOS 7.0+ iPadOS 7.0+ |
Network Settings
APN Configuration |
Name | The access point name. | iOS 7.0+ iPadOS 7.0+ |
Authentication Type | The authentication type for logging in. Can be CHAP or PAP. | iOS 7.0+ iPadOS 7.0+ |
Username | The user name for the APN. | iOS 7.0+ iPadOS 7.0+ |
Password | The user’s password for the APN. | iOS 7.0+ iPadOS 7.0+ |
Proxy Server | The proxy server’s address. | iOS 7.0+ iPadOS 7.0+ |
Proxy Port | The proxy server’s port number. | iOS 7.0+ iPadOS 7.0+ |
Enable XLAT464 | XLAT464 is an IPv6 transition technology | iOS 7.0+ iPadOS 7.0+ |
Supported IP Version | The Internet Protocol versions that the system supports while on the network. | iOS 7.0+ iPadOS 7.0+ |
Supported IP Version while Roaming | The Internet Protocol versions that the system supports while roaming. | iOS 7.0+ iPadOS 7.0+ |
Supported IP Version while Domestic Roaming | The Internet Protocol versions that the system supports while domestic roaming | iOS 7.0+ iPadOS 7.0+ |
Is Default APN | If true, the system makes this the Default APN Configuration and creates an attach APN from these values. Only one APN can be made default. | iOS 7.0+ iPadOS 7.0+ |
Name | The name of the private network configuration data set | iOS 17.0+ iPadOS 17.0+ |
Cellular Data Preferred | Set to true to prefer this private network over Wi-Fi. | iOS 17.0+ iPadOS 17.0+ |
Enable NR Standalone | Set to true if this private network is NR Standalone. | iOS 17.0+ iPadOS 17.0+ |
Version Number | The version number of this dataset that the system uses to track updates. | iOS 17.0+ iPadOS 17.0+ |
Geofences | A list of up to 1000 geofences for private networks. Geofencing is only used on iPhone. | iOS 17.0+ |
Network Usage Rules |
Application Rules | This policy dictates whether an application is Allowed or Not Allowed to use cellular data or data while roaming. | iOS 17.0+ iPadOS 17.0+ |
SIM Rules | This policy lets you load an ICCID (the number on a SIM card) and control whether the SIM can use a Wi-Fi network for data connections. | iOS 17.0+ iPadOS 17.0+ |
Account Settings
Account Settings |
Calendar Accounts | Use this section to provide account settings for connecting to a CalDAV-compliant calendar server. These accounts are added to enrolled devices. As with Exchange accounts, users need to manually enter information you omit from the profile, such as their account password, when the profile is installed. | iOS 4.0+ iPadOS 4.0+ |
Subscribed Calendar Accounts | Use this section to add read-only calendar subscriptions to the Calendar app. | iOS 4.0+ iPadOS 4.0+ |
Contact Accounts | Use this section to provide account settings for connecting to the CardDAV-compliant contact server. If you omit any account information, users need to enter it manually when the profile is installed. | iOS 4.0+ iPadOS 4.0+ |
Google Accounts | This policy adds the Google account to the device, but the end user has to enter the password to log in to the Google account. | iOS 9.3+ iPadOS 9.3+ |
LDAP accounts | Use this section to configure LDAP settings to enable corporate directory services for enrolled devices. These settings are specific for connecting to an LDAPv3 directory. Note: LDAP connections don’t initiate a VPN connection; if the VPN hasn’t been established by another app, such as Safari, the LDAP lookup fails. | iOS 4.0+ iPadOS 4.0+ |
Exchange ActiveSync (EAS) Accounts | Use this section to enter the user’s settings for your Microsoft Exchange Server. You can create a profile for a particular user by specifying the user name, hostname, and email address, or you can provide just the hostname; users are prompted to fill in the other values when they install the profile. In iOS 14 and iPadOS 14, or later, Exchange accounts configured for OAuth and Microsoft cloud-based services (such as Office365 or outlook.com) are automatically upgraded to use Microsoft’s OAuth 2.0 authentication service. | iOS 4.0+ iPadOS 4.0+ |
Mail Accounts | Once all the IMAP or POP settings for the email account you're trying to load onto the device are filled out correctly, the email account is loaded into the Mail app on the iOS device. | iOS 4.0+ iPadOS 4.0+ |