Skip to main content
Cisco Meraki Documentation

Configuration Settings Payload - Restrictions

  1. Last updated
  2. Save as PDF

The restrictions payload is used to restrict device functionality, allowing the MDM administrator to granularly control enrolled devices. Device restrictions are categorized by platform and may have unique configuration requirements (such as camera usage on iOS 13 requiring device supervision). A full list of all device restrictions and their requirements can be found below. 

Cross-Platform Restrictions

Camera

  • Allow use of the camera - iOS, macOS, Android, and Windows

As of iOS 13 this feature requires device supervision

Device Functionality

  • Allow installing apps - Samsung KNOX devices and iOS 

As of iOS 13 this feature requires device supervision

  • Allow screen capture - iOS and macOS 10.14.4+
  • Allow device assistant (Siri/Cortana) - iOS and Windows
    • Allow Siri while locked - iOS

Apple Restrictions

Device Functionality

  • Allow voice dialing - iOS
  • Allow automatic sync when roaming - iOS
  • Allow Passbook notifications while locked - iOS
  • Allow in-app purchases - iOS
  • Allow iTunes file sharing services - macOS 10.13+
  • Force user to enter iTunes Store password for all purchases - iOS 5+
  • Show Control Center in lock screen - iOS 7+
  • Show Notification Center in lock screen - iOS 7+
  • Show Today view in lock screen - iOS 7+
  • Allow remote screen observation by the Classroom app - iOS 12+ and macOS 10.14.4+

Screenshots must be enabled for this feature to work

  • Do not containerize work data and contacts from unmanaged apps - iOS 7+

iOS can natively separate work and personal data and contacts. For more information, see our article on iOS containerization.

  • Do not containerize personal data and contacts from managed apps - iOS 7+

iOS can natively separate work and personal data and contacts. For more information, see our article on iOS containerization.

  • Allow Handoff - iOS 8+ and macOS 10.15+
  • Require passcode on outgoing AirPlay pairing requests - iOS 7.1+
  • Require passcode on incoming AirPlay pairing requests - iOS 7.1+
  • Force paired Apple Watch to use Wrist Detection - iOS 8.2+
  • Allow user to add App Clips - iOS 14+
  • Hide user visibility of non-OS Software Updates - macOS 11+
  • Disallow sharing of managed documents with AirDrop - iOS 9+
  • Allow pairing with Remote app or Control Center widget - tvOS 10.2+
  • Allow managed apps to write contacts to unmanaged contacts accounts - iOS 12+
  • Allow unmanaged apps to read from managed contacts accounts - iOS 12+
  • Allow server-side Siri logging - iOS 12.2+
  • Allow shared device temporary session - iOS 13.4+
  • Allow NFC - iOS and macOS
  • Allow Apple personalized advertising - iOS 14+

iCloud iOS & macOS

  • Allow iCloud Photo Library - iOS 9+ and macOS 10.12+

iCloud iOS

  • Allow backup of enterprise books - iOS 8+
  • Allow notes and highlights sync for enterprise books - iOS 8+
  • Allow photo stream - iOS 5+
  • Allow managed app to store data in iCloud - +iOS 8+

iCloud macOS

  • Allow Back to My Mac - macOS 10.12+
  • Allow Find My Mac - macOS 10.12+
  • Allow Bookmark sync - macOS 10.12+
  • Allow Mail sync - macOS 10.12+
  • Allow Calendar sync - macOS 10.12+
  • Allow Reminder sync - macOS 10.12+
  • Allow Address Book sync - macOS 10.12+
  • Allow Notes sync - macOS 10.12+
  • Allow desktop and document sync - macOS 10.12+ 

Security and Privacy

  • Allow diagnostic data to be sent to Apple - iOS 6+ and macOS 10.13+
  • Allow user to accept untrusted TLS certificates - iOS 5+
  • Force encrypted backup - iOS
  • Allow automatic updates to certificate trust settings - iOS 7+
  • Force limited ad tracking - iOS 7+
  • Allow Touch ID to unlock device - iOS 7+ and macOS 10.12.4+

Ratings Region

  • Australia - iOS and tvOS 11.3+ 
  • Canada - iOS and tvOS 11.3+
  • France - iOS and tvOS 11.3+
  • Germany - iOS and tvOS 11.3+
  • Ireland - iOS and tvOS 11.3+
  • Japan - iOS and tvOS 11.3+
  • New Zealand - iOS and tvOS 11.3+
  • United Kingdom - iOS and tvOS 11.3+
  • United States - iOS and tvOS 11.3+

Allowed Content Ratings 

Specify allowed ratings for the following content - iOS and tvOS 11.3+

  • Movies
    • Do not allow movies 
    • G
    • PG
    • PG-13
    • R
    • NC-17
    • Allow all movies 
  • TV Shows
    • Do not allow TV shows 
    • TV-Y
    • TV-7
    • TV-G
    • TV-PG
    • TV-14
    • TV-MA
    • Allow all TV shows 
  • Apps
    • Do not allow apps
    • 4+ 
    • 9+
    • 12+
    • 17+
    • Allow all apps 

Software Updates

  • Delay OS software updates - iOS 11.3+ Supervised, macOS 10.13+, and tvOS 12.2+

iOS Supervised Restrictions 

Applications

  • Allow app removal - iOS
  • Allow use of iTunes Store - iOS

As of iOS 13, this restriction requires a supervised device.

  • Allow use of Safari - iOS

As of iOS 13, this restriction requires a supervised device.

  • Enable autofill - iOS and macOS 10.13+
  • Force fraud warning - iOS
  • Enable javascript - iOS
  • Allow popups - iOS
  • Allow FaceTime - iOS
  • Allow iMessage - iOS 6+
  • Allow Game Center - iOS 6+ and macOS 10.13+
  • Allow Bookstore - iOS 6+
  • Allow Bookstore erotica iOS and tvOS 11.3+
  • Allow Podcasts - iOS 8+
  • Allow App Store - iOS 9+
  • Allow News app - iOS 9+
  • Allow Apple Music - iOS 9.3+
  • Allow Apple Music Radio - iOS 9.3+

Allowed Single App Mode 

Apps listed here are allowed to place themselves in Single App Mode autonomously. It does not restrict which apps can be manually placed into Single App Mode.

Show or Hide Apps

  • Allow all apps 
  • Do not allow the following apps 
  • Only allow the following apps 

Device Functionality 

  • Allow UI configuration profile installation - iOS 6+

Supervised devices can be configured to not allow the installation of configuration profiles or certificates interactively.

  • Allow adding Game Center friends - iOS and macOS 10.13+
  • Allow modifying account settings - iOS 7+
  • Allow AirDrop - iOS 7+ and macOS 10.13+
  • Allow changes to cellular data usage for apps - iOS 7+
  • Allow user-generated content in Siri - iOS 7+
  • Allow Find My Device in the Find My app - iOS 13+
  • Allow Find My Friends in the Find My app - iOS 13+
  • Allow modifying Find My Friends settings - iOS 7+
  • Allow host pairing - iOS 7+
  • Allow multiplayer gaming - iOS and macOS 10.13+

As of iOS 13, this restriction requires a supervised device.

  • Force Wi-Fi power on - iOS 13+
  • Enable Siri profanity filter - iOS
  • Allow Files Network Drive Access - iOS 13+
  • Allow Files USB Drive Access - iOS 13+
  • Allow configuring restrictions - iOS 8+
  • Allow Erase All Content and Settings - iOS 8+
  • Allow Internet results in Spotlight - iOS 8+ and macOS 10.11+
  • Allow keyboard auto-correction - iOS 8.1.3+
  • Allow keyboard spell-check - iOS 8.1.3+
  • Allow definition lookup - iOS 8.1.3+ and macOS 10.11.2+
  • Allow predictive keyboard - iOS 8.1.3+
  • Allow continuous path keyboard - iOS 13+
  • Allow keyboard shortcuts - iOS 9+
  • Allow pairing with Apple Watch - iOS 9+
  • Allow modification of passcode settings - iOS 9+ and macOS 10.13+

Do not disable this setting if there is a passcode policy set.

  • Allow modification of device name - iOS 9+ and tvOS 11+
  • Keep device name up-to-date with Dashboard - iOS 9+

The device name cannot be set from Dashboard if "Allow modification of device name" is disabled.

  • Allow modification of wallpaper - iOS 9+ and macOS 10.13+
  • Allow automatic downloading of apps purchased on other devices - iOS 9+
  • Automatically trust enterprise apps - iOS 9+
  • Allow changes to Notifications settings - iOS 9.3+
  • Allow modification of diagnostic submission and app analytics settings - iOS 9.3.2+
  • Allow modification of Bluetooth settings - iOS 10+
  • Allow dictation input - iOS 10.3+ and macOS 10.13+
  • Enforce SSID whitelisting - iOS 10.3+

Devices may only connect to networks that were set up in a configuration profile

  • Allow AirPrint - iOS 11+
  • Allow credential storage for AirPrint - iOS 11+
  • Require trusted certificates for TLS printing communication - iOS 11+
  • Allow iBeacon discovery of AirPrint printers - iOS 11+
  • Allow removal of system apps - iOS 11+
  • Allow creation of VPN configurations - iOS 11+
  • Enable USB Restricted Mode - iOS 11.3+

If disabled you will not need to enter a passcode to connect to a USB accessory. As of iOS 13, this restriction requires a supervised device.

  • Turn the Date & Time 'Set Automatically' feature to ON and disallow user disabling - iOS 12+ and tvOS 12.2+
  • Allow users to use saved passwords in Safari and AutoFill Passwords feature - iOS 12+ and macOS 10.14+

As of iOS 13, this restriction requires a supervised device.

  • Allow users device to request passwords from nearby devices - iOS 12+, macOS 10.14+, and tvOS 12+
  • Allow users to share their passwords with the Airdrop Passwords feature - iOS 12+, macOS 10.14+, and tvOS 12+
  • Allow users to add or remove a cellular plan to the eSIM on the device - iOS 12.1+
  • Allow users to modify the personal hotspot setting - iOS 12.2+

iCloud iOS

  • Allow document sync - Ios and macOS 10.11+

As of iOS 13, this restriction requires a supervised device.

  • Allow cloud Keychain sync - iOS 7+ and macOS 10.12+

As of iOS 13, this restriction requires a supervised device.

iCloud iOS & macOS

  • Allow backup - iOS 5+

As of iOS 13, this restriction requires a supervised device.

Content Ratings

  • Allow explicit music and podcasts - iOS and tvOS 11.3+

As of iOS 13, this restriction requires a supervised device.

Apple Education

  • Force Classroom to automatically join classes - iOS 11+ and macOS 10.14.4+

If true, automatically gives permission to the teacher's requests without prompting the student.

  • Require permission to leave classes - iOS 11.3+ and macOS 10.14.4+

If true, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course.

  • Allow unprompted App and Device Lock - iOS 11+ macOS 10.14.4+

If true, allows the teacher to lock apps or the device without prompting the student.

  • Automatically grant observation permission to teachers using Classroom app - iOS 11+ and macOS 10.14.4+

If true and Allow MDM to automatically approve screen observation is also true in the Education payload, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student.

Windows 10 Restrictions 

Device Functionality 

  • Allow WiFi
  • Allow Bluetooth
  • Allow use of external storage card
  • Encrypt device internal storage