iOS policies

Last updated March 21st, 2023

This page describes the policies you can configure for iOS devices.

The availability of each policy varies depending on the OS version.

Some device settings apply exclusively to either the device or the user. For example, the Wi-Fi configuration applies to the entire device, while the single sign-on settings are specific to the user account. For shared iOS devices, enterprises often separate device and user settings into different Knox Manage profiles. A policy’s scope is determined by its policy channel, which can be:

Device channel — The policy applies to the entire device and to temporary sessions.
User channel — The policy applies to the user for the duration of their session. Each user can have different policies. Typically, Knox Manage profiles that use these policies are assigned to user groups rather than device groups.
Common — The policy can apply through either channel. In case of a collision, the policy value either combines or the last profile applied takes precedence.

System

Allows features such as camera, screen capture, and Siri.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Camera	Allows using the camera. Exclusive policy.	iOS 4.0 and higher
Screen capture	Allows use of the default screen capture function.	iOS 4.0 and higher User Enrollment
Siri	Allows using Siri.	iOS 5.0 and higher
> Siri on lock screen	Allows using Siri on the lock screen.	iOS 5.1 and higher User Enrollment
> Web search result on Siri	Allows showing the web search results on Siri.	iOS 7.0 and higher Supervised
> Profanity filter on Siri	Select to use the Profanity filter on Siri. Forced use — Users are forced to use the Profanity filter on Siri. User selection — Users are allowed to select whether to use the Profanity filter on Siri.	iOS 11.0 and higher Supervised
Force On-Device Only Dictation (Siri)	Disables cloud processing of the Siri dictation service, forcing it to compute on the device. Values Use Do Not Use (default)	iOS 14.5 and higher User Enrollment
Force On-Device Only Translation (Siri)	Disables cloud processing of the Siri translation service, forcing it to compute on the device. Values Use Do Not Use (default)	iOS 15 and higher User Enrollment
Submission of diagnosis and usage details	Allows submitting diagnostic results and usage information to the manufacturer. Personally identifiable or sensitive information is data masked.	iOS 6.0 and higher User Enrollment
Passbook on lock screen	Allows using the Passbook on the lock screen.	iOS 6.0 and higher
Control center on lock screen	Allows using the Control center on the lock screen.	iOS 7.0 and higher User Enrollment
Display notifications on lock screen	Allows displaying the notifications on the lock screen.	iOS 7.0 and higher User Enrollment
Display Today view on lock screen	Allows displaying the Today view on the lock screen.	iOS 7.0 and higher User Enrollment
Manual installation for profile	Allows manual installation of the Apple Configuration Profile.	iOS 6.0 and higher Supervised
Control editing account information	Allows editing the account information.	iOS 7.0 and higher Supervised
Automatic updates of certificate trust settings	Allows automatic updates of the certificate trust settings.	iOS 7.0 and higher
Delay OS Update	Allow users to delay software updates on their device. If this policy is set to Apply, you can specify how long the software update is delayed. Users do not see a software update until the specified number of days after the software update release date have elapsed.	iOS 11.3 and higher Supervised
Encryption for iTunes backup	Select to encrypt the iTunes backup. Forced use — Users are forced to encrypt. User selection — Users are allowed to select whether to encrypt iTunes data.	iOS 4.0 and higher User Enrollment
iTunes pairing	Allows iTunes connection with unauthorized PCs.	iOS 7.0 and higher Supervised
Apple Watch pairing	Allow users to pair their device with an Apple Watch. If the policy is set to Disallow, any currently paired Apple Watch is unpaired and the contents of the Watch are erased.	iOS 9.0 and higher Supervised
Wrist Detection on an Apple Watch	If the device is paired with an Apple Watch, the watch is forced to use Wrist Detection. When enabled, the Apple Watch automatically locks when removed from the device user's wrist. The watch must then be unlocked with its passcode or by the paired device. Values Allow Disallow (false)	iOS 8.2 and higher User Enrollment
Limit Ad tracking	Select to use the Limit Ad tracking. Forced use — Users are forced to use Limit Ad tracking. User selection — Users are allowed to select whether to use Limit Ad tracking.	iOS 7.0 and higher
Apple Personalized Advertising	Enables profiled advertising on the device. When turned off, profiled advertising is limited, but not disabled entirely. Values Allow (default) Disallow	iOS 14 and higher
Factory reset	Allows a device to factory reset.	iOS 8.0 and higher Supervised
Result of web search with Spotlight	Allows displaying the web search results from Spotlight search.	iOS 8.0 and higher
Block configuration	Allows users to configure any restrictions on the menus by activating the block menu function. If the policy is prohibited, the users cannot configure the device using the block menu function.	iOS 8.0 and higher Supervised
Change device name	Select to automatically change the device name to a mobile ID when updating the profile. For this policy, you can send a device command to set the device name as the mobile ID.	iOS 9.0 and higher Supervised
Bluetooth Modification	Allows modifying Bluetooth settings on the device.	iOS 11.0 and higher Supervised
Automatic Date and Time	Force enable the Set Automatically feature for Date and Time Settings. If this policy is set to Allow, users cannot disable this feature on their device. The device's time zone is updated only when the device can determine its location using a cellular connection or Wi-Fi with the location service enabled.	iOS 12.0 and higher Supervised
VPN Creation	Allows users to create VPN configurations.	iOS 11.0 and higher Supervised
Wallpaper Modification	Allows the device user to change the wallpaper. Values Allow (default) Disallow	iOS 9 and higher Supervised
Notification Modification	Allows the device user to change the notification settings. Values Allow (default) Disallow	iOS 9.3 and higher Supervised
New Device Proximity Setup	Disables the prompt to set up newly-detected nearby devices. Values Allow (default) Disallow	iOS 11 and higher Supervised
Unpaired External Boot to Recovery	Allows the device to be booted into recovery mode by another device that is unpaired. Values Allow Disallow (default)	iOS 14.5 and higher Supervised
Keyboard Shortcuts	Allows the device user to use key combinations and shortcuts. Values Allow (default) Disallow	iOS 9 and higher Supervised
Predictive Keyboard	Enables predictive text for the on-screen keyboard. Values Allow (default) Disallow	iOS 8.1.3 and higher Supervised
Auto Correction for Keyboard	Enables auto-correction for the on-screen keyboard. Values Allow (default) Disallow	iOS 8.1.3 and higher Supervised
Spell-check for keyboard	Enables automatic spell checking for the on-screen keyboard. Values Allow (default) Disallow	iOS 8.1.3 and higher Supervised
Definition Lookup for Keyboard	Allows the device user to look up the word definitions in the on-screen keyboard. Values Allow (default) Disallow	iOS 8.1.3 and higher Supervised
QuickPath Keyboard	Enables QuickPath typing. Values Allow (default) Disallow	iOS 13 and higher Supervised
Dictation	Allows the device user to enter text by dictating. Values Allow (default) Disallow	iOS 10.3 and higher Supervised

Connectivity

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
USB Drive Access	Allow users to access any connected USB devices using the Files app.	iOS 13.1 and higher Supervised
Network Drive Access	Allow users to access any connected USB devices using the Files app.	iOS 13.1 and higher Supervised
USB Restricted Mode	Allow the device to always connect to USB accessories while locked.	iOS 11.4.1 and higher Supervised
NFC	Enables near-field communication (NFC) on the device. Values Allow (default) Disallow	iOS 14.2 and higher Supervised
Wi-Fi On	Set whether to allow users to turn off Wi-Fi from Settings or Control Center on their device. When this policy is set to Allow, users cannot turn off Wi-Fi, even by entering or leaving Airplane mode. This option does not prevent users from selecting a Wi-Fi network to use.	iOS 13.0 and higher Supervised
Connect Wi-Fi to Allowed Networks Only	Whether to restrict Wi-Fi connections to an allowlist of network SSIDs specified by the Wi-Fi policy group.	iOS 14.5 and higher Supervised
Personal Hotspot Modification	Allow users to modify the personal hotspot settings on their device, including but not limited to hotspot name and password.	iOS 12.2 and higher Supervised

Security

Configures the password settings.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Password policies	Set to apply the password policy when the screen is locked.	iOS 4.0 and higher User Enrollment
> Password strength	Set the password strength on the screen. None — Set the password with a four digit number. Numeric — Set the password using numbers Must be alphanumeric — Set the password using alphanumeric characters. Must include special characters — Set it so that the passwords must include alphanumeric and special characters.	iOS 4.0 and higher User Enrollment
> Maximum Failed Login Attempts	Set the maximum number of incorrect password attempts before resetting the device to its factory settings. The value can be between 0 - 10 times.	iOS 4.0 and higher User Enrollment
> Minimum length	Set the minimum length of the password. The value can be between 0 - 16 characters.	iOS 4.0 and higher User Enrollment
> Expiration after (days)	Set the maximum number of days before the password must be reset. The value can be between 0 - 730 days.	iOS 4.0 and higher User Enrollment
> Manage password history (times)	Set the minimum number of new passwords that must be used before a user can reuse the previous password. The value can be between 0 - 50 times.	iOS 4.0 and higher User Enrollment
> Screenlock time (min)	Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type. 1, 3, and 4 minute intervals are available with iPhone. 10 and 15 minute intervals are available with iPad.	iOS 4.0 and higher User Enrollment
> Screenlock grace period (min)	Set the time duration for device lock after turning off a device screen without entering the password. Select 0 to lock the device immediately.	iOS 4.0 and higher User Enrollment
Passcode modification	Allows users to add, change, or remove the device passcode.	iOS 9.0 and higher Supervised
> Biometric ID Modification	Allows device users to change their Touch ID or Face ID authentication methods.	iOS 8.3 and higher Supervised
Screen Unlock with Biometric ID	Allows device users to use Touch ID or Face ID authentication methods to sign in to their device.	iOS 7.0 and higher User Enrollment
Password Proximity Requests	Allows requests to share passwords and other authentication from nearby devices using the AirDrop Passwords feature.	iOS 12.0 and higher Supervised
Password Autofill	Allows users to use the Password Autofill feature as well as the passwords saved in Safari or other apps on their device. When this policy is set to Disallow, the Automatic Strong Passwords policy is also disabled, and strong passwords are longer suggested to users. This option does not affect AutoFill for contact and credit card information in Safari.	iOS 12.0 and higher Supervised
Force Authentication before Password Autofill	Forces users to authenticate their login on the device before passwords or credit card information is auto-filled in Safari and other apps. When this policy is set to Disallow, users can toggle this feature on or off in Settings on their device. This option is only available on devices that support Face ID or Touch ID authentication.	iOS 11.0 and higher Supervised
Password Sharing	Allow users to share passwords with nearby devices using the Airdrop Passwords feature.	iOS 12.0 and higher Supervised
Auto Unlock	Enables auto unlock. iPhones running iOS 14.5 can't be unlocked by Apple Watches running watchOS 7.4. Values Allow (default) Disallow	iOS 14.5 and higher User Enrollment

App Restrictions

Allows using Gamer Center, iMessage, and YouTube, and also enables configuring options for application controls, such as installation and blocklist or allowlist.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
App installation	Allows the installation of apps. Apps can be installed through an EMM but not through iTunes.	iOS 4.0 and higher iOS 13 and higher Supervised
> Install Apps Using App Store	Allows using the App Store for app installation. Apps can be installed through an EMM but not through iTunes.	iOS 9.0 and higher Supervised
App uninstallation	Allows apps to be deleted.	iOS 4.2.1 and higher Supervised
Automatic App Download	Allow apps purchased from other devices to be automatically downloaded. This option does not affect the updates to existing apps.	iOS 9.0 and higher Supervised
iTunes Store	Allows using the iTunes Store.	iOS 4.0 and higher iOS 13 and higher Supervised
> Explicit content on music and podcasts	Allows the purchase of explicit content from the iTunes Store.	iOS 4.0 and higher iOS 13 and higher Supervised
> Require iTunes password for every purchase	Select to require the iTunes Store password for every purchase made in the iTunes Store.	iOS 6.0 and higher
Game Center	Allows using Game Center.	iOS 6.0 and higher Supervised
> Adding friends in Game Center	Allows adding friends in Game Center.	iOS 4.2.1 and higher iOS 13 and higher Supervised
> Multiplayer games	Allows multiplayer games in Game Center.	iOS 4.1 and higher Supervised
iBookstore	Allows iBookstore.	iOS 6.0 and higher Supervised
Inappropriate content download on iBookstore	Allows downloading unrated media content.	iOS 6.0 and higher
iMessage	Allows using the messaging application.	iOS 5 and higher Supervised
YouTube	Allows using YouTube.	iOS 5.1 and lower
Apple News	Enables the News app. Values Allow (default) Disallow	iOS 9 and higher Supervised
Apple Music Radio	Enables the Apple Music Radio service. Values Allow (default) Disallow	iOS 9.3 and higher Supervised
Apple Podcasts	Enables the Podcast app. Values Allow (default) Disallow	iOS 8 and higher Supervised
Find Friends	Enables the Find My Friends feature in the Find My app. Values Allow (default) Disallow	iOS 13 and higher Supervised
Find Friends Modification	Allows the user to turn on Find My Friends. Values Allow (default) Disallow	iOS 7 and higher Supervised
Find My Device	Enables the Find My Device feature in the Find My app. Values Allow (default) Disallow	iOS 13 and higher Supervised
In-app purchase	Allows in-app purchases.	iOS 4.0 and higher
App Block/Allowlist Settings	Set to control the app installation policies. Both the blocklist and allowlist policies can be applied at the same time. If this policy is set with no apps, then no other apps except for the Knox Manage agent are allowed to install and run on the device.	iOS 4.0 and higher iOS 9.3 and higher Supervised
> App installation blocklist	Add apps to prohibit their installation. Blocked apps are deleted even if they were previously installed. To add an app, click Add, and then select apps on the Select Application screen. To delete an app, click next to the added app. An app that was added on the Application installation allowlist can't be added to the blocklist.	iOS 4.0 and higher iOS 9.3 and higher Supervised
> App installation allowlist	Add apps to allow their installation. Any apps not on the allowlist are deleted, even if they are not on the blocklist. To add an app, click Add, and then select apps on the Select Application screen. To delete an app, click next to the added app. An app that was added on the Application installation blocklist can't be added to the allowlist.	iOS 4.0 and higher iOS 9.3 and higher Supervised
Autonomous single app mode	Set to use Autonomous Single App Mode, which enables applications to use Single App Mode on request. This policy grants a permission to perform the Application Lock function.	iOS 7.0 and higher Supervised
> List of apps allowing auto single app mode	Add applications to autonomously enable or disable Single App Mode. To add an application, click Add, and then select applications on the Select Application screen. To delete an application, click next to the added application.	iOS 7.0 and higher Supervised
To trust company app	Allows trusted Company applications. Company applications installed before the policy was set are still allowed to run.	iOS 9 and higher
App Clips	Allows the use of App Clips on the device.	iOS 14.0 and higher Supervised
System App Removal	Allows users to remove system apps from their device.	iOS 11.0 and higher
Managed Apps to Write Contacts to Unmanaged Contacts Accounts	Allows managed apps to save contact data to unmanaged apps and contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps.	iOS 12 and higher
Unmanaged Apps to Read Contacts from Managed Contacts Accounts	Allows unmanaged apps to read contact data stored in managed apps and managed contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps.	iOS 12 and higher

Phone

Configures the phone settings, such as video calling and voice dialing.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Modification of cellular data settings for each application	Allows modifying cellular data usage per application.	iOS 7.0 and higher Supervised
FaceTime	Allows video calling.	iOS 4.0 and higher iOS 13.0 and higher Supervised
Voice dialing	Allows video dialing.	iOS 4.0 and higher
Background fetch for roaming	Allows background fetch when roaming.	iOS 4.0 and higher
eSIM Modification	Allow users to modify the eSIM settings for their device.	iOS 12.1 and higher Supervised
Cellular Plan Modification	Allows the device user to change settings related to their cellular plan. Values Allow (default) Disallow	iOS 11 and higher Supervised

Allows the use of AirDrop and the transferring of data between managed applications and unmanaged applications.

Policy	Description	Supported system
Allow Open from Unmanaged to Managed Applications	Allows files in unmanaged apps and accounts to open in managed apps and accounts. Values Allow (default) Disallow	iOS 7 and higher User Enrollment
Allow Open from Managed to Unmanaged applications	Allows files in managed apps and accounts to open in unmanaged apps and accounts. Values Allow (default) Disallow	iOS 7 and higher User Enrollment
AirDrop	Allows the use of AirDrop.	iOS 7.0 and higher Supervised
Managed Pasteboard	Controls whether copying and pasting functionality respects the Allow Open From Unmanaged to Managed Apps and Allow Open From Managed to Unmanaged Apps policies. This policy helps secure the copying and pasting of content from managed to unmanaged apps. Values Allow Disallow (default)	iOS 15 and higher
Consider AirDrop not managed	Allows the sharing of managed documents when using AirDrop on the device.	iOS 9.0 and higher Supervised
AirPrint	Enables AirPrint. Values Allow Disallow	iOS 11 and higher Supervised
AirPrint Credentials Storage	Enables storing the username and password in the keychain for AirPrint. Only available if the AirPrint policy is set to Allow. Values Allow (default) Disallow	iOS 11 and higher Supervised
Force AirPrint Trusted TLS Requirement	Requires trusted certificates for AirPrint when printing over TLS protocol. Only available if the AirPrint policy is set to Allow. Values Use Do Not Use (default)	iOS 11 and higher Supervised
AirPrint iBeacon Discovery	Enables iBeacon discovery of AirPrint printers. Turning on discovery may expose the device to spurious AirPrint Bluetooth beacons that phish for network traffic. Only available if the AirPrint policy is set to Allow. Values Allow (default) Disallow	iOS 11 and higher Supervised

Browser

Allows using the Safari browser and configuring its settings.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Safari	Allows using Safari, the default iOS browser.	iOS 4.0 and higher iOS 13.0 and higher Supervised
Cookies	Set the cookies permission in Safari. Disallow — Disallows accepting cookies. Currently only connected websites are allowed — Allows accepting cookies from the currently connected sites. Only visited websites are allowed — Allows accepting cookies from the visited sites. Always — Always allows cookies.	iOS 4.0 and higher
JavaScript	Allows JavaScript in Safari.	iOS 4.0 and higher
Autofill	Allows auto-completion of information that you enter on websites in Safari.	iOS 4.0 and higher iOS 13.0 and higher Supervised
Block pop-ups	Allows blocking pop-ups in Safari.	iOS 4.0 and higher
Untrusted TLS certificate	Allows to accept untrusted TLS certificates.	iOS 5.0 and higher
Web forgery warning	Shows a warning message about potentially fraudulent websites. Forced use — Safari is forced to display a warning message. User selection — Users are allowed to select whether to use web forgery warning.	iOS 4.0 and higher User Enrollment

iCloud

Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Backup	Allows backing up the device data on iCloud.	iOS 5.0 and higher
Document synchronization	Allows synchronizing device documents on iCloud.	iOS 5.0 and higher iOS 13.0 and higher Supervised
Enterprise Book Backup	Enables the backup of books distributed by enterprises to iCloud. Values Allow (default) Disallow	iOS 8 and higher User Enrollment
Enterprise Books, Notes and Highlights Sync	Enables the syncing of metadata about enterprise books, such as notes and highlights, to iCloud. Values Allow (default) Disallow	iOS 8 and higher User Enrollment
iCloud Photo Library	Allows use of the iCloud Photo Library for uploading photos and videos on iCloud.	iOS 10 to 13
Photo stream	Allows using Photo Stream for storing personal photos on iCloud.	iOS 5.0 and higher
Photo sharing	Allows using Photo Sharing for sharing personal photos through iCloud.	iOS 6.0 and higher
Keychain synchronization	Allows synchronizing Keychain Synchronization on iCloud, which helps users to have consistent access to their user account, name, password, credit card number, email, contracts, schedule, and other user information on all their devices.	iOS 7.0 and higher
Managed app synchronization	Allows synchronizing managed applications installed by the Knox Manage server to save data on iCloud.	iOS 8.0 and higher User Enrollment
Handoff	Allows the use of Handoff, one of the Apple's Continuity features, to move and continue performing the same tasks seamlessly between devices through iCloud.	iOS 8.0 and higher

Media

Enables selecting a country to choose the level of media content, such as movies, TV shows, and applications.

For Shared iPad mode, all policies in this group are common.

Policy	Description	Supported system
Rating for each country	Select a country to set a rating level for media content, such as movies, TV shows, and applications, from the following list: United States/United Kingdom/New Zealand/Japan/Ireland/Germany/France/Canada/Australia.	iOS 4.0 and higher
> Movies	Set the maximum allowable movie rating.	iOS 4.0 and higher
> TV Shows	Set the maximum allowable TV show rating.	iOS 4.0 and higher
> Apps	Set the advertisement tracking restriction on the device.	iOS 4.0 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each Wi-Fi setting.
Description	Enter a description for each Wi-Fi setting.
Network name (SSID)	Enter the identifier of a wireless router to connect to. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Security Type	Specifies the access protocol used and whether certificates are required. Values WEP WPA/WPA2 WPA2/WPA3 WPA3 For all individuals Enterprise WEP Enterprise WPA/WPA2 Enterprise WPA2/WPA3 Enterprise WPA3 For all enterprises
> WEP	Set a password.
> WPA/WPA2
> WPA2/WPA3
> WPA3
> For all individuals
> Enterprise WEP	Configure the following items: Protocol: Permitted EAP Type — Select the EAP types to permit. You can select multiple types. EAP-FAST — Configure the EAP-FAST options. Enable the next options by clicking the previous one. A dynamic trust decision by the use — Select whether to use the option. Allow direct connection(Proxy URL) — Select whether to use the option. Authentication: One-time password for connection — Check to enable. Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Connector interworking — Choose a connector from the User information Connector. Trust: Root Certificate — Select a Root Certificate to use.
> Enterprise WPA/WPA2
> Enterprise WPA2/WPA3
> Enterprise WPA3
> For all enterprises
Disable MAC Randomization (iOS 14 and later)	Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability	Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name	Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name	Assign the name of the network provider shown on the device.
> Roaming Consortium OI	Add a Roaming Consortium organization ID to connect to.
> Network Access ID	Add an ID to authenticate network access.
> Hotspot Operator Code	Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC). For SK Telecom (a South Korean wireless telecom operator) devices, enter 45005.
Hidden Network	Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect (iOS 5 and later)	Check the check box to use an automatic Wi-Fi connection. This setting is for iOS 5 and higher.
Protocol	Specifies the permitted protocol for the Wi-Fi network. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Permitted EAP Type	Select more than one permitted protocol: TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM. If TTLS is checked, select an extra protocol from the Internal Authentication Protocol.
> EAP-FAST	Select PAC protocols to use from the following: Use PAC — Determines whether to use PAC. PAC Deployment — Check the Use PAC option to enable it. Anonymous PAC Deployment — Check PAC Deployment to enable it.
> A dynamic trust decision by use	Allows using a dynamic trust decision by the user protocol.
> Allow direct connection (Proxy URL)	Allows using the direct connection protocol.
Authentication	Specifics the authentication of the Wi-Fi users. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises
> One-time password for connection	Select to ask users to enter the password whenever Wi-Fi is connected. If checked, the Auto Connect setting is automatically disabled. If unchecked, the Auto Connect is automatically activated. This setting is for iOS 5 and higher.
> User information input method	Specifies the user information used and whether certificates are required. Select an input method as follows: Manual Input — Enter the user ID and Password for the Wi-Fi connection. Connector interworking — Choose a connector from the User information Connector. You can also click Lookup to open the reference items list and select an item from it when entering an ID for the Manual Input. The reference value is automatically entered.
> External ID	Assign an external ID for Manual Input. This setting is available when either TTLS, PEAP, or EAP-FAST is selected.
> User Certificate Type	Select the user certificate type: EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification ) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, register a certificate template for each network setting and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
Trust	Specifies the required certificates. This tab is enabled if the Security Type selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Trusted certificate name	Add the name of the Trusted certificate.
> Root Certificate	Select a Root Certificate.
Proxy	Select a proxy server settings method. This setting is for iOS 5 and higher.
> Manual	Configure the proxy server manually. Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server. User name — Enter the username for the proxy server. Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto	Configure the proxy server automatically. Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy	Configure QoS Marking to manage Wi-Fi network traffic. Values Use Do Not Use
> QoS Marking	Select to enable QoS Marking on the Wi-Fi network.
> Apple Audio & Video Calls	Select to manage Apple audio and video calls with QoS marking.
> Allowlisted Apps	Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.
Captive Bypass	Select to enable captive bypass for secure access to W-Fi. When enabled, authentication pages for public Wi-Fi networks are not automatically pushed to devices.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

For Shared iPad mode, all policies in this group apply through the user channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each Exchange setting.
Description	Enter a description for each Exchange setting.
Office365	Allows to configure the Exchange settings. This policy automatically populates the Exchange server address and the SSL option as Use.
User information input method	Select an input method for entering user information.
> Manual Input	Select to manually enter the device user's email address, account ID, password, and whether to override the password. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
> Connector interworking	Select to choose a connector from the User Information Connector list. All the connectors are listed in Advanced > System Integration > Directory Connector.
> User information	Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain	Enter a domain address for the Exchange server. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Override Previous Password (iOS 14 or later)	Overrides the device user's EAS password.
Host	Enter the host name of the email server.
SSL	Set to use SSL for email encryption. If Office 365 setting is used, the SSL option is automatically set to Use.
User certificate input method	Select an input method for entering certificate information.
Use OAuth	Check this box to use the OAuth authentication method. If the OAuth authentication method is set, device users are required to enter their password and re-authenticate in case of any policy changes.
> OAuth Sign URL	Enter the signed OAuth URL provided to you by your network administrator.
> OAuth Token URL	Enter the token OAuth URL provided to you by your network administrator.
> EMM Management Certificate	Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. User Certificate — Select a certificate to use from the User Certificate list.
> Connector interworking	Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing external CA	Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates. Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync Interval	Select the interval period to sync the past emails. The sync interval and synchronization are in accordance with the email application settings.
Do not move message to other accounts	Select to use the policy.
Available only on mail app	Select to use the policy.
Do not sync the recently used email address	Select to use the policy.
Activate S/MIME	Check to activate and configure S/MIME functions for email security.
> S/MIME signing certificate input method	Select EMM Management Certificate or Connector interworking. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.
> S/MIME Signing Certificate	Available only when EMM Management Certificate is selected. Choose the signing certificate according to the S/MIME signing certificate input method.
> S/MIME signing certificate Connector	Available only when Connector interworking is selected Choose the signing certificate connector according to the S/MIME signing certificate input method.
> S/MIME encryption certificate input method	Select EMM Management Certificate or Connector interworking. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
> S/MIME Encryption Certificate	Available only when EMM Management Certificate is selected. Choose the Encryption Certificate according to the S/MIME encryption certificate input method.
> S/MIME signing certificate Connector	Available only when Connector interworking is selected Choose the signing certificate connector according to the S/MIME signing certificate input method.
> S/MIME Enable Per Message Switch	Check the check box to enable S/MIME per message.
Control Calendar App	Toggles whether Exchange configures and syncs account data to the Calendar app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Contacts App	Toggles whether Exchange configures and syncs account data to the Contacts app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Mail App	Toggles whether Exchange configures and syncs account data to the Mail app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Note App	Toggles whether Exchange configures and syncs account data to the Note app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Reminder App	Toggles whether Exchange configures and syncs account data to the Reminder app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.

VPN

Configures Virtual Private Networks (VPNs) on iOS devices.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

You can configure the VPN settings to connect to a private network through a public network. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for the VPN setting.
Description	Enter a description for the VPN setting.
Connection Type	Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type. L2TP — Set the Shared Security and Send All Traffic options. PPTP — Set the Encryption Step and Send All Traffic options. IPSec (Cisco) — Enter the items depending on the selected device authentication type: If Device Authentication is set to certificate, set Domain/Host Pattern, and Action for it. Then, select a User certification input method and set to Include User PIN when a device is authenticated. If Device Authentication is set to Shared Security/Group Name, set Group Name and Shared Security options. Then, set to Use mixed authentication and Password Request when a device is connected with VPN. Cisco AnyConnect — Set the Group Name option. Juniper SSL — Set the Realm and Role options. SonicWALL Mobile Connect — Set the Login Group or Domain options. IKEv2 — For IKEv2, see Configuring VPN IKEv2 connection.
Server Address	Enter the IP address, host name, or URL of the VPN server that the device needs to access.
VPN Application Allocation	Select applications that are allowed to connect to a VPN automatically. Click Add and select applications. And then, click OK.
Safari Domain	Select URLs that are allowed to connect to a VPN automatically on Safari. Enter a domain address, and then Click .
VPN type for each app	Select a VPN type for each application. packet-tunnel — for app-layer tunneling app-proxy — for packet-layer tunneling
User Connection Authentication Type	Select an authentication type for user connection between Password and RSA SecurID.
User Information Input Method	Select an input method for entering user information. Manual Input — Enter the user ID and Password for VPN connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Connector interworking — Choose a connector from the User information Connector. All the connectors registered in Advanced > System Integration > Directory are listed in the User information Connector. User Information — Use the user information registered in Knox Manage to access VPN.
ID	Set an ID for the VPN settings. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
Password	Set a password for the VPN settings. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
User certificate input method	Select an input method for entering certificate information. EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose. User certificate — Select a certificate to use from the User Certificate list. Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user. User Information Connector — Select a connector to use from the User certificate Connector list. Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates. Issuing External CA — Select an external CA to use from the Issuing external CA list. User certificate input method appears only when certificate is selected in the user connection authentication type or in the device authentication.
Proxy Settings	Select the setting for the proxy server. Manual — Enter the proxy IP address and port number. Then, assign a user name and proxy authenticated user password. Auto — Enter the proxy server URL address.
Per-App VPN	Configure VPN settings for apps on a device. You can configure per-app VPN for connection types other than L2TP and PPTP. Values Use Do Not Use
> Safari Domain	Select URLs that are allowed to connect to a per-app VPN automatically on Safari.
> VPN Type for Each App	Select the VPN type to use for apps. Values packet-tunnel app-proxy
> Associated Domains	Add domains, through which network traffic is routed, for a per-app VPN.
> Excluded Domains	Add domains that are excluded from a per-app VPN.
> On-Demand Match App	Enable to automatically connect apps to VPN when they initiate a network connection. This applies for apps that use Per-App VPN. Values Use Do Not Use

Configuring VPN IKEv2 connection

If the connection type is set to IKEv2, you can configure the setting as follows:

Set the VPN auto connection settings.
- VPN auto connection (Only devices allowed by director) — Keeps VPN activated on the device.
- Allow users to deactivate auto connection — Allows users to deactivate auto connection on the device.
- Use the same tunnel for both cellular and Wi-Fi — Configure the VPN connection information to be used by both networks. To use different tunnels for configurations for cellular and Wi-Fi, click the Cellular and Wi-Fi tabs and enter the VPN connection information.
- If a profile has more than two VPN settings with VPN auto connection checked, the profile is not installed on the device.
Enter the following information:

Item	Description
Server address	Enter the IP address, host name, or URL of the VPN server.
Local identifier	Enter the value to identify the IKEv2 client in the following format: FQDN, UserFQDN, Address, and ASN1DN
Remote identifier	Enter the value in the following format: FQDN, UserFQDN, Address, and ASN1DN
System authentication	Select a VPN authentication method: Security sharing — Enter the security sharing password. Certificate — Select a user certificate input method. Then enter the common name of the server certificate issuer and the common name of the server certificate.
EAP activation	Determines if EAP is activated. If activated, select Certificate — Select a user certificate input method. Password — Enter the user ID and Password.
Dead Peer Detection speed	Set the interval for checking the usability of the VPN equipment. Check whether the resource should change or the content should be modified.
Encryption algorithm	Choose the Encryption algorithm. IKE SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES- 256 GCM Sub SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
Integrity algorithm	Choose the Integrity algorithm. IKE SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512 Sub SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
Diffie Hellman group	Select the group to be used for Diffie Hellman algorithm. IKE SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21 Sub SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
Time (min)	Enter the session expiration period. IKE SA — Between 10 and 14440. The default value is 14440. Sub SA — Between 10 and 14440. The default value is 14440.
Enable NAT keepalive while the device is in sleep mode	Enable NAT Keepalive and set the interval for Keepalive. This item is for iOS 10 to 13.
NAT keepalive interval	Set NAT KeepAlive intervals in seconds. The default value is 20 seconds. This item is for iOS 10 to 13.
Use IPv4/IPv6 internal subnet properties	Select to use the IPv4/IPv6 internal subnet attribute of IKEv2. This item is for iOS 10 to 13.
Disable portability and multi-homing	Select to deactivate portability and multi-homing (MOBIKE). This item is for iOS 10 to 13.
Disable redirect	Select to disable IKEv2 connection redirection. This item is for iOS 10 to 13.
Enable a perfect forward secrecy	Select to enable PFS (Perfect Forward Secrecy) This item is for iOS 10 to 13.
Voice mail box / AirPrint	Select the allowed traffic range when using Voicemails and AirPrint. Allow traffic to goes through tunnel/Allow traffic outside tunnel/Drop traffic
Captive web sheet traffic outside of VPN tunnel	Allows captive web sheet traffic outside the VPN tunnel.
Captive Network App bundle identifier	Enter the Captive Network App bundle identifier to allow and click to disallow this item.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each certificate setting.
Description	Enter a description for each certificate setting.
Certificate category	Select a certification category. CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list. User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.

Policy

Description

Configuration ID

Assign a unique ID for each certificate setting.

Description

Enter a description for each certificate setting.

Certificate category

Select a certification category.

CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.

SSO

Configures the SSO (Single Sign On) settings for one-click access to all applications.

For Shared iPad mode, all policies in this group apply through the user channel.

SSO (Single Sign On) service offers one-click access to all of the applications without additional authentication. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each SSO setting.
Description	Enter a description for each SSO setting.
Account Name	Enter the name that shows on the device.
Principal Name	Enter the principal name.
Realm	Enter a domain name that is able to use SSO. You must enter the name in upper case letters.
URL Prefixes	Enter a URL to be accessed with SSO. Click , enter a URL, and then Click .
App Identifier	Enter the bundle ID of an application that you can use through SSO. If there is no application added on the list, SSO can be used for all applications. Click , enter the bundle ID of an application, and then Click .

Cellular

Configure the cellular network settings and control how the device accesses the cellular network. If an APN was already set, the cellular configuration is not applied.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each cellular setting.
Description	Enter a description for each cellular setting.
AttachAPN	Configure the settings for an Attach APN. Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Authentication Method — Choose PAP or CHAP. Username — Enter the user name for user authentication. Password — Enter the password for user authentication.
APNs	Configure the setting for an APN. Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered. Authentication Method — Choose PAP or CHAP. Username — Enter the user name for user authentication. Password — Enter the password for user authentication. Proxy Server — Enter the IP address of a proxy server. Proxy Server Port — Enter the port number of a proxy server.

AirPrint

Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

You can add a printer to the AirPrint list on the device and configure devices and printers that exist on different networks conveniently. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy

Description

Configuration ID

Assign a unique ID for each setting.

Description

Enter a description for each setting.

AirPrint Printer List

Add printers that support AirPrint.

Click drop down , enter an IP address and a resource path, and then click add .

For the resource path, you can enter what's below:

printers/Canon_MG5300_series
printers/Xerox_Phaser_7600
ipp/print
Epson_IPP_Printer

Font

Allows the delivering of new fonts to devices.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each font setting.
Description	Enter a description for each font setting.
Font	Add a font to use on the device. Click Add and add a font.

Policy

Description

Configuration ID

Assign a unique ID for each font setting.

Description

Enter a description for each font setting.

Font

Add a font to use on the device.

Click Add and add a font.

WebClip

Configures the display of web shortcuts on an iOS device.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each web clip setting.
Description	Enter a description for each web clip setting.
Label	Enter a web clip name to be displayed on the device home screen.
URL	Enter a web clip URL address.
Removable	Check the check box to allow users to delete the web clip account settings.
Icon	Click Add, and then click Browse to select an icon that is displayed on the user's device home screen. Then click OK to add. The icon must be 59 x 60 px and in the PNG file format. A white square image is displayed if no icon is selected.
Full Screen	Opens the Web Clip as a web app without browser features—no navigation buttons, address bar, search bar, or bookmark features. This mode is similar to full-screen mode in a web browser.

Home Screen Layout

Configures the apps, web clips, and folders that can display on the home screen of a device.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each home screen setting.
Description	Enter a description for each home screen setting.
Dock	Select Apply to configure the dock area on the home screen.
App List	Add apps or web clips to the home screen layout.
> Add App	Search for and add the apps to display on the dock.
> Add WebClip App	Search for and add the web clips to display on the dock.
Page	Add apps, web clips, and folders on the page. You can create a maximum of 20 pages.
> Add App	Search for and add the apps to display on the page.
> Add WebClip App	Search for and add the web clips to display on the page.
> Add Folder & App	Create folders and specify the apps and web clips to display in the folder.

App Lock

Configures the functions of an application that is locked down on a supervised device.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each application lock setting.
Description	Enter a description for each application lock setting.
App Bundle ID	Enter the application bundle ID to identify applications.
Set Application	If the Application Block or Allow list Settings are set and an app lock setting is applied to one or more apps, the App Lock app is automatically added to the Allowlist.
Options	Check the box to configure the application lock options.
> Touch Screen	Allows device touchscreen mode.
> Screen Rotation	Enables using the landscape or portrait mode of the device screen.
> Volume Button	Enables adjusting the volume.
> Ringer Switch	Enables the easy on and off ringer mode through a ringer switch.
> Power Button	Allows turning the device on or off through the power button.
> Auto Lock	Enables automatically locking the device after a fixed amount of time through auto lock.
> VoiceOver	Turn on voice over for a screen-reading feature.
> Zoom In/Out	Turn on the zoom feature to configure easy zooming on the screen display.
> Invert Colors	Turn on color inversion to show colors on the device screen as their complementary colors.
> Assistive Touch	Allows virtual home button to perform multiple actions on the screen with a simple tab.
> Speak Selection	Turn on say optional item to select a text to be read aloud.
> Mono Audio	Turn on Mono Audio to play both audio channels in one ear using a headset.
User Enabled Options	Check the box to configure user enabled options.
> VoiceOver	Enables Voice over for the screen-reading feature.
> Voice Control	Allows the device to be controlled with Siri voice commands. When enabled, the device user cannot turn off voice control.
> Zoom In/Out	Allows for configuring the easy zoom in and out feature on the display.
> Invert Colors	Allows color inversion to display colors on the device screen as their complementary colors.
> Assistive Touch	Allows virtual home button to perform multiple actions on the screen with a simple tab.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each global HTTP proxy setting.
Description	Enter a description for each global HTTP proxy setting.
Proxy Type	Select and enter the corresponding items depending on the proxy type.
> Manual	Proxy Server and Port — Enter the IP address of a proxy server and the port number of the proxy server. Username — Enter the username for user authentication Password — Enter the password for user authentication.
> Auto	Proxy PAC URL — Enter the URL of the PAC file that defines the proxy configuration. Proxy PAC Fallback Allowed (iOS 7 or above) — Check the check box to allow a direct connection from the user device if the PAC connection fails.
Proxy Captive Login Allowed (iOS 7 or above)	Check the check box to allow the device to bypass the proxy server to display the login page for captive networks.

AirPlay

Configures the AirPlay settings to allow iOS devices to share content.

For Shared iPad mode, all policies in this group apply through the device channel.

Except the Allowlist (Supervised) policy, these policies are all compatible with User Enrollment.

These policies support devices with iOS 7 or above. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each AirPlay setting.
Description	Enter a description for each AirPlay setting.
Allowlist (Supervised)	Add an AirPlay device ID to the allowlist so that it is displayed on the user's device. Click , enter a device ID, and then Click .
Passwords	Add an AirPlay device password. Click , enter a device name and password, and then Click .

Web Content Filter

Configures the Web Content Filter payloads for the device, which control access to web pages.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description	Supported system
Configuration ID	Specifies a unique identifier for the payload. Values Enter an ID.	iOS 7 and higher Supervised
Description	Specifies the description of the payload. Values Enter a description.	iOS 7 and higher Supervised
Auto Filter Enabled	Enables auto-filtering of URLs. Values Selected — Enables the Permitted URLs policy. Deselected (default)	iOS 7 and higher Supervised
Permitted URLs	Specifies an allowlist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect. Values To add a URL, enter it and Click . To remove a URL, Click . URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.	iOS 7 and higher Supervised
Blocklisted URLs	Specifies a blocklist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect. Values To add a URL, enter it and Click . To remove a URL, Click . URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.	iOS 7 and higher Supervised
Allowlisted Bookmarks	Specifies a list of bookmarks on the device, and uses them to define an allowlist of URLs. If this policy is set, then the Permitted Bookmarks and Blocklisted URLs policies have no effect. Values To add a bookmark: Enter the following: URL — The path to the web page. Title — The name of the bookmark. Bookmark Path — The folder name for the bookmark. Click . To remove a bookmark, Click . URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.	iOS 7 and higher Supervised

Policy

Description

Supported system

Configuration ID

Specifies a unique identifier for the payload.

Values

Enter an ID.

iOS 7 and higher

Supervised

Description

Specifies the description of the payload.

Values

Enter a description.

iOS 7 and higher

Supervised

Auto Filter Enabled

Enables auto-filtering of URLs.

Values

Selected — Enables the Permitted URLs policy.
Deselected (default)

iOS 7 and higher

Supervised

Permitted URLs

Specifies an allowlist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and Click add . To remove a URL, Click delete .

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Blocklisted URLs

Specifies a blocklist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and Click add . To remove a URL, Click delete .

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Allowlisted Bookmarks

Specifies a list of bookmarks on the device, and uses them to define an allowlist of URLs. If this policy is set, then the Permitted Bookmarks and Blocklisted URLs policies have no effect.

Values

To add a bookmark:

Enter the following:
- URL — The path to the web page.
- Title — The name of the bookmark.
- Bookmark Path — The folder name for the bookmark.
Click .

To remove a bookmark, Click delete .

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Managed domains

Specifies URLs or subdomains to allow downloading content from these domains without any restrictions.

For Shared iPad mode, all policies in this group apply through the user channel.

Set managed domains and protect corporate data. You can control what apps can open documents downloaded from corporate domains using Safari. These policies support the devices with iOS 8 and higher in Supervised mode. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each setting.
Description	Enter a description for each setting.
Email domains	Add a domain to specify as a corporate domain for emails. Click , enter a URL, and then Click .
Web domains	Add a domain to specify a corporate domain for the web. Click , enter a URL, and then Click .

Network Usage Rules

Configures network usage rules to control which applications can access data or when the device is roaming.

For Shared iPad mode, all policies in this group apply through the device channel.

Configure network usage rules to allow data roaming and cellular data for applications. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy	Description
Configuration ID	Assign a unique ID for each setting.
Description	Enter a description for each setting.
Managed app Network Settings	Add an application and allow cellular data and data roaming. Click , add an application, set the data settings, and then Click .
SIM Network Settings (iOS 13 or later)	Enables Wi-Fi Assist based on the SIM card identifier (ICCID). You can add multiple SIMs as needed. Use Default System enables Wi-Fi Assist, letting OS switch to using cellular data when Wi-Fi signal strength is poor. Use Cellular Data forces cellular data use at all times. Supported on iOS 13 and higher devices.

Is this page helpful?

iOS policies

System

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Values

Connectivity

Values

Security

Values

App Restrictions

Values

Values

Values

Values

Values

Values

Phone

Values

Share

Values

Values

Values

Values

Values

Values

Values

Browser

iCloud

Values

Values

Media

Wi-Fi

Values

Values

Exchange

VPN

Values

Values

Values

Configuring VPN IKEv2 connection

Certificate

SSO

Cellular

AirPrint

Font

WebClip

Home Screen Layout

App Lock

Global HTTP Proxy

AirPlay

Web Content Filter

Values

Values

Values

Values

Values

Values

Managed domains

Network Usage Rules

On this page