Back to top

iOS policies

Last updated September 25th, 2024

This page describes the policies you can configure for iOS devices.

The availability of each policy varies depending on the OS version.

Some device settings apply exclusively to either the device or the user. For example, the Wi-Fi configuration applies to the entire device, while the single sign-on settings are specific to the user account. For shared iOS devices, enterprises often separate device and user settings into different Knox Manage profiles. A policy’s scope is determined by its policy channel, which can be:

  • Device channel — The policy applies to the entire device and to temporary sessions.
  • User channel — The policy applies to the user for the duration of their session. Each user can have different policies. Typically, Knox Manage profiles that use these policies are assigned to user groups rather than device groups.
  • Common — The policy can apply through either channel. In case of a collision, the policy value either combines or the last profile applied takes precedence.

System

Allows features such as camera, screen capture, and Siri.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Camera

Allows using the camera.

Exclusive policy.

iOS 4.0 and higher
Screen capture Allows use of the default screen capture function.

iOS 4.0 and higher

User Enrollment

Siri Allows using Siri. iOS 5.0 and higher
> Siri on lock screen Allows using Siri on the lock screen.

iOS 5.1 and higher

User Enrollment

> Web search result on Siri Allows showing the web search results on Siri.

iOS 7.0 and higher

Supervised

> Profanity filter on Siri

Select to use the Profanity filter on Siri.

  • Forced use — Users are forced to use the Profanity filter on Siri.
  • User selection — Users are allowed to select whether to use the Profanity filter on Siri.

iOS 11.0 and higher

Supervised

Force On-Device Only Dictation (Siri)

Disables cloud processing of the Siri dictation service, forcing it to compute on the device.

Values

  • Use
  • Do Not Use (default)

iOS 14.5 and higher

User Enrollment

Force On-Device Only Translation (Siri)

Disables cloud processing of the Siri translation service, forcing it to compute on the device.

Values

  • Use
  • Do Not Use (default)

iOS 15 and higher

User Enrollment

Submission of diagnosis and usage details

Allows submitting diagnostic results and usage information to the manufacturer.

Personally identifiable or sensitive information is data masked.

iOS 6.0 and higher

User Enrollment

Passbook on lock screen Allows using the Passbook on the lock screen. iOS 6.0 and higher
Control center on lock screen Allows using the Control center on the lock screen.

iOS 7.0 and higher

User Enrollment

Display notifications on lock screen Allows displaying the notifications on the lock screen.

iOS 7.0 and higher

User Enrollment

Display Today view on lock screen Allows displaying the Today view on the lock screen.

iOS 7.0 and higher

User Enrollment

Manual installation for profile Allows manual installation of the Apple Configuration Profile.

iOS 6.0 and higher

Supervised

Control editing account information Allows editing the account information.

iOS 7.0 and higher

Supervised

Automatic updates of certificate trust settings Allows automatic updates of the certificate trust settings. iOS 7.0 and higher
Delay OS Update Allow users to delay software updates on their device. If this policy is set to Apply, you can specify how long the software update is delayed. Users do not see a software update until the specified number of days after the software update release date have elapsed.

iOS 11.3 and higher

Supervised

Encryption for iTunes backup

Select to encrypt the iTunes backup.

  • Forced use — Users are forced to encrypt.
  • User selection — Users are allowed to select whether to encrypt iTunes data.

iOS 4.0 and higher

User Enrollment

iTunes pairing Allows iTunes connection with unauthorized PCs.

iOS 7.0 and higher

Supervised

Apple Watch pairing Allow users to pair their device with an Apple Watch. If the policy is set to Disallow, any currently paired Apple Watch is unpaired and the contents of the Watch are erased.

iOS 9.0 and higher

Supervised

Wrist Detection on an Apple Watch

If the device is paired with an Apple Watch, the watch is forced to use Wrist Detection. When enabled, the Apple Watch automatically locks when removed from the device user's wrist. The watch must then be unlocked with its passcode or by the paired device.

Values

  • Allow
  • Disallow (false)

iOS 8.2 and higher

User Enrollment

Limit Ad tracking

Select to use the Limit Ad tracking.

  • Forced use — Users are forced to use Limit Ad tracking.
  • User selection — Users are allowed to select whether to use Limit Ad tracking.
iOS 7.0 and higher
Apple Personalized Advertising

Enables profiled advertising on the device. When turned off, profiled advertising is limited, but not disabled entirely.

Values

  • Allow (default)
  • Disallow
iOS 14 and higher
Factory reset Allows a device to factory reset.

iOS 8.0 and higher

Supervised

Result of web search with Spotlight

Allows displaying the web search results from Spotlight search.

iOS 8.0 and higher
Block configuration Allows users to configure any restrictions on the menus by activating the block menu function. If the policy is prohibited, the users cannot configure the device using the block menu function.

iOS 8.0 and higher

Supervised

Change device name

Select to automatically change the device name to a mobile ID when updating the profile.

For this policy, you can send a device command to set the device name as the mobile ID.

iOS 9.0 and higher

Supervised

Bluetooth Modification Allows modifying Bluetooth settings on the device.

iOS 11.0 and higher

Supervised

Automatic Date and Time Force enable the Set Automatically feature for Date and Time Settings. If this policy is set to Allow, users cannot disable this feature on their device. The device's time zone is updated only when the device can determine its location using a cellular connection or Wi-Fi with the location service enabled.

iOS 12.0 and higher

Supervised

VPN Creation Allows users to create VPN configurations.

iOS 11.0 and higher

Supervised

Wallpaper Modification

Allows the device user to change the wallpaper.

Values

  • Allow (default)
  • Disallow

iOS 9 and higher

Supervised

Custom Wallpaper

Allows you to set a custom wallpaper on the device's home screen, lock screen, or both.

Values

  • Apply to lock screen (default)
  • Apply to the home screen
  • Apply to the home and lock screens

For devices running iOS 16 and higher or iPadOS 17 and higher, when you set a wallpaper for the first time, it is applied to both the lock screen and the home screen. After that, you can set wallpapers separately for each screen.

iOS 8 and higher

Supervised

Notification Modification

Allows the device user to change the notification settings.

Values

  • Allow (default)
  • Disallow

iOS 9.3 and higher

Supervised

New Device Proximity Setup

Disables the prompt to set up newly-detected nearby devices.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Unpaired External Boot to Recovery

Allows the device to be booted into recovery mode by another device that is unpaired.

Values

  • Allow
  • Disallow (default)

iOS 14.5 and higher

Supervised

Keyboard Shortcuts

Allows the device user to use key combinations and shortcuts.

Values

  • Allow (default)
  • Disallow

iOS 9 and higher

Supervised

Predictive Keyboard

Enables predictive text for the on-screen keyboard.

Values

  • Allow (default)
  • Disallow

iOS 8.1.3 and higher

Supervised

Auto Correction for Keyboard

Enables auto-correction for the on-screen keyboard.

Values

  • Allow (default)
  • Disallow

iOS 8.1.3 and higher

Supervised

Spell-check for keyboard

Enables automatic spell checking for the on-screen keyboard.

Values

  • Allow (default)
  • Disallow

iOS 8.1.3 and higher

Supervised

Definition Lookup for Keyboard

Allows the device user to look up the word definitions in the on-screen keyboard.

Values

  • Allow (default)
  • Disallow

iOS 8.1.3 and higher

Supervised

QuickPath Keyboard

Enables QuickPath typing.

Values

  • Allow (default)
  • Disallow

iOS 13 and higher

Supervised

Dictation

Allows the device user to enter text by dictating.

Values

  • Allow (default)
  • Disallow

iOS 10.3 and higher

Supervised

Rapid Security Response Installation

Allows the installation of Rapid Security Responses on the device.

Values

  • Allow
  • Disallow

iOS 16 and higher

Supervised

Rapid Security Response Removal

Allows uninstallation of Rapid Security Responses from the device.

Values

  • Allow
  • Disallow

iOS 16 and higher

Supervised

iPhone Widgets on Mac Devices

Allows access to iPhone widgets on a Mac that is signed in to iCloud with the same Apple ID.

Values

  • Allow
  • Disallow

iOS 17 and higher

Supervised

Connectivity

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
USB Drive Access Allow users to access any connected USB devices using the Files app.

iOS 13.1 and higher

Supervised

Network Drive Access Allow users to access any connected USB devices using the Files app.

iOS 13.1 and higher

Supervised

USB Restricted Mode Allow the device to always connect to USB accessories while locked.

iOS 11.4.1 and higher

Supervised

NFC

Enables near-field communication (NFC) on the device.

Values

  • Allow (default)
  • Disallow

iOS 14.2 and higher

Supervised

Wi-Fi On Set whether to allow users to turn off Wi-Fi from Settings or Control Center on their device. When this policy is set to Allow, users cannot turn off Wi-Fi, even by entering or leaving Airplane mode. This option does not prevent users from selecting a Wi-Fi network to use.

iOS 13.0 and higher

Supervised

Connect Wi-Fi to Allowed Networks Only Whether to restrict Wi-Fi connections to an allowlist of network SSIDs specified by the Wi-Fi policy group.

iOS 14.5 and higher

Supervised

Personal Hotspot Modification Allow users to modify the personal hotspot settings on their device, including but not limited to hotspot name and password.

iOS 12.2 and higher

Supervised

Security

Configures the password settings.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Password policies Set to apply the password policy when the screen is locked.

iOS 4.0 and higher

User Enrollment

> Password strength

Set the password strength on the screen.

  • None — Set the password with a four digit number.
  • Numeric — Set the password using numbers
  • Must be alphanumeric — Set the password using alphanumeric characters.
  • Must include special characters — Set it so that the passwords must include alphanumeric and special characters.

iOS 4.0 and higher

User Enrollment

> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before resetting the device to its factory settings.

The value can be between 0 - 10 times.

iOS 4.0 and higher

User Enrollment

> Minimum length

Set the minimum length of the password.

The value can be between 0 - 16 characters.

iOS 4.0 and higher

User Enrollment

> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 730 days.

iOS 4.0 and higher

User Enrollment

> Manage password history (times)

Set the minimum number of new passwords that must be used before a user can reuse the previous password.

The value can be between 0 - 50 times.

iOS 4.0 and higher

User Enrollment

> Screenlock time (min)

Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type.

1, 3, and 4 minute intervals are available with iPhone. 10 and 15 minute intervals are available with iPad.

iOS 4.0 and higher

User Enrollment

> Screenlock grace period (min)

Set the time duration for device lock after turning off a device screen without entering the password.

Select 0 to lock the device immediately.

iOS 4.0 and higher

User Enrollment

Passcode modification Allows users to add, change, or remove the device passcode.

iOS 9.0 and higher

Supervised

> Biometric ID Modification Allows device users to change their Touch ID or Face ID authentication methods.

iOS 8.3 and higher

Supervised

Screen Unlock with Biometric ID Allows device users to use Touch ID or Face ID authentication methods to sign in to their device.

iOS 7.0 and higher

User Enrollment

Password Proximity Requests Allows requests to share passwords and other authentication from nearby devices using the AirDrop Passwords feature.

iOS 12.0 and higher

Supervised

Password Autofill

Allows users to use the Password Autofill feature as well as the passwords saved in Safari or other apps on their device.

When this policy is set to Disallow, the Automatic Strong Passwords policy is also disabled, and strong passwords are longer suggested to users. This option does not affect AutoFill for contact and credit card information in Safari.

iOS 12.0 and higher

Supervised

Force Authentication before Password Autofill

Forces users to authenticate their login on the device before passwords or credit card information is auto-filled in Safari and other apps. When this policy is set to Disallow, users can toggle this feature on or off in Settings on their device.

This option is only available on devices that support Face ID or Touch ID authentication.

iOS 11.0 and higher

Supervised

Password Sharing Allow users to share passwords with nearby devices using the Airdrop Passwords feature.

iOS 12.0 and higher

Supervised

Auto Unlock

Enables auto unlock.

iPhones running iOS 14.5 can't be unlocked by Apple Watches running watchOS 7.4.

Values

  • Allow (default)
  • Disallow

iOS 14.5 and higher

User Enrollment

App Restrictions

Allows using Gamer Center, iMessage, and YouTube, and also enables configuring options for application controls, such as installation and blocklist or allowlist.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
App installation

Allows the installation of apps.

Apps can be installed through an EMM but not through iTunes.

iOS 4.0 and higher

iOS 13 and higher

Supervised

> Install Apps Using App Store

Allows using the App Store for app installation.

Apps can be installed through an EMM but not through iTunes.

iOS 9.0 and higher

Supervised

App uninstallation Allows apps to be deleted.

iOS 4.2.1 and higher

Supervised

Automatic App Download Allow apps purchased from other devices to be automatically downloaded. This option does not affect the updates to existing apps.

iOS 9.0 and higher

Supervised

iTunes Store Allows using the iTunes Store.

iOS 4.0 and higher

iOS 13 and higher

Supervised

> Explicit content on music and podcasts Allows the purchase of explicit content from the iTunes Store.

iOS 4.0 and higher

iOS 13 and higher

Supervised

> Require iTunes password for every purchase Select to require the iTunes Store password for every purchase made in the iTunes Store. iOS 6.0 and higher
Game Center Allows using Game Center.

iOS 6.0 and higher

Supervised

> Adding friends in Game Center Allows adding friends in Game Center.

iOS 4.2.1 and higher

iOS 13 and higher

Supervised

> Multiplayer games Allows multiplayer games in Game Center.

iOS 4.1 and higher

Supervised

iBookstore Allows iBookstore.

iOS 6.0 and higher

Supervised

Inappropriate content download on iBookstore Allows downloading unrated media content.

iOS 6.0 and higher

iMessage Allows using the messaging application.

iOS 5 and higher

Supervised

YouTube Allows using YouTube. iOS 5.1 and lower
Apple News

Enables the News app.

Values

  • Allow (default)
  • Disallow

iOS 9 and higher

Supervised

Apple Music Radio

Enables the Apple Music Radio service.

Values

  • Allow (default)
  • Disallow

iOS 9.3 and higher

Supervised

Apple Podcasts

Enables the Podcast app.

Values

  • Allow (default)
  • Disallow

iOS 8 and higher

Supervised

Find Friends

Enables the Find My Friends feature in the Find My app.

Values

  • Allow (default)
  • Disallow

iOS 13 and higher

Supervised

Find Friends Modification

Allows the user to turn on Find My Friends.

Values

  • Allow (default)
  • Disallow

iOS 7 and higher

Supervised

Find My Device

Enables the Find My Device feature in the Find My app.

Values

  • Allow (default)
  • Disallow

iOS 13 and higher

Supervised

In-app purchase Allows in-app purchases. iOS 4.0 and higher
App Block/Allowlist Settings

Set to control the app installation policies. Both the blocklist and allowlist policies can be applied at the same time.

If this policy is set with no apps, then no other apps except for the Knox Manage agent are allowed to install and run on the device.

iOS 4.0 and higher

iOS 9.3 and higher

Supervised

> App installation blocklist

Add apps to prohibit their installation. Blocked apps are deleted even if they were previously installed.

  • To add an app, click Add, and then select apps on the Select Application screen.
  • To delete an app, click deletenext to the added app.

An app that was added on the Application installation allowlist can't be added to the blocklist.

iOS 4.0 and higher

iOS 9.3 and higher

Supervised

> App installation allowlist

Add apps to allow their installation. Any apps not on the allowlist are deleted, even if they are not on the blocklist.

  • To add an app, click Add, and then select apps on the Select Application screen.
  • To delete an app, click delete next to the added app.

An app that was added on the Application installation blocklist can't be added to the allowlist.

iOS 4.0 and higher

iOS 9.3 and higher

Supervised

Autonomous single app mode Set to use Autonomous Single App Mode, which enables applications to use Single App Mode on request. This policy grants a permission to perform the Application Lock function.

iOS 7.0 and higher

Supervised

> List of apps allowing auto single app mode

Add applications to autonomously enable or disable Single App Mode.

  • To add an application, click Add, and then select applications on the Select Application screen.
  • To delete an application, click delete next to the added application.

iOS 7.0 and higher

Supervised

To trust company app Allows trusted Company applications. Company applications installed before the policy was set are still allowed to run. iOS 9 and higher
App Clips Allows the use of App Clips on the device.

iOS 14.0 and higher

Supervised

System App Removal Allows users to remove system apps from their device. iOS 11.0 and higher
Managed Apps to Write Contacts to Unmanaged Contacts Accounts Allows managed apps to save contact data to unmanaged apps and contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps. iOS 12 and higher
Unmanaged Apps to Read Contacts from Managed Contacts Accounts Allows unmanaged apps to read contact data stored in managed apps and managed contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps. iOS 12 and higher
Marketplace App Installation

Allows installation of apps from sources other than Apple's App Store.

This policy is available in European Union (EU) only.

Values

  • Allow
  • Disallow

iOS 17.4 and higher

Supervised

Phone

Configures the phone settings, such as video calling and voice dialing.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Modification of cellular data settings for each application Allows modifying cellular data usage per application.

iOS 7.0 and higher

Supervised

FaceTime Allows video calling.

iOS 4.0 and higher

iOS 13.0 and higher

Supervised

Voice dialing Allows video dialing. iOS 4.0 and higher
Live Voicemail

Allows the real-time transcription of voice messages.

This policy is available in USA and Canada only.

iOS 17.2 and higher

Supervised

Background fetch for roaming Allows background fetch when roaming. iOS 4.0 and higher
eSIM Modification Allow users to modify the eSIM settings for their device.

iOS 12.1 and higher

Supervised

Preservation of eSim on Erase

Preserves the eSIM on a device when it's reset and its content erased using the Erase All Content and Settings option in Settings > General > Reset.

You can't use this policy to preserve an eSIM, if the Find My feature is used to erase the device.

iOS 17.2 and higher

Supervised

Cellular Plan Modification

Allows the device user to change settings related to their cellular plan.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Share

Allows the use of AirDrop and the transferring of data between managed applications and unmanaged applications.

Policy Description Supported system
Allow Open from Unmanaged to Managed Applications

Allows files in unmanaged apps and accounts to open in managed apps and accounts.

Values

  • Allow (default)
  • Disallow

iOS 7 and higher

User Enrollment

Allow Open from Managed to Unmanaged applications

Allows files in managed apps and accounts to open in unmanaged apps and accounts.

Values

  • Allow (default)
  • Disallow

iOS 7 and higher

User Enrollment

AirDrop Allows the use of AirDrop.

iOS 7.0 and higher

Supervised

Managed Pasteboard

Controls whether copying and pasting functionality respects the Allow Open From Unmanaged to Managed Apps and Allow Open From Managed to Unmanaged Apps policies. This policy helps secure the copying and pasting of content from managed to unmanaged apps.

Values

  • Allow
  • Disallow (default)
iOS 15 and higher
Consider AirDrop not managed Allows the sharing of managed documents when using AirDrop on the device.

iOS 9.0 and higher

Supervised

AirPrint

Enables AirPrint.

Values

  • Allow
  • Disallow

iOS 11 and higher

Supervised

AirPrint Credentials Storage

Enables storing the username and password in the keychain for AirPrint. Only available if the AirPrint policy is set to Allow.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Force AirPrint Trusted TLS Requirement

Requires trusted certificates for AirPrint when printing over TLS protocol. Only available if the AirPrint policy is set to Allow.

Values

  • Use
  • Do Not Use (default)

iOS 11 and higher

Supervised

AirPrint iBeacon Discovery

Enables iBeacon discovery of AirPrint printers. Turning on discovery may expose the device to spurious AirPrint Bluetooth beacons that phish for network traffic. Only available if the AirPrint policy is set to Allow.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Browser

Allows using the Safari browser and configuring its settings.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Safari Allows using Safari, the default iOS browser.

iOS 4.0 and higher

iOS 13.0 and higher

Supervised

Cookies

Set the cookies permission in Safari.

  • Disallow — Disallows accepting cookies.
  • Currently only connected websites are allowed — Allows accepting cookies from the currently connected sites.
  • Only visited websites are allowed — Allows accepting cookies from the visited sites.
  • Always — Always allows cookies.
iOS 4.0 and higher
JavaScript Allows JavaScript in Safari. iOS 4.0 and higher
Autofill Allows auto-completion of information that you enter on websites in Safari.

iOS 4.0 and higher

iOS 13.0 and higher

Supervised

Block pop-ups Allows blocking pop-ups in Safari. iOS 4.0 and higher
Untrusted TLS certificate Allows to accept untrusted TLS certificates. iOS 5.0 and higher
Web forgery warning

Shows a warning message about potentially fraudulent websites.

  • Forced use — Safari is forced to display a warning message.
  • User selection — Users are allowed to select whether to use web forgery warning.

iOS 4.0 and higher

User Enrollment

iCloud

Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Backup Allows backing up the device data on iCloud. iOS 5.0 and higher
Document synchronization Allows synchronizing device documents on iCloud.

iOS 5.0 and higher

iOS 13.0 and higher

Supervised

Enterprise Book Backup

Enables the backup of books distributed by enterprises to iCloud.

Values

  • Allow (default)
  • Disallow

iOS 8 and higher

User Enrollment

Enterprise Books, Notes and Highlights Sync

Enables the syncing of metadata about enterprise books, such as notes and highlights, to iCloud.

Values

  • Allow (default)
  • Disallow

iOS 8 and higher

User Enrollment

iCloud Photo Library Allows use of the iCloud Photo Library for uploading photos and videos on iCloud. iOS 10 to 13
Photo stream Allows using Photo Stream for storing personal photos on iCloud. iOS 5.0 and higher
Photo sharing Allows using Photo Sharing for sharing personal photos through iCloud. iOS 6.0 and higher
Keychain synchronization Allows synchronizing Keychain Synchronization on iCloud, which helps users to have consistent access to their user account, name, password, credit card number, email, contracts, schedule, and other user information on all their devices. iOS 7.0 and higher
Managed app synchronization Allows synchronizing managed applications installed by the Knox Manage server to save data on iCloud.

iOS 8.0 and higher

User Enrollment

Handoff Allows the use of Handoff, one of the Apple's Continuity features, to move and continue performing the same tasks seamlessly between devices through iCloud. iOS 8.0 and higher

Media

Enables selecting a country to choose the level of media content, such as movies, TV shows, and applications.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Rating for each country

Select a country to set a rating level for media content, such as movies, TV shows, and applications, from the following list:

  • United States/United Kingdom/New Zealand/Japan/Ireland/Germany/France/Canada/Australia.
iOS 4.0 and higher
> Movies Set the maximum allowable movie rating. iOS 4.0 and higher
> TV Shows Set the maximum allowable TV show rating. iOS 4.0 and higher
> Apps Set the advertisement tracking restriction on the device. iOS 4.0 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Security Type

Specifies the access protocol used and whether certificates are required.

Values

  • WEP
  • WPA/WPA2
  • WPA2/WPA3
  • WPA3
  • For all individuals
  • Enterprise WEP
  • Enterprise WPA/WPA2
  • Enterprise WPA2/WPA3
  • Enterprise WPA3
  • For all enterprises
> WEP Set a password.
> WPA/WPA2
> WPA2/WPA3
> WPA3
> For all individuals
> Enterprise WEP

Configure the following items:

  • Protocol:

    • Permitted EAP Type — Select the EAP types to permit. You can select multiple types.
    • EAP-FAST — Configure the EAP-FAST options. Enable the next options by clicking the previous one.
    • A dynamic trust decision by the use — Select whether to use the option.
    • Allow direct connection(Proxy URL) — Select whether to use the option.
  • Authentication:

    • One-time password for connection — Check to enable.
    • Manual Input — Enter the user ID and Password for the Wi-Fi connection.
    • You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
    • Connector interworking — Choose a connector from the User information Connector.
  • Trust:

    • Root Certificate — Select a Root Certificate to use.
> Enterprise WPA/WPA2
> Enterprise WPA2/WPA3
> Enterprise WPA3
> For all enterprises
Disable MAC Randomization (iOS 14 and later) Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name Assign the name of the network provider shown on the device.
> Roaming Consortium OI Add a Roaming Consortium organization ID to connect to.
> Network Access ID Add an ID to authenticate network access.
> Hotspot Operator Code

Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).

For SK Telecom (a South Korean wireless telecom operator) devices, enter 45005.

Hidden Network Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect (iOS 5 and later)

Check the check box to use an automatic Wi-Fi connection.

This setting is for iOS 5 and higher.

Protocol

Specifies the permitted protocol for the Wi-Fi network.

This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.

> Permitted EAP Type

Select more than one permitted protocol: TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM.

If TTLS is checked, select an extra protocol from the Internal Authentication Protocol.

> EAP-FAST

Select PAC protocols to use from the following:

  • Use PAC — Determines whether to use PAC.
  • PAC Deployment — Check the Use PAC option to enable it.
  • Anonymous PAC Deployment — Check PAC Deployment to enable it.
> A dynamic trust decision by use Allows using a dynamic trust decision by the user protocol.
> Allow direct connection (Proxy URL) Allows using the direct connection protocol.
Authentication Specifics the authentication of the Wi-Fi users. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises
> One-time password for connection

Select to ask users to enter the password whenever Wi-Fi is connected.

  • If checked, the Auto Connect setting is automatically disabled.
  • If unchecked, the Auto Connect is automatically activated.

This setting is for iOS 5 and higher.

> User information input method

Specifies the user information used and whether certificates are required. Select an input method as follows:

  • Manual Input — Enter the user ID and Password for the Wi-Fi connection.
  • Connector interworking — Choose a connector from the User information Connector.

You can also click Lookup to open the reference items list and select an item from it when entering an ID for the Manual Input. The reference value is automatically entered.

> External ID

Assign an external ID for Manual Input.

This setting is available when either TTLS, PEAP, or EAP-FAST is selected.

> User Certificate Type

Select the user certificate type:

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification ) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

    Then, register a certificate template for each network setting and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Trust Specifies the required certificates. This tab is enabled if the Security Type selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Trusted certificate name Add the name of the Trusted certificate.
> Root Certificate Select a Root Certificate.
Proxy

Select a proxy server settings method.

This setting is for iOS 5 and higher.

> Manual

Configure the proxy server manually.

  • Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name — Enter the username for the proxy server.
  • Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto

Configure the proxy server automatically.

  • Proxy Server URL — Enter the URL of the proxy server.
QoS Marking Policy

Configure QoS Marking to manage Wi-Fi network traffic.

Values

  • Use
  • Do Not Use
> QoS Marking

Select to enable QoS Marking on the Wi-Fi network.

> Apple Audio & Video Calls

Select to manage Apple audio and video calls with QoS marking.

> Allowlisted Apps

Define an allowlist for apps that can use the Wi-Fi network. Click Add and select applications from the Select Application dialog.

Captive Bypass

Select to enable captive bypass for secure access to W-Fi.

When enabled, authentication pages for public Wi-Fi networks are not automatically pushed to devices.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

For Shared iPad mode, all policies in this group apply through the user channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each Exchange setting.
Description Enter a description for each Exchange setting.
Office365

Allows to configure the Exchange settings.

This policy automatically populates the Exchange server address and the SSL option as Use.

User information input method Select an input method for entering user information.
> Manual Input

Select to manually enter the device user's email address, account ID, password, and whether to override the password.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

All the connectors are listed in Advanced > System Integration > Directory Connector.

> User information Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain

Enter a domain address for the Exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Override Previous Password (iOS 14 or later) Overrides the device user's EAS password.
Host Enter the host name of the email server.
SSL

Set to use SSL for email encryption.

If Office 365 setting is used, the SSL option is automatically set to Use.

User certificate input method Select an input method for entering certificate information.
Use OAuth

Check this box to use the OAuth authentication method.

If the OAuth authentication method is set, device users are required to enter their password and re-authenticate in case of any policy changes.

> OAuth Sign URL Enter the signed OAuth URL provided to you by your network administrator.
> OAuth Token URL Enter the token OAuth URL provided to you by your network administrator.
> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User Certificate — Select a certificate to use from the User Certificate list.
> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

  • Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync Interval

Select the interval period to sync the past emails.

The sync interval and synchronization are in accordance with the email application settings.

Do not move message to other accounts Select to use the policy.
Available only on mail app Select to use the policy.
Do not sync the recently used email address Select to use the policy.
Activate S/MIME Check to activate and configure S/MIME functions for email security.
> S/MIME signing certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

    When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.
> S/MIME Signing Certificate

Available only when EMM Management Certificate is selected.

Choose the signing certificate according to the S/MIME signing certificate input method.

> S/MIME signing certificate Connector

Available only when Connector interworking is selected

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME encryption certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP.

    When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

> S/MIME Encryption Certificate

Available only when EMM Management Certificate is selected.

Choose the Encryption Certificate according to the S/MIME encryption certificate input method.

> S/MIME signing certificate Connector

Available only when Connector interworking is selected

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME Enable Per Message Switch Check the check box to enable S/MIME per message.
Control Calendar App Toggles whether Exchange configures and syncs account data to the Calendar app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Contacts App Toggles whether Exchange configures and syncs account data to the Contacts app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Mail App Toggles whether Exchange configures and syncs account data to the Mail app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Note App Toggles whether Exchange configures and syncs account data to the Note app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Reminder App Toggles whether Exchange configures and syncs account data to the Reminder app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.

VPN

Configures Virtual Private Networks (VPNs) on iOS devices.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

You can configure the VPN settings to connect to a private network through a public network. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for the VPN setting.
Description Enter a description for the VPN setting.
Connection Type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • L2TP — Set the Shared Security and Send All Traffic options.
  • PPTP — Set the Encryption Step and Send All Traffic options.
  • IPSec (Cisco) — Enter the items depending on the selected device authentication type:
    • If Device Authentication is set to certificate, set Domain/Host Pattern, and Action for it. Then, select a User certification input method and set to Include User PIN when a device is authenticated.
    • If Device Authentication is set to Shared Security/Group Name, set Group Name and Shared Security options. Then, set to Use mixed authentication and Password Request when a device is connected with VPN.
  • Cisco AnyConnect — Set the Group Name option.
  • Juniper SSL — Set the Realm and Role options.
  • Ivanti Secure Access (Pulse Secure) — Set the Realm and Role options.
  • F5 SSL
  • SonicWALL Mobile Connect — Set the Login Group or Domain options.
  • Aruba VIA
  • Check Point Mobile VPN
  • Open VPN
  • IKEv2 — For IKEv2, see Configuring VPN IKEv2 connection.
Server Address Enter the IP address, host name, or URL of the VPN server that the device needs to access.
VPN Application Allocation

Select applications that are allowed to connect to a VPN automatically.

Click Add and select applications. And then, click OK.

Safari Domain

Select URLs that are allowed to connect to a VPN automatically on Safari.

Enter a domain address, and then Click add.

VPN type for each app

Select a VPN type for each application.

  • packet-tunnel — for app-layer tunneling
  • app-proxy — for packet-layer tunneling
User Connection Authentication Type Select an authentication type for user connection between Password and RSA SecurID.
User Information Input Method

Select an input method for entering user information.

  • Manual Input — Enter the user ID and Password for VPN connection.

    You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

  • Connector interworking — Choose a connector from the User information Connector. All the connectors registered in Advanced > System Integration > Directory are listed in the User information Connector.
  • User Information — Use the user information registered in Knox Manage to access VPN.
ID

Set an ID for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Password

Set a password for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.

    All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

  • User certificate — Select a certificate to use from the User Certificate list.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Connect to AD/LDAP. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
  • User Information Connector — Select a connector to use from the User certificate Connector list.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.
  • Issuing External CA — Select an external CA to use from the Issuing external CA list.

User certificate input method appears only when certificate is selected in the user connection authentication type or in the device authentication.

Proxy Settings

Select the setting for the proxy server.

  • Manual — Enter the proxy IP address and port number. Then, assign a user name and proxy authenticated user password.
  • Auto — Enter the proxy server URL address.
Per-App VPN

Configure VPN settings for apps on a device. You can configure per-app VPN for connection types other than L2TP and PPTP.

Values

  • Use
  • Do Not Use
> Safari Domain

Select URLs that are allowed to connect to a per-app VPN automatically on Safari.

> VPN Type for Each App

Select the VPN type to use for apps.

Values

  • packet-tunnel
  • app-proxy
> Associated Domains

Add domains, through which network traffic is routed, for a per-app VPN.

> Excluded Domains

Add domains that are excluded from a per-app VPN.

> On-Demand Match App

Enable to automatically connect apps to VPN when they initiate a network connection. This applies for apps that use Per-App VPN.

Values

  • Use
  • Do Not Use

Configuring VPN IKEv2 connection

If the connection type is set to IKEv2, you can configure the setting as follows:

  1. Set the VPN auto connection settings.

    • VPN auto connection (Only devices allowed by director) — Keeps VPN activated on the device.
    • Allow users to deactivate auto connection — Allows users to deactivate auto connection on the device.
    • Use the same tunnel for both cellular and Wi-Fi — Configure the VPN connection information to be used by both networks. To use different tunnels for configurations for cellular and Wi-Fi, click the Cellular and Wi-Fi tabs and enter the VPN connection information.
    • If a profile has more than two VPN settings with VPN auto connection checked, the profile is not installed on the device.
  2. Enter the following information:

Item Description
Server address Enter the IP address, host name, or URL of the VPN server.
Local identifier

Enter the value to identify the IKEv2 client in the following format:

  • FQDN, UserFQDN, Address, and ASN1DN
Remote identifier

Enter the value in the following format:

  • FQDN, UserFQDN, Address, and ASN1DN
System authentication

Select a VPN authentication method:

  • Security sharing — Enter the security sharing password.
  • Certificate — Select a user certificate input method. Then enter the common name of the server certificate issuer and the common name of the server certificate.
EAP activation

Determines if EAP is activated. If activated, select

  • Certificate — Select a user certificate input method.
  • Password — Enter the user ID and Password.
Dead Peer Detection speed

Set the interval for checking the usability of the VPN equipment.

Check whether the resource should change or the content should be modified.

Encryption algorithm

Choose the Encryption algorithm.

  • IKE SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES- 256 GCM
  • Sub SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
Integrity algorithm

Choose the Integrity algorithm.

  • IKE SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
  • Sub SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
Diffie Hellman group

Select the group to be used for Diffie Hellman algorithm.

  • IKE SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
  • Sub SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
Time (min)

Enter the session expiration period.

  • IKE SA — Between 10 and 14440. The default value is 14440.
  • Sub SA — Between 10 and 14440. The default value is 14440.
Enable NAT keepalive while the device is in sleep mode

Enable NAT Keepalive and set the interval for Keepalive.

This item is for iOS 10 to 13.

NAT keepalive interval

Set NAT KeepAlive intervals in seconds. The default value is 20 seconds.

This item is for iOS 10 to 13.

Use IPv4/IPv6 internal subnet properties

Select to use the IPv4/IPv6 internal subnet attribute of IKEv2.

This item is for iOS 10 to 13.

Disable portability and multi-homing

Select to deactivate portability and multi-homing (MOBIKE).

This item is for iOS 10 to 13.

Disable redirect

Select to disable IKEv2 connection redirection.

This item is for iOS 10 to 13.

Enable a perfect forward secrecy

Select to enable PFS (Perfect Forward Secrecy)

This item is for iOS 10 to 13.

Voice mail box / AirPrint

Select the allowed traffic range when using Voicemails and AirPrint.

  • Allow traffic to goes through tunnel/Allow traffic outside tunnel/Drop traffic
Captive web sheet traffic outside of VPN tunnel Allows captive web sheet traffic outside the VPN tunnel.
Captive Network App bundle identifier Enter the Captive Network App bundle identifier to allow and click to disallow this item.

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Certificate category

Select a certification category.

  • CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.

SSO

Configures the SSO (Single Sign On) settings for one-click access to all applications.

For Shared iPad mode, all policies in this group apply through the user channel.

SSO (Single Sign On) service offers one-click access to all of the applications without additional authentication. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each SSO setting.
Description Enter a description for each SSO setting.
Account Name Enter the name that shows on the device.
Principal Name Enter the principal name.
Realm Enter a domain name that is able to use SSO. You must enter the name in upper case letters.
URL Prefixes

Enter a URL to be accessed with SSO.

Click drop down, enter a URL, and then Click add.

App Identifier

Enter the bundle ID of an application that you can use through SSO. If there is no application added on the list, SSO can be used for all applications.

Click drop down, enter the bundle ID of an application, and then Click add.

Cellular

Configure the cellular network settings and control how the device accesses the cellular network. If an APN was already set, the cellular configuration is not applied.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each cellular setting.
Description Enter a description for each cellular setting.
AttachAPN

Configure the settings for an Attach APN.

  • Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Authentication Method — Choose PAP or CHAP.
  • Username — Enter the user name for user authentication.
  • Password — Enter the password for user authentication.
APNs

Configure the setting for an APN.

  • Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Authentication Method — Choose PAP or CHAP.
  • Username — Enter the user name for user authentication.
  • Password — Enter the password for user authentication.
  • Proxy Server — Enter the IP address of a proxy server.
  • Proxy Server Port — Enter the port number of a proxy server.

AirPrint

Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

You can add a printer to the AirPrint list on the device and configure devices and printers that exist on different networks conveniently. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
AirPrint Printer List

Add printers that support AirPrint.

Click drop down, enter an IP address and a resource path, and then click add.

For the resource path, you can enter what's below:

  • printers/Canon_MG5300_series
  • printers/Xerox_Phaser_7600
  • ipp/print
  • Epson_IPP_Printer

Font

Allows the delivering of new fonts to devices.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each font setting.
Description Enter a description for each font setting.
Font

Add a font to use on the device.

Click Add and add a font.

WebClip

Configures the display of web shortcuts on an iOS device.

These policies are compatible with User Enrollment.

Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each web clip setting.
Description Enter a description for each web clip setting.
Label Enter a web clip name to be displayed on the device home screen.
URL Enter a web clip URL address.
Removable Check the check box to allow users to delete the web clip account settings.
Icon

Click Add, and then click Browse to select an icon that is displayed on the user's device home screen. Then click OK to add.

  • The icon must be 59 x 60 px and in the PNG file format.
  • A white square image is displayed if no icon is selected.
Full Screen Opens the Web Clip as a web app without browser features—no navigation buttons, address bar, search bar, or bookmark features. This mode is similar to full-screen mode in a web browser.

Home Screen Layout

Configures the apps, web clips, and folders that can display on the home screen of a supervised device.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each home screen setting.
Description Enter a description for each home screen setting.
Dock Select Apply to configure the dock area on the home screen.
App List Add apps or web clips to the home screen layout.
> Add App Search for and add the apps to display on the dock.
> Add WebClip App Search for and add the web clips to display on the dock.
Page Add apps, web clips, and folders on the page. You can create a maximum of 20 pages.
> Add App Search for and add the apps to display on the page.
> Add WebClip App Search for and add the web clips to display on the page.
> Add Folder & App Create folders and specify the apps and web clips to display in the folder.

App Lock

Configures the functions of an application that is locked down on a supervised device.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each application lock setting.
Description Enter a description for each application lock setting.
App Bundle ID Enter the application bundle ID to identify applications.
Set Application The App Lock settings only apply when the selected apps have been installed on the device in advance.
Options Check the box to configure the application lock options.
> Touch Screen Allows device touchscreen mode.
> Screen Rotation Enables using the landscape or portrait mode of the device screen.
> Volume Button Enables adjusting the volume.
> Ringer Switch Enables the easy on and off ringer mode through a ringer switch.
> Power Button Allows turning the device on or off through the power button.
> Auto Lock Enables automatically locking the device after a fixed amount of time through auto lock.
> VoiceOver Turn on voice over for a screen-reading feature.
> Zoom In/Out Turn on the zoom feature to configure easy zooming on the screen display.
> Invert Colors Turn on color inversion to show colors on the device screen as their complementary colors.
> Assistive Touch Allows virtual home button to perform multiple actions on the screen with a simple tab.
> Speak Selection Turn on say optional item to select a text to be read aloud.
> Mono Audio Turn on Mono Audio to play both audio channels in one ear using a headset.
User Enabled Options Check the box to configure user enabled options.
> VoiceOver Enables Voice over for the screen-reading feature.
> Voice Control Allows the device to be controlled with Siri voice commands. When enabled, the device user cannot turn off voice control.
> Zoom In/Out Allows for configuring the easy zoom in and out feature on the display.
> Invert Colors Allows color inversion to display colors on the device screen as their complementary colors.
> Assistive Touch Allows virtual home button to perform multiple actions on the screen with a simple tab.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each global HTTP proxy setting.
Description Enter a description for each global HTTP proxy setting.
Proxy Type Select and enter the corresponding items depending on the proxy type.
> Manual
  • Proxy Server and Port — Enter the IP address of a proxy server and the port number of the proxy server.
  • Username — Enter the username for user authentication
  • Password — Enter the password for user authentication.
> Auto
  • Proxy PAC URL — Enter the URL of the PAC file that defines the proxy configuration.
  • Proxy PAC Fallback Allowed (iOS 7 or above) — Check the check box to allow a direct connection from the user device if the PAC connection fails.
Proxy Captive Login Allowed (iOS 7 or above) Check the check box to allow the device to bypass the proxy server to display the login page for captive networks.

AirPlay

Configures the AirPlay settings to allow iOS devices to share content.

For Shared iPad mode, all policies in this group apply through the device channel.

Except the Allowlist (Supervised) policy, these policies are all compatible with User Enrollment.

These policies support devices with iOS 7 or above. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each AirPlay setting.
Description Enter a description for each AirPlay setting.
Allowlist (Supervised)

Add an AirPlay device ID to the allowlist so that it is displayed on the user's device.

Click drop down, enter a device ID, and then Click add.

Passwords

Add an AirPlay device password.

Click drop down, enter a device name and password, and then Click add.

Web Content Filter

Configures the Web Content Filter payloads for the device, which control access to web pages.

For Shared iPad mode, all policies in this group apply through the device channel.

Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description Supported system
Configuration ID

Specifies a unique identifier for the payload.

Values

Enter an ID.

iOS 7 and higher

Supervised

Description

Specifies the description of the payload.

Values

Enter a description.

iOS 7 and higher

Supervised

Auto Filter Enabled

Enables auto-filtering of URLs.

Values

  • Selected — Enables the Permitted URLs policy.
  • Deselected (default)

iOS 7 and higher

Supervised

Permitted URLs

Specifies an allowlist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and Click add. To remove a URL, Click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Blocklisted URLs

Specifies a blocklist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and Click add. To remove a URL, Click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Allowlisted Bookmarks

Specifies a list of bookmarks on the device, and uses them to define an allowlist of URLs. If this policy is set, then the Permitted Bookmarks and Blocklisted URLs policies have no effect.

Values

To add a bookmark:

  1. Enter the following:
    • URL — The path to the web page.
    • Title — The name of the bookmark.
    • Bookmark Path — The folder name for the bookmark.
  2. Click add.

To remove a bookmark, Click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Managed domains

Specifies URLs or subdomains to allow downloading content from these domains without any restrictions.

For Shared iPad mode, all policies in this group apply through the user channel.

Set managed domains and protect corporate data. You can control what apps can open documents downloaded from corporate domains using Safari. These policies support the devices with iOS 8 and higher in Supervised mode. Click add to add a configuration.

You can add or edit only one configuration when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
Email domains

Add a domain to specify as a corporate domain for emails.

Click drop down, enter a URL, and then Click add.

Web domains

Add a domain to specify a corporate domain for the web.

Click drop down, enter a URL, and then Click add.

Network Usage Rules

Configures network usage rules to control which applications can access data or when the device is roaming.

For Shared iPad mode, all policies in this group apply through the device channel.

Configure network usage rules to allow data roaming and cellular data for applications. Click add to add a configuration.

You can add or edit up to 20 configurations when you save the profile.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
Managed app Network Settings

Add an application and allow cellular data and data roaming.

Click drop down, add an application, set the data settings, and then Click add.

SIM Network Settings (iOS 13 or later) Enables Wi-Fi Assist based on the SIM card identifier (ICCID). You can add multiple SIMs as needed. Use Default System enables Wi-Fi Assist, letting OS switch to using cellular data when Wi-Fi signal strength is poor. Use Cellular Data forces cellular data use at all times. Supported on iOS 13 and higher devices.

Is this page helpful?