
iOS policies

This section describes the policies you can configure for iOS devices.

The availability of each policy varies depending on the OS version.

Some device settings apply exclusively to either the device or the user. For example, the Wi-Fi configuration applies to the entire device, while the single sign-on settings are specific to the user account. For shared iOS devices, enterprises often separate device and user settings into different KM profiles. A policy's scope is determined by its policy channel, which can be:

  • Device channel — The policy applies to the entire device and to temporary sessions.
  • User channel — The policy applies to the user for the duration of their session. Each user can have different policies. Typically, KM profiles that use these policies are assigned to user groups rather than device groups.
  • Common — The policy can apply through either channel. If the same policy is set through both channels, the values are either combined or the profile applied last takes precedence.

System

Controls device features such as the camera, screen capture, and Siri.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Camera

Allows using the camera.

Exclusive policy.

iOS 4.0 and higher
Screen capture Allows use of the default screen capture function. iOS 4.0 and higher
Siri Allows using Siri. iOS 5.0 and higher
> Siri on lock screen Allows using Siri on the lock screen. iOS 5.1 and higher
> Web search result on Siri Allows showing the web search results on Siri.

iOS 7.0 and higher

Supervised

> Profanity filter on Siri

Select to use the Profanity filter on Siri.

  • Forced use — Users are forced to use the Profanity filter on Siri.
  • User selection — Users are allowed to select whether to use the Profanity filter on Siri.

iOS 11.0 and higher

Supervised

Force On-Device Only Dictation (Siri)

Disables cloud processing of the Siri dictation service, forcing it to compute on the device.

Values

  • Use
  • Do Not Use (default)
iOS 14.5 and higher
Force On-Device Only Translation (Siri)

Disables cloud processing of the Siri translation service, forcing it to compute on the device.

Values

  • Use
  • Do Not Use (default)
iOS 15 and higher
Submission of diagnosis and usage details

Allows submitting diagnostic results and usage information to the manufacturer.

NOTE — Personally identifiable or sensitive information is masked in the submitted data.
iOS 6.0 and higher
Passbook on lock screen Allows using the Passbook on the lock screen. iOS 6.0 and higher
Control center on lock screen Allows using the Control center on the lock screen. iOS 7.0 and higher
Display notifications on lock screen Allows displaying the notifications on the lock screen. iOS 7.0 and higher
Display Today view on lock screen Allows displaying the Today view on the lock screen. iOS 7.0 and higher
Manual installation for profile Allows manual installation of the Apple Configuration Profile.

iOS 6.0 and higher

Supervised

Control editing account information Allows editing the account information.

iOS 7.0 and higher

Supervised

Automatic updates of certificate trust settings Allows automatic updates of the certificate trust settings. iOS 7.0 and higher
Delay OS Update Delays software updates on the device. If this policy is set to Apply, you can specify how long the software update is delayed. Users do not see a software update until the specified number of days after its release date have elapsed.

iOS 11.3 and higher

Supervised

Encryption for iTunes backup

Select to encrypt the iTunes backup.

  • Forced use — Users are forced to encrypt.
  • User selection — Users are allowed to select whether to encrypt iTunes data.
iOS 4.0 and higher
iTunes pairing Allows host pairing with computers other than the supervising host. Set to Disallow so that an unauthorized computer cannot pair with the device and access its data.

iOS 7.0 and higher

Supervised

Apple Watch pairing Allow users to pair their device with an Apple Watch. If the policy is set to Disallow, any currently paired Apple Watch is unpaired and the contents of the Watch are erased.

iOS 9.0 and higher

Supervised

Wrist Detection on an Apple Watch

If the device is paired with an Apple Watch, the watch is forced to use Wrist Detection. When enabled, the Apple Watch automatically locks when removed from the device user's wrist. The watch must then be unlocked with its passcode or by the paired device.

Values

  • Allow
  • Disallow
iOS 8.2 and higher
Limit Ad tracking

Select to use the Limit Ad tracking.

  • Forced use — Users are forced to use Limit Ad tracking.
  • User selection — Users are allowed to select whether to use Limit Ad tracking.
iOS 7.0 and higher
Apple Personalized Advertising

Allows personalized (profiled) advertising on the device. When set to Disallow, personalized advertising is limited but not disabled entirely.

Values

  • Allow (default)
  • Disallow
iOS 14 and higher
Factory reset Allows the user to erase all content and settings (factory reset) on the device.

iOS 8.0 and higher

Supervised

Result of web search with Spotlight

Allows displaying the web search results from Spotlight search.

iOS 8.0 and higher
Block configuration Allows users to enable and configure restrictions themselves from the device's Restrictions menu. If the policy is disallowed, users cannot configure the device through that menu.

iOS 8.0 and higher

Supervised

Change device name

Select to automatically change the device name to a mobile ID when updating the profile.

For this policy, you can send a device command to set the device name as the mobile ID.

iOS 9.0 and higher

Supervised

Bluetooth Modification Allows modifying Bluetooth settings on the device.

iOS 11.0 and higher

Supervised

Automatic Date and Time Forces the Set Automatically option for Date and Time. If this policy is set to Allow, users cannot turn the option off on their device. The device's time zone is updated only when the device can determine its location through a cellular connection or Wi-Fi with Location Services enabled.

iOS 12.0 and higher

Supervised

VPN Creation Allows users to create VPN configurations.

iOS 11.0 and higher

Supervised

Wallpaper Modification

Allows the device user to change the wallpaper.

Values

  • Allow (default)
  • Disallow

iOS 9 and higher

Supervised

Notification Modification

Allows the device user to change the notification settings.

Values

  • Allow (default)
  • Disallow

iOS 9.3 and higher

Supervised

New Device Proximity Setup

Allows the prompt to set up newly detected nearby devices. Set to Disallow to suppress the prompt.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Unpaired External Boot to Recovery

Allows the device to be booted into recovery mode by another device that is unpaired.

Values

  • Allow
  • Disallow (default)

iOS 14.5 and higher

Supervised

Interface

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
USB Drive Access Allow users to access any connected USB devices using the Files app.

iOS 13.1 and higher

Supervised

Network Drive Access Allow users to access network drives using the Files app.

iOS 13.1 and higher

Supervised

USB Restricted Mode Allows USB Restricted Mode. When set to Disallow, the device can always connect to USB accessories while locked, so data access over USB is never cut off after the device has been locked for an hour.

iOS 11.4.1 and higher

Supervised

NFC

Enables near-field communication (NFC) on the device.

Values

  • Allow (default)
  • Disallow

iOS 14.2 and higher

Supervised

Wi-Fi On Forces Wi-Fi to stay on. When this policy is set to Allow, users cannot turn off Wi-Fi from Settings or Control Center, even by entering or leaving Airplane mode. This option does not prevent users from selecting which Wi-Fi network to use.

iOS 13.0 and higher

Supervised

Connect Wi-Fi to Allowed Networks Only Whether to restrict Wi-Fi connections to an allowlist of network SSIDs specified by the Wi-Fi policy group.

iOS 14.5 and higher

Supervised

Personal Hotspot Modification Allow users to modify the personal hotspot settings on their device, including but not limited to hotspot name and password.

iOS 12.2 and higher

Supervised

Security

Configures the password settings.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Password policies Set to apply a password policy for the lock screen.
> Password strength

Set the required password strength.

  • None — No complexity requirement is enforced; a simple four-digit numeric password is accepted.
  • Numeric — The password must be numeric.
  • Must be alphanumeric — The password must contain both letters and numbers.
  • Must include special characters — The password must contain letters, numbers, and special characters.
iOS 4.0 and higher
> Maximum Failed Login Attempts

Set the maximum number of incorrect password attempts before resetting the device to its factory settings.

The value can be between 0 - 10 times.

iOS 4.0 and higher
> Minimum length

Set the minimum length of the password.

The value can be between 0 - 16 characters.

iOS 4.0 and higher
> Expiration after (days)

Set the maximum number of days before the password must be reset.

The value can be between 0 - 730 days.

iOS 4.0 and higher
> Manage password history (times)

Set the minimum number of new passwords that must be used before a user can reuse the previous password.

The value can be between 0 - 50 times.

iOS 4.0 and higher
> Screenlock time (min)

Set the maximum inactive time before the screen of the device is locked. The maximum allowed time varies by device-type.

NOTE — 1, 3, and 4 minute intervals are available with iPhone. 10 and 15 minute intervals are available with iPad.
iOS 4.0 and higher
> Screenlock grace period (min)

Set how long after the screen turns off the device can still be unlocked without entering the password.

NOTE — Select 0 to lock the device immediately.
iOS 4.0 and higher
Passcode modification Allows users to add, change, or remove the device passcode.

iOS 9.0 and higher

Supervised

> Biometric ID Modification Allows device users to change their Touch ID or Face ID authentication methods.

iOS 8.3 and higher

Supervised

Screen Unlock with Biometric ID Allows device users to unlock their device with Touch ID or Face ID. iOS 7.0 and higher
Password Proximity Requests Allows the device to request passwords and other credentials from nearby devices using the AirDrop Passwords feature.

iOS 12.0 and higher

Supervised

Password Autofill

Allows users to use the Password Autofill feature as well as the passwords saved in Safari or other apps on their device.

NOTE — When this policy is set to Disallow, the Automatic Strong Passwords feature is also disabled, and strong passwords are no longer suggested to users. This option does not affect AutoFill for contact and credit card information in Safari.

iOS 12.0 and higher

Supervised

Force Authentication before Password Autofill

Forces users to authenticate their login on the device before passwords or credit card information is auto-filled in Safari and other apps. When this policy is set to Disallow, users can toggle this feature on or off in Settings on their device.

NOTE — This option is only available on devices that support Face ID or Touch ID authentication.

iOS 11.0 and higher

Supervised

Password Sharing Allows users to share passwords with nearby devices using the AirDrop Passwords feature.

iOS 12.0 and higher

Supervised

Auto Unlock

Allows Auto Unlock, which unlocks the iPhone with a paired Apple Watch.

NOTE — iPhones running iOS 14.5 can't be unlocked by Apple Watches running watchOS 7.4.

Values

  • Allow (default)
  • Disallow
iOS 14.5 and higher
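The password and restriction policies above become keys in the Apple configuration profile that Knox Manage pushes to the device. The script below is an added example, not part of this page and not Knox Manage code: it parses such a profile with Python's plistlib and reports every setting that falls short of a baseline, treating a restriction key that is absent from the profile as taking Apple's permissive default. The payload types and key names are Apple's standard Restrictions and Passcode payload keys; the baseline thresholds, the sample profile and the profile_from helper are assumptions chosen for illustration.

```python
"""Audit an iOS configuration profile against a restriction and passcode baseline.

Added example, not Knox Manage code. Key names are Apple's Restrictions
(com.apple.applicationaccess) and Passcode (com.apple.mobiledevice.passwordpolicy)
payload keys. Baseline values and the sample profile are assumptions.
"""
import plistlib

# Restriction baseline (assumed): key -> (required value, why it matters).
RESTRICTION_BASELINE = {
    "allowScreenShot": (False, "screen capture can exfiltrate managed content"),
    "forceEncryptedBackup": (True, "unencrypted iTunes/Finder backups expose device data"),
    "allowUntrustedTLSPrompt": (False, "users could accept an untrusted TLS certificate"),
    "allowHostPairing": (False, "pairing with arbitrary computers enables data extraction"),
    "allowPasswordProximityRequests": (False, "credentials could be requested by nearby devices"),
}

# Passcode baseline (assumed): key -> (predicate on the configured value, description).
# A value of None means the profile does not enforce the setting at all.
PASSCODE_BASELINE = {
    "minLength": (lambda v: v is not None and v >= 6, "minimum length of at least 6"),
    "requireAlphanumeric": (lambda v: v is True, "alphanumeric passcode required"),
    "maxFailedAttempts": (lambda v: v is not None and 1 <= v <= 10, "erase after at most 10 failed attempts"),
    "maxInactivity": (lambda v: v is not None and v <= 5, "auto-lock within 5 minutes"),
    "maxGracePeriod": (lambda v: v == 0, "passcode required immediately after lock"),
}


def profile_from(restrictions: dict, passcode: dict) -> bytes:
    """Build a minimal .mobileconfig (XML plist) carrying the two payloads (constructed input)."""
    content = []
    if restrictions:
        content.append({"PayloadType": "com.apple.applicationaccess", **restrictions})
    if passcode:
        content.append({"PayloadType": "com.apple.mobiledevice.passwordpolicy", **passcode})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})


def payloads_of_type(profile: dict, payload_type: str) -> list:
    """Every nested payload whose PayloadType matches."""
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def effective_restriction(payloads: list, key: str) -> bool:
    """Value in force on the device: the profile's value if present, otherwise Apple's
    default, which is permissive (allow* keys default to true, force* keys to false)."""
    for p in payloads:
        if key in p:
            return bool(p[key])
    return not key.startswith("force")


def audit_profile(profile_bytes: bytes) -> list:
    """Return one finding string per baseline check the profile fails."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    restrictions = payloads_of_type(profile, "com.apple.applicationaccess")
    for key, (want, why) in RESTRICTION_BASELINE.items():
        got = effective_restriction(restrictions, key)
        if got != want:
            findings.append(f"restriction {key}={got} (want {want}): {why}")
    merged = {}
    for p in payloads_of_type(profile, "com.apple.mobiledevice.passwordpolicy"):
        merged.update(p)
    for key, (ok, why) in PASSCODE_BASELINE.items():
        value = merged.get(key)
        if not ok(value):
            findings.append(f"passcode {key}={value}: {why}")
    return findings


# Constructed sample: a profile that sets only a few keys, most of them weakly,
# and omits allowHostPairing entirely (so the permissive default applies).
WEAK_PROFILE = profile_from(
    {"allowScreenShot": True, "forceEncryptedBackup": False,
     "allowUntrustedTLSPrompt": True, "allowPasswordProximityRequests": False},
    {"minLength": 4, "requireAlphanumeric": False, "maxFailedAttempts": 10,
     "maxInactivity": 15, "maxGracePeriod": 60},
)

if __name__ == "__main__":
    for finding in audit_profile(WEAK_PROFILE):
        print("FAIL", finding)
```

The check on absent keys is the part worth copying: a profile that simply never mentions allowHostPairing or forceEncryptedBackup leaves the device at Apple's default, which for both is the permissive value, so an audit that only inspects keys that are present will miss exactly the settings an administrator forgot.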

Application

Controls the use of Game Center, iMessage, and YouTube, and configures application controls such as installation and the blocklist or allowlist.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
App installation

Allows the installation of apps.

NOTE — Apps can be installed through an EMM but not through iTunes.

iOS 4.0 and higher; supervised only on iOS 13 and higher

> Install Apps Using App Store

Allows using the App Store for app installation.

NOTE — Apps can be installed through an EMM but not through iTunes.

iOS 9.0 and higher

Supervised

App uninstallation Allows apps to be deleted.

iOS 4.2.1 and higher

Supervised

Automatic App Download Allow apps purchased from other devices to be automatically downloaded. This option does not affect the updates to existing apps.

iOS 9.0 and higher

Supervised

iTunes Store Allows using the iTunes Store.

iOS 4.0 and higher; supervised only on iOS 13 and higher

> Explicit content on music and podcasts Allows the purchase of explicit content from the iTunes Store.

iOS 4.0 and higher; supervised only on iOS 13 and higher

> Require iTunes password for every purchase Select to require the iTunes Store password for every purchase made in the iTunes Store. iOS 6.0 and higher
Game Center Allows using Game Center.

iOS 6.0 and higher

Supervised

> Adding friends in Game Center Allows adding friends in Game Center.

iOS 4.2.1 and higher; supervised only on iOS 13 and higher

> Multiplayer games Allows multiplayer games in Game Center.

iOS 4.1 and higher

Supervised

iBookstore Allows using the iBookstore.

iOS 6.0 and higher

Supervised

Inappropriate content download on iBookstore Allows downloading unrated media content.

iOS 6.0 and higher

iMessage Allows using the messaging application.

iOS 5 and higher

Supervised

YouTube Allows using YouTube. iOS 5.1 and lower
Find friends Modification Allows modifying the Find My Friends settings.

iOS 7.0 and higher

Supervised

In-app purchase Allows in-app purchases. iOS 4.0 and higher
App Block/Allowlist Settings

Set to control the app installation policies. Both the blocklist and allowlist policies can be applied at the same time.

NOTE — If this policy is applied with no apps added, no apps other than the Knox Manage agent are allowed to install and run on the device.

iOS 4.0 and higher; supervised only on iOS 9.3 and higher

> App installation blocklist

Add apps to prohibit their installation. Blocked apps are deleted even if they were previously installed.

  • To add an app, click Add, and then select apps on the Select Application screen.
  • To delete an app, click delete next to the added app.
NOTE — An app that was added on the Application installation allowlist can't be added to the blocklist.

iOS 4.0 and higher; supervised only on iOS 9.3 and higher

> App installation allowlist

Add apps to allow their installation. Any apps not on the allowlist are deleted, even if they are not on the blocklist.

  • To add an app, click Add, and then select apps on the Select Application screen.
  • To delete an app, click delete next to the added app.
NOTE — An app that was added on the Application installation blocklist can't be added to the allowlist.

iOS 4.0 and higher; supervised only on iOS 9.3 and higher

Autonomous single app mode Set to use Autonomous Single App Mode, which enables applications to use Single App Mode on request. This policy grants a permission to perform the Application Lock function.

iOS 7.0 and higher

Supervised

> List of apps allowing auto single app mode

Add applications to autonomously enable or disable Single App Mode.

  • To add an application, click Add, and then select applications on the Select Application screen.
  • To delete an application, click delete next to the added application.

iOS 7.0 and higher

Supervised

To trust company app Allows users to trust enterprise (in-house) apps that are not from the App Store. Enterprise apps installed before the policy was set are still allowed to run. iOS 9 and higher
App Clips Allows the use of App Clips on the device.

iOS 14.0 and higher

Supervised

System App Removal Allows users to remove system apps from their device. iOS 11.0 and higher
Managed Apps to Write Contacts to Unmanaged Contacts Accounts Allows managed apps to save contact data to unmanaged apps and contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps. iOS 12 and higher
Unmanaged Apps to Read Contacts from Managed Contacts Accounts Allows unmanaged apps to read contact data stored in managed apps and managed contact accounts. By default, managed and unmanaged apps and accounts can't share contact data, so that sensitive or private contact information isn't exposed to potentially insecure apps. iOS 12 and higher

Phone

Configures the phone settings, such as video calling and voice dialing.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Modification of cellular data settings for each application Allows modifying cellular data usage per application.

iOS 7.0 and higher

Supervised

FaceTime Allows video calling.

iOS 4.0 and higher; supervised only on iOS 13.0 and higher

Voice dialing Allows voice dialing. iOS 4.0 and higher
Background fetch for roaming Allows background fetch when roaming. iOS 4.0 and higher
eSIM Modification Allow users to modify the eSIM settings for their device.

iOS 12.1 and higher

Supervised

Cellular Plan Modification

Allows the device user to change settings related to their cellular plan.

Values

  • Allow (default)
  • Disallow

iOS 11 and higher

Supervised

Share

Allows the use of AirDrop and the transferring of data between managed applications and unmanaged applications.

Policy Description Supported system
Allow Open from Unmanaged to Managed Applications

Allows files in unmanaged apps and accounts to open in managed apps and accounts.

Values

  • Allow (default)
  • Disallow
iOS 7 and higher
Allow Open from Managed to Unmanaged applications

Allows files in managed apps and accounts to open in unmanaged apps and accounts.

Values

  • Allow (default)
  • Disallow
iOS 7 and higher
AirDrop Allows the use of AirDrop.

iOS 7.0 and higher

Supervised

Managed Pasteboard

Controls whether copying and pasting functionality respects the Allow Open From Unmanaged to Managed Apps and Allow Open From Managed to Unmanaged Apps policies. This policy helps secure the copying and pasting of content from managed to unmanaged apps.

Values

  • Allow
  • Disallow (default)
iOS 15 and higher
Consider AirDrop not managed Treats AirDrop as an unmanaged destination. When enabled, managed documents can be shared over AirDrop only if the Allow Open from Managed to Unmanaged applications policy permits it.

iOS 9.0 and higher

Supervised

Browser

Allows using the Safari browser and configuring its settings.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Safari Allows using Safari, the default iOS browser.

iOS 4.0 and higher; supervised only on iOS 13.0 and higher

Cookies

Set the cookies permission in Safari.

  • Disallow — Never accept cookies.
  • Currently only connected websites are allowed — Accept cookies only from the website currently being visited, not from third parties.
  • Only visited websites are allowed — Accept cookies only from websites the user has visited.
  • Always — Always accept cookies.
iOS 4.0 and higher
JavaScript Allows JavaScript in Safari. iOS 4.0 and higher
Autofill Allows auto-completion of information that you enter on websites in Safari.

iOS 4.0 and higher; supervised only on iOS 13.0 and higher

Block pop-ups Allows blocking pop-ups in Safari. iOS 4.0 and higher
Untrusted TLS certificate Allows users to accept untrusted TLS certificates in Safari. When allowed, a user can click through a certificate warning and continue to a site whose certificate does not chain to a trusted root, which is what an interception attempt looks like, so set this to Disallow on managed devices. iOS 5.0 and higher
Web forgery warning

Shows a warning message about potentially fraudulent websites.

  • Forced use — Safari is forced to display a warning message.
  • User selection — Users are allowed to select whether to use web forgery warning.
iOS 4.0 and higher

iCloud

Configures the iCloud settings, such as backup, iCloud photo library, and photo sharing.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Backup Allows backing up the device data on iCloud. iOS 5.0 and higher
Document synchronization Allows synchronizing device documents on iCloud.

iOS 5.0 and higher; supervised only on iOS 13.0 and higher

iCloud Photo Library Allows use of the iCloud Photo Library for uploading photos and videos on iCloud. iOS 10 to 13
Photo stream Allows using Photo Stream for storing personal photos on iCloud. iOS 5.0 and higher
Photo sharing Allows using Photo Sharing for sharing personal photos through iCloud. iOS 6.0 and higher
Keychain synchronization Allows Keychain synchronization on iCloud, which gives users consistent access to their account names, passwords, credit card numbers, email, contacts, schedules, and other user information on all their devices. iOS 7.0 and higher
Managed app synchronization Allows synchronizing managed applications installed by the Knox Manage server to save data on iCloud. iOS 8.0 and higher
Handoff Allows the use of Handoff, one of the Apple's Continuity features, to move and continue performing the same tasks seamlessly between devices through iCloud. iOS 8.0 and higher

Media

Enables selecting a country to choose the level of media content, such as movies, TV shows, and applications.

For Shared iPad mode, all policies in this group are common.

Policy Description Supported system
Rating for each country

Select a country to set a rating level for media content, such as movies, TV shows, and applications, from the following list:

  • United States/United Kingdom/New Zealand/Japan/Ireland/Germany/France/Canada/Australia.
iOS 4.0 and higher
> Movies Set the maximum allowable movie rating. iOS 4.0 and higher
> TV Shows Set the maximum allowable TV show rating. iOS 4.0 and higher
> Apps Set the maximum allowable app rating. iOS 4.0 and higher

Wi-Fi

Configures Wi-Fi settings, such as SSID, security type, and proxy.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more Wi-Fi policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each Wi-Fi setting.
Description Enter a description for each Wi-Fi setting.
Network name (SSID)

Enter the identifier of a wireless router to connect to.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Security Type Specifies the access protocol used and whether certificates are required. Select one of the following security types.
> WEP Set a password.
> WPA/WPA2
> For all individuals (any personal security type)
> Enterprise WEP

Configure the following items:

  • Protocol:
    • Permitted EAP Type — Select the EAP types to permit. You can select multiple types.
    • EAP-FAST — Configure the EAP-FAST options. Each option becomes available when the previous one is checked.
    • A dynamic trust decision by the user — Select whether to use the option.
    • Allow direct connection (Proxy URL) — Select whether to use the option.
  • Authentication:
    • One-time password for connection — Check to enable.
    • Manual Input — Enter the user ID and Password for the Wi-Fi connection. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
    • Connector interworking — Choose a connector from the User information Connector.
  • Trust:
    • Root Certificate — Select a Root Certificate to use.
> Enterprise WPA/WPA2 Configure the same Protocol, Authentication, and Trust items as Enterprise WEP.
> For all enterprises (any enterprise security type) Configure the same Protocol, Authentication, and Trust items as Enterprise WEP.
MAC Randomization Randomizes the device's MAC address when connected to the Wi-Fi network.
Hotspot Availability Check to enable Hotspot usage and configure its settings. If this policy is enabled, the device is connected to Wi-Fi access points that support Hotspot 2.0.
> Hotspot Domain Name Assign an identifier to the Wi-Fi hotspot service displayed on a device.
> Operator Name Assign the name of the network provider shown on the device.
> Roaming Consortium OI Add a Roaming Consortium organization ID to connect to.
> Network Access ID Add an ID to authenticate network access.
> Hotspot Operator Code

Add both the Mobile Country Code (MCC) and the Mobile Network Code (MNC).

NOTE — For SK Telecom (a South Korean wireless telecom operator) devices, enter 45005.
Hidden Network Check the check box to hide the network from the list of available networks on the device. The SSID does not broadcast.
Auto Connect (iOS 5 and above)

Check the check box to use an automatic Wi-Fi connection.

NOTE — This setting is for iOS 5 and higher.
Protocol

Specifies the permitted protocol for the Wi-Fi network.

NOTE — This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Permitted EAP Type

Select one or more permitted EAP types: TLS, LEAP, EAP-FAST, TTLS, PEAP, and EAP-SIM. LEAP is a legacy method whose challenge/response exchange can be cracked offline from captured traffic; leave it unselected unless a legacy network requires it.

NOTE — If TTLS is checked, select an extra protocol from the Internal Authentication Protocol.
> EAP-FAST

Configure the Protected Access Credential (PAC) options. Each option becomes available when the previous one is checked:

  • Use PAC — Determines whether to use a PAC.
  • PAC Deployment — Allows the PAC to be provisioned over the air. Check Use PAC to enable this option.
  • Anonymous PAC Deployment — Allows the PAC to be provisioned without authenticating the server. Check PAC Deployment to enable this option. With anonymous provisioning the device accepts a PAC from any access point, so avoid it where certificates can be deployed instead.
> A dynamic trust decision by user Allows the user to accept a server certificate that is not trusted through the configured Root Certificate (a dynamic trust decision). Leaving this enabled lets a user join a rogue access point that presents its own certificate, so disable it when a Root Certificate is configured.
> Allow direct connection (Proxy URL) Allows the device to connect directly to the destination when the proxy (PAC) URL is unreachable.
Authentication Specifies the authentication of the Wi-Fi users. This tab is enabled if the Security Type is selected as Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> One-time password for connection

Select to ask users to enter the password whenever Wi-Fi is connected.

  • If checked, the Auto Connect setting is automatically disabled.
  • If unchecked, the Auto Connect is automatically activated.
NOTE — This setting is for iOS 5 and higher.
> User information input method

Specifies the user information used and whether certificates are required. Select an input method as follows:

  • Manual Input — Enter the user ID and Password for the Wi-Fi connection.
  • Connector interworking — Choose a connector from the User information Connector.

You can also click Lookup to open the reference items list and select an item from it when entering an ID for the Manual Input. The reference value is automatically entered.

> External ID

Assign an external ID for Manual Input.

NOTE — This setting is available when either TTLS, PEAP, or EAP-FAST is selected.
> User Certificate Type

Select the user certificate type:

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting, so the network cannot distinguish individual users, and the certificate must be revoked and replaced for everyone if a single device is compromised.

    NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration(Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

    When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template.

    Then, register a certificate template for each network setting and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

Trust Specifies the required certificates. This tab is enabled if the Security Type selected is Enterprise WEP, Enterprise WPA/WPA2, or for all enterprises.
> Trusted certificate name Add the name of the Trusted certificate.
> Root Certificate Select a Root Certificate.
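Checking the EAP settings a Wi-Fi profile actually carries is the quickest way to catch the weak choices described in the Protocol, Authentication, and Trust settings above: LEAP, anonymous PAC deployment, a dynamic trust decision left enabled, no pinned RADIUS server certificate, and a shared username/password embedded in the profile. The script below is an added example, not Knox Manage code. It inspects the Wi-Fi payloads of a configuration profile using Apple's com.apple.wifi.managed keys and the IANA EAP method numbers that AcceptEAPTypes holds; that TLSAllowTrusted is the key behind the page's "dynamic trust decision by the user" option, the sample profiles, the UUID, and the rules themselves are assumptions for illustration.

```python
"""Flag weak EAP settings in the Wi-Fi payloads of an iOS configuration profile.

Added example, not Knox Manage code. Key names are Apple's Wi-Fi payload
(com.apple.wifi.managed) keys; AcceptEAPTypes holds IANA EAP method numbers.
Assumption: TLSAllowTrusted is the key behind the page's "dynamic trust
decision by the user" option. Sample profiles and rules are for illustration.
"""
import plistlib

EAP_NAMES = {13: "TLS", 17: "LEAP", 18: "EAP-SIM", 21: "TTLS", 25: "PEAP", 43: "EAP-FAST"}
TLS_BASED = {13, 21, 25, 43}  # methods that authenticate the RADIUS server with a certificate


def audit_wifi_payload(payload: dict) -> list:
    """Return one finding string per weak setting in a single Wi-Fi payload."""
    ssid = payload.get("SSID_STR", "<no SSID>")
    findings = []
    enc = payload.get("EncryptionType", "None")
    if enc in ("WEP", "None"):
        findings.append(f"{ssid}: encryption type {enc} gives no meaningful confidentiality")
    eap = payload.get("EAPClientConfiguration")
    if eap is None:
        return findings  # personal (pre-shared key) network: nothing EAP-specific to check
    types = set(eap.get("AcceptEAPTypes", []))
    names = ", ".join(EAP_NAMES.get(t, str(t)) for t in sorted(types))
    if 17 in types:
        findings.append(f"{ssid}: LEAP permitted; its challenge/response exchange is crackable offline")
    if 43 in types and eap.get("EAPFASTProvisionPACAnonymously", False):
        findings.append(f"{ssid}: anonymous PAC deployment accepts a PAC from any access point")
    if types & TLS_BASED:
        # Apple's default for TLSAllowTrusted is true, so an absent key is a finding too.
        if eap.get("TLSAllowTrusted", True):
            findings.append(f"{ssid}: dynamic trust decision allowed; user may accept an unknown server certificate")
        if not eap.get("TLSTrustedServerNames") and not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{ssid}: no trusted server name or anchor certificate pinned for {names}")
    if eap.get("UserName") and eap.get("UserPassword"):
        findings.append(f"{ssid}: static username/password embedded; every device carries the same credential")
    return findings


def audit_profile_wifi(profile_bytes: bytes) -> dict:
    """Map each Wi-Fi payload's SSID to its findings for a whole .mobileconfig."""
    profile = plistlib.loads(profile_bytes)
    return {
        p.get("SSID_STR", "<no SSID>"): audit_wifi_payload(p)
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.wifi.managed"
    }


def wifi_profile(ssid: str, eap: dict, encryption: str = "WPA2") -> bytes:
    """Build a one-network .mobileconfig (constructed test input)."""
    payload = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": ssid,
               "EncryptionType": encryption, "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


# Constructed samples: the weak configuration beside its hardened form.
WEAK_PROFILE = wifi_profile("corp-legacy", {
    "AcceptEAPTypes": [17, 25],          # LEAP and PEAP
    "TLSAllowTrusted": True,             # dynamic trust decision by the user
    "UserName": "wifi-shared", "UserPassword": "hunter2",
})
HARDENED_PROFILE = wifi_profile("corp", {
    "AcceptEAPTypes": [13],              # EAP-TLS with per-device client certificates
    "TLSAllowTrusted": False,
    "TLSTrustedServerNames": ["radius.example.com"],
    "PayloadCertificateAnchorUUID": ["00000000-0000-4000-8000-000000000001"],  # hypothetical UUID
})

if __name__ == "__main__":
    for ssid, findings in audit_profile_wifi(WEAK_PROFILE).items():
        for finding in findings:
            print("FAIL", finding)
    print("hardened profile findings:", audit_profile_wifi(HARDENED_PROFILE))
```

The server-identity checks only run for the TLS-based methods because EAP-SIM authenticates with the SIM rather than a server certificate; everything else applies regardless of method, since a shared static credential or an open/WEP network is weak whatever the EAP type.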
Proxy

Select a proxy server settings method.

NOTE — This setting is for iOS 5 and higher.
> Manual

Configure the proxy server manually.

  • Proxy IP Address and Port — Enter the IP address of the proxy server and the port number used by the proxy server.
  • User name — Enter the username for the proxy server.
  • Proxy Authenticated User Password — Enter the password for the proxy server.
> Auto

Configure the proxy server automatically.

  • Proxy Server URL — Enter the URL of the proxy server.

Exchange

Configures the settings of Microsoft Exchange ActiveSync accounts to synchronize data with it.

For Shared iPad mode, all policies in this group apply through the user channel.

You can add more Exchange policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each Exchange setting.
Description Enter a description for each Exchange setting.
Office365

Select to configure the account for Office 365.

NOTE — This policy automatically populates the Exchange server address and the SSL option as Use.
User information input method Select an input method for entering user information.
> Manual Input

Select to manually enter the device user's email address, account ID, password, and whether to override the password.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

> Connector interworking

Select to choose a connector from the User Information Connector list.

NOTE — All the connectors are listed in Advanced > System Integration > Directory Connector.
> User information Select to access the exchange server using the registered Knox Manage email and ID. The password must be entered from the user's device.
Domain

Enter a domain address for the Exchange server.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Override Previous Password (iOS 14 or later) Overrides the device user's EAS password.
Host Enter the host name of the email server.
SSL

Set to use SSL/TLS for the connection to the Exchange server.

NOTE — If Office 365 setting is used, the SSL option is automatically set to Use.
User certificate input method Select an input method for entering certificate information.
Use OAuth Check this box to use the OAuth authentication method.
> OAuth Sign-In URL Enter the OAuth sign-in URL provided by your network administrator.
> OAuth Token URL Enter the OAuth token URL provided by your network administrator.
> EMM Management Certificate

Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • User Certificate — Select a certificate to use from the User Certificate list.
> Connector interworking

Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

  • User certificate Connector — Select a connector to use from the User certificate Connector list.
> Issuing external CA

Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

  • Issuing external CA — Select an external CA to use from the Issuing external CA list.
Sync Interval

Select the interval period to sync the past emails.

NOTE — The sync interval and synchronization are in accordance with the email application settings.
Do not move message to other accounts Select to use the policy.
Available only on mail app Select to use the policy.
Do not sync the recently used email address Select to use the policy.
Activate S/MIME Check to activate and configure S/MIME functions for email security.
> S/MIME signing certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

    When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.
> S/MIME Signing Certificate

Available only when EMM Management Certificate is selected.

Choose the signing certificate according to the S/MIME signing certificate input method.

> S/MIME signing certificate connector

Available only when Connector interworking is selected.

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME encryption certificate input method

Select EMM Management Certificate or Connector interworking.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate. All users share this one certificate for each network setting.

    NOTE — Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services.

    When you search for a user using the filter set for the connector, the user certificate (P12 or PFX) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

> S/MIME Encryption Certificate

Available only when EMM Management Certificate is selected.

Choose the Encryption Certificate according to the S/MIME encryption certificate input method.

> S/MIME signing certificate connector

Available only when Connector interworking is selected.

Choose the signing certificate connector according to the S/MIME signing certificate input method.

> S/MIME Enable Per Message Switch Check the check box to enable S/MIME per message.
Control Calendar App Toggles whether Exchange configures and syncs account data to the Calendar app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Contacts App Toggles whether Exchange configures and syncs account data to the Contacts app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Mail App Toggles whether Exchange configures and syncs account data to the Mail app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Note App Toggles whether Exchange configures and syncs account data to the Note app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.
Control Reminder App Toggles whether Exchange configures and syncs account data to the Reminder app, and whether the device user can also configure it. At least one app in this policy cluster must be set to Enable App.

VPN

Configures Virtual Private Networks (VPNs) on iOS devices.

For Shared iPad mode, all policies in this group apply through the device channel.

You can configure the VPN settings to connect to a private network through a public network. You can add more VPN policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for the VPN setting.
Description Enter a description for the VPN setting.
Connection type

Select a connection type and enter the parameters. Required parameters vary depending on the selected connection type.

  • L2TP — Set the Shared Security and Send All Traffic options.
  • PPTP — Set the Encryption Step and Send All Traffic options.
  • IPSec (Cisco) — Enter the items depending on the selected device authentication type:
    • If Device Authentication is set to Certificate, set Domain/Host Pattern and the Action for it. Then, select a User certificate input method and choose whether to Include User PIN when the device is authenticated.
    • If Device Authentication is set to Shared Security/Group Name, set the Group Name and Shared Security options. Then, choose whether to Use mixed authentication and whether to apply Password Request when the device connects to the VPN.
  • Cisco AnyConnect — Set the Group Name option.
  • Juniper SSL — Set the Realm and Role options. If this option is selected, the newer Pulse Secure VPN client is supported and previous Juniper Pulse versions are not supported.
  • SonicWALL Mobile Connect — Set the Login Group or Domain options.
  • IKEv2 — For IKEv2, see Configuring VPN IKEv2 connection.
Server address Enter the IP address, host name, or URL of the VPN server that the device needs to access.
VPN Application Allocation

Select applications that are allowed to connect to a VPN automatically.

Click Add and select applications. And then, click OK.

Safari Domain

Select URLs that are allowed to connect to a VPN automatically on Safari.

Enter a domain address, and then click add.

VPN type for each app

Select a VPN type for each application.

  • packet-tunnel — for app-layer tunneling
  • app-proxy — for packet-layer tunneling
User Connection Authentication Type Select the authentication type for the user connection: Password or RSA SecurID.
User information input method

Select an input method for entering user information.

  • Manual Input — Enter the user ID and Password for VPN connection.

    You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

  • Connector interworking — Choose a connector from the User information Connector. All the connectors registered in Advanced > System Integration > Directory are listed in the User information Connector.
  • User Information — Use the user information registered in Knox Manage to access VPN.
ID

Set an ID for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

Password

Set a password for the VPN settings.

You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.

User certificate input method

Select an input method for entering certificate information.

  • EMM Management Certificate — Register an external certificate on the Knox Manage server for each network setting, and then verify each network setting using that certificate.

    NOTE — All users share this one certificate for each network setting. Navigate to Advanced > Certificate > External Certificate to register network settings for each purpose.

    • User certificate — Select a certificate to use from the User Certificate list.
  • Connector interworking — Verifies network settings using the user information obtained by applying the filter set for the connector. To verify the network settings on the device, you should set the Service Type as Profile Configuration (Certification) when you register a connector in Advanced > System Integration > Directory Connector. To learn more about how to add a directory connector, see Adding sync services. When you search for a user using the filter set for the connector, the user certificate (.p12 or .pfx) corresponding to the obtained user information is applied along with a profile, allowing you to use this certificate to verify the user.

    • User Information Connector — Select a connector to use from the User certificate Connector list.
  • Issuing external CA — Register a certificate obtained from an external certificate authority to Advanced > Certificate > Certificate Template. Then, you register a certificate template for each network setting, and verify it as a user certificate. To learn more about how to add an external certificate, see Adding external certificates.

    • Issuing External CA — Select an external CA to use from the Issuing external CA list.
NOTE — User certificate input method appears only when certificate is selected in the user connection authentication type or in the device authentication.
Proxy Settings

Select the setting for the proxy server.

  • Manual — Enter the proxy IP address and port number. Then, assign a user name and proxy authenticated user password.
  • Auto — Enter the proxy server URL address.

Configuring VPN IKEv2 connection

If the connection type is set to IKEv2, you can configure the setting as follows:

  1. Set the VPN auto connection settings.

    • VPN auto connection (Only devices allowed by director) — Keeps VPN activated on the device.
    • Allow users to deactivate auto connection — Allows users to deactivate auto connection on the device.
    • Use the same tunnel for both cellular and Wi-Fi — Configure the VPN connection information to be used by both networks. To use different tunnels for configurations for cellular and Wi-Fi, click the Cellular and Wi-Fi tabs and enter the VPN connection information.
    • If a profile has more than two VPN settings with VPN auto connection checked, the profile is not installed on the device.
  2. Enter the following information:

    Item Description
    Server address Enter the IP address, host name, or URL of the VPN server.
    Local identifier

    Enter the value that identifies the IKEv2 client, in one of the following formats:

    • FQDN, UserFQDN, Address, or ASN1DN
    Remote identifier

    Enter the remote identifier value in one of the following formats:

    • FQDN, UserFQDN, Address, or ASN1DN
    System authentication

    Select a VPN authentication method:

    • Security sharing — Enter the security sharing password.
    • Certificate — Select a user certificate input method. Then enter the common name of the server certificate issuer and the common name of the server certificate.
    EAP activation

    Determines if EAP is activated. If activated, select one of the following:

    • Certificate — Select a user certificate input method.
    • Password — Enter the user ID and Password.
    Dead Peer Detection speed

    Set the interval for checking the usability of the VPN equipment.

    Encryption algorithm

    Choose the Encryption algorithm.

    • IKE SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
    • Sub SA — DES, 3DES, AES-128, AES-256, AES-128-GCM, AES-256-GCM
    Integrity algorithm

    Choose the Integrity algorithm.

    • IKE SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
    • Sub SA — SHA1-96, SHA1-160, SHA2-256, SHA2-384, SHA2-512
    Diffie Hellman group

    Select the group to be used for Diffie Hellman algorithm.

    • IKE SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
    • Sub SA — 0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21
    Time (min)

    Enter the session expiration period.

    • IKE SA — Between 10 and 14440. The default value is 14440.
    • Sub SA — Between 10 and 14440. The default value is 14440.
    Enable NAT keepalive while the device is in sleep mode

    Enable NAT Keepalive and set the interval for Keepalive.

    NOTE — This item is for iOS 10 to 13.
    NAT keepalive interval

    Set NAT KeepAlive intervals in seconds. The default value is 20 seconds.

    NOTE — This item is for iOS 10 to 13.
    Use IPv4/IPv6 internal subnet properties

    Select to use the IPv4/IPv6 internal subnet attribute of IKEv2.

    NOTE — This item is for iOS 10 to 13.
    Disable portability and multi-homing

    Select to deactivate IKEv2 mobility and multi-homing (MOBIKE).

    NOTE — This item is for iOS 10 to 13.
    Disable redirect

    Select to disable IKEv2 connection redirection.

    NOTE — This item is for iOS 10 to 13.
    Enable a perfect forward secrecy

    Select to enable PFS (Perfect Forward Secrecy).

    NOTE — This item is for iOS 10 to 13.
    Voice mail box / AirPrint

    Select how traffic is handled when using Voicemail and AirPrint.

    • Allow traffic to go through the tunnel/Allow traffic outside the tunnel/Drop traffic
    Captive web sheet traffic outside of VPN tunnel Allows captive web sheet traffic outside the VPN tunnel.
    Captive Network App bundle identifier Enter the bundle identifier of the Captive Network App to allow it, or click the item to disallow it.
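To vet the IKEv2 choices in the table above before a profile is pushed, here is an added Python example that is not Knox Manage code and not part of this page: it flags legacy ciphers, SHA-1 integrity, small Diffie-Hellman groups, lifetimes outside the stated range and disabled PFS, then emits the payload fragment. The Apple VPN payload key names it uses (IKESecurityAssociationParameters, ChildSecurityAssociationParameters, EnablePFS, DisableMOBIKE) and the example.com host names are assumptions, not taken from this page.

```python
"""Added example, not Knox Manage code: vet an IKEv2 parameter set chosen from the console
option lists above and emit the matching Apple VPN payload fragment. The Apple key names
(IKESecurityAssociationParameters, EnablePFS, DisableMOBIKE) are assumed, not from this page."""
from __future__ import annotations

import plistlib
from dataclasses import dataclass

# Option lists exactly as offered by the console (Encryption, Integrity, DH group, Time).
ENCRYPTION = {"DES", "3DES", "AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM"}
INTEGRITY = {"SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512"}
DH_GROUPS = {0, 1, 2, 5, 14, 15, 16, 17, 18, 19, 20, 21}
LIFETIME_MIN, LIFETIME_MAX = 10, 14440  # range stated for Time (min); default is the max
# Choices a reviewer rejects: legacy ciphers, SHA-1 integrity, DH groups under 2048 bits.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH = {0, 1, 2, 5}


@dataclass
class SAParams:
    """One security association as entered in the console: IKE SA or Sub (child) SA."""
    encryption: str
    integrity: str
    dh_group: int
    lifetime_min: int = LIFETIME_MAX


def check_sa(name: str, sa: SAParams) -> list[str]:
    """Return findings for one SA; an empty list means the choices are acceptable."""
    findings: list[str] = []
    if sa.encryption not in ENCRYPTION:
        findings.append(f"{name}: unknown encryption algorithm {sa.encryption!r}")
    elif sa.encryption in WEAK_ENCRYPTION:
        findings.append(f"{name}: {sa.encryption} is a legacy cipher; use AES-256-GCM")
    if sa.integrity not in INTEGRITY:
        findings.append(f"{name}: unknown integrity algorithm {sa.integrity!r}")
    elif sa.integrity in WEAK_INTEGRITY:
        findings.append(f"{name}: {sa.integrity} relies on SHA-1; use SHA2-256 or stronger")
    if sa.dh_group not in DH_GROUPS:
        findings.append(f"{name}: unknown Diffie-Hellman group {sa.dh_group}")
    elif sa.dh_group in WEAK_DH:
        findings.append(f"{name}: DH group {sa.dh_group} is too small; use 14 or higher")
    if not LIFETIME_MIN <= sa.lifetime_min <= LIFETIME_MAX:
        findings.append(f"{name}: lifetime {sa.lifetime_min} min is outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return findings


def check_ikev2(ike: SAParams, child: SAParams, enable_pfs: bool) -> list[str]:
    """Check both SAs plus the 'Enable a perfect forward secrecy' switch."""
    findings = check_sa("IKE SA", ike) + check_sa("Sub SA", child)
    if not enable_pfs:
        # Without PFS every child SA key derives from the IKE SA secret.
        findings.append("PFS disabled: enable perfect forward secrecy")
    return findings


def build_ikev2_payload(server: str, local_id: str, remote_id: str,
                        ike: SAParams, child: SAParams, enable_pfs: bool,
                        disable_mobike: bool = False) -> dict:
    """Return the VPN payload fragment for a certificate-authenticated IKEv2
    connection, refusing to build it when check_ikev2 reports any finding."""
    findings = check_ikev2(ike, child, enable_pfs)
    if findings:
        raise ValueError("; ".join(findings))

    def sa(p: SAParams) -> dict:
        return {"EncryptionAlgorithm": p.encryption, "IntegrityAlgorithm": p.integrity,
                "DiffieHellmanGroup": p.dh_group, "LifeTimeInMinutes": p.lifetime_min}

    return {
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "LocalIdentifier": local_id,  # FQDN, UserFQDN, Address or ASN1DN
            "RemoteIdentifier": remote_id,
            "AuthenticationMethod": "Certificate",
            "IKESecurityAssociationParameters": sa(ike),
            "ChildSecurityAssociationParameters": sa(child),
            "EnablePFS": int(enable_pfs),  # Apple stores these switches as 0/1
            "DisableMOBIKE": int(disable_mobike),
        },
    }


if __name__ == "__main__":  # constructed sample values; the host names are placeholders
    strong = SAParams("AES-256-GCM", "SHA2-256", 14)
    print(plistlib.dumps(build_ikev2_payload("vpn.example.com", "ipad01.example.com",
                                             "vpn.example.com", strong, strong, True)).decode())
```

Run check_ikev2 with the IKE SA and Sub SA values exactly as entered in the console; the returned findings are what a profile review should clear before the VPN policy set is saved.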

Certificate

Allows using new certificate authority (CA) certificates and configuring the certificate settings.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more certificate policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each certificate setting.
Description Enter a description for each certificate setting.
Certificate category

Select a certification category.

  • CA Certificate — Select a certificate to use from the CA certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as Root are included on the list.
  • User certificate — Select a certificate to use from the User Certificate list. Among the certificates registered in Advanced > Certificate > External Certificate, those with the Purpose set as CA Cert and the Type set as User are included on the list.

SSO

Configures the SSO (Single Sign On) settings for one-click access to all applications.

For Shared iPad mode, all policies in this group apply through the user channel.

SSO (Single Sign On) service offers one-click access to all of the applications without additional authentication. You can add more SSO policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each SSO setting.
Description Enter a description for each SSO setting.
Account Name Enter the name that shows on the device.
Principal Name Enter the principal name.
Realm Enter a domain name that is able to use SSO. You must enter the name in upper case letters.
URL Prefixes

Enter a URL to be accessed with SSO.

Click drop down, enter a URL, and then click add.

App Identifier

Enter the bundle ID of an application that you can use through SSO. If there is no application added on the list, SSO can be used for all applications.

Click drop down, enter the bundle ID of an application, and then click add.

Cellular

Configure the cellular network settings and control how the device accesses the cellular network. If an APN was already set, the cellular configuration is not applied.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more cellular policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each cellular setting.
Description Enter a description for each cellular setting.
AttachAPN

Configure the settings for an Attach APN.

  • Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Authentication Method — Choose PAP or CHAP.
  • Username — Enter the user name for user authentication.
  • Password — Enter the password for user authentication.
APNs

Configure the setting for an APN.

  • Name — Enter the name for the setting. You can also click Lookup to open the reference items list and select an item from it. The reference value is automatically entered.
  • Authentication Method — Choose PAP or CHAP.
  • Username — Enter the user name for user authentication.
  • Password — Enter the password for user authentication.
  • Proxy Server — Enter the IP address of a proxy server.
  • Proxy Server Port — Enter the port number of a proxy server.

AirPrint

Configures the AirPrint settings to enable computers to automatically detect an AirPrint printer.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add a printer to the AirPrint list on the device and configure devices and printers that exist on different networks conveniently. You can add more AirPrint policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
AirPrint Printer List

Add printers that support AirPrint.

Click drop down, enter an IP address and a resource path, and then click add.

For the resource path, you can enter values such as the following:

  • printers/Canon_MG5300_series
  • printers/Xerox_Phaser_7600
  • ipp/print
  • Epson_IPP_Printer

Font

Allows delivery of new fonts to devices.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more font policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each font setting.
Description Enter a description for each font setting.
Font

Add a font to use on the device.

Click Add and add a font.

WebClip

Configures the display of web shortcuts on an iOS device.

For Shared iPad mode, all policies in this group apply through the user channel.

You can add more WebClip policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each web clip setting.
Description Enter a description for each web clip setting.
Label Enter a web clip name to be displayed on the device home screen.
URL Enter a web clip URL address.
Removable Check the check box to allow users to delete the web clip account settings.
Icon

Click Add, and then click Browse to select an icon that is displayed on the user's device home screen. Then click OK to add.

  • The icon must be 59 x 60 px and in the PNG file format.
  • A white square image is displayed if no icon is selected.
Full Screen Opens the Web Clip as a web app without browser features—no navigation buttons, address bar, search bar, or bookmark features. This mode is similar to full-screen mode in a web browser.

App Lock

Configures the functions of an application that is locked down on a supervised device.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more App Lock policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each application lock setting.
Description Enter a description for each application lock setting.
App Bundle ID Enter the application bundle ID to identify applications.
Set Application If the Application Block or Allow list Settings are set and an app lock setting is applied to one or more apps, the App Lock app is automatically added to the Allowlist.
Options Check the box to configure the application lock options.
> Touch Screen Allows device touchscreen mode.
> Screen Rotation Enables using the landscape or portrait mode of the device screen.
> Volume Button Enables adjusting the volume.
> Ringer Switch Enables switching the ringer on and off through the ringer switch.
> Power Button Allows turning the device on or off through the power button.
> Auto Lock Enables automatically locking the device after a fixed amount of time through auto lock.
> VoiceOver Turns on VoiceOver, the screen-reading feature.
> Zoom In/Out Turns on the zoom feature for easy zooming of the screen display.
> Invert Colors Turns on color inversion to show colors on the device screen as their complementary colors.
> Assistive Touch Allows the virtual home button to perform multiple actions on the screen with a simple tap.
> Speak Selection Turns on Speak Selection so that selected text can be read aloud.
> Mono Audio Turns on Mono Audio to play both audio channels in one ear when using a headset.
User Enabled Options Check the box to configure user enabled options.
> VoiceOver Enables Voice over for the screen-reading feature.
> Voice Control Allows the device to be controlled with Siri voice commands. When enabled, the device user cannot turn off voice control.
> Zoom In/Out Allows for configuring the easy zoom in and out feature on the display.
> Invert Colors Allows color inversion to display colors on the device screen as their complementary colors.
> Assistive Touch Allows the virtual home button to perform multiple actions on the screen with a simple tap.

Global HTTP Proxy

Configures a global HTTP proxy to direct all HTTP traffic through a designated proxy server.

For Shared iPad mode, all policies in this group apply through the device channel.

You can add more global HTTP policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each global HTTP proxy setting.
Description Enter a description for each global HTTP proxy setting.
Proxy Type Select and enter the corresponding items depending on the proxy type.
> Manual
  • Proxy Server and Port — Enter the IP address of a proxy server and the port number of the proxy server.
  • Username — Enter the username for user authentication.
  • Password — Enter the password for user authentication.
> Auto
  • Proxy PAC URL — Enter the URL of the PAC file that defines the proxy configuration.
  • Proxy PAC Fallback Allowed (iOS 7 or above) — Check the check box to allow a direct connection from the user device if the PAC connection fails.
Proxy Captive Login Allowed (iOS 7 or above) Check the check box to allow the device to bypass the proxy server to display the login page for captive networks.

AirPlay

Configures the AirPlay settings to allow iOS devices to share content.

For Shared iPad mode, all policies in this group apply through the device channel.

These policies support devices with iOS 7 or above. You can add more AirPlay policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each AirPlay setting.
Description Enter a description for each AirPlay setting.
Allowlist (Supervised)

Add an AirPlay device ID to the allowlist so that it is displayed on the user's device.

Click drop down, enter a device ID, and then click add.

Passwords

Add an AirPlay device password.

Click drop down, enter a device name and password, and then click add.

Web Content Filter

Configures the Web Content Filter payloads for the device, which control access to web pages.

Click add to add a payload.

For Shared iPad mode, all policies in this group apply through the device channel.

Policy Description Supported system
Configuration ID

Specifies a unique identifier for the payload.

Values

Enter an ID.

iOS 7 and higher

Supervised

Description

Specifies the description of the payload.

Values

Enter a description.

iOS 7 and higher

Supervised

Auto Filter Enabled

Enables auto-filtering of URLs.

Values

  • Selected — Enables the Permitted URLs policy.
  • Deselected (default)

iOS 7 and higher

Supervised

Permitted URLs

Specifies an allowlist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and click add. To remove a URL, click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Blocklisted URLs

Specifies a blocklist of URLs on the device. If the Allowlisted Bookmarks policy is set, then this list has no effect.

Values

To add a URL, enter it and click add. To remove a URL, click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Allowlisted Bookmarks

Specifies a list of bookmarks on the device, and uses them to define an allowlist of URLs. If this policy is set, then the Permitted URLs and Blocklisted URLs policies have no effect.

Values

To add a bookmark:

  1. Enter the following:
    • URL — The path to the web page.
    • Title — The name of the bookmark.
    • Bookmark Path — The folder name for the bookmark.
  2. Click add.

To remove a bookmark, click delete.

URLs must start with the http:// or https:// scheme. Wildcards (*) aren't supported.

iOS 7 and higher

Supervised

Managed domains

Specifies URLs or subdomains to allow downloading content from these domains without any restrictions.

For Shared iPad mode, all policies in this group apply through the user channel.

Set managed domains and protect corporate data. You can control what apps can open documents downloaded from corporate domains using Safari. These policies support the devices with iOS 8 and higher in Supervised mode. You can add more managed domains policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
Email domains

Add a domain to specify as a corporate domain for emails.

Click drop down, enter a URL, and then click add.

Web domains

Add a domain to specify a corporate domain for the web.

Click drop down, enter a URL, and then click add.

Network Usage Rules

Configures network usage rules to control which applications can access data or when the device is roaming.

For Shared iPad mode, all policies in this group apply through the device channel.

Configure network usage rules to allow data roaming and cellular data for applications. You can add more network usage rules policy sets by clicking add.

Policy Description
Configuration ID Assign a unique ID for each setting.
Description Enter a description for each setting.
Managed app Network Settings

Add an application and allow cellular data and data roaming.

Click drop down, add an application, set the data settings, and then click add.

SIM Network Settings (iOS 13 or later) Enables Wi-Fi Assist based on the SIM card identifier (ICCID). You can add multiple SIMs as needed. Use Default System enables Wi-Fi Assist, letting the OS switch to cellular data when the Wi-Fi signal is poor. Use Cellular Data forces cellular data use at all times. Supported on iOS 13 and higher devices.