Tags
Xcitium Client Security (XCS) what test Remote Control by ITarian RDS Server RDS EDR AEP csv access scope Comodo dialog box Windows UAC user access rights verification phone number password reset security code forgot password Android threat history generates alert lock device Android devices Mac OS devices mobile devices passcode Lock log SIEM log forwarding log storage log storage settings scan profile Parental control FLS file-lookup server internet access rights Real-time scan default profiles pre-configured profiles pre-defined profiles customize profile clone profile Clone unknown MAC profile Linux profile cloud-based service Maintenance Window maintenance analysis tool UFH check policy test policy Virtual Appliances DNS Resolver register invite graphs Dynamic IP Dome shield Integration O365 Comodo Office 365 removal tool CCS removal tool Comodo Secure Email Gateway subscriptions service Dome Antispam Valkyrie report info web Comodo SWG tutorial policy DLP PAC file iboss Bluecoat Websense Comodo Dome ICAP Dome Agent traffic URL C1 account SWG portal SSL Encrypted Traffic Dome Cloud enable widget chart endpoint dashboard file groups Rules exceptions Wi-Fi networks Wi-Fi setup security restrictions iCloud auto containment containment settings virtual file system sandbox environment client access control local configuration Comodo Client Security Rebranding Communication Client Rebranding security client re-brand Comodo Clients application rules global rules Portsets port sets Firewall ruleset rule set rulesets global proxy server global proxy antivirus settings Client Proxy remote control tool Firewall protection firewall settings configuration file export profile PowerShell VBS script Windows Standard Account Endpoint Manager Client Communication (EMCC) server security clients updates vulnerable security patches installed Client Communication Communication Client (CC) submission Communication Client tray icon script OS Patch Third Party Patch Installation Uninstallation Discovery additional package External Device Control external ITarian remote Windows device apps signed-in logged-in identify License wizard on-boarding local Comodo Client Security Mac devices Linux devices MSP customers EM profile Mac OS profile MAC OS X device user device configuration profile copy invoice enrollment Logging Settings SIEM tool external server Account Security mobile console EM device owners ownership remove MAC third party application remote uninstallation software inventory duplicate Name Master Image Golden Image Bulk Installation Package Windows Operating Systems summary information local time External IP address OS summary Devices list MDM profile iOS push certificate create APNs Apple account portal APN Apple Push Notification search bar filter options customer device group group membership managed device trust rating old duplicates removal device name MAC address MSP (Managed Service Provider) Versions Marketing & Sales Customer Relationship Management (CRM) Enroll New Device New Ticket quick actions bar release notes security status activity status profile status Sales funnel Secure Internet Gateway application launch Two factor Time zone Language Lockout time Change Password tokens device enrollment User Groups Manage Profiles User List Management customer report customer assessment customers End-User forms auto response attachments time entry address support User Directory scripts Knowledgebase canned Banlist announcements Hostname mail delivery CommandLine Power Shell PowerShell interface File Explorer Commands Interface Remote devices Remote Tools Paranoid Mode Training Mode Custom Ruleset Safe Mode The charging flow edit contracts Charging Flowchart Global Asset Rates Charging Plans Contracts charges calculated Remove role Edit a role staff interface Exclusions data loss prevention (DLP) network discoveries ITarian Remote Access Tool Tarian Remote Access Tool inactive devices Device removal settings Portal Set-up Malware File Name Security Sub-System communication client UI settings Communication Client Tray remove a department ticket submission configure department synchronize department submit ticket distributing Bandwidths client updates device management Bandwidth conservation malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection Virtual Desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to setup restrictions for iOS devices via Endpoint Manager profile

Release Time
07/01/2020
Views
none

Click ‘Configuration Templates’ > ‘Profiles’ > open an iOS profile > open the ‘Restrictions’ section

  • The 'Restrictions' section of an iOS profile lets you define limitations for various user activities. Examples include use of camera, installing and uninstalling apps, connecting to Wi-Fi hot spots, in-app purchases, using iCloud backup and more.
     
  • The activities are grouped under various categories, like Device Functionality, Security and Privacy, Content Ratings, Applications and iCloud.

Set restrictions in an iOS profile

Get App Identifier for iOS applications

Related topics

Set restrictions in an iOS profile

  • Login to ITarian
     
  • Click 'Applications' > 'Endpoint Manager'
     
  • Click ‘Configuration Templates’ > ‘Profiles’
     
  • Open the iOS profile applied to your target devices
     
    • Open the 'Restrictions' tab, if it has been added already, then click 'Edit'

      Or
       
    • Click 'Add Profile Section' > 'Restrictions', if it hasn't yet been added:



      The restrictions are grouped under the following categories. Click the links below for descriptions of the options under respective categories:
       
    • Device Functionality
       
    • Security and Privacy
       
    • Content Ratings
       
    • Applications
       
    • iCloud
       
  • Click 'Save' after configuring the options for your settings to take effect on the devices to which the profile Is applied.

Device Functionality


Allow installing apps - The user can install or update apps from the Apple App Store. If left unchecked, the 'App Store' icon is removed from the device's home screen.

Allow app uninstall - The user can uninstall applications from the device.

Allow use of the iMessage - The user can quickly and easily chat over iMessage or SMS/MMS.

Allow camera - The user can to take photos, videos or use FaceTime (if enabled). If left unchecked, the camera icon is removed from the device and camera is disabled.

Allow face time - The user can use FaceTime. Applies only if 'Allow Camera' is enabled.

Allow Personal Hotspot - The user can setup Wi-Fi hot-spots from their device and allow other devices to connect.

Allow screen shot - The user take screenshots on their device.

Allow global background fetch when roaming - Select this to allow various apps in the device to sync and fetch data from cloud when in roaming mode abroad.

Allow assistant - Users can use Siri voice commands and dictation.

Allow assistant while Locked - Users can use Siri even when the device is locked. Applies only if  'Allow Assistant' is enabled.

Allow assistant user generated content - Users can use Siri to query user-generated content from the internet or device. 

Forces the use of the profanity filter assistant - Imposes profanity filter to Siri. The voice command, dictation and other Siri features are filtered accordingly.

Allow voice dialing – The user can dial their phone using voice commands, even if the phone is locked with a passcode.

Allow passbook while locked - Passbook notifications are shown even when the device is locked.

Allow in app purchases – The user can make in-app purchases, that is buying paid versions of apps, products or services, subscriptions and more, by tapping options in running applications, using real currency.

Force iTunes store password entry – The user needs to enter his/her iTunes password for every transaction with Apple store.

Allow multiplayer gaming – User can play  games with their friends in Game Center, an online multiplayer social gaming network

Allow adding Game Center friends - User can add friends to their Game Center account.

Allow account modification - User can add/remove accounts like Apple account, mail accounts and more, on the device. Applies only to iOS 7+ and supervised devices.

Allow air drop - User can use Air Drop to send and receive photos, documents, and more with other nearby Apple devices. Applies only to iOS 7+ and supervised devices.

Allow find my friends modification – User can use the  Find My Friends feature to track locations of their friends, children and more. Applies only to iOS 7+ and supervised devices.

Allow fingerprint for unlock - Enable Touch ID to allow user to unlock his/her device using finger print. Applies only to iOS 7+ and supervised devices.

Allow Game Center - Users can access Game Center. Applies only to iOS 7+ and supervised devices.

Allow host pairing – Host pairing lets you control which devices the managed iOS device can pair with.

  • Enabled - The device can pair with other computers and devices
     
  • Disabled - The device cannot pair with any other device than the supervision device. If supervision host certificate has not been configured, the device cannot pair with a supervision device too.

        Applies only to iOS 7+ and supervised devices.

Allow lock screen control center – Show 'Control Center' widget on the lock screen. Applies only to iOS 7+ and supervised devices.

Allow lock screen notifications view – Enable notifications history view on the lock screen, that allows user to view past notifications. If disabled, users will still be able to view notifications when they arrive. Applies only to iOS 7+ and supervised devices.

Allow lock screen today view - Show 'Today View' in Notification Center on the lock screen. Applies only to iOS 7+ and supervised devices.

Allow OTAPKI updates – Device can receive over-the-air public key infrastructure (OTAPKI) updates. The device can still perform certificate revocation list (CRL) and online certificate status protocol (OCSP) checks, even if this option is disabled. Applies only to iOS 7+ and supervised devices.

Allow UI configuration profile installation - User can locally install configuration profiles and certificates using the graphical user interface (UI) on the device. Applies only to iOS 7+ and supervised devices.

Force limit ad tracking - Prohibit users from ad tracking activities on the devices. Applies only to iOS 7+ devices.

Force Wifi Whitelisting – The device can connect only to the allowed Wi-Fi networks/hotspots, defined in the profile. Connection to any other Wi-Fi network is prohibited.

  • You can add allowed Wi-Fi networks to the Wi-Fi section of the profile
     
  • Click 'Configuration Templates' > 'Profiles' > click on the iOS profile > 'Add new section' > 'Wi-Fi'
     
  • See How to specify allowed Wi-Fi networks for iOS devices for help to do this
     
  • Please ensure at least one Wi-Fi network is added to the Wi-Fi section of the profile, if 'Force Wifi Whitelisting ' is enabled. Else the device will not be able to connect to any Wi-Fi networks.
     
  • A notification is shown in the 'Wi-Fi' section of the profile if 'Force Wifi Whitelisting ' is enabled:




Forces all devices receiving AirPlay requests from this device to use a pairing password – User should enter a password for pairing while sending AirPlay requests to any other device.

Allow managed applications from using cloud sync - User can restrict managed apps backing up any data to iCloud, while still allowing it for user downloaded apps.

Allow the "Erase All Content And Settings" option in the Reset UI – Shows 'Erase All Content And Settings' option in the 'Reset' screen on the device. The user can choose to remove his/her personal information: credit or debit card, photos, contacts, music, or apps while resetting the device. Applies only to supervised devices.

Spotlight will return Internet search results - The 'Spotlight' feature on the device provides suggestions from the internet, iTunes, and the App Store for the user to quickly find any file, documents, emails, apps contacts and more on the device. Supervised devices only.

Allow the "Enable Restrictions" option in the Restrictions UI in Settings – Enables the  'Enable Restrictions' setting in the 'Restrictions' user interface of the 'Settings' screen. The user can configure various restriction settings and parental control from the 'Restrictions' interface. Applies to iOS 8+ and supervised devices only,

  • For iOS 12 or later - If 'Restrictions' setting is replaced by 'ScreenTime'

Allow activity continuation – Enables the 'Handoff'' feature on the device. The handoff feature enables user to continue their on-going activities on different iOS devices in which they have signed-in with the same Apple account.

Allow backed up enterprise books - User can save iBooks to iCloud and control synchronization. Notes and highlights made to the enterprise books are synced to the backup.

Allow podcasts - User can receive their favourite podcasts. Applies only to supervised devices with iOS 8 and later versions.

Allow definition lookup - User can use spell check and dictionary lookup features on the device. Applies only to supervised devices with iOS 8 and later versions.

Allow predictive keyboard - Users can enable or disable the predictive keyboard feature. Applies only to supervised devices with iOS 8.1.3 and later versions.

Allow keyboard auto-correction - User can enable or disable auto-correct feature when typing. Applies only to supervised devices with iOS 8.1.3 and later versions.

Allow keyboard spell-check – User can enable/disable keyboard spell check feature. Applies only to supervised devices with iOS 8.1.3 and later versions.

Paired Apple Watch will be forced to use wrist detection - If an Apple Watch is paired with the device, the device forces the Apple Watch to enable Wrist Detection. Applies only to iOS 8.2 and later versions.

Allow music service and music - Lets third-party apps to add music to user's iCloud music library. Applies only to iOS 9.0 and later versions and supervised.

Allow iCloud Photo Library – User can use the iCloud Photo Library and upload photos and videos. Applies only to supervised devices with iOS 9 and later versions.

Allow News  - User can subscribe to news services. Applies only to supervised devices with iOS 9.0 and later versions.

Causes AirDrop to be considered an unmanaged drop target - Airdrop on the device will be treated as an unmanaged destination for file transfers. Applies only to iOS 9.0 and later versions.

Enable the App Store on the home screen - Shows the AppStore icon on the home screen of the device.

Allow keyboard shortcuts - User can create and use keyboard shortcuts for typing snippets. Applies only to supervised devices with iOS 9.0 and later versions.

Allow pairing with an Apple Watch - User can pair the device with an Apple Watch. Applies only to supervised devices with iOS 9.0 and later versions.

Allow device passcode from being added, changed, or removed – User can create and modify screen lock passcodes for the device. Applies only to supervised devices with iOS 9.0 and later versions.

Allow device name modification – User can change the device name. Applies only to supervised devices with iOS 9.0 and later versions.

Allow wallpaper modification - User can change wallpapers displayed on the device. Applies only to supervised devices with iOS 9.0 and later versions.

Allow automatic download applications - Applications in the device can automatically download and install apps and updates. Applies only to supervised devices with iOS 9.0 and later versions.

Allow enterprise application trust - 'Trusted' status is automatically applied to enterprise applications. Applies only to devices with iOS 9.0 and later versions.

Allow enterprise application trust modification - Users can manually change the Trust status of enterprise applications. Applies only to supervised devices with iOS 9.0 and later versions.

Allow radio service - User can use Apple Music Radio on the device. Applies only to supervised devices with iOS 9.3 and later versions.

Allow notifications modification - User can modify 'Apple Push Notifications' settings on the device. Applies only to supervised devices with iOS 9.3 and later versions.

Whitelisted application bundles - Add applications to the app whitelist. The applications in the whitelist are skipped from security checks during installation and usage.

  • Enter the App bundle ID of the application to be added to the whitelist.
     
  • See the explanation at the end of this page for more details on obtaining the App bundle ID.
  • Click the variables button to insert dynamic values. See this page for help to create and manage custom variables.
     
  • Click the  button to add more applications.
     
  • Click the   button to remove an app.

Note: This feature is available only for supervised devices with iOS 9.3 and later versions.

Blacklisted application bundles - Add applications to the app blacklist. The applications in the blacklist will not be allowed to be installed or used.

  • Enter the App bundle ID of the application to be added to the blacklist.
  • See the explanation at the end of this page for more details on obtaining the App bundle ID.
  • Click the variables button  to insert dynamic values. See this page for help to create and manage custom variables.
     
  • Click the  button to add more applications.
     
  • Click the   button to remove an app.

Note: This feature is available only for Supervised devices with iOS 9.3 and later versions.

Security and Privacy


 

  • Allow diagnostic submission -  The device automatically submits diagnostic reports to Apple.
     
  • Allow untrusted TLS prompt – The user will be prompted every time if they want to trust unverified certificates. This setting applies to Calendar accounts, Contacts, Safari and Mail.
     
  • Force encrypted backup – All backup data from the device to iTunes will be automatically encrypted. If not enabled, the user can choose whether or not to encrypt the backup.

Content Ratings


Allow explicit music and podcasts - Content providers of iTunes flag their explicit content for easy identification.

  • If enabled, explicit content including music and video will be shown in iTunes store instead of being hidden, on the device.

Allow iBookstore - User can access iBookstore, an online bookstore from Apple. Applies only to supervised devices.

Allow iBookstore erotica - User can download media tagged as erotica from iBooks. Applies only to supervised devices with versions prior to iOS 6.1.

Rating region - Select the region whose content ratings are to be followed, from the drop-down.

Rating movies - Choose the content rating to be allowed for watching movies.

Rating TV Shows - Choose the content rating to be allowed for watching the TV shows.

Rating apps - Choose the rating to be allowed for using apps.

Applications


Allow use of  iTunes Store - Users can access iTunes store. If disabled, iTunes store will not be available on the device.

Allow Safari - Users can use Safari for browsing internet. If disabled,  the Safari browser app will not be available on the device.

Allow auto fill - The 'auto-fill' feature is enabled for Safari, to automatically fill details such as user name, password, credit card details and so on in web forms.

Allow java script - Java script features are supported by Safari.

Allow popups - Popups are allowed in Safari.

Force fraud warning - Safari displays alerts to users when visiting websites that are identified as compromised or fraudulent.

Accept cookies - Select the option on when Safari can accept cookies, from the drop-down. The available options:

  • Always
     
  • Never
     
  • From visited site

Allow app cellular data modification - User can modify cellular data usage settings for individual apps on the device. Applies only to supervised devices with iOS 7 or later versions.

Allow open from Managed to Unmanaged – Permits data transfer from managed apps to unmanaged apps. Applies only to iOS 7 and later versions.

Allow open from Unmanaged to Managed – Permits data transfer from unmanaged apps to managed apps. Applies only to iOS 7 and later versions.

Autonomous single app mode permitted app bundle IDs - iOS apps built with the functionality of single App Lock, can provoke App Lock for them under certain scenarios in Autonomous single app mode.

  • Specify the apps for which the mode can be enabled, by entering their App bundle IDs.
  • See the explanation at the end of this page for more details on obtaining the App bundle ID.
  • Click the variables button  to insert dynamic values. See this page for help to create and manage custom variables.
     
  • Click the  button to add more applications.
     
  • Click the  button to remove a field.

Note: This feature applies only to supervised devices with iOS 7 or later versions.

iCloud


 

  • Allow cloud keychain sync -  The Apple Keychain data on the device will be periodically synced to iCloud. Applies only to iOS 7 and later versions.
     
  • Allow cloud backup – User can backup their data on iCloud. Applies only to iOS 7 and later versions.
     
  • Allow cloud document sync - User can synchronize documents on their device with iCloud. Applies only to iOS 7 and later versions.
     
  • Allow photo stream - User can use the Photo Stream feature on the device. Applies only to iOS 7 and later versions.
     
  • Allow shared stream - Users can share and view photos in Photo Stream. Applies only to iOS 7 and later versions.

Get App Identifier for iOS applications

App Store Application:

1. Find the iTunes Store download URL of the app. Example: https://itunes.apple.com/us/app/cmdm/id807480077?mt=8.

2. Copy the number after the id in the URL. (Here it is: 807480077).

3. Open https://itunes.apple.com/lookup?id=807480077 where you replace the ID with the one you looked up.

4. Search the output for "bundleID". In this example: "bundleId":"com.comodo.cmdm.client". So the Bundle ID is com.comodo.cmdm.client

Enterprise Application:

The App bundle ID can be viewed from the App Details screen of the App.

1. Click 'Application Store' from the left and choose 'iOS Store'

2. Click on the app from the list displayed at the right


The 'Application ID' field shows the bundle ID of the app.

Related topics:

How to specify allowed Wi-Fi networks for iOS devices