With the Restrictions configuration you define restrictions for devices
- Log in to Sophos Central with an Admin account
- If you do not have an Admin account, create a Sophos Central account
- Mobile -> CONFIGURE -> Profiles, policies -> iOS -> Create -> Device profile
- Enter Name and click Add configuration
- Choose Restrictions and click Next. With Restrictions, you will define restrictions for devices
- Device
Allow app installation: If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can’t install or update apps from the App Store or Apple Configurator
Allow app installation from device UI: If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can still install or update apps from Apple Configurator
Allow use of camera: If the check box is cleared, the camera is unavailable and the Camera icon is removed from the Home screen. Users cannot take pictures, record videos, or use FaceTime
Allow Facetime: Users can place or receive FaceTime video calls
Allow screen capture: Users can take a screenshot of the display
Allow automatic sync while roaming: If the check box is cleared, devices that are roaming will only sync when the user accesses an account
Allow Siri: If the check box is cleared, users cannot use Siri, voice commands, or dictation
Allow Siri while device is locked: If the check box is cleared, users must unlock their device by entering their password before they use Siri
Allow Siri querying content from the web: If the check box is cleared, Siri does not query content from the web
Force Siri explicit language filter: If the check box is cleared, the Siri filter for explicit language is not enforced on the device
Allow voice dialing while device is locked: If the check box is cleared, users cannot dial by using voice commands when the device is locked by a password
Allow Passbook while device is locked: Passbook notifications are displayed when the device is locked
Allow in-app purchase: Users can make in-app purchases
Force user to enter store password for all purchases: Users must enter their Apple ID password to make any purchase. If the check box is cleared, there is a brief grace period during which users can make subsequent purchases without having to enter their password again
Allow multiplayer gaming: Users can play multi-player games in Game Center
Allow Game Center: If the check box is cleared, Game Center is unavailable
Allow adding Game Center friends: Users can add friends in Game Center
Allow find my friends modification: If the check box is cleared, modifications to the Find my Friends app are unavailable
Allow host pairing: If the check box is cleared, host pairing is turned off with the exception of the supervision host. If no supervision host certificate is configured, all pairing is turned off
Allow pairing with Apple Watch: If the check box is cleared, users cannot pair the device with an Apple Watch. Any currently paired Apple Watch is unpaired
Allow AirDrop: Content sharing with AirDrop is turned on
Allow Control Center on lock screen: If the check box is cleared, the Control Center is unavailable when the device screen is locked
Allow Notification Center on lock screen: If the check box is cleared, the Notification Center is unavailable when the device screen is locked
Allow Today view on lock screen: If the check box is cleared, the Today view is unavailable when the device screen is locked
Allow News: The News app is available
Allow over-the-air PKI updates: Over-the-air PKI updates are possible
Allow iBooks Store: Users can purchase books in iBooks
Allow explicit sexual content in iBooks Store: If the check box is cleared, explicit sexual content through iBooks Store is blocked
Allow user to install configuration profiles: Users can install configuration profiles
Allow iMessage: Users can use iMessage to send or receive text messages
Allow app removal: Users can uninstall apps from the device
Allow system app removal: Users can uninstall system apps from the device
Allow erase all contents and settings: If the check box is cleared, the Erase all Content And Settings option in the Reset UI is unavailable
Allow internet search result for Spotlight: If the check box is cleared, Spotlight does not return internet search results
Allow enabling of restrictions option: If the check box is cleared, the Enable Restrictions option in the Reset UI is unavailable
Allow Handoff: Users can use the Apple Continuity feature Handoff. With Handoff, users can start to work on a document, email or message on one device and continue from another device
Allow device name modification: Users can change the device name
Allow wallpaper modification: Users can change the wallpaper
Allow keyboard shortcuts: Users can use keyboard shortcuts
Allow dictation for keyboard input: Users can turn on dictation in the keyboard settings
Allow automatic app download: If the check box is cleared, the automatic downloading of apps purchased on other devices is turned off. This does not affect updates to existing apps
Allow Apple Music: Users can access the Apple Music library
Allow Apple Music Radio: Users can access Apple Music Radio
Allow modification of Bluetooth settings: Users can modify the Bluetooth settings
Allow VPN creation: Users can add VPN configurations
Force automatic date and time: The iOS Date & Time setting Set Automatically is turned on and can’t be turned off by the user
iOS software update delay: The number of days that an update of the iOS software is delayed after its release date. Enter a value between 0 (no delay) and 90
- Company data
Allow documents to be shared only within managed apps/accounts: This restricts the opening of documents with apps or accounts managed by Sophos Mobile, for example a corporate email account. If users have an email account managed by Sophos Mobile and apps managed by Sophos Mobile on their devices, attachments from the managed email account can only be opened with managed apps. In this way you can prevent corporate documents from being opened in unmanaged apps. If you turn this setting off, the next two settings are disabled. Contacts from managed accounts can be shared with unmanaged apps
Allow managed apps to write contacts to unmanaged accounts: Managed apps can write contacts to unmanaged accounts
Allow unmanaged apps to read contacts from managed accounts: Unmanaged apps can read contacts from managed accounts
Allow documents to be shared only within unmanaged apps/accounts: This restricts the opening of documents with apps/accounts not managed by Sophos Mobile, for example a private email account. If users have an email account and apps not managed by Sophos Mobile on their devices, attachments from the unmanaged email account can only be opened with unmanaged apps. In this way you can prevent personal documents from being opened in managed apps
Force AirDrop documents to be used as unmanaged documents: AirDrop is considered an unmanaged drop target
Allow managed apps to sync with iCloud: Managed apps can use iCloud synchronization
Allow backup for enterprise books: Enterprise books are backed up
Allow enterprise books notes and highlights sync: Enterprise books notes and highlights are synchronized
- Applications
Allow use of the iTunes Store: If the check box is cleared, the iTunes Store is unavailable and its icon is removed from the Home screen. Users cannot preview, purchase or download content
Allow use of Safari: If the check box is cleared, the Safari web browser is unavailable and its icon is removed from the Home screen. This also prevents users from opening Web Clips
Enable auto-fill: If the check box is cleared, Safari does not auto-fill web forms with previously entered information
Force fraud warning: The Safari security setting to warn the user when they visit a suspected phishing website is always turned on
Block pop-ups: The Safari pop-up blocker is turned on
Allow JavaScript in browser: Web pages can execute JavaScript code on the device
Accept cookies: In this field, you specify if Safari accepts cookies. When you allow cookies, you can specify if only cookies from the current site, from previously visited sites, or from all sites are accepted
Allow modification of cellular data usage per app: Users can change the cellular data usage per app
Allowed apps / Forbidden apps: You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list
- iCloud
Allow backup: Users can back up their devices to iCloud
Allow document sync: Users can store documents and app configuration data in iCloud
Allow Photo Stream: Users can upload photos to My Photo Stream
Allow iCloud Photo Library: Users can use iCloud Photo Library
Allow shared photo streams: Users can invite others to view their photo streams and can view photo streams shared by others
Allow iCloud Keychain sync: Users can use iCloud Keychain to synchronize passwords across their iPhones, iPads, and Macs. If the check box is cleared, iCloud Keychain data is only stored locally on the device
- Security and privacy
Allow diagnostic data to be sent to Apple: If the check box is cleared, iOS diagnostic information is not sent to Apple
Allow user to accept untrusted TLS certificates: If the check box is cleared, users are not asked if they want to trust certificates that cannot be verified. This setting applies to Safari and to Mail contacts and Calendar accounts
Trust enterprise apps: Enterprise apps are trusted
Allow password modification: Users can add, change or remove the device password
Allow account modification: If the check box is cleared, users cannot modify accounts. The Accounts menu is unavailable
Allow Touch ID to unlock device: If the check box is cleared, the device can’t be unlocked by Touch ID
Force limit ad-tracking: The anonymous user data that apps use for targeting ads is no longer provided
Force encrypted backups: Users must encrypt backups in iTunes
Force configured Wi-Fi networks: Devices can only connect to Wi-Fi networks that have been configured by a Sophos Mobile profile
Allow AirPrint: Users can send files to AirPrint-enabled printers
Allow AirPrint credentials storage: The AirPrint user name and password can be stored in the system keychain
Allow iBeacon discovery of AirPrint printers: The device uses iBeacon to discover AirPrint devices
Force trusted certificates for AirPrint over TLS: AirPrint over TLS is rejected if the AirPrint device uses an untrusted certificate
Allow Quick Start transfer to new device: The user can transfer data from the device to a new device, using the Quick Start feature of the iOS Setup Assistant
Allow password auto-fill: If the check box is cleared, the iOS AutoFill Passwords setting, which lets users use a saved password in Safari or other apps, is disabled. This also disables the automatic suggestion of strong passwords
Request Wi-Fi passwords from nearby devices: The device requests passwords from nearby devices when setting up a Wi-Fi connection
Allow AirDrop password sharing: Users can share passwords from iOS Password Manager with other users via AirDrop
- Content ratings
Allow explicit music and podcasts: If the check box is cleared, explicit music or video content is hidden in the iTunes Store. Explicit content is flagged by content providers, for example record labels, when listed on the iTunes Store
-> Click Apply
- MANAGE -> Devices -> Choose the device to which you want to apply the policy
- Choose Profiles -> Click Install profile
- Choose the policy and click OK
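To confirm that a profile really carries the restrictions selected above, this added example (not Sophos code) parses an unsigned .mobileconfig file and compares its Restrictions payload with a baseline. The baseline values, the pairing of each check box with an Apple payload key, and the sample profile are assumptions constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type

# Hypothetical baseline. The pairing of each check box (named in the comment)
# with an Apple payload key is an assumption, not taken from Sophos documentation.
BASELINE = {
    "allowUntrustedTLSPrompt": False,          # Allow user to accept untrusted TLS certificates
    "forceEncryptedBackup": True,              # Force encrypted backups
    "allowOpenFromManagedToUnmanaged": False,  # Documents shared only within managed apps/accounts
    "forceAirDropUnmanaged": True,             # Force AirDrop documents to be used as unmanaged
    "allowHostPairing": False,                 # Allow host pairing
}

def audit(profile_bytes):
    """Return (payload_id, key, found) for every baseline key that is
    missing (found is None) or set to a value other than the baseline."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException:
        # A CMS-signed profile is DER data, not a plist; unwrap it first.
        raise ValueError("not a plain plist (signed profile?)") from None
    content = profile.get("PayloadContent", [])
    payloads = [p for p in content if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        raise ValueError("profile contains no Restrictions payload")
    findings = []
    for payload in payloads:
        pid = payload.get("PayloadIdentifier", "<no identifier>")
        for key, wanted in BASELINE.items():
            found = payload.get(key)  # None: key absent, so nothing is enforced
            if found != wanted:
                findings.append((pid, key, found))
    return findings

# Constructed sample profile: one setting drifted, one never configured.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": "com.example.restrictions.ios",
        "allowUntrustedTLSPrompt": False,
        "forceEncryptedBackup": True,
        "forceAirDropUnmanaged": True,
        "allowHostPairing": True,  # drift: baseline wants False
    }],
})

if __name__ == "__main__":
    for pid, key, found in audit(SAMPLE):
        print(f"{pid}: {key} is {'not set' if found is None else found}")
```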