Sophos Mobile: Manage all functions of the iOS device

With the Restrictions configuration, you define restrictions for devices.

  • Log in to Sophos Central with an Admin account
  • If you do not have an Admin account, create a Sophos Central account
  • Mobile -> CONFIGURE -> Profiles, policies -> iOS -> Create -> Device profile

 

  • Enter Name and click Add configuration

 

  • Choose Restrictions and click Next. With Restrictions, you will define restrictions for devices

 

  • Device

Allow app installation: If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can’t install or update apps from the App Store or Apple Configurator

Allow app installation from device UI: If the check box is cleared, the App Store is unavailable and its icon is removed from the Home screen. Users can still install or update apps from Apple Configurator

Allow use of camera: If the check box is cleared, the camera is unavailable and the Camera icon is removed from the Home screen. Users cannot take pictures, record videos, or use FaceTime

Allow FaceTime: Users can place or receive FaceTime video calls

Allow screen capture: Users can take a screenshot of the display

Allow automatic sync while roaming: If the check box is cleared, devices that are roaming will only sync when the user accesses an account

Allow Siri: If the check box is cleared, users cannot use Siri, voice commands, or dictation

Allow Siri while device is locked: If the check box is cleared, users must unlock their device by entering their password before they use Siri

Allow Siri querying content from the web: If the check box is cleared, Siri does not query content from the web

Force Siri explicit language filter: If the check box is cleared, the Siri filter for explicit language is not enforced on the device

Allow voice dialing while device is locked: If the check box is cleared, users cannot dial by using voice commands when the device is locked by a password

Allow Passbook while device is locked: Passbook notifications are displayed when the device is locked

Allow in-app purchase: Users can make in-app purchases

Force user to enter store password for all purchases: Users must enter their Apple ID password to make any purchase. If the check box is cleared, there is a brief grace period during which users can make subsequent purchases without having to enter their password again

Allow multiplayer gaming: Users can play multi-player games in Game Center

Allow Game Center: If the check box is cleared, Game Center is unavailable

Allow adding Game Center friends: Users can add friends in Game Center

Allow find my friends modification: If the check box is cleared, modifications to the Find My Friends app are unavailable

Allow host pairing: If the check box is cleared, host pairing is turned off with the exception of the supervision host. If no supervision host certificate is configured, all pairing is turned off

Allow pairing with Apple Watch: If the check box is cleared, users cannot pair the device with an Apple Watch. Any currently paired Apple Watch is unpaired

Allow AirDrop: Content sharing with AirDrop is turned on

Allow Control Center on lock screen: If the check box is cleared, the Control Center is unavailable when the device screen is locked

Allow Notification Center on lock screen: If the check box is cleared, the Notification Center is unavailable when the device screen is locked

Allow Today view on lock screen: If the check box is cleared, the Today view is unavailable when the device screen is locked

Allow News: The News app is available

Allow over-the-air PKI updates: Over-the-air PKI updates are possible

Allow iBooks Store: Users can purchase books in iBooks

Allow explicit sexual content in iBooks Store: If the check box is cleared, explicit sexual content through iBooks Store is blocked

Allow user to install configuration profiles: Users can install configuration profiles

Allow iMessage: Users can use iMessage to send or receive text messages

Allow app removal: Users can uninstall apps from the device

Allow system app removal: Users can uninstall system apps from the device

Allow erase all contents and settings: If the check box is cleared, the Erase All Content and Settings option in the Reset UI is unavailable

Allow internet search result for Spotlight: If the check box is cleared, Spotlight does not return internet search results

Allow enabling of restrictions option: If the check box is cleared, the Enable Restrictions option in the Reset UI is unavailable

Allow Handoff: Users can use the Apple Continuity feature Handoff. With Handoff, users can start to work on a document, email or message on one device and continue from another device

Allow device name modification: Users can change the device name

Allow wallpaper modification: Users can change the wallpaper

Allow keyboard shortcuts: Users can use keyboard shortcuts

Allow dictation for keyboard input: Users can turn on dictation in the keyboard settings

Allow automatic app download: If the check box is cleared, the automatic downloading of apps purchased on other devices is turned off. This does not affect updates to existing apps

Allow Apple Music: Users can access the Apple Music library

Allow Apple Music Radio: Users can access Apple Music Radio

Allow modification of Bluetooth settings: Users can modify the Bluetooth settings

Allow VPN creation: Users can add VPN configurations

Force automatic date and time: The iOS Date & Time setting Set Automatically is turned on and can’t be turned off by the user

iOS software update delay: The number of days that an update of the iOS software is delayed after its release date. Enter a value between 0 (no delay) and 90

 

  • Company data

Allow documents to be shared only within managed apps/accounts: This restricts the opening of documents to apps or accounts managed by Sophos Mobile, for example a corporate email account. If users have an email account managed by Sophos Mobile and apps managed by Sophos Mobile on their devices, attachments from the managed email account can only be opened with managed apps. In this way you can prevent corporate documents from being opened in unmanaged apps. If you turn this setting off, the next two settings are disabled. Contacts from managed accounts can be shared with unmanaged apps

Allow managed apps to write contacts to unmanaged accounts: Managed apps can write contacts to unmanaged accounts

Allow unmanaged apps to read contacts from managed accounts: Unmanaged apps can read contacts from managed accounts

Allow documents to be shared only within unmanaged apps/accounts: This restricts the opening of documents to apps/accounts not managed by Sophos Mobile, for example a private email account. If users have an email account and apps not managed by Sophos Mobile on their devices, attachments from the unmanaged email account can only be opened with unmanaged apps. In this way you can prevent personal documents from being opened in managed apps

Force AirDrop documents to be used as unmanaged documents: AirDrop is considered an unmanaged drop target

Allow managed apps to sync with iCloud: Managed apps can use iCloud synchronization

Allow backup for enterprise books: Enterprise books are backed up

Allow enterprise books notes and highlights sync: Enterprise books notes and highlights are synchronized

 

  • Applications

Allow use of the iTunes Store: If the check box is cleared, the iTunes Store is unavailable and its icon is removed from the Home screen. Users cannot preview, purchase or download content

Allow use of Safari: If the check box is cleared, the Safari web browser is unavailable and its icon is removed from the Home screen. This also prevents users from opening Web Clips

Enable auto-fill: If the check box is cleared, Safari does not auto-fill web forms with previously entered information

Force fraud warning: The Safari security setting to warn the user when they visit a suspected phishing website is always turned on

Block pop-ups: The Safari pop-up blocker is turned on

Allow JavaScript in browser: Web pages can execute JavaScript code on the device

Accept cookies: In this field, you specify if Safari accepts cookies. When you allow cookies, you can specify if only cookies from the current site, from previously visited sites, or from all sites are accepted

Allow modification of cellular data usage per app: Users can change the cellular data usage per app

Allowed apps / Forbidden apps: You can specify either Allowed apps or Forbidden apps. Select the desired option from the first list and then select the app group containing the apps that should be allowed or forbidden from the second list

 

  • iCloud

Allow backup: Users can back up their devices to iCloud

Allow document sync: Users can store documents and app configuration data in iCloud

Allow Photo Stream: Users can upload photos to My Photo Stream

Allow iCloud Photo Library: Users can use iCloud Photo Library

Allow shared photo streams: Users can invite others to view their photo streams and can view photo streams shared by others

Allow iCloud Keychain sync: Users can use iCloud Keychain to synchronize passwords across their iPhones, iPads, and Macs. If the check box is cleared, iCloud Keychain data is only stored locally on the device

 

  • Security and privacy

Allow diagnostic data to be sent to Apple: If the check box is cleared, iOS diagnostic information is not sent to Apple

Allow user to accept untrusted TLS certificates: If the check box is cleared, users are not asked if they want to trust certificates that cannot be verified. This setting applies to Safari and to Mail, Contacts and Calendar accounts

Trust enterprise apps: Enterprise apps are trusted

Allow password modification: Users can add, change or remove the device password

Allow account modification: If the check box is cleared, users cannot modify accounts. The Accounts menu is unavailable

Allow Touch ID to unlock device: If the check box is cleared, the device can’t be unlocked by Touch ID

Force limit ad-tracking: Anonymous user data that apps use for targeting ads is no longer provided

Force encrypted backups: Users must encrypt backups in iTunes

Force configured Wi-Fi networks: Devices can only connect to Wi-Fi networks that have been configured by a Sophos Mobile profile

Allow AirPrint: Users can send files to AirPrint-enabled printers

Allow AirPrint credentials storage: The AirPrint user name and password can be stored in the system keychain

Allow iBeacon discovery of AirPrint printers: The device uses iBeacon to discover AirPrint devices

Force trusted certificates for AirPrint over TLS: AirPrint over TLS is rejected if the AirPrint device uses an untrusted certificate

Allow Quick Start transfer to new device: The user can transfer data from the device to a new device, using the Quick Start feature of the iOS Setup Assistant

Allow password auto-fill: If the check box is cleared, the iOS AutoFill Passwords setting, which lets users use a saved password in Safari or other apps, is disabled. This also disables the automatic suggestion of strong passwords

Request Wi-Fi passwords from nearby devices: The device requests passwords from nearby devices when setting up a Wi-Fi connection

Allow AirDrop password sharing: Users can share passwords from iOS Password Manager with other users via AirDrop

 

  • Content ratings

Allow explicit music and podcasts: If the check box is cleared, explicit music or video content is hidden in the iTunes Store. Explicit content is flagged by content providers, for example record labels, when listed on the iTunes Store

-> Click Apply

 

  • MANAGE -> Devices -> Choose the device to which you want to apply the policy

 

  • Choose Profiles -> Click Install profile

 

  • Choose the policy and click OK
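
To check that the profile a device receives matches what was selected above, the following added example (not Sophos or Apple code) parses an unsigned, exported .mobileconfig and compares its Restrictions payload against a baseline. The mapping from this page's check box labels to Apple payload keys, the baseline values and the sample profile are assumptions constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple Restrictions payload

# Assumed mapping: Apple payload key -> (check box label on this page,
# value wanted by a baseline constructed for this example).
BASELINE = {
    "allowUntrustedTLSPrompt": ("Allow user to accept untrusted TLS certificates", False),
    "forceEncryptedBackup": ("Force encrypted backups", True),
    "allowOpenFromManagedToUnmanaged": ("Allow documents to be shared only within managed apps/accounts", False),
    "forceAirDropUnmanaged": ("Force AirDrop documents to be used as unmanaged documents", True),
    "allowHostPairing": ("Allow host pairing", False),
    "allowUIConfigurationProfileInstallation": ("Allow user to install configuration profiles", False),
    "safariForceFraudWarning": ("Force fraud warning", True),
}

def audit_profile(profile_bytes):
    """Return [(key, label, actual, wanted)] for each deviation from BASELINE."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        raise ValueError("profile contains no Restrictions payload")
    findings = []
    for payload in payloads:
        for key, (label, wanted) in BASELINE.items():
            # A key missing from the payload falls back to the iOS default,
            # which is the opposite of `wanted` for every key listed above.
            actual = payload.get(key, not wanted)
            if actual != wanted:
                findings.append((key, label, actual, wanted))
    return findings

# Constructed sample: host pairing left enabled, profile-install key omitted.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.restrictions",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "allowUntrustedTLSPrompt": False, "forceEncryptedBackup": True,
        "allowOpenFromManagedToUnmanaged": False, "forceAirDropUnmanaged": True,
        "allowHostPairing": True, "safariForceFraudWarning": True,
    }],
})

if __name__ == "__main__":
    for key, label, actual, wanted in audit_profile(SAMPLE):
        print(f"DEVIATION {label} ({key}): profile={actual}, baseline={wanted}")
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before `plistlib` can read it.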
