iOS Policies Using Apple Configurator
iOS-Policies
- Create policy configuration
- Create passcode policies
- Restricting app usage – Add apps to the deny or allow list
Create policy configuration
Depending on the setup method, you have different policies available.
- If you want to create a new policy for iOS/iPadOS, first proceed as described here.
- Select iOS/iPadOS as the policy you want to add.
- You can use the filter to display the existing policies, depending on the enrollment method. The Reset to defaults button resets all changes you have made to the default settings.
Note! Select the Device Enrollment filter if you are using devices that were enrolled via Device Enrollment but are not supervised. For supervised devices that have been enrolled via Device Enrollment, use the Supervised Devices filter. For devices enrolled via ADE, also select the Supervised Devices filter. User Enrollment is selected when using private iOS devices.
- First enter a name for the policy in the field below as well as a description (upper arrow in illus.).
- Now, select the desired option(s), in the example, the checkbox Allow iTunes Store has been disabled (lower arrow in illus.).
Note! For information on the content of the specific policies, refer to the Apple manual. You can also find information about new policies from iOS 16 here.
- Select the appropriate policy and click on Assign.
- Now select the users, groups or devices to whom you would like to assign the policy.
Note! When assigning policies, be sure to follow the instructions in our Help article Special conditions when assigning multiple policies.
Note! You can also assign the policies under Administration → Users or Groups.
- The outcome in the example: The iTunes Store app will be deactivated on the device.
Note! On iOS Supervised Devices the users don’t need to confirm the installation of pushed apps.
Create passcode policies
Here you can define the criteria according to which a device passcode may be created by users (see illus.). As soon as you set a check mark in the Force passcode checkbox, the selection of a minimum passcode length, a maximum passcode age, a maximum number of failed attempts and a passcode history is mandatory.
Note! If you activate Force passcode in the policy, the Allow modifying passcode policy must also be set so that the user can change the passcode on the device.
Note! Please note that for devices registered via User Enrollment, a six-digit passcode must be used by the user when selecting Force passcode, regardless of the criteria you have specified.
Force Passcode
If you enforce the use of a passcode, you can also configure the following settings:
- Require alphanumeric value: Check the box if you want users to use strings consisting of letters and numbers for their passwords.
- Allow simple value: Select this checkbox if users are allowed to use a simple value for their password. A simple passcode contains repeating characters or consecutive characters, such as 123 or CBA.
- Minimum number of complex characters: Set the minimum number of complex characters that a passcode must contain. A complex character is a character that is not a number or letter, such as &, %, $, and #.
- Minimum password length: Set the minimum total length of the password.
- Automatic lock time (min): Set the maximum number of minutes the device can be idle without the user unlocking it. When this limit is reached, the system locks the device and requires the passcode to be entered to unlock it. The user can edit this setting, but the value cannot exceed the maximum value set here.
- Maximum grace period for device lock: Set the maximum amount of time in minutes that the phone can be unlocked without entering a passcode.
- Passcode validity (1-730 days, or none): Specify how long the password can remain unchanged before it must be renewed. After this number of days has elapsed, the system forces the user to change the passcode.
- Maximum number of failed logins: Set the number of failed passcode attempts that the system allows the user before it erases or locks the device. After six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
- Passcode history (1-50, or none): Specify how many new passcodes must be set before an old one can be used again.
Restricting app usage – Add apps to the deny or allow list
Note! You can also find detailed information on this in our help article How to place default iOS apps on the deny list or allow list.
- The Restrict App Usage option allows you to restrict access to apps from the App Store.
- Select whether you want to prohibit certain apps (Do not allow some apps) or whether you want to allow only certain apps (Only allow some apps).
- For this purpose, click on Search (lower arrow in illus.) to search for the desired app in the app store and then select Add. The corresponding Bundle ID will then be automatically inserted under Application Bundle IDs (upper arrow in illus.).
- Select the appropriate policy and click on Assign.
- Now select the users, groups or devices to whom you would like to assign the policy.
Note! When assigning policies, be sure to follow the instructions in our Help article Special conditions when assigning multiple policies.
Note! You can also assign the policies under Administration → Users or Groups.
- The outcome in the example: The Game Center app has been disabled on the device. Although the Facebook app can be downloaded from the App Store, it is nonetheless disabled on the device (and not visible to the user).
iOS Policies Using Apple Configurator
If you select this option, you can import iOS policies which you configure with Apple Configurator.
- Then upload the file (*.mobileconfig) by clicking on Select File.
- Select the appropriate policy and click on Assign.
- Now select the users, groups or devices to whom you would like to assign the policy.
Note! You can also assign the policies under Administration → Users or Groups.
Note! If you create multiple configuration profiles and assign them to different users, groups or devices, all profiles will be used. The special features of assigning multiple policies do not apply in this case.
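Because every imported profile is applied, it is worth checking a *.mobileconfig file before uploading it. The following is an added example, not part of the product or of Apple Configurator: it reads an unsigned profile and compares its passcode payload with a baseline, using Apple's payload key names for the settings listed under Force Passcode (allowSimple, minLength, maxInactivity, maxFailedAttempts). The sample profile, the baseline thresholds and the bundle ID are constructed assumptions; a signed profile would have to be unwrapped first.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"

# Constructed sample: an unsigned profile of the kind exported as *.mobileconfig.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed sample profile",
    "PayloadContent": [
        {"PayloadType": PASSCODE, "forcePIN": True, "allowSimple": True,
         "minLength": 4, "maxFailedAttempts": 10, "maxInactivity": 15},
        {"PayloadType": RESTRICTIONS, "allowiTunes": False,
         "blacklistedAppBundleIDs": ["com.example.blockedapp"]},
    ],
})

def is_int(v):
    return type(v) is int  # bool is an int subclass; reject it

# Hypothetical baseline (assumed thresholds): key -> (check, requirement text)
BASELINE = {
    "forcePIN": (lambda v: v is True, "passcode must be forced"),
    "allowSimple": (lambda v: v is False, "simple values must be off"),
    "minLength": (lambda v: is_int(v) and v >= 6, "minimum length >= 6"),
    "maxFailedAttempts": (lambda v: is_int(v) and v <= 10, "at most 10 failed attempts"),
    "maxInactivity": (lambda v: is_int(v) and 1 <= v <= 5, "auto-lock within 5 min"),
}

def payloads(data, payload_type):
    """Return all payload dicts of one type from an unsigned profile."""
    content = plistlib.loads(data).get("PayloadContent", [])
    return [p for p in content if p.get("PayloadType") == payload_type]

def audit_passcode(data):
    """List baseline violations; a missing key counts as a violation."""
    found = payloads(data, PASSCODE)
    if not found:
        return ["no passcode payload in profile"]
    findings = []
    for p in found:
        for key, (ok, text) in BASELINE.items():
            if key not in p:
                findings.append(f"{key}: not set ({text})")
            elif not ok(p[key]):
                findings.append(f"{key}={p[key]!r}: {text}")
    return findings

def denied_apps(data):
    """Collect bundle IDs on the deny list of any restrictions payload."""
    return sorted({b for p in payloads(data, RESTRICTIONS)
                   for b in p.get("blacklistedAppBundleIDs", [])})
```

Run audit_passcode on the bytes of each profile you intend to import; an empty list means the passcode payload meets the assumed baseline.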