Tags Guide Part III: iPad, iPhone, iPod
Profile
Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.
All Profiles which are marked with a star * are available for supervised devices
Exchange ActiveSync
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Exchange ActiveSync Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the Profile. |
| Account Settings | ||||
| Label | e.g. Imagoverum Exchange or e.g. {firstname} | e.g. Imagoverum Exchange or e.g. {firstname} | e.g. Imagoverum Exchange or e.g. {firstname} | The Label for the Email Account as it appears on the device. |
| Server Name | e.g. outlook.office365.com | e.g. outlook.office365.com | e.g. outlook.office365.com | External Exchange Active Sync address. |
| Use SSL | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If the URL for the External Mail Server is protected by an SSL Certificate then use SSL. |
| Use oAuth | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables and uses oAuth Authentication for Identity Providers on native mail client. |
| Authentication | ||||
| Enterprise Certificate | Choose File | Choose File | Choose File | Upload a certificate for certificate based authentication with one certificate. This option is available if Enterprise Certificate is selected as Certificate Deployment Method. |
| Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Input for the certificate password. This option is available if Enterprise Certificate is selected as Certificate Deployment Method. |
| Custom Variables | ||||
| Use Custom Username Variable | e.g. {CustLdapVar0} or support@imagoverum.com | e.g. {CustLdapVar0} or support@imagoverum.com | e.g. {CustLdapVar0} or support@imagoverum.com | Define a Custom Variable Attribute for the Username for the EAS Profile. |
| Use Custom Email Variable | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | e.g. {CustLdapVar0} or tim.tober@imagoverum.com | Define a Custom Variable Attribute for the Email Address for the EAS Profile. |
| Use Custom Password Variable | e.g. {UserPassword} or Pa$$w0rd | e.g. {UserPassword} or Pa$$w0rd | e.g. {UserPassword} or Pa$$w0rd | Define a Custom Variable Attribute for the Email Password for the EAS Profile. |
| Email Settings | ||||
| Past Days of Mail to Sync |
|
|
|
Period of mail to synchronize to the device. |
| Allow Mail Drop | Enabled or Disabled | Enabled or Disabled | Not supported | Allow the usage of Mail Drop. |
| Allow Mail to be Moved from This Account | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, prevents the user forwarding emails from Corporate Email using a secondary email account. |
| Allow Applications access to this email account | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, prevents the user from using this email account in third-party apps to forward content. |
| Allow Recent Address Syncing | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, no email addresses are replicated for contacts that were recently used but do not exist in the standard Contacts list. |
| S/MIME | ||||
| Enable S/MIME signing | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, S/MIME Siging is enabled for this accounts. True requires a Certificate Authority Integration. |
| Allow user to enable or disable S/MIME signing | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, the user can toggle S/MIME signing on or off in settings. True requires a Certificate Authority Integration. |
| Enable S/MIME encryption by default | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, S/MIME encryptions is enabled by default. If "Enabled per-message encryption swith" option is false, this default cannot be changed by the user. True requires a Certificate Authority Integration. |
| Allow user to enable or disable S/MIME encryption | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, the user can toogle the encryption by default setting. True requires a Certificate Authority Integration. |
| Enable per-message encryption switch | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, displays the per-message encryption swith in the Mail Compose UI. |
| Allow the user to modify the S/MIME encryption certificate | Enabled or Disabled | Enabled or Disabled | Not supported | If set to true, the user can select the S/MIME encryption identity and encryption is enabled. |
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Email Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables Email Settings. |
| Email Address | e.g. {UserEmail} or support@imagoverum.com | e.g. {UserEmail} or support@imagoverum.com | e.g. {UserEmail} or support@imagoverum.com | Defines Email Address of the Account. |
| User Display Name | e.g. {UserName} or Tim Tober | e.g. {UserName} or Tim Tober | e.g. {UserName} or Tim Tober | Defines Display Name of the User for this Email Account. |
| Account Description | e.g. Imagoverum Mail | e.g. Imagoverum Mail | e.g. Imagoverum Mail | Defines Friendly Name of this Email Account. |
| Account Type |
|
|
|
Toggles between IMAP and POP Account Types. |
| IMAP Path Prefix | e.g INBOX | e.g. INBOX | e.g. INBOX | Defines where to look for mail. |
| Allow Mail to be Moved from This Account | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, prevents the user forwarding emails from Corporate Email using a secondary email account. |
| Allow Applications access to this email account | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, prevents the user from using this email account in third-party apps to forward content. |
| Allow Mail Drop | Enabled or Disabled | Enabled or Disabled | Not supported | Allow the usage of Mail Drop. |
| Incoming Mail | ||||
| Incoming Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | e.g. imap-mail.outlook.com or pop-mail.outlook.com | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
| Incoming Mail Port | e.g. 995 | e.g. 995 | e.g. 995 | |
| Incoming Mail Username | ||||
| Authentication |
|
|
|
|
| Embed User Password | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Embed Custom Password | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Use SSL | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Outgoing Mail | ||||
| Outgoing Mail Server | e.g. imap-mail.outlook.com or pop-mail.outlook.com | e.g. imap-mail.outlook.com or pop-mail.outlook.com | e.g. imap-mail.outlook.com or pop-mail.outlook.com | |
| Outgoing Mail Port | e.g. 995 | e.g. 995 | e.g. 995 | |
| Outgoing Mail Username | ||||
| Authentication |
|
|
|
|
| Password Same As Incoming | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Embed Custom Password | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Use SSL | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
Passcode
With passcode settings, you can ensure that your users' managed devices are protected from unauthorized third-party access by requiring a passcode, for example. You can also set other security-related settings associated with the passcode configuration, such as the length and complexity of required passwords, or resetting the device to factory defaults after a certain number of failed attempts.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Passcode Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables Passcode Settings. |
| Allow Simple | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Permit the use of repeating, ascending or descending characters. |
| Require Alpha Numeric | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Require passcode to contain at least one letter. |
| Minimum Length | 4-19 | 4-19 | 4-19 | The smallest number of passcode characters allowed. |
| Minimum Complex characters | 1-4 | 1-4 | 1-4 | Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled. |
| Maximum Passcode Age - 1-730 days or none | 1-730 or empty | 1-730 or empty | 1-730 or empty | How often passcode must be changed. |
| Auto-lock (minutes) | Never, 1,2,3,4,5 | Never, 1,2,3,4,5 | Never, 1,2,3,4,5 | Device automatically locks due to inactivity after this time period. |
| Passcode history (1-50 passcodes, or none) | 1-50 or empty | 1-50 or empty | 1-50 or empty | Number of unique passcodes required before reuse. |
| Grace Period for Device Lock |
|
|
|
Amount of time device screen can sleep before device locks. |
| Maximum Failed Attempts | 4-16 | 4-16 | 4-16 | Number of passcode entry attempts allowed before the device is reset to factory settings. |
Restrictions
Restrictions are usually simple on/off settings that extend the configuration options of your managed devices and increase the security options. By enabling or disabling them, users are either authorized or explicitly prohibited from configuring certain settings on the device.
General
| Availability | Options | Requirements | Description | |
|---|---|---|---|---|
| App Store & iTunes | ||||
| Allow Enterprise Book Backup |
|
|
|
If false, disables backup of Enterprise books. Available in iOS 8 and later. Also available for user enrollment. |
| Allow Enterprise Book Sync |
|
|
|
If false, disables sync of Enterprise books, notes, and highlights. Available in iOS 8 and later. Also available for user enrollment. |
| Allow Bookstore Erotica |
|
|
|
If false, the user can't download Apple Books media that is tagged as erotica. Available in iOS 6 and later. |
| Force Encrypted Backup |
|
|
|
If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment. |
| Force iTunes Password Prompt |
|
|
|
If true, forces the user to enter their iTunes password for each transaction. Available in iOS 6 and later. |
| Applications | ||||
| Allow In App Purchase |
|
|
|
If false, prohibits in-app purchasing. Available in iOS 4 and later. |
| Allow Youtube |
|
|
|
If false, the YouTube application is disabled and its icon is removed from the Home screen. This restriction is ignored in iOS 6.0 and later because there is no built-in YouTube app. Please use the Application Blacklist policy instead. |
| iCloud | ||||
| Allow iCloud Keychain Sync |
|
|
|
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later. |
| Allow iCloud Backup |
|
|
|
If false, disables backing up the device to iCloud. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 5 and later. |
| Allow iCloud Document Sync |
|
|
|
If false, disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later |
| Allow iCloud Photo Library |
|
|
|
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in iOS 9 and later. |
| Allow Managed Apps Cloud Sync |
|
|
|
If false, prevents managed apps from using iCloud sync. Available in iOS 8 and later. Also available for user enrollment. |
| Allow Photo Stream |
|
|
|
If false, disables Photo Stream. Available in iOS 5 and later. |
| Allow Shared Photo Stream |
|
|
|
If false, disables Shared Photo Stream. Available in iOS 6 and later. |
| Lock Screen | ||||
| Allow Lock Screen Control Center |
|
|
|
If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment. |
| Allow Lock Screen Notifications View |
|
|
|
If false, disables the Notifications history view on the lock screen, so users can't view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment. |
| Allow Lock Screen Today View |
|
|
|
If false, disables the Today view in Notification Center on the lock screen. Available in iOS 7 and later. Also available for user enrollment. |
| Allow Passbook While Locked |
|
|
|
If false, hides Passbook notifications from the lock screen. Available in iOS 6 and later. |
| Allow Siri While Locked |
|
|
|
If false, disables Siri when the device is locked. This restriction is ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment. |
| Allow Voice Dialing |
|
|
|
If false, disables voice dialing if the device is locked with a passcode. Available in iOS 4 and later. |
| Managed Open-In | ||||
| Allow Managed Apps Write Contacts to Unmanaged |
|
|
|
If true, managed apps can write contacts to unmanaged contacts accounts. If Allow Open In from Managed to Unmanaged Apps is true, this restriction has no effect. Available in iOS 12 and later. |
| Allow Open In From Managed to Unmanaged Apps |
|
|
|
If false, documents in managed apps and accounts only open in other managed apps and accounts. Available in iOS 7 and later. Also available for user enrollment. |
| Allow Open In From Unmanaged to Managed Apps |
|
|
|
If false, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. Available in iOS 7 and later. Also available for user enrollment. |
| Force Managed Pasteboard |
|
|
|
With Managed Pasteboard settings, Apple provides the ability to apply the same restrictions to the copy and paste functionality, meaning that information copied from corporate apps cannot be pasted in unmanaged apps and/or the reverse. |
|
Allow Unmanaged Apps to Read Managed Contacts |
|
|
|
If true, unmanaged apps can read from managed contacts accounts. If Allow Open In from Managed to Unmanaged Apps is true is true, this restriction has no effect. Available in iOS 12 and later. Also available for user enrollment. |
| Force Airdrop to be considered Unmanaged |
|
|
|
If true, causes AirDrop to be considered an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment. |
| Network & Connection | ||||
| Allow Automatic Sync while Roaming |
|
|
|
If false, disables global background fetch activity when an iOS phone is roaming. Available in iOS 4 and later. |
| Force AirPlay Outgoing Requests Pairing Password |
|
|
|
If true, forces all devices receiving AirPlay requests from this device to use a pairing password. Available in iOS 7.1 and later. Also available for user enrollment. |
| Force Apple Watch Wrist Detection |
|
|
|
If true, forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment. |
| Force Preserve eSIM On Erase |
|
|
|
If enabled, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. The system doesn’t preserve eSIM if Find My initiates erasing the device. |
| Security & Privacy | ||||
| Allow Apple Personalized Advertising |
|
|
|
Turning off personalized adds will limits Apple’s ability to deliver relevant ads to you but will not reduce the number of ads the user receives. |
| Allow Diagnostic Data to be Sent to Apple |
|
|
|
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later. Also available for user enrollment. |
| Allow Fingerprint For Unlock |
|
|
|
If false, prevents Touch ID or Face ID from unlocking a device. Available in iOS 7 and later. |
| Allow OTA PKI Updates |
|
|
|
If false, disables over-the-air PKI updates. Setting this restriction to false doesn't disable CRL and OCSP checks. Available in iOS 7 and later. |
| Allow Untrusted TLS Certificates |
|
|
|
If false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later. |
| Allow Auto Unlock |
|
|
|
Prevents the usage of the auto unlock capability. |
| Force Limited Ad Tracking |
|
|
|
If true, limits ad tracking. Available in iOS 7 and later. |
| Siri | ||||
| Force On-Device Only Dictation |
|
|
|
You can use dictation instead of your keyboard to enter text with many apps and features that use the keyboard on your iPhone, iPad, or iPod touch running iOS 14.5 or iPadOS 14.5. This setting prevents dictated content from being sent to Siri servers for processing. |
| Shared Devices & Classroom | ||||
| Allow Shared Device Temporary Sessions |
|
|
|
If false, temporary sessions are not available on Shared iPad. Available in iOS 13.4 and later. |
| System Settings | ||||
| Allow Activity Continuation |
|
|
|
If false, disables activity continuation. Available in iOS 8 and later. |
| Allow Camera |
|
|
|
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later. |
| Allow Live Voicemail |
|
|
|
If deactivated, the system disables live voicemail on the device. |
| Allow Screen Capture |
|
|
|
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later. Also available for user enrollment. |
| Allow Remote Screen Observation |
|
|
|
If false, disables remote screen observation by the Classroom app. If Allow Screen Capture is set to false, the Classroom app doesn't observe remote screens. Required a supervised device until iOS 13. Available in iOS 12 and later. |
| Force On-Device Translation |
|
|
|
If enabled, the system disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. |
Supervised
| Availability | Options | Requirements | Description | |
|---|---|---|---|---|
| App Store & iTunes | ||||
| Allow Automatic App Downloads |
|
|
|
If disabled, prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps. Requires a supervised device. Available in iOS 9 and later. |
| Allow App Installation |
|
|
|
If disabled, disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this restriction requires a supervised device. Available in iOS 4 and later. |
| Allow Bookstore |
|
|
|
If disabled, disables Apple Books. Requires a supervised device. Available in iOS 6 and later. |
| Allow Explicit Content |
|
|
|
If disabled, hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| Allow iTunes |
|
|
|
If disabled, disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| Applications | ||||
| Allow App Clips |
|
|
|
Allows/Prevents users to download a smaller version of an app to do a specific task. |
| Allow App Removal |
|
|
|
If disabled, disables removal of apps from an iOS device. Requires a supervised device. Available in iOS 4.2.1 and later. |
| Allow Apple Music Radio |
|
|
|
If disabled, disables Apple Music Radio. Requires a supervised device. Available in iOS 9.3 and later. |
| Allow Facetime |
|
|
|
If disabled, hides the FaceTime app. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| Allow Marketplace App Installation |
|
|
|
If disabled, the system prevents alternative marketplace apps from being installed from the web and prevents installed alternative marketplace apps from installing apps. Available in iOS 17.4 and later. Requires a supervised device. |
| Allow Podcasts |
|
|
|
If disabled, disables podcasts. Requires a supervised device. Available in iOS 8 and later. |
| Allow System Apps Removal |
|
|
|
If disabled, disables the removal of system apps from the device. Requires a supervised device. Available in iOS 11 and later. |
| Allow UI App Installation |
|
|
|
If disabled, disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later. |
| Allow Widgets on a Mac |
|
|
|
Disallows iPhone widgets on a Mac that has signed in the same AppleID for iCloud. |
| Maximum Age Rating For Allowed App Content |
|
|
|
The maximum level of app content allowed on the device. Available in iOS 4 and later. |
| Maximum Age Rating For Allowed Movie Content |
|
|
|
The maximum level of movie content allowed on the device. Available in iOS 4 and later. |
| Maximum Age Rating For Allowed TV Content |
|
|
|
The maximum level of TV content allowed on the device. Available in iOS 4 and later. |
| Ratings Region |
|
|
The region that profile tools use to display the proper ratings for the given region. | |
| Game Center | ||||
| Allow Game Center |
|
|
|
If disabled, disables Game Center, and its icon is removed from the Home screen. Requires a supervised device. Available in iOS 6 and later. |
| Allow Game Center Friends |
|
|
|
If disabled, prohibits adding friends to Game Center. As of iOS 13, requires a supervised device. Available in iOS 4.2.1 and later. |
| Allow Multiplayer Gaming |
|
|
|
If disabled, prohibits multiplayer gaming. Requires a supervised device. Available in iOS 4.1 and later. |
| iCloud | ||||
| Allow private iCloud Relay |
|
|
|
iCloud Private Relay is an internet privacy service offered as a part of an iCloud+ subscription that allows users connect to and browse the web more privately and securely. If false, prevents user from using private iCloud Relay. |
| Keyboard | ||||
| Allow Auto Correction |
|
|
|
If disabled, disables keyboard autocorrection. Requires a supervised device. Available in iOS 8.1.3 and later. |
| Allow Keyboard Shortcuts |
|
|
|
If disabled, disables keyboard shortcuts. Requires a supervised device. Available in iOS 9 and later. |
| Allow Predictive Keyboard |
|
|
|
If disabled, disables predictive keyboards. Requires a supervised device. Available in iOS 8.1.3 and later. |
| Allow QuickPath Keyboard |
|
|
|
If disabled, disables QuickPath keyboard. Requires a supervised device. Available in iOS 13 and later. |
| Allow Spell Check |
|
|
|
If disabled, disables keyboard spell-check. Requires a supervised device. Available in iOS 8.1.3 and later. |
| Network & Connection | ||||
| Allow Apple Watch Pairing |
|
|
|
If disabled, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and the watch's content is erased. Requires a supervised device. Available in iOS 9 and later. |
| Allow Cellular Plan Modification |
|
|
|
If disabled, users can't change any settings related to their cellular plan. Requires a supervised device. Available in iOS 11 and later. |
| Allow eSIM Modification |
|
|
|
If disabled, disables modifications to the eSIM setting. Requires a supervised device. Available in iOS 12.1 and later. |
| Allow Files Network Drive Access |
|
|
|
If disabled, prevents connecting to network drives in the Files app. Requires a supervised device. Available in iOS 13.1 and later. |
| Allow Files USB Drive Access |
|
|
|
If disabled, prevents connecting to any connected USB devices in the Files app. Requires a supervised device. Available in iOS 13.1 and later. |
| Allow Host Pairing |
|
|
|
If disabled, disables host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC. Requires a supervised device. Available in iOS 7 and later. |
| Allow USB Restricted Mode |
|
|
|
If disabled, allows the device to always connect to USB accessories while locked. Requires a supervised device. Available in iOS 11.4.1 and later. |
| Allow VPN Creation |
|
|
|
If disabled, disables the creation of VPN configurations. Requires a supervised device. Available in iOS 11 and later. |
| Allow NFC |
|
|
|
Users can’t use built-in NFC hardware in compatible devices running iOS 14.2 or later. |
| Force Wi-Fi Power On |
|
|
|
If enabled, prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It does not prevent selecting which Wi-Fi network to use. Requires a supervised device. Available in iOS 13.0 and later. |
| Only join Wi-Fi networks installed by profiles |
|
|
|
If enabled, the device can join Wi-Fi networks only if they were set up through a configuration profile. Requires a supervised device. Available in iOS 10.3 and later. |
| Printing | ||||
| Allow AirPrint |
|
|
|
If disabled, disables AirPrint. Requires a supervised device. Available in iOS 11 and later. |
| Allow AirPrint Credentials Storage |
|
|
|
If disabled, disables keychain storage of user name and password for AirPrint. Requires a supervised device. Available in iOS 11 and later. |
| Allow AirPrint iBeacon Discovery |
|
|
|
If disabled, disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires a supervised device. Available in iOS 11 and later. |
| Force AirPrint Trusted TLS Requirement |
|
|
|
If enabled, requires trusted certificates for TLS printing communication. Requires a supervised device. Available in iOS 11 and later. |
| Safari | ||||
| Allow Safari |
|
|
|
If disabled, disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| Enable Autofill |
|
|
|
If disabled, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later. |
| Enable Javascript |
|
|
|
If disabled, Safari doesn't execute JavaScript. Available in iOS 4 and later. |
| Allow Popup |
|
|
|
If disabled, Safari doesn't allow pop-up windows. Available in iOS 4 and later. |
| Force Fraud Warning |
|
|
|
If enabled, enables Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment. |
| Accept Cookies |
|
|
|
This value defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. |
| Security & Privacy | ||||
| Allow Activation Lock |
|
|
|
Allows or disallows the device to enable the activation lock. Changing the Activation Lock restriction will only take affect before the Apple ID has been added to the device. Please refer to Activation Lock and Bypassing for additional information. |
| Allow Diagnostic Data to be Modificated |
|
|
|
If disabled, disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. Available in iOS 9.3.2 and later. |
| Allow Enterprise App Trusts |
|
|
|
If disabled, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts. However, it doesn't apply to enterprise app developers who are trusted because their apps were pushed through MDM. It also doesn't revoke previously granted trust. Available in iOS 9 and later. |
| Allow Find My Device |
|
|
|
If disabled, disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later. |
| Allow Find My Friends |
|
|
|
If disabled, disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later. |
| Allow Fingerprint Modification |
|
|
|
If disabled, prevents the user from modifying Touch ID or Face ID. Requires a supervised device. Available in iOS 8.3 and later. |
| Allow Password AutoFill |
|
|
|
If disabled, disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. It does not prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later. |
| Allow Password Proximity Requests |
|
|
|
If disabled, disables requesting passwords from nearby devices. Requires a supervised device. Available in iOS 12 and later. |
| Allow Password Sharing |
|
|
|
If disabled, disables sharing passwords with the Airdrop Passwords feature. Requires a supervised device. Available in iOS 12 and later. |
| Allow Proximity Setup to New Devices |
|
|
|
If disabled, disables the prompt to set up new devices that are nearby. Requires a supervised device. Available in iOS 11 and later. |
| Allow Rapid Security Response Installation |
|
|
|
Allows to disable the Rapid Security Response mechanism. |
| Allow Rapid Security Response Removal |
|
|
|
Blocks the end-user from being able to remove the Rapid Security Response mechanism. |
| Allow Siri Internet Results |
|
|
|
If disabled, disables Spotlight Internet search results in Siri Suggestions. Available in iOS 8 and later. |
| Force Authentication Before AutoFill |
|
|
|
If enabled, the user must authenticate before passwords or credit card information can be autofilled in Safari and Apps. If this restriction isn't enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID. Requires a supervised device. Available in iOS 11 and later. |
| Shared Device & Classroom | ||||
| Force Classroom Automatically Join Classes |
|
|
|
If enabled, automatically gives permission to the teacher's requests without prompting the student. Requires a supervised device. Available in iOS 11 and later. |
| Force Classroom Requests Permission to Leave Classes |
|
|
|
If enabled, a student enrolled in an unmanaged course through Classroom requests permission from the teacher when attempting to leave the course. Requires a supervised device. Available in iOS 11.3 and later. |
| Force Classroom Unprompted Apps and Device Lock |
|
|
|
If enabled, allows the teacher to lock apps or the device without prompting the student. Requires a supervised device. Available in iOS 11 and later. |
| Force Classroom Unprompted Screen Observation |
|
|
|
If enabled and Allow Remote Screen Observation is also true in, a student enrolled in a managed course via the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in iOS 11 and later. |
| Siri | ||||
| Allow Siri User-Generated Content |
|
|
|
If disabled, prevents Siri from querying user-generated content from the web. Requires a supervised device. Available in iOS 7 and later. |
| Allow Siri |
|
|
|
If disabled, disables Siri. Available in iOS 5 and later. Also available for user enrollment. |
| Force Assistant Profanity Filter |
|
|
|
If enabled, forces the use of the profanity filter assistant. Requires a supervised device. Available in iOS 11 and later. |
| System Settings | ||||
| Allow AirDrop |
|
|
|
If disabled, disables AirDrop. Requires a supervised device. Available in iOS 7 and later. |
| Allow Account Modification |
|
|
|
If disabled, disables account modification. Requires a supervised device. Available in iOS 7 and later. |
| Allow Bluetooth Modification |
|
|
|
If disabled, prevents modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later. |
| Allow Cellular Data Modification |
|
|
|
If disabled, disables changing settings for cellular data usage for apps. Requires a supervised device. Available in iOS 7 and later. |
| Allow Changing Device Name |
|
|
|
If disabled, prevents the device name from being changed. Requires a supervised device. Available in iOS 9 and later. |
| Allow Configuration Profile Installation |
|
|
|
If disabled, prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later. |
| Allow Definition Lookup |
|
|
|
If disabled, disables definition lookup. Requires a supervised device. Available in iOS 8.1.3 and later. |
| Allow Dictation |
|
|
|
If disabled, disallows dictation input. Requires a supervised device. Available in iOS 10.3 and later. |
| Allow Screen Time Information |
|
|
|
In iOS 12 or later, if disabled, disables the Enable ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. Prior to iOS 12 it disables the Enable Restrictions option in the Restrictions UI in Settings. |
| Allow Erase Content And Settings |
|
|
|
If disabled, disables the Erase All Content And Settings option in the Reset UI. Requires a supervised device. Available in iOS 8 and later. |
| Allow Find My Friends Modification |
|
|
|
If disabled, disables changes to Find My Friends. Requires a supervised device. Available in iOS 7 and later. |
| Allow Hotspot Modification |
|
|
|
If disabled, disables modifications of the personal hotspot setting. Requires a supervised device. Available in iOS 12.2 and later. |
| Allow iMessage |
|
|
|
If disabled, users can’t send or receive messages using iMessage. If the device supports text messaging, the user can still send and receive text messages. If the device doesn’t support text messaging, the Messages icon is removed from the Home screen. Available in iOS 6.0 and later. |
| Allow Music Service |
|
|
|
If disabled, disables the Music service, and the Music app reverts to classic mode. Requires a supervised device. Available in iOS 9.3 and later. |
| Allow News |
|
|
|
If disabled, disables News. Requires a supervised device. Available in iOS 9 and later. |
| Allow Notifications Modification |
|
|
|
If disabled, disables modification of notification settings. Requires a supervised device. Available in iOS 9.3 and later. |
| Allow Passcode Modification |
|
|
|
If disabled, prevents the device passcode from being added, changed, or removed. This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later. |
| Allow Wallpaper Modification |
|
|
|
If disabled, prevents wallpaper from being changed. Requires a supervised device. Available in iOS 9 and later. |
| Allow Recovery Mode From an Unpaired Host |
|
|
|
iPhone, iPod touch, and iPad previously allowed any external host computer to start a device in Recovery Mode, which meant that the host computer could completely erase the device and restore the operating system. iOS 14.5 and iPadOS 14.5 now prevent this behaviour by default. |
| Force Set Date and Time Automatically |
|
|
|
If enabled, enables the Set Automatically feature in Date & Time and can't be disabled by the user. The device's time zone is updated only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled. Requires a supervised device. Available in iOS 12 and later. |
Virtual Private Network
General
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| VPN Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables VPN Settings. |
| VPN Type |
|
|
|
Type of connection enabled by this policy. Application(s) needs to be installed on the device. |
| Connection Name | e.g. Imagoverum VPN | e.g. Imagoverum VPN | e.g. Imagoverum VPN | Display name of the connection displayed on the device. |
| Server Address | e.g. vpn.imagoverum.com | e.g. vpn.imagoverum.com | e.g. vpn.imagoverum.com | Host name or IP address for Server. |
| Authentication Type |
|
|
|
Authentication type for connection. Certificate as selections requires a Certification Authority Integration. |
| Cache user password |
Enabled or Disabled |
Enabled or Disabled |
Enabled or Disabled |
Silverback will take the captured user password from the enrollment for authentication. |
App specific settings
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Cisco AnyConnect | ||||
| Group | e.g. Mobile Device Users | e.g. Mobile Device Users | e.g. Mobile Device Users | Group for authenticating the connection. |
| Juniper SSL | ||||
| Realm | e.g. Mobile Users | e.g. Mobile Users | e.g. Mobile Users | Realm for authentication the connection. |
| Role | e.g. Mobile Device Users | e.g. Mobile Device Users | e.g. Mobile Device Users | Role for authentication the connection. |
| Custom SSL | ||||
| Identifier | e.g. com.imagoverum.intranet | e.g. com.imagoverum.intranet | e.g. com.imagoverum.intranet | Identifier for the custom SSL VPN in reverse DNS format. |
| SonicWall Mobile | ||||
| Login Group or Domain | e.g. CORP | e.g. CORP | e.g. CORP | Login Group or Domain for authenticating the connection. |
| IPSec (Cisco) with Certificate | ||||
| Include User PIN | Enabled or Disabled* | Enabled or Disabled* | Enabled or Disabled* |
Request PIN during connection and send with authentication. Available if Certificate is selected as Authentication Type. |
|
Group Name
|
e.g. mygroup1 | e.g. mygroup1 | e.g. mygroup1 |
Group Identifier for the connection. Available if Certificate is selected as Authentication Type. |
| Shared Secret | e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL | e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL | e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL |
Shared secret for the connection. Available if Certificate is selected as Authentication Type. |
| Use Hybrid Authentication | Enabled or Disabled* | Enabled or Disabled* | Enabled or Disabled* |
Authenticate using secret, name, and server-side certificate. Available if Certificate is selected as Authentication Type. |
| Prompt for Password | Enabled or Disabled* | Enabled or Disabled* | Enabled or Disabled* | Prompt user for password on the device. |
| Custom SSL | ||||
| Custom Data |
|
|
|
Keys and string values for custom data. |
VPN specific settings
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| VPN On Demand | ||||
| Enable VPN on Demand |
Enabled or Disabled |
Enabled or Disabled |
Enabled or Disabled |
Add Domain and host names that will establish a VPN. |
| Match Domain or Host |
|
|
|
Define matching domains or host names to use VPN on Demand. |
| On Demand Action |
|
|
|
Defines the VPN behavior for the specified domains or host names. Always establish: The specified domains will trigger a VPN connection. Established if needed: The specified domains should trigger a VPN connection attempt. Never establish: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection. |
| Per-App VPN | ||||
| Enable Per-App VPN |
Enabled or Disabled |
Enabled or Disabled |
Enabled or Disabled |
Activates the the App Layer VPN settings configuration in general. |
| Enable Dial On-Demand for Apps |
Enabled or Disabled |
Enabled or Disabled |
Enabled or Disabled |
Enable this feature to add and assign applications to the App Layer VPN settings configuration. |
| Application |
Add and remove applications here. Please enable the Apps Feature within the Tag and add applications, which will then be selectable |
Add and remove applications here. Please enable the Apps Feature within the Tag and add applications, which will then be selectable |
Add and remove applications here. Please enable the Apps Feature within the Tag and add applications, which will then be selectable |
Add here applications, which will be included into the App-Layer VPN settings configuration. Settings will apply when the application is installed. |
| Safari Domains | ||||
| Enable Safari Domains | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Will add Safari and Web into included apps for Per-App VPN. |
| Safari Domain | Add and remove domains here, e.g. imagoverum.com | Add and remove domains here, e.g. imagoverum.com | Add and remove domains here, e.g. imagoverum.com | Add multiple domains to Safari and Web for Per-App VPN. |
Proxy specific settings
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Proxy Type |
|
|
|
Configures proxies to be used with this VPN connection. |
| Proxy Server URL | e.g. 10.0.0.100 | e.g. 10.0.0.100 | e.g. 10.0.0.100 | Host name or IP address for the proxy server. |
| Proxy Server FQDN | e.g. proxy.imagoverum.com | e.g. proxy.imagoverum.com | e.g. proxy.imagoverum.com | Fully Qualified Domain Name for the proxy server. |
| Proxy Port | e.g. 8080 | e.g. 8080 | e.g. 8080 | Port for the proxy server. |
| Use Individual Usernames | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If enabled, individual usernames will be used to connect to the proxy. |
| Group Username | e.g. service_vpn | e.g. service_vpn | e.g. service_vpn | User name used to connect to the proxy. |
| Group Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Password use to authenticate with the proxy. |
Private APN
If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Private APN Settings | Enabled or Disabled | Enabled or Disabled | not available | Enables the Private APN Feature on Selected Devices. |
| Name | e.g. VFD2 Web | e.g VFD2 Web | not available | The name of the carrier access point. |
| Username | e.g. User | e.g User | not available | The username to connect to the access point. |
| Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | not available | The password to connect to the access point. |
| Server | e.g web.vodafone.com | e.g. web.vodafone.com | not available | The fully qualified address of the proxy server. |
| Port | e.g. 8080 | e.g. 8080 | not available | APN Port. |
Wi-Fi
Silverback offers the ability to pre-populate multiple Wi-Fi Profile and settings on your devices, so the user does not need to know the password for these networks. If you having a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings for additional information.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| General Settings | ||||
| Wi-Fi Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the sending of Wi-Fi settings. |
| SSID | e.g. Corporate Wi-Fi | e.g. Corporate Wi-Fi | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network. |
| Security Type |
|
Defines the used Wireless network encryption. | ||
| Hidden Network | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enable if the target network is not open or hidden. |
| Automatically Join | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | The device will automatically join the Wi-Fi network. |
| Disable Captive Network Detection (Hotspot 2.0) | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If enabled, Captive Network detection will be bypassed when the device connects to the network. |
| Disable MAC Address Randomization | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled |
Ensures that the Wi-Fi Profile will be installed with the disabled Private Address option, which prevents a randomization of the device's MAC Address. Using a private address helps to reduce tracking of devices across different Wi-Fi network. |
| Password (only Personal) | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Password for authenticating to the wireless network. |
| Proxy Settings | ||||
| Proxy |
|
|
|
Ensures the device talks to the necessary Proxy. Review WPA Enterprise Settings for additional information. |
| Protocol Settings (only Enterprise) | ||||
| Accepted EAP Types |
|
|
|
Defines the protocol utilized by encryption type. Review WPA Enterprise Settings for additional information. |
| Protected Access Credentials |
|
|
|
Defines the PAC configuration. |
| Authentication Settings (only Enterprise) | ||||
| Allow Two Rands | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow authenticating to server providing only two RAND values (EAP-SIM). |
| Username and Password |
|
|
|
Defines the used authentication mechanism. Review WPA Enterprise Settings for additional information. |
| Certificate-based authentication |
|
Defines the used authentication mechanism. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication. |
||
| Trust Settings (only Enterprise) | ||||
| Trust |
|
|
|
Defines Trusted certificates. Review WPA Enterprise Settings for additional information. |
| Network Type Settings | ||||
| Network Type |
|
|
|
Defines the Network Type and configures the network to appear as legacy or Passpoint Hotspot. Passpoint (Hotspot 2.0) is supported for the following security types:
|
| Fast Lane QoS Marking Settings | ||||
| Fast Lane QoS Marking |
|
|
|
Allows for Cisco customers to use fast lane Quality of Service (QOS) marking to prioritize network bandwidth for business critical apps. |
Wallpaper*
Define a custom Home Screen and Lock screen for your iOS supervised devices.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Lock Screen | Enabled | Enabled | Enabled | Enables customs Lock Screen on devices. |
| Choose File | Choose File | Choose File |
Upload a custom Lock Screen. Supported file types are: *.jpg and *.png |
|
| Home Screen | Enabled | Enabled | Enabled | Enables customs Lock Screen on devices. |
| Choose File | Enabled | Choose File |
Upload a custom Lock Screen. Supported file types are: *.jpg and *.png |
Application Lock*
Through the use of the Application Lock feature, you can now ‘Lock’ a specific App to the screen of the device, meaning that the user cannot minimize or close the specified App from the screen. Another common name for this functionality is the kiosk mode or single app purpose mode. Please refer to Single App Mode for iOS and iPadOS devices for additional information.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Application Lock | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables Application Lock. |
| App Identifier | e.g. com.apple.mobilesafari | e.g. com.apple.mobilesafari | e.g. com.apple.mobilesafari | The Identification String of the App that you want ‘Locked’ to the screen. |
| Options | ||||
| Disable Touch | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the users’ ability to interact with the screen. |
| Disable Device Rotation | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the screen orientation change. |
| Disable Volume Buttons | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the hardware volume buttons on the device. |
| Disable Ringer Switch | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the hardware ringer switch on the device. |
| Disable Sleep Wake Button | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the hardware power button. |
| Disable Auto Lock | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Controls whether the device will automatically lock screen. |
| Enable Voice Over | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Forces the voice over feature on the device. |
| Enable Zoom | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Forces the zoom feature on the device. |
| Enable Invert Colors | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Forces the inverted colors feature on the device. |
| Enable Assistive Touch | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the assistive touch menu for one handed operation on the device. |
| Enable Speak Selection | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the speak selection control on the device. |
| Enable Mono Audio | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Forces the mono audio on the device. |
| User Enabled Options | ||||
| Voice Over | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows the user to control voice over. |
| Zoom | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows the user to control zoom. |
| Invert Colors | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows the user to control color inversion. |
| Assistive Touch | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows the user to control voice over. |
Updating Application Lock Apps
Applications locked in Single App Mode cannot be updated due to a restriction in iOS. In Silverback a workflow is implemented that allows for these apps to be updated. This means that when you attempt to update a Single App Mode Locked app, the system will automatically disable Single App Mode and attempt to update the app. The system will continue to attempt this until the application is updated. The number of attempts to check this is determined by a setting in the Settings Administration page. To increase or decrease the amount of maximum check times perform the following steps:
- Login as Settings Administrator
- Navigate to MDM Payload
- Change the value for iOS Single App Mode Re-enablement Automation Workflow (not recommended)
Manual Override of Application Lock
In some scenarios its necessary to force an individual device to enable or disable Single App Mode for troubleshooting. This can be done from the device info pop-up for a device that has Single App Mode settings applied. Note that once the device checks in, it may lock or unlock again based on it’s Tag settings.
Notification Settings*
Notification Control specifies the restriction enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later for supervised devices, only. This control offers Administrators the capability to define specific per app notifications on the device. Notifications can be disabled at all or can be permitted to options like sounds only or disallow them in CarPlay. To configure Notification Settings navigate to iPhone, iPod or iPad Profiles in a Tag and press New Notification Setting.
| Setting | Options | Description |
|---|---|---|
| App Store Country | e.g. Germany | Country where the application will be searched. |
| App name | e.g. Microsoft Teams | Name of the application. |
| Bundle Id | e.g. com.microsoft.skype.teams | Unique application identifier. |
| Settings | ||
| Allow Notifications | Enabled or Disabled | Allows or disallows notifications for this app. |
| Show in Notification Center | Enabled or Disabled | Allows or disallows notifications to be shown in notification center. |
| Sounds | Enabled or Disabled | Allows or disallows sounds for this app. |
| Badge App Icon | Enabled or Disabled | Allows or disallows badges for this app. |
| Show on Lock Screen | Enabled or Disabled | Allows or disallows notifications shown in the lock screen. |
| Show in CarPlay | Enabled or Disabled | Allows or disallows notifications shown in CarPlay. |
| Critical Alerts | Enabled or Disabled | Allows or disallows an app to mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. |
| Banner Style |
|
Type of alert for notifications for this app. |
| Show Preview |
|
The type previews for notifications.
|
| Notification Grouping |
|
The type of grouping for notifications for this app:
|
Lock Screen Message*
For supervised devices this payload allows administrators to configure Custom Lock Screen Messages. This feature allows placing additional information on the devices lock screen. As an example, you as an administrator could place useful information like the serial number, the device user or the managed by information.
Use System Variables, e.g. {SerialNumber} to display Serial Number on the lock screen.
| Setting | Options | Description |
|---|---|---|
| Lock Screen Message | Enabled or Disabled | Enables the Shared Device configuration profile to display Lock Screen messages. |
| Lock Screen Footnote |
|
Add here the footnote displayed in the login window and lock screen. On iOS13 devices the Lock Screen Footnote is placed on the bottom left. Supported on iOS 9.3+. |
| Asset Tag Information |
|
Add here the asset tag information for the device, displayed in the login window and lock screen. On current iOS13 devices the Asset Tag is placed on the bottom right. Supported on iOS 9.3+. |
Global HTTP Proxy*
Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Global HTTP Proxy | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the Global HTTP proxy |
| Proxy Type |
|
|
|
Allows the administrator to select a proxy type. |
| Server | e.g. http:// proxy.imagoverum.com or 192.168.0.101 | e.g. http:// proxy.imagoverum.com or 192.168.0.101 | e.g. http:// proxy.imagoverum.com or 192.168.0.101 | The FQDN or IP address of the proxy server. |
| Port | e.g. 80 or 443 | e.g. 80 or 443 | e.g. 80 or 443 | The port of the proxy server. |
| Individual Usernames | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Controls the user ability to enter their own credentials. |
| Username | e.g. Proxyuser | e.g. Proxyuser | e.g. Proxyuser | Allows the administrator to define the group username. |
| Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Allows the administrator to define the group password. |
| PAC URL | e.g. http:// proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac | e.g. http:// proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac | e.g. http:// proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac | Allows the administrator to specify the location of the PAC script. |
Web Content Filter*
Web Content Filter settings allow the administrator to control URLs accessible on the iOS7+ devices from browser and web views. Please refer to Web Content Filter for iOS and iPadOS for additional information.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Enable Filter | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the Web Content Filter on the devices. This function evaluates each web page as it is loaded and attempts to identify and block content not suitable for children. The search algorithm is complex and may vary from release to release, but it is basically looking for adult language, i.e. swearing and sexually explicit language. |
| Permitted URLs |
|
|
|
Used only when Filter is set to true. Otherwise, this field is ignored. Each entry contains a URL that is accessible whether the automatic filter allows access or not. |
| Whitelisted Bookmarks |
|
|
|
If any URLs are specified in this matrix, the user can tab into Safari's address bar and will see these bookmarks. All other manually entered URLs will be blocked. The folders are to be specified like: \Root Folder\Subfolder |
| Blacklisted URLs |
|
|
|
The URLs specified in this matrix are not accessible on the device. |
Single Sign On
With Single Sign On you can leverage Kerberos as a network authentication protocol. Kerberos, as the most commonly deployed Single Sign On technology uses Data Encryption Standard to encrypt user credentials. Organizations using directory services such as Active Directory usually have a Kerberos system already in place. Single Sign On is supported for devices running iOS 7.0 or later versions. It is possible to use a Certificate-Based Authentication to ensure users are not required to sign in even once.
Configuration
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Display Name | e.g. Imagoverum | e.g. Imagoverum | e.g. Imagoverum | Reference name for the SSO Profile. |
| Kerberos Realm | e.g. IMAGOVERUM.COM | e.g. IMAGOVERUM.COM | e.g. IMAGOVERUM.COM | Defines the Kerberos realm name. It is usually the DNS domain name and should properly be capitalized. |
| Principal Name | e.g. {firstname}.{lastname} | e.g. {firstname}.{lastname} | e.g. {firstname}.{lastname} | Defines the Kerberos principal name. It will used as a unique specification to identify users and or services. |
| Use Client Certificate | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Select if a client certificate should be used for the authentication. |
|
Certificate Name |
e.g. User_SSO | e.g. User_SSO | e.g. User_SSO | Defines the certificate name and is an optional field. |
|
Certificate Type |
|
|
|
Option to choose if the certificate will be an individual user certificate or if a global enterprise certificate should be used. |
| Certificate Authority | ||||
| Certificate Authority Address | e.g. ca.imagoverum.com\domain-server-CA | e.g. ca.imagoverum.com\domain-server-CA | e.g. ca.imagoverum.com\domain-server-CA | Specifies the Certificate Authority address. |
| Template Name | e.g. SilverbackUser | e.g. SilverbackUser | e.g. SilverbackUser | Defines the template for creating individual user certificates. |
| Subject Name | e.g. u_{firstname}.{lastname}_SSO | e.g. u_{firstname}.{lastname}_SSO | e.g. u_{firstname}.{lastname}_SSO | Defines the subject name for the individual user certificate. System Variables leverages the individual subject name. |
| Subject Alternate Name | e.g. u_{firstname}.{lastname}_SSO | e.g. u_{firstname}.{lastname}_SSO | e.g. u_{firstname}.{lastname}_SSO | Defines the subject alternate name for the individual user certificate. System Variables leverages the individual subject name. |
| Enterprise | ||||
| Certificate Authority PKCS12 File | e.g. enterprise_sso.pfx | e.g. enterprise_sso.pfx | e.g. enterprise_sso.pfx | Option to upload the global enterprise certificate in a pkcs12 format. |
| Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Defines the certificate password. |
| Limit this account to specific URL Patterns | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the limitation to specific URL patterns. |
| URL Pattern | e.g. http://www.imagoverum.com/ | e.g. http://www.imagoverum.com/ | e.g. http://www.imagoverum.com/ |
List of URLs prefixes that must be matched to use this account for Kerberos authentication over HTTP. The URL postfixes must match as well. |
| Limit this account to specific App Ids | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables the limitation to specific applications. |
| App Identifier | e.g. com.microsoft.sharepoint | e.g. com.microsoft.sharepoint | e.g. com.microsoft.sharepoint | List of app identifiers that are allowed to use this login. If this field missing, this login matches all app identifiers. |
Additional Information
- Each entry in the URL Pattern array must contain a URL prefix. Only URLs that begin with one of the strings in this account are allowed to access the Kerberos ticket. URL matching patterns must include the scheme—for example, http://www.imagoverum.com/. If a matching pattern does not end in /, a / is appended to it.
- The URL matching patterns must begin with either http:// or https://. A simple string match is performed, so the URL prefix http://www.imagoverum.com/ does not match http://www.imagoverum.com:80/.
- With iOS 9.0 or later, however, a single wildcard * may be used to specify all matching values. For example, http://*.imagoverum.com/ will match both http://store.imagoverum.com/ and http://www.imagoverum.com.
- The patterns http://.com and https://.com match all HTTP and HTTPS URLs, respectively.
- The App Identifier array must contain strings that match app bundle IDs. These strings may be exact matches (com.mycompany.myapp, for example) or may specify a prefix match on the bundle ID by using the * wildcard character. The wildcard character must appear after a period character (.), and may appear only once, at the end of the string (com.mycompany.*, for example). When a wildcard is included, any app whose bundle ID begins with the prefix is granted access to the account
App Portal
The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| App Portal | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables and pushes the App Portal Icon to enrolled devices. |
To customize the App Portal navigate to Admin > App Portal
Managed Domains
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Domain Types |
|
|
|
Email Domains: Email addresses not matching any of these domains will be marked in Mail. Safari Domains: URL patterns of domains from which documents will be considered managed. |
| Domain Settings | e.g. imagoverum.com | e.g. imagoverum.com | e.g. imagoverum.com | Defines the Email or Safari Domain. |
Certificate Trusts
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Certificate Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables Certificate Settings in this Tag. |
| Add Root Certificate | Choose File | Choose File | Choose File | Select and Upload Root Certificate. |
| Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Defines Password for Root Certificate. |
| Root Certificates | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details. |
| Add Root Certificate | Choose File | Choose File | Choose File | Select and Upload Root Certificate. |
| Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | Defines Password for Root Certificate. |
| Intermediate Certificates | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE | Displays uploaded certificates details. |
Classroom
Classroom is an app for iPad and Mac that helps you guide learning, share work, and manage student devices. You can launch a specific app, website, or textbook page on any iPad in the class, share documents between teacher and students, or share student work on a TV, monitor, or projector using Apple TV. Classroom Configuration with Silverback for iPads is the payload for configuring users, groups, and departments within an educational scenario. Apple Classroom can be configured in two main ways: Shared iPad or 1-to-1 iPad. The classroom profile in Silverback supports the 1-to-1 scenario and the manual configuration of the classroom profile. In this scenario you don't need accounts on Apple School Manager or Managed Apple IDs and your users will always be keeping the same device with them. Please refer to Classroom Configuration for additional information.
| Device Type | iPhone | iPad | iPod |
|---|---|---|---|
| Availability | not available | available | not available |
Custom Profiles
Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can utilize the Apple Configurator 2 to create custom profiles in a *.mobileconfig format. Additionally, you might create or receive a custom XML from a third-party vendor, like for the Cisco Security Connector Umbrella Setup. Depending on the format or the way how you create or receive the profile, you can either upload the *.mobileconfig to Silverback or add the XML content into the provided section inside the profile. Created profiles with the Apple Configurator 2 can easily be adjusted by replacing the file type to *.txt (e.g., on Windows 10) or opening these files directly with the Text Editor (e.g., on macOS devices). System Variables are supported in the Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly and convert the System Variables to the individual values and install this payload with the desired content on your devices.
- Click New Custom Profile
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Name | e.g. CalDAV Profile | e.g. CalDAV Profile | e.g. CalDAV Profile | Display Name for the Custom Profile. |
| Description | e.g. Custom CalDAV Profile | e.g. Custom CalDAV Profile | e.g. Custom CalDAV Profile | Description for the Custom Profile. |
| Use XML | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Use this option if have a profile that is not saved as a *.mobileconfig file. |
| XML Text |
e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AssetTagInformation</key>
<string>{SerialNumber} </string>
<key>IfLostReturnToMessage</key>
<string>Imagoverum</string>
<key>PayloadDescription</key>
<string>Configures ownership information for a shared device</string>
<key>PayloadDisplayName</key>
<string>Lock Screen Message</string>
<key>PayloadIdentifier</key>
<string>com.apple.shareddeviceconfiguration.BAB86918-4FC6-45EE-9BC6-76FC358A115A</string>
<key>PayloadType</key>
<string>com.apple.shareddeviceconfiguration</string>
<key>PayloadUUID</key>
<string>BAB86918-4FC6-45EE-9BC6-76FC358A115A</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Lock Screen Message</string>
<key>PayloadIdentifier</key>
<string>MacBook-Pro.943FF4CE-7A2B-4D4A-9507-1D9000D873B7</string>
<key>PayloadOrganization</key>
<string>Imagoverum</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>22A0F143-8A4A-49AE-BF2B-6BBAA7D14FC6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
|
Enter in the section your custom profile content in case it is not saved as a*.mobileconfig file. The example shows a Lock Screen Message profile created with Apple Configurator 2 and opened with TextEdit. | ||
| Mobileconfig File | Choose File | Choose File | Choose File | Uploads the *.mobileconfig file. |
Web Clips
Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.
- Click New Web Clip
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Web Clip Name | e.g. Matrix42 | e.g. Matrix42 | e.g. Matrix42 | Web Clip Display Name. |
| Link | e.g. https://www.matrix42.com | e.g. https://www.matrix42.com | e.g. https://www.matrix42.com | Target URL for the Web Clip. |
| Removable | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Give the user the option to remove the shortcut from the device. |
| Precomposed Icon | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If disabled, iOS adds the gloss effect to the icon when displaying on the device. |
| Full Screen | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Hides the Safari Browser Interface, displaying the website in Full Screen. |
| Icon File | Choose File | Choose File | Choose File |
Button for uploading a custom icon. Supported File Type: *.png |
Home Screen Layout
The Home Screen layout allows Administrators to organize app icons and Web Clips across supervised iOS and iPadOS devices. A unified layout of interfaces makes switching between devices easier and users and support can expects apps to be in the same location on their devices. Apps which aren't used very often can be organized into folders and moved as an example to page 2 or 3 on the devices. Please refer to Home Screen Layout Configuration for additional information.
Policy
With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.
OS Version Compliance
Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.
- Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
- Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.
Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.
OS Updates*
A common question that you may face is how can we prevent our devices from updating updating to the latest version of iOS and how can we test the new iOS update before all of our users will install it? Often, organizations wish to check the latest iOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. Starting with iOS 11.3 and for supervised devices Apple began to offer the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Defer Operating System updates for X | Enabled or Disabled | Enabled or Disabled | not available | Enables the deferral of operating system updates. |
| Days | 1-90 | 1-90 | not available | Defines the time period of how long updates will be deferred. |
Create different Tags with different values to allow new OS updates in waves. Here is an example how it could look like:
- Do not use the feature for the internal IT or MDM department.
- Enable and restrict set the policy for Pilot Users to 14 days
- Enable and restrict set the policy for non-critical departments to 30 days
- For critical department use the maximum value of 90 days.
Hardware Compliance
Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.
- Alert Administrators: When the checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.
Application Blacklist
For iOS and iPadOS devices, administrators have two different ways to create an Application Blacklist. The first one is the Silverback blacklist, where the system periodically detects installed applications. In combination with the Lockdown policy, Administrators can decide what action should apply to a device that violates the configuration. The second method is the Enforced blacklist/whitelist for supervised devices where Administrators can easily decide which application should be visible on the device or which applications should not be installed on devices if the public app store is open for users. Please refer to Application Black- and Whitelisting for additional information.
Silverback Blacklist
Silverback maintains a blacklist of application names to ensure the detection and management of devices with blacklisted applications. The blacklist works by matching application names of applications on devices against the strings in the blacklist. The blacklist employs a case-insensitive substring search algorithm to determine policy violations.
To add an application to the blacklist
- Enter the Application Name you want to blacklist (WhatsApp)
- Click Add
- Notice the info message: This application name has been blacklisted successfully.
Configure Lockdown Policies to take decisions if Silverback detects an blacklist violation
Enforced blacklist/whitelist*
For supervised devices, Silverback offers the ability to blacklist/whitelist applications directly, so that dependent on the configuration these application will be hidden or whitelisted for users. Please refer to Enforced Blacklist Whitelist for iOS and iPadOS for additional information.
System Apps
Use the All button on the right or select each application manually.
|
Activity |
GarageBand | Phone* |
|
Apple Heart Study |
Health | Photo Booth |
|
Apple Store |
Home | Photos |
|
Apple Support |
iBooks | Playgrounds |
|
Apple TV Remote |
iCloud Drive | Podcasts |
|
Apple Watch |
iMovie | Reminders |
|
App Store |
iTunes Connect | Remote |
| Calculator | iTunes Store | Safari |
| Calendar | iTunes U | Shortcuts |
| Camera | Keynote | Shortcuts (iOS 13) |
| Classroom | Logic Remote | Siri |
| Clips | Magnifier | Stocks |
| Clock | Tips | |
| Companion | Maps | Translate |
| Compass | Measure | Trailers |
| Contacts | Messages | TV |
| FaceTime | Music | Videos |
| Files | Music Memos | Voice Memos |
| Find iPhone | News | Wallet |
| Find My (iOS 13) | Notes | Weather |
| Find My Friends | Numbers | Web Clips |
| Game Center | Pages | WWDC |
* In newer iOS versions, the Phone application can no longer be disabled. If the application is selected in the blacklist configuration, the profile installation returns an error and will fail and none of the selected applications will be disabled.
Apps
To add any app that is not listed in System Apps area just enter the Bundle ID and click Add. In case that Apple delivers new applications between Silverback Releases take a look at this application list: Apple Bundle Identifiers. From time to time the native Apple App Bundle Identifiers will be published
For all other applications:
If the app is in the App Store:
- Navigate to the App Portal Tab
- Select either iPhone, iPad or iPod
- Press New Application
- Ensure that as Type App Store is selected
- In the Name field, just start entering the application name until your desired application is listed
- Now you can note down the Bundle ID below the application name
If you have the .ipa file directly:
- Copy the .ipa file and rename the extension to .zip. (So e.g. application.ipa will become application.zip)
- Unzip the zip file. You will get a new folder named like the zip file.
- Search for the file iTunesMetadata.plist in that new folder.
- Open the file with a text editor and search for softwareVersionBundleId. The value should look something like com.fastviewer.ifastviewer.
Lockdown
The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through their associated checkbox. Enabling a lockdown policy ensures that the device is inspected to ensure it is compliant with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.
Lockdown Actions
| Action | Description |
|---|---|
| No action | No action is performed on the device; however alerting administrators may be performed if configured. |
| Lock | A lock command is sent to the device which will lock the screen of the device. |
| Block | The device is blocked, and the device is moved to the blocked devices table. |
| Delete Business Data | Deletes the device and removes all corporate data. |
| Factory Wipe | The device is hard reset to factory default settings. |
| Reapply | This will re-apply the iOS and iPadOS setting that disables the ability for the device to roam for voice or data. The setting is forced upon the user. For application black list in particular, this will prevent the application from launching or being installed on the device. |
| Alert administrator | Emails are sent to all administrators notifying them of the policy violation when it is detected. |
| Exclude Home Network | Allows the Administrator to disable roaming alerts for devices roaming on Home Networks. |
| Allow Home Networks | Allow Home Network’ checkbox allows the user to roam on Home Networks without triggering lockdown action. |
Lockdown Policies
| Policy | General | iPhone | iPad | iPod | Description |
|---|---|---|---|---|---|
| Enforce SIM Authentication | Enabled or Disabled |
|
|
not available | The first SIM Silverback detects on a managed device will be considered the ‘canonical’ SIM. Any subsequent changes to the SIM (e.g. removal of the SIM from the device or changing the SIM on the device) are considered a policy violation. |
| Enforce Application Blacklist |
Enabled or Disabled Either Blacklist or Whitelist |
|
|
|
See the blacklist section for more information on this configuration. The blacklist can be enabled or disabled from this screen. |
| Enforce Application Whitelist |
Enabled or Disabled Either Blacklist or Whitelist |
|
|
|
Application Whitelist will ensure that each device has only applications approved by a system administrator that reside in the Silverback App Portal. Whitelist is derived from the Application Name. Ensure applications in the App Portal are labelled correctly prior to enabling Application Whitelist. |
| Enforce Hardware Authentication | Enabled or Disabled |
|
|
|
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication for more information on this configuration. |
| Cost Control Settings | |||||
| Send Roaming Alerts | Enabled or Disabled | No actions available | No actions available | not available |
Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data). |
| Enforce Data Roaming Policy | Enabled or Disabled |
|
|
not available |
You can choose which lockdown action to apply when a device has data roaming enabled. Availability of this setting on the device is dependent on the Carrier. |
| Enforce Voice Roaming Policy |
Enabled or Disabled Enforce Data Roaming Policy will activate this setting |
|
|
not available | Voice Roaming is when the device has Voice Roaming Enabled = YES on the device. Availability of this setting on the device is dependent on the Carrier. |
| Enforce Home Networks Policy | Enabled or Disabled |
|
|
not available | Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’. |
| Home Networks |
Add Enforce Home Networks Policy will activate this grid |
e.g. Imagoverum Wi-Fi | e.g. Imagoverum Wi-Fi | not available | This grid is where Silverback Administrators can specify their ‘Home Networks’. |
Companion
Companion extends end point security into a secure workspace for your users. Users can store and edit files locally within the application, ensuring that these documents are kept securely and cannot be accessed by other applications or users. Companion also allows users and administrators to manage data usage on the device and configure policy settings around this.
General
| Setting | Description |
|---|---|
| Bookmarks | Displays a list of added Bookmarks being pushed to Companion. |
| SharePoint Sites | Displays a list of added SharePoint Website URLs being pushed to Companion. |
| Certificates | Displays a list of added certificates that can be configured and then assigned to Bookmarks and SharePoint Sites. |
| Bulk Message | Sends a message to all Companion users within the given tag. |
| Silversync | Configures File Sync Settings for Companion based on configured Silversync Feature. |
Add Bookmarks
- Click Bookmarks
- Click New Bookmark
- Fill in the following values
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Label | e.g. Imagoverum Intranet | e.g. Imagoverum Intranet | e.g. Imagoverum Intranet | Display Name of the bookmark. |
| URL | e.g. https://intranet.imagoverum.com | e.g. https://intranet.imagoverum.com | e.g. https://intranet.imagoverum.com | Website Address for the Bookmark. |
| Icon File | Choose File | Choose File | Choose File | Supported file type = *.png. |
| Authentication | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Enables or disables authentication options for the Bookmark. |
| Authentication Type |
|
|
|
Choose between Basic and Kerberos for Authentication. |
| Username | e.g. {UserName} or tim.tober@imagoverum.com | e.g. {UserName} or tim.tober@imagoverum.com | e.g. {UserName} or tim.tober@imagoverum.com | Variable or Username to use for authentication. |
| Use User Password | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | If available, send the user’s password with the settings. |
| Certificate | Select certificate | Select certificate | Select certificate | Displays uploaded Certificates in Certificates section . |
- Click Save
Add SharePoint Sites
- Click Sharepoint Sites
- Click Sharepoint Site
- Fill in the following values
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Label | e.g. Imagoverum Sharepoint | e.g. Imagoverum Sharepoint | e.g. Imagoverum Sharepoint | Display Name of the Sharepoint Site |
| URL | e.g. https://imagoverum.sharepoint.com | e.g. https://imagoverum.sharepoint.com | e.g. https://imagoverum.sharepoint.com | Sharepoint Site Address |
| Authentication Type |
|
|
|
Office 365 authentication is only available for Office 365. Webforms authentication requires the user to type their credentials in the web view. Basic authentication sends the credentials of the user in the Authorization header. Form authentication is a headless authentication method for Sharepoint site configured for Form Based Authentication. Client Certificate - Basic will provide a specified certificate to the user to use in conjunction with Basic authentication. Client Certificate - Kerberos will provide a specified certificate to the user to use in conjunction with Kerberos authentication. |
| Access Model |
|
|
|
The Access Model that should be used. Sharepoint 2013 Access Model is recommended for best experience. |
| Content Refresh Interval (hours) | e.g. 4 | e.g. 4 | e.g. 4 | The Interval for check Sharepoint for Updates. |
| Username | e.g. {UserName} or tim.tober@imagoverum.com | e.g. {UserName} or tim.tober@imagoverum.com | e.g. {UserName} or tim.tober@imagoverum.com | Field to specify the Username. Custom LDAP attributes can be used in this field. |
| Use User Password | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Specifies that the client should automatically use the User’s Password. This is only available when Password is Cached or on initial enrollment. |
| Certificate | Select Certificate | Select Certificate | Select Certificate |
Displays uploaded Certificates in Certificates section when Authentication Type is set to Client Certificate. |
Add Certificates
- Click Certificates
- Click New Certificate
- Fill in the following values
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Certificate Name | e.g. Web Authentication | e.g. Web Authentication | e.g. Web Authentication | A name that will be used to identify the Certificate settings. |
| Certificate Type |
|
|
|
Determine if the Certificate is from an Enterprise (single PKCS12 Certificate) or Certificate Authority (Certificate is generated per user). |
| Enterprise | ||||
| Certificate Authority PKCS12 File | Choose File | Choose File | Choose File | A PKCS12 Certificate that will be used to generate client certificates for devices. |
| Certificate Password | e.g. Pa$$w0rd | e.g. Pa$$w0rd | e.g. Pa$$w0rd | The password for the PKCS12 Certificate Authority Certificate. |
| Certificate Authority | ||||
| Certificate Authority Address | e.g. https://ca01.imagoverum.com/CADemo01 | e.g. https://ca01.imagoverum.com/CADemo01 | e.g. https://ca01.imagoverum.com/CADemo01 | Network address for the Certificate Authority. |
| Template Name | e.g. Web Authentication | e.g. Web Authentication | e.g. Web Authentication | The template name to be used for Certificate Requests. |
| Subject Name | e.g. {firstname} {lastname} | e.g. {firstname} {lastname} | e.g. {firstname} {lastname} | Subject Name of the certificate. |
| Subject Alternate Name | e.g. {UserName} | e.g. {UserName} | e.g. {UserName} | Subject Alternate Name of the certificate. |
- Click Save
Send Bulk Message
Companion can receive Text-Based Messages sent from the Silverback Administrator Console in the form of an App Notification when the app is minimized.
- Click Bulk Message
- Enter the Message Text
- Click Send
Silversync
Configures File Sync Settings for Companion based on configured Silversync Feature.
| Settings | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Allow File Sync | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows File Sync. |
| Disable on Blocked | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables File Sync for blocked devices. |
| Allow Sync on Cellular Data | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow Sync when device uses Cellular. |
| Cellular Data File Size Limit | e.g. 10 | e.g. 10 | e.g. 10 | Restricts file sizes in MB when device uses Cellular. |
| Allow Email of Files | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows to Email File types via Email. |
| Allow Opening Files Into Other Apps | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allows opening files into other apps on device. |
- Click Save
Settings
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Companion Enabled | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled |
Enables Companion Configuration in general. |
| Install Companion App Store | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled |
Installs current available Companion application from Apple App Store. |
| Use Device Based VPP deployment | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled |
When you want to use distribution via Volume Purchase Program enable this setting. But first be enabled for VPP and buy some Companion Licenses in Apple Business Manager. |
| EpiC Settings | ||||
| Secure Enrollment | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled |
Secure enrollment ensures that devices are kept as blocked until a modification check is accomplished through Companion. This setting will block devices permanently if Companion is distributed through App Store or Volume Purchase Program. |
| Offline Grace Period | e.g. 30 | e.g. 30 | e.g. 30 | Companion modules will be blocked if the device doesn’t check in during this period. The value is days. |
| Custom Epic Text | e.g. This is a free form text | e.g. This is a free form text | e.g. This is a free form text | Configure custom text to be displayed to the user. |
| Show Blocked Reasons | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Configures whether the user is told why they have been blocked. If this is disabled the user is not told why, just that they are blocked. |
| Allow Automated Unblocking | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Companion can allow users to rectify a block where it was triggered by a policy violation. For example if the user violated an application blacklist, they may remove the app and then scan with Companion to automatically become unblocked. |
| Browser Settings | ||||
| Allow URL Bar | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| Disable on Blocked | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | |
| File Settings | ||||
| Allow Files | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Determines whether the Files module is available to the users. |
| Disable on Blocked | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the Files module when Silverback blocks the device. |
| Require PIN | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Determines whether the users are required to have a PIN code protecting Companion. |
| Allow Email Out | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow the user to email files out of Companion or not. |
| Data Cost Control Settings | ||||
| Allow Usage | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Determines whether the Data Usage module is available to the users. |
| Disable on Blocked | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Disables the Data Usage module when Silverback blocks the device. |
| Allow User to Change Settings | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow the user to change settings within the Companion Client. If not, the administrator must define settings. |
| Rollover Day | 1-31 | 1-31 | 1-31 | Determines the day for the Data Usage to be reset on the device. |
| Local Data Cost Control | ||||
| Allow User to Reset Usage | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow the user the ability to reset their local Data Usage within the Companion client. |
| Data Allowance (MB) | e.g. 2048 | e.g. 2048 | e.g. 2048 | The Amount of local Cellular Data the user is allowed, until the user is alerted and the configured action is performed. |
| Action on Local Data Limit Reached |
|
|
|
The MDM action that is carried out when the local data limit is reached. |
| Alert Administrators | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Determines whether the administrative e-mail alert is sent out when a device reached the data limit. |
| Consumed Usage Alert Treshold | 0%-100% in 5% steps | 0%-100% in 5% steps | 0%-100% in 5% steps | Determines the threshold value for the local Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device. |
| Roaming Data Cost Control | ||||
| Allow User to Reset Usage | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Allow the user the ability to reset their roaming Data Usage within the Companion client. |
| Roaming Data Allowance (MB) | e.g. 100 | e.g. 100 | e.g. 100 | The Amount of roaming Cellular Data the user is allowed, until the user is alerted and the configured action is performed. |
| Action on Roaming Data Limited Reached |
|
|
|
The MDM action that is carried out when the roaming data limit is reached. |
| Alert Administrators | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Determines whether the administrative e-mail alert is sent out when a device reached the data limit. |
| Consumed Roaming Usage Alert Treshold | 0%-100% in 5% steps | 0%-100% in 5% steps | 0%-100% in 5% steps | Determines the threshold value for the roaming Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device. |
| Licence Message Settings | ||||
| Invalid Licence Message | e.g. You have no valid License. Please contact your System Administrator | e.g. You have no valid License. Please contact your System Administrator | e.g. You have no valid License. Please contact your System Administrator | The text message displayed on the users’ devices. |
Network Usage Rules
On iOS devices, roaming and cellular data can be enabled or disabled for managed applications either on a per-app basis, or through the use of wildcard bundle identifiers. Managed applications are either distributed with Silverback or has Take management if the app is already installed checkbox enabled in the App Portal.
| Setting | iPhone | Ipad | iPod | Description |
|---|---|---|---|---|
| App Identifier Match | e.g. com.netflix.Netflix or com.netflix.* | e.g. com.netflix.Netflix or com.netflix.* | e.g. com.netflix.Netflix or com.netflix.* | Bundle ID that should receive the Network Usage Rule. When entering an App Identifier, a list of applications that Silverback is aware of will be presented. |
| Allow Cellular | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Whether the application is allowed to use cellular data. |
| Allow Roaming | Enabled or Disabled | Enabled or Disabled | Enabled or Disabled | Whether the application is allowed to use roaming data. |
After adding Network Usage Rules use Edit button for quick editing (save with Accept button) or use Remove button to remove the application(s).
Computer Objects
Creates Computer Objects in your Active Directory. You may already be familiar with the automatic creation of Computer Objects after a Computers joins your Active Directory. Silverback can do the same and has the ability to create Computer Objects during the Enrollment on your behalf. For this functionality configure the following settings:
| Setting | iPhone | iPad | Description |
|---|---|---|---|
| Enabled | Enabled or Disabled | Enabled or Disabled | If enabled, Computer Objects will be created. |
| Computer name prefix | e.g. iPhone-{DeviceId} | e.g. {SerialNumber} | Defines the Computer Name. You can use a Prefix and fill it with a variable, but ensure that Computer Names are limited to 15 characters. All Silverback Variables but we recommend to take one of the examples. |
| Organizational unit | e.g. OU=Silverback,DC=imagoverum.com,DC=com | e.g. OU=iPads,DC=imagoverum.com,DC=com | Defines the location, where Computer Objects should be created. |
| Domain Administrator | e.g. administrator@imagoverum.com | e.g Imagoverum\Administrator | Administrator credentials are required to create Computer Objects. Please enter your UPN or SamAccountName. |
| Password | e.g Pa$$w0rd | e.g. Pa$$w0rd | Administrator credentials are required to create Computer Objects. Please enter your Administrator password. |
Time Zone
Silverback offers several different ways to change the time zone on your managed devices or to define which time zone should be set on all Apple platforms. Firstly, iOS, iPadOS and Apple TV offer the ability for supervised devices to remotely set the time zone with a one-time command. The alternative option is to define a policy where Silverback checks the target and actual status at each device check-in based on the device's reported information and, if there is a discrepancy, resets the time zone to the one defined in the policy. For additional information please refer to Set and configure Time Zones for Apple devices.
Apps
The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag you first need to have the uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.
App Types
Three different App Types are available for iOS devices:
| Type | Description |
|---|---|
| Enterprise | Applications owned by an Organization with *.ipa file. |
| App Store | Applications from public Apple App Store. |
| VPP | Applications purchased via Volume Purchase Program. |
Assign Apps
Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.
- Navigate to Apps
- Click Assign More Apps
- Select any applications from the shown Assign Applications page
- Click Add Selected Apps
Overview
Already assigned applications are displayed in the Apps section of any Tag with the following columns:
| Column | Description |
|---|---|
| Type | Displays the app type, either Enterprise, App Store or VPP. |
| Name | Displays the application name. |
| Version | Displays the application version for Enterprise Apps |
| Description | Displays the application description given in App Portal. |
| Remaining VPP | The remaining number of VPP licenses for this app. |
| Total VPP | The total amount of VPP licenses for this app. |
| Manage VPP | From there you are able to add and remove old VPP Redemption files. |
| Manage Config | Click edit to change deployment options. |
| Remove | Removes the App from the Tag. |
Change Deployment Options
By default configurations will be inherit from the App Portal. To customize the settings perform the following steps for each application.
- Click the Edit button in the Manage Config column
- Update Deployment Options
- Click Save
When you add an application to a Tag that has an enabled Auto Population, be aware that the changes affects immediately after adding the application to the Tag. So, if your application has enabled as an example the App Management option Automatically push to managed devices, and you add this application into an Auto Population enabled Tag, devices will get instant a push with the application configuration that is inherit from the App Portal, as it is the default configuration. In this scenario you might run into an accidental automatic installation of applications. When you want to add applications to a Tag with enabled Auto Population tag, either disable temporary the Auto Population or ensure as an example that the Application has a not set the Automatically push to managed devices option in the App Portal.
Content
The Content Tab is where content locations are provided for users. These are defined at a Tag level which means only users in this Tag will receive these content settings in their M42Mobile app (deprecated) or Matrix42 Documents application.
Content Provider
The following content providers can be configured for the M42Mobile App (deprecated) or the Matrix42 Documents application. The Username and Password fields support system variables, so you can dynamically configure them for all users.
| Content Provider | Settings | M42Mobile (deprecated) | Matrix42 Documents |
|---|---|---|---|
| Silversync |
|
Supported, but the M42Mobile application is deprecated. | Supported with automatic configuration, please refer to the Silversync Guide for additional information. |
| Box |
|
Supported, but the M42Mobile application is deprecated. | Not supported |
| Dropbox |
|
Supported, but the M42Mobile application is deprecated. | Not supported |
| GoogleDrive |
|
Supported, but the M42Mobile application is deprecated. | Supported with manual configuration. Please refer to Matrix42 Documents for additional information. |
| OneDrive |
|
Supported, but the M42Mobile application is deprecated. | Supported with manual configuration. Please refer to Matrix42 Documents for additional information. |
| ownCloud |
|
Supported, but the M42Mobile application is deprecated. | Not supported |
| Sharepoint |
|
Supported, but the M42Mobile application is deprecated. | Supported with automatic configuration, please refer to the Silversync Guide and to to Matrix42 Documents for additional information. |
Silversync Server Locations
For assigning content with Silversync, there are generally two ways to do this:
| Add Content | Requirement | Description |
|---|---|---|
| Selecting the folders from the Content Tree | Server Based Authentication | Expand and collapse folders if you want to assign content at a level down in the file system. |
| Typing in file paths manually | User based Authentication | Assign the content manually by typing in file paths. |
To add content manually:
- Click Add
- Enter the path directly
- C:\SilversyncContent\users\{UserName}
- \\NetworkShare\SilversyncFiles\Everybody
It’s important to note that these paths support system variables. In the example above “{UserName}” will be replaced with that unique user’s username. This is useful for mapping to a home drive network share for example.