Matrix42 Self-Service Help Center

Tags Guide Part III: iPad, iPhone, iPod

Profile

Profiles are managed independently for each device type, so each device type can be configured and managed separately. A device is provisioned with the profile configuration that is in effect at the time it is enrolled. When a profile is changed, the new configuration is applied to newly enrolled devices as well as to devices that are currently managed and/or blocked. Whenever you change a profile, make sure the settings are correct, because they are applied immediately to all applicable devices. Click the Save or Save & Close button at the bottom right of the screen to commit your changes before selecting another page.

All profiles marked with a star (*) are available for supervised devices.

Exchange ActiveSync

Setting iPhone iPad iPod Description
Exchange ActiveSync Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Profile
Label e.g. Imagoverum Exchange or e.g. {firstname} e.g. Imagoverum Exchange or e.g. {firstname} e.g. Imagoverum Exchange or e.g. {firstname} The Label for the Email Account as it appears on the device. 
Server Name e.g. outlook.office365.com  e.g. outlook.office365.com  e.g. outlook.office365.com  External Exchange Active Sync address 
Past Days of Mail to Sync (same options for iPhone, iPad and iPod)
  • Unlimited
  • One Day
  • Three days
  • One week
  • Two weeks
  • One Month
Period of mail to synchronize to the device
Use SSL Enabled or Disabled Enabled or Disabled Enabled or Disabled If the URL for the External Mail Server is protected by an SSL Certificate then use SSL.
Use oAuth Enabled or Disabled Enabled or Disabled Not supported Enables OAuth authentication with identity providers in the native mail client
Enable S/MIME signing Enabled or Disabled Enabled or Disabled Not supported If set to true, S/MIME signing is enabled for this account. True requires a Certificate Authority Integration
Allow user to enable or disable S/MIME signing Enabled or Disabled Enabled or Disabled Not supported If set to true, the user can toggle S/MIME signing on or off in settings. True requires a Certificate Authority Integration
Enable S/MIME encryption by default Enabled or Disabled Enabled or Disabled Not supported If set to true, S/MIME encryption is enabled by default. If the "Enable per-message encryption switch" option is false, this default cannot be changed by the user. True requires a Certificate Authority Integration
Allow user to enable or disable S/MIME encryption Enabled or Disabled Enabled or Disabled Not supported If set to true, the user can toggle the encryption by default setting. True requires a Certificate Authority Integration
Enable per-message encryption switch Enabled or Disabled Enabled or Disabled Not supported If set to true, displays the per-message encryption switch in the Mail Compose UI.
Allow the user to modify the S/MIME encryption certificate Enabled or Disabled Enabled or Disabled Not supported If set to true, the user can select the S/MIME encryption identity and encryption is enabled.
Allow Mail to be Moved from This Account Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, prevents the user forwarding emails from Corporate Email using a secondary email account
Allow Applications access to this email account Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, prevents the user from using this email account in third-party apps to forward content
Allow Recent Address Syncing Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, no email addresses are replicated for contacts that were recently used but do not exist in the standard Contacts list.
Use Custom Username Variable e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com e.g. {CustLdapVar0} or support@imagoverum.com Define a Custom Variable Attribute for the Username for the EAS Profile.
Use Custom Email Variable e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com e.g. {CustLdapVar0} or tim.tober@imagoverum.com Define a Custom Variable Attribute for the Email Address for the EAS Profile.
Use Custom Password Variable e.g. {UserPassword} or Pa$$w0rd  e.g. {UserPassword} or Pa$$w0rd  e.g. {UserPassword} or Pa$$w0rd  Define a Custom Variable Attribute for the Email Password for the EAS Profile.
Enterprise Certificate Choose File Choose File Choose File Upload a certificate for certificate based authentication with one certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Password for the certificate

Email

Setting iPhone iPad iPod Description
Email Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Email Settings
Email Address e.g. {UserEmail} or support@imagoverum.com e.g. {UserEmail} or support@imagoverum.com e.g. {UserEmail} or support@imagoverum.com Defines Email Address of the Account
User Display Name e.g. {UserName} or Tim Tober e.g. {UserName} or Tim Tober e.g. {UserName} or Tim Tober Defines Display Name of the User for this Email Account
Account Description e.g. Imagoverum Mail e.g. Imagoverum Mail e.g. Imagoverum Mail Defines Friendly Name of this Email Account
Account Type (same options for iPhone, iPad and iPod)
  • IMAP
  • POP
Toggles between IMAP and POP Account Types
IMAP Path Prefix e.g. INBOX e.g. INBOX e.g. INBOX Defines where to look for mail
Allow Mail to be Moved from This Account Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, prevents the user forwarding emails from Corporate Email using a secondary email account
Allow Applications access to this email account Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, prevents the user from using this email account in third-party apps to forward content
Incoming Mail
Incoming Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com e.g. imap-mail.outlook.com or pop-mail.outlook.com e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Incoming Mail Port e.g. 995 e.g. 995 e.g. 995  
Incoming Mail Username        
Authentication (same options for iPhone, iPad and iPod)
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • HTTP MD5 Digest
Embed User Password Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Embed Custom Password Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Use SSL Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Outgoing Mail
Outgoing Mail Server e.g. imap-mail.outlook.com or pop-mail.outlook.com e.g. imap-mail.outlook.com or pop-mail.outlook.com e.g. imap-mail.outlook.com or pop-mail.outlook.com  
Outgoing Mail Port e.g. 995 e.g. 995 e.g. 995  
Outgoing Mail Username        
Authentication (same options for iPhone, iPad and iPod)
  • None
  • Password
  • MD5 Challenge-Response
  • NTLM
  • HTTP MD5 Digest
Password Same As Incoming Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Embed Custom Password Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Use SSL Enabled or Disabled Enabled or Disabled Enabled or Disabled  

Passcode

Setting iPhone iPad iPod Description
Passcode Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Passcode Settings
Allow Simple Enabled or Disabled Enabled or Disabled Enabled or Disabled Permit the use of repeating, ascending or descending characters
Require Alpha Numeric Enabled or Disabled Enabled or Disabled Enabled or Disabled Require passcode to contain at least one letter
Minimum Length 4-19 4-19 4-19 The smallest number of passcode characters allowed
Minimum Complex characters 1-4 1-4 1-4 Smallest number of non-alphanumeric characters allowed. If ‘Allow Simple’ is checked, then this configuration is disabled.
Maximum Passcode Age - 1-730 days or none 1-730 or empty 1-730 or empty 1-730 or empty How often passcode must be changed
Auto-lock (minutes) Never, 1,2,3,4,5 Never, 1,2,3,4,5 Never, 1,2,3,4,5 Device automatically locks due to inactivity after this time period
Passcode history (1-50 passcodes, or none) 1-50 or empty 1-50 or empty 1-50 or empty Number of unique passcodes required before reuse
Grace Period for Device Lock (same options for iPhone, iPad and iPod)
  • Immediately
  • 1 Minute
  • 5 Minutes
  • 15 Minutes
Amount of time device screen can sleep before device locks
Maximum Failed Attempts 4-16 4-16 4-16 Number of passcode entry attempts allowed before the device is reset to factory settings
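
A pre-save check for the Passcode settings above, as an added example that is not part of the Matrix42 documentation or product: it validates a proposed configuration against the ranges and option lists in the table and flags Minimum Complex characters when Allow Simple disables it. The dictionary key names and the sample values are hypothetical; the field names Silverback uses internally are not given on this page.

```python
"""Pre-save lint for the Passcode settings documented in the table above.

Added example: the dictionary keys are hypothetical names chosen for this
sketch; the ranges and option lists are the ones given in the table.
"""

# Numeric settings and their documented inclusive ranges.
INT_RANGES = {
    "minimum_length": (4, 19),
    "minimum_complex_characters": (1, 4),
    "maximum_passcode_age_days": (1, 730),
    "passcode_history": (1, 50),
    "maximum_failed_attempts": (4, 16),
}
# Documented choices for the two list-style settings.
AUTO_LOCK_MINUTES = ("Never", 1, 2, 3, 4, 5)
GRACE_PERIODS = ("Immediately", "1 Minute", "5 Minutes", "15 Minutes")


def lint_passcode_profile(profile):
    """Return a list of findings; an empty list means the values are consistent."""
    if not profile.get("passcode_settings_enabled", False):
        return ["passcode_settings_enabled is off: none of the passcode rules apply"]

    findings = []
    for key, (low, high) in INT_RANGES.items():
        value = profile.get(key)
        if value is None:  # empty field: the setting is not configured
            continue
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(f"{key}: expected a whole number, got {value!r}")
        elif not low <= value <= high:
            findings.append(f"{key}: {value} is outside the documented range {low}-{high}")

    # Documented dependency: with Allow Simple checked, the
    # Minimum Complex characters setting is disabled.
    if profile.get("allow_simple") and profile.get("minimum_complex_characters") is not None:
        findings.append("minimum_complex_characters: disabled because allow_simple is enabled")

    auto_lock = profile.get("auto_lock_minutes")
    if auto_lock is not None and auto_lock not in AUTO_LOCK_MINUTES:
        findings.append(f"auto_lock_minutes: {auto_lock!r} is not one of {AUTO_LOCK_MINUTES}")

    grace = profile.get("grace_period")
    if grace is not None and grace not in GRACE_PERIODS:
        findings.append(f"grace_period: {grace!r} is not one of {GRACE_PERIODS}")

    return findings


# Constructed sample input: a configuration that stays inside every documented range.
SAMPLE_OK = {
    "passcode_settings_enabled": True,
    "allow_simple": False,
    "require_alphanumeric": True,
    "minimum_length": 8,
    "minimum_complex_characters": 1,
    "maximum_passcode_age_days": 90,
    "auto_lock_minutes": 5,
    "passcode_history": 5,
    "grace_period": "Immediately",
    "maximum_failed_attempts": 10,
}

# Constructed sample input: the same configuration with four inconsistencies.
SAMPLE_BAD = dict(
    SAMPLE_OK,
    allow_simple=True,           # makes minimum_complex_characters ineffective
    minimum_length=3,            # below 4
    maximum_failed_attempts=20,  # above 16
    grace_period="30 Minutes",   # not an offered option
)

if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name)
        for finding in lint_passcode_profile(sample) or ["no findings"]:
            print("  -", finding)
```

Because profile changes are applied immediately to all applicable devices, a check like this is run on the intended values before clicking Save.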

Restrictions

General

  Availability Options Requirements Description
Allow Automatic Sync while Roaming
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 4
If false, disables global background fetch activity when an iOS phone is roaming. Available in iOS 4 and later.
Allow Camera
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later.
Allow In App Purchase
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, prohibits in-app purchasing. Available in iOS 4 and later.
Allow Screen Capture
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 4
If false, disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens. Available in iOS 4 and later. Also available for user enrollment.
Allow Youtube
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled

 

If false, the YouTube application is disabled and its icon is removed from the Home screen. This restriction is ignored in iOS 6.0 and later because there is no built-in YouTube app. Please use the Application Blacklist policy instead.
Allow Voice Dialing
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables voice dialing if the device is locked with a passcode. Available in iOS 4 and later.
Allow Game Center Friends
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4.2.1
If false, prohibits adding friends to Game Center. As of iOS 13, requires a supervised device. Available in iOS 4.2.1 and later.
Allow iCloud Backup
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 5
If false, disables backing up the device to iCloud. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 5 and later.
Allow iCloud Document Sync
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 5
If false, disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later.
Allow iCloud Key Value Sync
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled

 

 
Allow Photo Stream
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 5
If false, disables Photo Stream. Available in iOS 5 and later.
Allow Untrusted SSL Certificates
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 5
If false, automatically rejects untrusted HTTPS certificates without prompting the user. Available in iOS 5.0 and later.
Force iTunes Password Prompt
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If true, forces the user to enter their iTunes password for each transaction. Available in iOS 6 and later.
Force Encrypted Backup
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled
  • iOS 4
If true, encrypts all backups. Available in iOS 4 and later. Also available for user enrollment.
Allow Siri While Locked
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 5.1
If false, disables Siri when the device is locked. This restriction is ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. Also available for user enrollment.
Allow Diagnostic Data to be Sent to Apple
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, prevents the device from automatically submitting diagnostic reports to Apple. Available in iOS 6 and later. Also available for user enrollment.
Allow Passbook While Locked
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, hides Passbook notifications from the lock screen. Available in iOS 6 and later.
Allow Shared Photo Stream
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, disables Shared Photo Stream. Available in iOS 6 and later.
Allow Cloud Keychain Sync
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables iCloud keychain synchronization. This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later.
Allow Lock Screen Control Center
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 7
If false, prevents Control Center from appearing on the Lock screen. Available in iOS 7 and later. Also available for user enrollment.
Allow Lock Screen Notifications View
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 7
If false, disables the Notifications history view on the lock screen, so users can't view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment.
Allow Lock Screen Today View
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 7
If false, disables the Today view in Notification Center on the lock screen. Available in iOS 7 and later. Also available for user enrollment.
Allow Open In From Managed to Unmanaged Apps
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 7
If false, documents in managed apps and accounts only open in other managed apps and accounts. Available in iOS 7 and later. Also available for user enrollment.
Allow Open In From Unmanaged to Managed Apps
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 7
If false, documents in unmanaged apps and accounts only open in other unmanaged apps and accounts. Available in iOS 7 and later. Also available for user enrollment.
Allow OTA PKI Updates
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables over-the-air PKI updates. Setting this restriction to false doesn't disable CRL and OCSP checks.  Available in iOS 7 and later.
Force Limited Ad Tracking
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If true, limits ad tracking. Available in iOS 7 and later.
Allow Fingerprint For Unlock
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, prevents Touch ID or Face ID from unlocking a device. Available in iOS 7 and later.
Allow Activity Continuation
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8
If false, disables activity continuation. Available in iOS 8 and later.
Allow Managed Apps Cloud Sync
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 8
If false, prevents managed apps from using iCloud sync. Available in iOS 8 and later. Also available for user enrollment.
Force Airdrop to be considered Unmanaged
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 9
If true, causes AirDrop to be considered an unmanaged drop target. Available in iOS 9 and later. Also available for user enrollment.
Force Apple Watch Wrist Detection
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 8.2
If true, forces a paired Apple Watch to use Wrist Detection. Available in iOS 8.2 and later. Also available for user enrollment.
Allow iCloud Photo Library
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, disables iCloud Photo Library. Any photos not fully downloaded from iCloud Photo Library to the device are removed from local storage. Available in iOS 9 and later.

Supervised

  Availability Options Requirements Description
Allow Game Center
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, disables Game Center, and its icon is removed from the Home screen. Requires a supervised device. Available in iOS 6 and later.
Allow iBookstore
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, disables Apple Books. Requires a supervised device. Available in iOS 6 and later.
Allow iBookstore Erotica
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, the user can't download Apple Books media that is tagged as erotica. Available in iOS 6 and later.
Allow Configuration Profile Installation
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and later.
Allow iMessage
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 6
If false, users can’t send or receive messages using iMessage. If the device supports text messaging, the user can still send and receive text messages. If the device doesn’t support text messaging, the Messages icon is removed from the Home screen. Available in iOS 6.0 and later.
Allow Explicit Music and Podcasts
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
Allow iTunes
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
Allow Safari
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables the Safari web browser app, and its icon is removed from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
Enable Autofill
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill, though third-party password managers are allowed and apps can use AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
Enable Javascript
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, Safari doesn't execute JavaScript. Available in iOS 4 and later.
Allow Popup
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, Safari doesn't allow pop-up windows. Available in iOS 4 and later.
Force Fraud Warning
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 4
If true, enables Safari fraud warning. Available in iOS 4 and later. Also available for user enrollment.
Accept Cookies
  • iPhone
  • iPad
  • iPod
  • Always
  • Never
  • From Visited Sites
  • iOS 4
This value defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later.
Allow Siri
  • iPhone
  • iPad
  • iPod
  • User Enrollment
  • Enabled or Disabled
  • iOS 5
If false, disables Siri. Available in iOS 5 and later. Also available for user enrollment.
Allow Facetime
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, hides the FaceTime app. As of iOS 13, requires a supervised device. Available in iOS 4 and later.
Allow Multiplayer Gaming
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4.1
If false, prohibits multiplayer gaming. Requires a supervised device. Available in iOS 4.1 and later.
Allow Cellular Data Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables changing settings for cellular data usage for apps. Requires a supervised device. Available in iOS 7 and later.
Allow Find My Friends Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables changes to Find My Friends. Requires a supervised device. Available in iOS 7 and later.
Allow Host Pairing
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC. Requires a supervised device. Available in iOS 7 and later.
Allow AirDrop
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables AirDrop. Requires a supervised device. Available in iOS 7 and later.
Allow App Removal
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4.2.1
If false, disables removal of apps from an iOS device. Requires a supervised device. Available in iOS 4.2.1 and later.
Allow Activation Lock
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled

 

 
Allow Podcasts
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8
If false, disables podcasts. Requires a supervised device. Available in iOS 8 and later.
Allow Definition Lookup
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8.1.3
If false, disables definition lookup. Requires a supervised device. Available in iOS 8.1.3 and later.
Allow Predictive Keyboard
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8.1.3
If false, disables predictive keyboards. Requires a supervised device. Available in iOS 8.1.3 and later.
Allow Auto Correction
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8.1.3
If false, disables keyboard autocorrection. Requires a supervised device. Available in iOS 8.1.3 and later.
Allow Spell Check
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8.1.3
If false, disables keyboard spell-check. Requires a supervised device. Available in iOS 8.1.3 and later.
Allow UI App Installation
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. Requires a supervised device. Available in iOS 9 and later.
Allow Keyboard Shortcuts
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, disables keyboard shortcuts. Requires a supervised device. Available in iOS 9 and later.
Allow Apple Watch Pairing
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, disables pairing with an Apple Watch. Any currently paired Apple Watch is unpaired and the watch's content is erased. Requires a supervised device. Available in iOS 9 and later.
Allow Changing Device Name
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, prevents the device name from being changed. Requires a supervised device. Available in iOS 9 and later.
Allow Wallpaper Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, prevents wallpaper from being changed. Requires a supervised device. Available in iOS 9 and later.
Allow Automatic App Downloads
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps. Requires a supervised device. Available in iOS 9 and later.
Allow Enterprise App Trusts
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, removes the Trust Enterprise Developer button in Settings > General > Profiles & Device Management, preventing apps from being provisioned by universal provisioning profiles. This restriction applies to free developer accounts. However, it doesn't apply to enterprise app developers who are trusted because their apps were pushed through MDM. It also doesn't revoke previously granted trust. Available in iOS 9 and later.
Allow Notifications Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9.3
If false, disables modification of notification settings. Requires a supervised device. Available in iOS 9.3 and later.
Allow Bluetooth Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 11
If false, prevents modification of Bluetooth settings. Requires a supervised device. Available in iOS 11 and later.
Allow Passcode Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 9
If false, prevents the device passcode from being added, changed, or removed. This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later.
Allow App Store
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 4
If false, disables the App Store, and its icon is removed from the Home screen. Users are unable to install or update their apps. In iOS 10 and later. As of iOS 13, this restriction requires a supervised device. Available in iOS 4 and later.
Allow Account Modification
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 7
If false, disables account modification. Requires a supervised device. Available in iOS 7 and later.
Allow Erase Content And Settings
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8
If false, disables the Erase All Content And Settings option in the Reset UI. Requires a supervised device. Available in iOS 8 and later.
Allow Spotlight Internet Results
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8
If false, disables Spotlight Internet search results in Siri Suggestions. Available in iOS 8 and later.
Allow Enabling Restrictions
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 8
If false, disables the "Enable Restrictions" option in the Restrictions UI in Settings. In iOS 12 or later, if false, disables the "Enable ScreenTime" option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later.
Only join Wi-Fi networks installed by profiles (iOS 10.3+)
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 10.3
If true, the device can join Wi-Fi networks only if they were set up through a configuration profile. Requires a supervised device. Available in iOS 10.3 and later.
Allow Dictation (iOS 10.3+)
  • iPhone
  • iPad
  • iPod
  • Enabled or Disabled
  • iOS 10.3
If false, disallows dictation input. Requires a supervised device. Available in iOS 10.3 and later.
Allow Hotspot Modification
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 12.2
If false, disables modifications of the personal hotspot setting. Requires a supervised device. Available in iOS 12.2 and later.
Allow Find My Device
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If false, disables Find My Device in the Find My app. Requires a supervised device. Available in iOS 13 and later.
Allow Find My Friends
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If false, disables Find My Friends in the Find My app. Requires a supervised device. Available in iOS 13 and later.
Allow QuickPath Keyboard
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If false, disables QuickPath keyboard. Requires a supervised device. Available in iOS 13 and later.
Force Wi-Fi Power On
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If true, prevents Wi-Fi from being turned off in Settings or Control Center, even by entering or leaving Airplane Mode. It does not prevent selecting which Wi-Fi network to use. Requires a supervised device. Available in iOS 13.0 and later.
Allow Files Network Drive Access 
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If false, prevents connecting to network drives in the Files app. Requires a supervised device. Available in iOS 13.1 and later.
Allow Files USB Drive Access 
  • iPhone
  • iPad
  • Enabled or Disabled
  • iOS 13
  • iPadOS 13
If false, prevents connecting to any connected USB devices in the Files app. Requires a supervised device. Available in iOS 13.1 and later.

Virtual Private Network

General

Setting iPhone iPad iPod Description
VPN Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables VPN Settings
VPN Type (same options for iPhone, iPad and iPod)
  • Cisco Legacy AnyConnect
  • Cisco AnyConnect
  • Juniper SSL
  • F5 Access Legacy
  • F5 Access
  • Cisco (IPSec)
  • SonicWall Mobile Connect
  • Check Point Mobile VPN
  • Custom SSL
Type of connection enabled by this policy. The corresponding application(s) must be installed on the device.
Connection Name e.g. Imagoverum VPN e.g. Imagoverum VPN e.g. Imagoverum VPN Display name of the connection displayed on the device
Server Address e.g. vpn.imagoverum.com  e.g. vpn.imagoverum.com e.g. vpn.imagoverum.com Host name or IP address for Server
Authentication Type (same options for iPhone, iPad and iPod)
  • Certificate
  • Password
  • Shared Secret/Group Name (Cisco IPSec only)
Authentication type for the connection. Selecting Certificate requires a Certification Authority Integration

Cache user password Enabled or Disabled Enabled or Disabled Enabled or Disabled Silverback will take the captured user password from the enrollment for authentication

App specific settings

Setting iPhone iPad iPod Description
Cisco AnyConnect
Group e.g. Mobile Device Users e.g. Mobile Device Users e.g. Mobile Device Users Group for authenticating the connection
Juniper SSL
Realm e.g. Mobile Users e.g. Mobile Users e.g. Mobile Users Realm for authenticating the connection
Role e.g. Mobile Device Users e.g. Mobile Device Users e.g. Mobile Device Users Role for authenticating the connection
Custom SSL
Identifier e.g. com.imagoverum.intranet e.g. com.imagoverum.intranet e.g. com.imagoverum.intranet Identifier for the custom SSL VPN in reverse DNS format
SonicWall Mobile 
Login Group or Domain e.g. CORP e.g. CORP e.g. CORP Login Group or Domain for authenticating the connection. 
IPSec (Cisco) with Certificate
Include User PIN Enabled or Disabled* Enabled or Disabled* Enabled or Disabled* Request PIN during connection and send with authentication. *Only available if Certificate is selected as Authentication Type
Group Name e.g. mygroup1 e.g. mygroup1 e.g. mygroup1 Group Identifier for the connection. *Only available if Certificate is selected as Authentication Type
Shared Secret e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL e.g. v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL Shared secret for the connection. *Only available if Certificate is selected as Authentication Type
Use Hybrid Authentication Enabled or Disabled* Enabled or Disabled* Enabled or Disabled* Authenticate using secret, name, and server-side certificate. *Only available if Certificate is selected as Authentication Type
Prompt for Password Enabled or Disabled* Enabled or Disabled* Enabled or Disabled* Prompt user for password on the device
Custom SSL 
Custom Data
  • Key
  • Value
  • Key
  • Value
  • Key
  • Value
Keys and string values for custom data

VPN specific settings

Setting iPhone iPad iPod Description
VPN On Demand
Enable VPN on Demand

Enabled or Disabled

Enabled or Disabled

Enabled or Disabled

Add Domain and host names that will establish a VPN
Match Domain or Host
  • e.g. int.imagoverum.com
  • e.g. int.imagoverum.com
  • e.g. int.imagoverum.com
Define matching domains or host names to use VPN on Demand
On Demand Action
  • Always establish
  • Never establish
  • Established if needed 
  • Always establish
  • Never establish
  • Established if needed 
  • Always establish
  • Never establish
  • Established if needed 

Defines the VPN behavior for the specified domains or host names.

Always establish: The specified domains will trigger a VPN connection

Established if needed: The specified domains should trigger a VPN connection attempt

Never establish: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection

Per-App VPN
Enable Per-App VPN

Enabled or Disabled

Enabled or Disabled

Enabled or Disabled

Activates the App Layer VPN settings configuration in general.
Enable Dial On-Demand for Apps

Enabled or Disabled

Enabled or Disabled

Enabled or Disabled

Enable this feature to add and assign applications to the App Layer VPN settings configuration
Application

Add and remove applications here.

Please enable the Apps Feature within the Tag and add applications, which will then be selectable

Add and remove applications here.

Please enable the Apps Feature within the Tag and add applications, which will then be selectable

Add and remove applications here.

Please enable the Apps Feature within the Tag and add applications, which will then be selectable

Add here applications, which will be included into the App-Layer VPN settings configuration. Settings will apply when the application is installed. 
Safari Domains
Enable Safari Domains Enabled or Disabled Enabled or Disabled Enabled or Disabled Will add Safari and Web into included apps for Per-App VPN
Safari Domain Add and remove domains here, e.g. imagoverum.com  Add and remove domains here, e.g. imagoverum.com  Add and remove domains here, e.g. imagoverum.com  Add multiple domains to Safari and Web for Per-App VPN

Proxy specific settings

Setting iPhone iPad iPod Description
Proxy Type
  • None
  • Manual
  • Automatic
  • None
  • Manual
  • Automatic
  • None
  • Manual
  • Automatic
Configures proxies to be used with this VPN connection
Proxy Server URL e.g. 10.0.0.100 e.g. 10.0.0.100 e.g. 10.0.0.100 Host name or IP address for the proxy server
Proxy Server FQDN e.g. proxy.imagoverum.com e.g. proxy.imagoverum.com e.g. proxy.imagoverum.com Fully Qualified Domain Name for the proxy server
Proxy Port e.g. 8080 e.g. 8080 e.g. 8080 Port for the proxy server
Use Individual Usernames Enabled or Disabled Enabled or Disabled Enabled or Disabled If enabled, individual usernames will be used to connect to the proxy
Group Username e.g. service_vpn e.g. service_vpn e.g. service_vpn User name used to connect to the proxy
Group Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Password used to authenticate with the proxy

Private APN

If you have a Private Access Point Name (APN) for your SIM Cards, then Silverback has the ability to configure this for you on the managed devices.

Setting iPhone iPad iPod Description
Private APN Settings Enabled or Disabled Enabled or Disabled not available Enables the Private APN Feature on Selected Devices.
Name e.g. VFD2 Web e.g. VFD2 Web not available The name of the carrier access point
Username e.g. User e.g. User not available The username to connect to the access point
Password e.g. Pa$$w0rd e.g. Pa$$w0rd not available The password to connect to the access point
Server e.g. web.vodafone.com e.g. web.vodafone.com not available The fully qualified address of the proxy server
Port e.g. 8080 e.g. 8080 not available APN Port

Wi-Fi 

Silverback has the ability to pre-populate multiple Wi-Fi settings on your devices, so the user does not need to know the password for these networks themselves.

  • Click New WiFi profile
Setting iPhone iPad iPod Description
Wi-Fi Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the sending of Wi-Fi settings
SSID e.g. Corporate Wi-Fi e.g. Corporate Wi-Fi e.g. Corporate Wi-Fi Service Set Identifier of the wireless network
Security Type
  • WEP
  • WPA2
  • Any Personal
  • WPA2 Enterprise
  • Any Enterprise
  • WEP
  • WPA2
  • Any Personal
  • WPA2 Enterprise
  • Any Enterprise
  • WEP
  • WPA2
  • Any Personal
  • WPA2 Enterprise
  • Any Enterprise
Defines the used Wireless network encryption
Hidden Network Enabled or Disabled Enabled or Disabled Enabled or Disabled Enable if the target network is not open or hidden
Automatically Join Enabled or Disabled Enabled or Disabled Enabled or Disabled The device will automatically join the Wi-Fi network
Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Password for authenticating to the wireless network
Proxy
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
  • Proxy Type (None, Auto, Manual)
  • Server
  • Port
  • Individual Usernames or pre-defined Username
  • Individual Passwords or pre-defined Password
  • PAC URL
Ensures the device talks to the necessary Proxy
WPA2 Enterprise & Any Enterprise Only
Protocols
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM

 

  • Use Pac
  • Provision PAC
  • Provision PAC Anonymously
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM

 

  • Use Pac
  • Provision PAC
  • Provision PAC Anonymously
  • TLS
  • LEAP
  • TTLS
  • PEAP
  • EAP-FAST
  • EAP-SIM

 

  • Use Pac
  • Provision PAC
  • Provision PAC Anonymously
Defines the protocol utilized by encryption type and the PAC configuration
Authentication
  • Use Per-connection Password
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificate
    • Certificate Template Name
    • Requester Name LDAP Attribute
    • Agent Certificate 
  • Use Per-connection Password
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificate
    • Certificate Template Name
    • Requester Name LDAP Attribute
    • Agent Certificate 
  • Use Per-connection Password
  • Use Individual Username
    • Use User Password
  • Use Individual Client Certificates
    • Individual Client Certificate subject
    • Populate into Active Directory
  • Add Certificate

Defines the used authentication mechanism

Please Refer to: Certification Authority Integration  Guide for Certificate Based Authentication

Trust
  • Allow Trust Exceptions
  • Add or Remove Server
  • Add Certificate
  • Remove Certificates
  • Allow Trust Exceptions
  • Add or Remove Server
  • Add Certificate
  • Remove Certificates
  • Allow Trust Exceptions
  • Add or Remove Server
  • Add Certificate
  • Remove Certificates
Defines Trusted certificates

Wallpaper*

Define a custom Home Screen and Lock screen for your iOS supervised devices. 

Setting iPhone iPad iPod Description
Lock Screen Enabled Enabled not available Enables custom Lock Screen on devices. 
Choose File Choose File not available

Upload custom Lock Screen

Supported file types are: *.jpg and *.png

Home Screen Enabled Enabled not available Enables custom Lock Screen on devices. 
Choose File Enabled not available

Upload custom Lock Screen

Supported file types are: *.jpg and *.png

Application Lock*

Through the use of the Application Lock feature, you can now ‘Lock’ a specific App to the screen of the device, meaning that the user cannot minimize or close the specified App from the screen. Another common name for this functionality is the kiosk mode or single app purpose mode. 

Setting iPhone iPad iPod Description
Application Lock Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Application Lock
App Identifier e.g. com.apple.mobilesafari or com.syncdog.matrix42.securecontainer e.g. com.apple.mobilesafari or com.syncdog.matrix42.securecontainer e.g. com.apple.mobilesafari or com.syncdog.matrix42.securecontainer The Identification String of the App that you want ‘Locked’ to the screen. Compare the Lockdown area to find out the necessary Bundle ID
Options
Disable Touch Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the users’ ability to interact with the screen
Disable Device Rotation Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the screen orientation change
Disable Volume Buttons Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the hardware volume buttons on the device
Disable Ringer Switch Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the hardware ringer switch on the device
Disable Sleep Wake Button Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the hardware power button
Disable Auto Lock Enabled or Disabled Enabled or Disabled Enabled or Disabled Controls whether the device will automatically lock screen
Enable Voice Over Enabled or Disabled Enabled or Disabled Enabled or Disabled Forces the voice over feature on the device
Enable Zoom Enabled or Disabled Enabled or Disabled Enabled or Disabled Forces the zoom feature on the device
Enable Invert Colors Enabled or Disabled Enabled or Disabled Enabled or Disabled Forces the inverted colors feature on the device
Enable Assistive Touch Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the assistive touch menu for one handed operation on the device
Enable Speak Selection Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the speak selection control on the device
Enable Mono Audio Enabled or Disabled Enabled or Disabled Enabled or Disabled Forces the mono audio on the device
User Enabled Options
Voice Over Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows the user to control voice over
Zoom Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows the user to control zoom
Invert Colors Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows the user to control color inversion
Assistive Touch Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows the user to control voice over

Updating Application Lock Apps  

Applications locked in Single App Mode cannot be updated due to a restriction in iOS. Silverback implements a workflow that allows these apps to be updated. When you attempt to update an app locked in Single App Mode, the system automatically disables Single App Mode and attempts to update the app. The system continues to attempt this until the application is updated. The number of attempts is determined by a setting in the Settings Administration page. To increase or decrease the maximum number of checks, perform the following steps:

  • Login as Settings Administrator
  • Navigate to MDM Payload
  • Change the value for iOS Single App Mode Re-enablement Automation Workflow (not recommended)

Manual Override of Application Lock

In some scenarios it is necessary to force an individual device to enable or disable Single App Mode for troubleshooting. This can be done from the device info pop-up for a device that has Single App Mode settings applied. Note that once the device checks in, it may lock or unlock again based on its Tag settings.


Lock Screen Message*

For supervised devices, this payload allows administrators to configure Custom Lock Screen Messages. This feature places additional information on the device's lock screen. For example, an administrator could display useful information such as the serial number, the device user, or the managed-by information.

Use System Variables, e.g. {SerialNumber} to display Serial Number on the lock screen. 

Setting Options Description
Lock Screen Message Enabled or Disabled Enables the Shared Device configuration profile to display Lock Screen messages
Lock Screen Footnote
  • e.g. Managed by Matrix42
  • e.g. Device Owner: {firstname} {lastname}

Add the footnote to be displayed in the login window and on the lock screen here. On current iOS 13 devices the Lock Screen Footnote is placed on the bottom left. Supported on iOS 9.3+

Asset Tag Information
  • e.g. Device Owner: {firstname} {lastname}
  • e.g. Serial Number: {SerialNumber}

Add the asset tag information for the device here; it is displayed in the login window and on the lock screen. On current iOS 13 devices the Asset Tag is placed on the bottom right. Supported on iOS 9.3+

Notification Control*

Notification Control specifies the restriction-enforced notification settings for apps, using their bundle identifiers. It is supported on iOS 9.3 and later, for supervised devices only. This control lets Administrators define specific per-app notification settings on the device. Notifications can be disabled entirely, limited to options such as sounds only, or disallowed in CarPlay. To configure Notification Settings, navigate to iOS or iPadOS Profiles in a Tag and press New Notification Setting.

Setting Options Description
App Store Country e.g. Germany Country where the application will be searched
App name e.g. Microsoft Teams Name of the application
Bundle Id e.g. com.microsoft.skype.teams Unique application identifier
Settings
Allow Notifications Enabled or Disabled  Allows or disallows notifications for this app
Show in Notification Center Enabled or Disabled  Allows or disallows notifications to be shown in notification center
Sounds Enabled or Disabled  Allows or disallows sounds for this app
Badge App Icon Enabled or Disabled  Allows or disallows badges for this app
Show on Lock Screen Enabled or Disabled  Allows or disallows notifications shown in the lock screen
Show in CarPlay Enabled or Disabled  Allows or disallows notifications shown in CarPlay
Critical Alerts Enabled or Disabled  Allows or disallows an app to mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings.
Banner Style
  • None
  • Temporary Banner
  • Persistent Banner 
Type of alert for notifications for this app
Notification Grouping
  • Automatic
  • By app
  • Off

The type of grouping for notifications for this app:

  • Automatic - group notifications into app-specified groups. (Default)
  • By app - group notifications into one group.
  • Off - do not group notifications

Global HTTP Proxy*

Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.

Setting iPhone iPad iPod Description
Global HTTP Proxy Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the Global HTTP proxy
Proxy Type
  • Manual
  • Automatic
  • Manual
  • Automatic
  • Manual
  • Automatic
Allows the administrator to select a proxy type
Server e.g. http://proxy.imagoverum.com or 192.168.0.101 e.g. http://proxy.imagoverum.com or 192.168.0.101 e.g. http://proxy.imagoverum.com or 192.168.0.101 The FQDN or IP address of the proxy server
Port e.g. 80 or 443 e.g. 80 or 443 e.g. 80 or 443 The port of the proxy server
Individual Usernames Enabled or Disabled Enabled or Disabled Enabled or Disabled Controls the user ability to enter their own credentials
Username e.g. Proxyuser e.g. Proxyuser e.g. Proxyuser Allows the administrator to define the group username
Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Allows the administrator to define the group password
PAC URL e.g. http://proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac e.g. http://proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac e.g. http://proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac Allows the administrator to specify the location of the PAC script

Web Content Filter*

Web Content Filter settings allow the administrator to control URLs accessible on the iOS7+ devices from Safari.

Setting iPhone iPad iPod Description
Enable Filter Enabled or Disabled Enabled or Disabled Enabled or Disabled

Enables the Web Content Filter on the devices. This function evaluates each web page as it is loaded and attempts to identify and block content not suitable for children. The search algorithm is complex and may vary from release to release, but it is basically looking for adult language, i.e. swearing and sexually explicit language.

Permitted URLs Used only when Filter is set to true. Otherwise, this field is ignored. Each entry contains a URL that is accessible whether the automatic filter allows access or not.
Whitelisted Bookmarks

If any URLs are specified in this matrix, the user can tap into Safari's address bar and will see these bookmarks. All other manually entered URLs will be blocked.

The folders are to be specified like: \Root Folder\Subfolder

Blacklisted URLs The URLs specified in this matrix are not accessible on the device.

Certificate Trusts

Setting iPhone iPad iPod Description
Certificate Settings   Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Certificate Settings in this Tag
Add Root Certificate Choose File Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Root Certificates e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Root, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details
Add Root Certificate Choose File Choose File Choose File Select and Upload Root Certificate
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Defines Password for Root Certificate
Intermediate Certificates e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE e.g. CN=Imagoverum Intermediate, OU=Imagoverum, OU=IV, O=Imagoverum, S=German, C=DE Displays uploaded certificates details

Single Sign On

With Single Sign On you can leverage Kerberos as a network authentication protocol. Kerberos, as the most commonly deployed Single Sign On technology, uses Data Encryption Standard to encrypt user credentials. Organizations using directory services such as Active Directory usually have a Kerberos system already in place. Single Sign On is supported for devices running iOS 7.0 or later versions. It is possible to use Certificate-Based Authentication to ensure users are not required to sign in even once.

Configuration

Setting iPhone iPad iPod Description
Display Name e.g. Imagoverum e.g. Imagoverum e.g. Imagoverum Reference name for the SSO Profile
Kerberos Realm e.g. IMAGOVERUM.COM e.g. IMAGOVERUM.COM e.g. IMAGOVERUM.COM Defines the Kerberos realm name. It is usually the DNS domain name and should properly be capitalized
Principal Name e.g. {firstname}.{lastname} e.g. {firstname}.{lastname} e.g. {firstname}.{lastname} Defines the Kerberos principal name. It will be used as a unique specification to identify users and/or services.
Use Client Certificate Enabled or Disabled Enabled or Disabled Enabled or Disabled Select if a client certificate should be used for the authentication

Certificate Name

e.g. User_SSO e.g. User_SSO e.g. User_SSO Defines the certificate name and is an optional field

Certificate Type

  • Certificate Authority
  • Enterprise
  • Certificate Authority
  • Enterprise
  • Certificate Authority
  • Enterprise
Option to choose if the certificate will be an individual user certificate or if a global enterprise certificate should be used. 
Certificate Authority
Certificate Authority Address e.g. ca.imagoverum.com\domain-server-CA e.g. ca.imagoverum.com\domain-server-CA e.g. ca.imagoverum.com\domain-server-CA Specifies the Certificate Authority address
Template Name e.g. SilverbackUser e.g. SilverbackUser e.g. SilverbackUser Defines the template for creating individual user certificates
Subject Name e.g. u_{firstname}.{lastname}_SSO e.g. u_{firstname}.{lastname}_SSO e.g. u_{firstname}.{lastname}_SSO Defines the subject name for the individual user certificate. System Variables leverages the individual subject name
Subject Alternate Name e.g. u_{firstname}.{lastname}_SSO e.g. u_{firstname}.{lastname}_SSO e.g. u_{firstname}.{lastname}_SSO Defines the subject alternate name for the individual user certificate. System Variables leverages the individual subject name
Enterprise
Certificate Authority PKCS12 File e.g. enterprise_sso.pfx  e.g. enterprise_sso.pfx  e.g. enterprise_sso.pfx  Option to upload the global enterprise certificate in a pkcs12 format
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd Defines the certificate password
Limit this account to specific URL Patterns Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the limitation to specific URL patterns
URL Pattern e.g. http://www.imagoverum.com/ e.g. http://www.imagoverum.com/ e.g. http://www.imagoverum.com/

List of URL prefixes that must be matched to use this account for Kerberos authentication over HTTP.

The URL postfixes must match as well.

Limit this account to specific App Ids Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables the limitation to specific applications
App Identifier e.g. com.microsoft.sharepoint e.g. com.microsoft.sharepoint e.g. com.microsoft.sharepoint List of app identifiers that are allowed to use this login. If this field is missing, this login matches all app identifiers. 

Additional Information 

  • Each entry in the URL Pattern array must contain a URL prefix. Only URLs that begin with one of the strings in this account are allowed to access the Kerberos ticket. URL matching patterns must include the scheme—for example, http://www.imagoverum.com/. If a matching pattern does not end in /, a / is appended to it.
  • The URL matching patterns must begin with either http:// or https://. A simple string match is performed, so the URL prefix http://www.imagoverum.com/ does not match http://www.imagoverum.com:80/.
  • With iOS 9.0 or later, however, a single wildcard * may be used to specify all matching values. For example, http://*.imagoverum.com/ will match both http://store.imagoverum.com/ and http://www.imagoverum.com.
  • The patterns http://.com and https://.com match all HTTP and HTTPS URLs, respectively.
  • The App Identifier array must contain strings that match app bundle IDs. These strings may be exact matches (com.mycompany.myapp, for example) or may specify a prefix match on the bundle ID by using the * wildcard character. The wildcard character must appear after a period character (.), and may appear only once, at the end of the string (com.mycompany.*, for example). When a wildcard is included, any app whose bundle ID begins with the prefix is granted access to the account
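
The matching rules in the list above, written out as an added Python example (not Silverback or Apple code). Function names are hypothetical, and the handling of a URL without a path, the characters a wildcard may cover, and an empty URL Pattern list are assumptions marked in the comments.

```python
"""Checks for the URL Pattern and App Identifier rules listed above.

Added illustration, not Silverback or Apple code. Points the page leaves
open are implemented as assumptions and marked as such.
"""
import re

# The two special patterns that match every HTTP / HTTPS URL, shown here
# after the trailing-slash rule has been applied to them.
MATCH_ALL = {"http://.com/": "http://", "https://.com/": "https://"}


def normalize_pattern(pattern: str) -> str:
    """Validate one URL Pattern entry and apply the trailing-slash rule."""
    if not pattern.startswith(("http://", "https://")):
        raise ValueError(f"pattern must begin with http:// or https://: {pattern!r}")
    if pattern.count("*") > 1:
        raise ValueError(f"only a single wildcard is allowed: {pattern!r}")
    # "If a matching pattern does not end in /, a / is appended to it."
    return pattern if pattern.endswith("/") else pattern + "/"


def normalize_url(url: str) -> str:
    """Assumption: a URL with no path is compared as if it ended in '/'."""
    _scheme, sep, rest = url.partition("://")
    return url + "/" if sep and "/" not in rest else url


def url_matches(pattern: str, url: str) -> bool:
    """True if `url` begins with `pattern` under the rules on this page."""
    pattern = normalize_pattern(pattern)
    url = normalize_url(url)
    if pattern in MATCH_ALL:
        return url.startswith(MATCH_ALL[pattern])
    if "*" not in pattern:
        # Simple string prefix match: no port or host normalization.
        return url.startswith(pattern)
    # Assumption: '*' covers one or more characters other than '/'.
    head, tail = pattern.split("*")
    return re.match(re.escape(head) + r"[^/]+" + re.escape(tail), url) is not None


def app_matches(entry: str, bundle_id: str) -> bool:
    """Exact match, or prefix match when the entry ends in '.*'."""
    if "*" in entry and (entry.count("*") != 1 or not entry.endswith(".*")):
        raise ValueError(f"wildcard must be single, last, and follow a period: {entry!r}")
    if entry.endswith(".*"):
        # Keep the period in the prefix so com.mycompany.* cannot match
        # a different vendor such as com.mycompanyx.
        return bundle_id.startswith(entry[:-1])
    return bundle_id == entry


def ticket_allowed(url_patterns, app_identifiers, url, bundle_id) -> bool:
    """Apply both limits of one SSO account to a single request.

    Assumption: an empty url_patterns list means the URL limit is disabled.
    An empty app_identifiers list matches all apps, as the page states.
    """
    url_ok = not url_patterns or any(url_matches(p, url) for p in url_patterns)
    app_ok = not app_identifiers or any(
        app_matches(e, bundle_id) for e in app_identifiers
    )
    return url_ok and app_ok


def match_all_entries(url_patterns):
    """Return the entries that open the account to every URL of a scheme."""
    return [p for p in url_patterns if normalize_pattern(p) in MATCH_ALL]
```

The appended trailing slash is what keeps a pattern for one host from matching a longer host name that merely starts with the same characters, and `match_all_entries` is a quick way to spot a Tag whose URL limit is effectively switched off.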

App Portal

The Application portal is where devices can access Enterprise applications and recommended Third Party applications via a web clip icon. To enable access to the Application portal for end users and push the app portal web clip icon to devices, ensure App Portal Enabled box is ticked.

Setting iPhone iPad iPod Description
App Portal   Enabled or Disabled Enabled or Disabled   Enabled or Disabled   Enables and pushes the App Portal Icon to enrolled devices.

To customize the App Portal navigate to Admin > App Portal  

Managed Domains

Setting iPhone iPad iPod Description
Domain Types  
  • Email Domains
  • Safari Domains
  • Email Domains
  • Safari Domains
  • Email Domains
  • Safari Domains

Email Domains: Email addresses not matching any of these domains will be marked in Mail

Safari Domains: URL patterns of domains from which documents will be considered managed

Domain Settings e.g. imagoverum.com e.g. imagoverum.com e.g. imagoverum.com Defines the Email or Safari Domain

Custom Profiles

Custom Profiles can be created with Apple Configurator 2 on a macOS device and imported into Silverback.

Use Custom Profiles when you need a setting or configuration that Silverback does not cover but that is available in Apple Configurator 2. 

  • Click New Custom Profile
Setting iPhone iPad iPod Description
Name   e.g. CalDAV Profile e.g. CalDAV Profile e.g. CalDAV Profile Display Name for the Custom Profile
Description e.g. Custom CalDAV Profile e.g. Custom CalDAV Profile e.g. Custom CalDAV Profile Description for the Custom Profile
Mobileconfig File Choose File Choose File Choose File Uploads the *.mobileconfig file

Web Clips

Silverback allows administrators to push down Internet shortcuts to their Managed Devices, giving users easy access to the websites the administrator wants.

  • Click New Web Clip
Setting iPhone iPad iPod Description
Web Clip Name   e.g. Matrix42 e.g. Matrix42 e.g. Matrix42 Web Clip Display Name 
Link e.g. https://www.matrix42.com e.g. https://www.matrix42.com e.g. https://www.matrix42.com Target URL for the Web Clip
Removable Enabled or Disabled Enabled or Disabled Enabled or Disabled Give the user the option to remove the shortcut from the device
Precomposed Icon Enabled or Disabled Enabled or Disabled Enabled or Disabled If disabled, iOS adds the gloss effect to the icon when displaying on the device.
Full Screen Enabled or Disabled Enabled or Disabled Enabled or Disabled Hides the Safari Browser Interface, displaying the website in Full Screen.
Icon File Choose File Choose File Choose File A button for uploading a Custom Icon. Support File Type: *.png

Home Screen Layout 

Home Screen Layout allows Administrators to organize app icons across supervised iOS devices. A unified layout makes switching between devices easier, and users and support can expect apps to be in the same location on their devices. Apps that aren't used very often can be moved, for example, to page 2 or 3 on the devices. 

Device Type iPhone iPad iPod
Availability available available not available

Configure Home Screen Layout

  • Enable Home Screen Layout 
  • Enter a Profile Name
  • Right-Click Dock 
  • Click Add Application

Now you have a couple of options:

  • Add Application
  • Add Folder
Add Application Description Handling
iOS delivers a couple of pre-installed or native applications with the operating systems. You can select them from here Type as an example Phone, afterwards all results are shown with Phone in the name: e.g. Find iPhone and Phone. Click on the application icon to select the desired app
Select from App Store We implemented a direct search in Silverback, so that you can search for any app which is listed in the public App Store Type as an example Matrix42 and you will see all Matrix42 related applications. Companion, M2Mobile and  M42 Secure Container. Click on the application icon to select the desired app
Enter the Bundle ID of application This field will be auto filled after selecting the desired App by select from native applications or from App Store. If you distributed any Enterprise app, then enter here the Bundle ID of your Enterprise App Will be filled automatically or needs to be entered manually when adding an Enterprise app to Home Screen Layout
Enter the name of application This field will be auto filled after selecting the desired App by select from native applications or from App Store. You can rename the application if you want but be aware that the Name is only visible in the Tag, the Application name on the devices will stay in the original name. Will be filled automatically or can be entered or adjusted for convenience.  

Ensure that you only add applications that you will deploy with Silverback to your device fleet, or native applications. Every application, excluding native applications, should therefore be available in the App Portal section in Silverback. 

Add Folder Description
Here you can enter the name of the folder you want to create on your Home Screen Layout. Afterwards you can add with Add Application apps that will be organized in this folder. The name you will enter here will be the name of the folder on every included device. 

Each folder also contains pages. By default, Silverback creates Folder Page 1. Right Click Folder Page 1 to add applications to that page. 

  • Right Click Pages
  • Click Add
  • Right Click Page 1
  • Add here in the same way applications and/or folders. 
  • Proceed with creating pages and adding applications and/or folders
  • For ordering everything just drag & drop folders or applications. 
  • Click Save

Some quick notes:

  • The Dock can hold 6 applications or folders in total
  • The Pages section allows 20 pages to be created in total
  • Each page can hold 24 applications or folders 
  • If the Dock or Pages are full, it is not possible to drag & drop apps or folders into the right position. Remove one app or folder and rearranging is possible again
  • Apps that have not been assigned a screen position and apps that have been installed on the device manually will appear after the assigned apps
  • Once a home screen layout has been applied, the app icon layout cannot be modified on the device itself. 
  • If two or more Home Screen Layout profiles are assigned to one device, the latest edited will win
  • Shortcuts can be used
    • Rename (F2)
    • Delete (Del)
    • Add Application (Shift + A)
    • Add Folder (Shift + F)
    • Add Page (Shift + P)

Policy

With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.

OS Version Compliance 

Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.

  • Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
  • Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.

Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.

OS Updates*

A common question is how to prevent devices from updating to the latest version of iOS, and how to test a new iOS update before all users install it. Often, organizations wish to check the latest iOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. Starting with iOS 11.3, Apple began to offer, for supervised devices, the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.

Setting iPhone iPad iPod Description
Defer Operating System updates for X Enabled or Disabled Enabled or Disabled not available Enables the deferral of operating system updates
Days 1-90 1-90 not available Defines the time period of how long updates will be deferred

Create different Tags with different values to allow new OS updates in waves. Here is an example of how this could look:

  • Do not use the feature for the internal IT or MDM department.
  • Enable the policy for Pilot Users and set it to 14 days.
  • Enable the policy for non-critical departments and set it to 30 days.
  • For critical departments, use the maximum value of 90 days.

Hardware Compliance 

Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported, and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a device manufacturer releases a new version of their hardware, the model numbers may not be known by Silverback. In this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab, where the Administrator can update them manually. To allow these devices into your system, enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.

  • Alert Administrators: When the checkbox is checked, administrators receive an email when a device that violates hardware compliance is detected.

Application Blacklist

For iOS devices, Silverback offers two different ways to create an Application Blacklist. The first is the Silverback blacklist, where the system periodically detects installed applications and, in combination with the Lockdown policy, Administrators can decide what to do with a device that violates the configuration. The second is for supervised devices, where Administrators can decide which applications should be visible on the device or which applications should not be installed on devices if the public app store is open to end users.

Silverback Blacklist

Silverback maintains a blacklist of application names to ensure the detection and management of devices with blacklisted applications. The blacklist works by matching application names of applications on devices against the strings in the blacklist. The blacklist employs a case-insensitive substring search algorithm to determine policy violations.
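Because matching is a case-insensitive substring test on application names, a short entry can hit more applications than intended. The following added example (not Silverback code) models that matching rule so a proposed entry can be previewed against an app inventory before it is added; the inventory data, function names and the whitespace trimming of entries are assumptions made for illustration.

```python
"""Preview what a name-based blacklist entry would match before adding it.

Added example: models the case-insensitive substring matching described
above. It is not Silverback code, and the inventory below is constructed.
"""
from collections import defaultdict


def matches(entry: str, app_name: str) -> bool:
    """Case-insensitive substring test, as the page describes the blacklist."""
    return entry.casefold() in app_name.casefold()


def preview_blacklist(entries, inventory):
    """Return {entry: {app_name: [device, ...]}} for every hit in the inventory.

    entries   -- proposed blacklist strings
    inventory -- {device_id: [installed application names]}
    """
    report = {}
    for entry in entries:
        needle = entry.strip()  # assumption: surrounding whitespace is not significant
        if not needle:
            # An empty string is a substring of every application name.
            raise ValueError("empty blacklist entry would match every application")
        hits = defaultdict(list)
        for device, apps in sorted(inventory.items()):
            for app in apps:
                if matches(needle, app):
                    hits[app].append(device)
        report[entry] = dict(hits)
    return report


def overbroad(report):
    """Entries that hit more than one distinct application name (review these)."""
    return sorted(e for e, hits in report.items() if len(hits) > 1)


def unmatched(report):
    """Entries that hit nothing (possible typo, or app not installed anywhere)."""
    return sorted(e for e, hits in report.items() if not hits)


# Constructed sample inventory: device IDs and app lists are made up.
SAMPLE_INVENTORY = {
    "ipad-001": ["WhatsApp Messenger", "Mail", "Keynote"],
    "iphone-002": ["WhatsApp Business", "Gmail - Email by Google"],
    "iphone-003": ["Mail", "Mailchimp Email Marketing", "Numbers"],
}

if __name__ == "__main__":
    report = preview_blacklist(["WhatsApp", "mail", "Telegram"], SAMPLE_INVENTORY)
    for entry, hits in report.items():
        print(f"{entry!r} -> {hits}")
    print("overbroad:", overbroad(report))
    print("unmatched:", unmatched(report))
```

In the sample, the entry "mail" also hits the built-in Mail app, so a Lockdown action tied to the blacklist would apply to devices that only have Mail installed.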

To add an application to the blacklist

  • Enter the Application Name you want to blacklist (WhatsApp) 
  • Click Add
  • Notice the info message: This application name has been blacklisted successfully.

Configure Lockdown Policies to decide what happens if Silverback detects a blacklist violation.

Enforce blacklist/whitelist* 

For supervised devices, Silverback offers the ability to blacklist/whitelist applications directly, so that, depending on the configuration, these applications will be hidden or whitelisted for end users.

System Apps

Use the All button on the right or select each application manually.

Activity Game Center Phone
Apple Heart Study GarageBand Photo Booth
Apple Store Health Photos
Apple Support Home Playgrounds
Apple TV Remote iBooks Podcasts
Apple Watch iCloud Drive Reminders
App Store iMovie Remote
Calculator iTunes Connect Safari
Calendar iTunes Store Shortcuts
Camera iTunes U Shortcuts (iOS 13)
Classroom Keynote Siri
Clips Logic Remote Stocks
Clock Mail Tips
Companion Maps Trailers
Compass Measure TV
Contacts Messages Videos
FaceTime Music Voice Memos
Feedback Assistant Music Memos Wallet
Files News Weather
Find iPhone Notes Web Clips
Find My (iOS 13) Numbers WWDC
Find My Friends Pages  
Apps 

To add any app that is not listed in the System Apps area, enter the Bundle ID and click Add. If Apple delivers new applications between Silverback releases, take a look at this application list: Apple Bundle Identifiers. From time to time the native Apple App Bundle Identifiers will be published

For all other applications: 

If the app is in the App Store.

If you have the .ipa file directly

  • Copy the .ipa file and rename the extension to .zip. (So e.g. SecureContainer.ipa will become SecureContainer.zip)
  • Unzip the zip file. You will get a new folder named like the zip file.
  • Search for the file iTunesMetadata.plist in that new folder.
  • Open the file with a text editor and search for softwareVersionBundleId. For Matrix42 Secure Container, the value is com.syncdog.matrix42.securecontainer
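The steps above can be scripted so the .ipa is read in place instead of being renamed and unpacked. This is an added example, not Matrix42 tooling; it goes beyond the page by falling back to CFBundleIdentifier in Payload/<name>.app/Info.plist when an archive has no iTunesMetadata.plist, and the helper names, size limit and sample archive are assumptions constructed for illustration.

```python
"""Read the bundle identifier from an .ipa (a zip archive) without unpacking it."""
import io
import plistlib
import re
import zipfile
from xml.parsers.expat import ExpatError

MAX_PLIST_BYTES = 1 << 20  # refuse to inflate an implausibly large plist member
BUNDLE_ID_RE = re.compile(r"[A-Za-z0-9.-]+")  # characters valid in a bundle ID
APP_INFO_RE = re.compile(r"Payload/[^/]+\.app/Info\.plist")


def _load_plist(archive, name):
    """Parse one archive member as a plist (XML or binary); None if absent."""
    try:
        info = archive.getinfo(name)
    except KeyError:
        return None
    if info.file_size > MAX_PLIST_BYTES:
        raise ValueError(f"{name} is larger than {MAX_PLIST_BYTES} bytes")
    try:
        data = plistlib.loads(archive.read(info))
    except (plistlib.InvalidFileException, ExpatError) as exc:
        raise ValueError(f"{name} is not a valid plist") from exc
    if not isinstance(data, dict):
        raise ValueError(f"{name} does not contain a dictionary")
    return data


def bundle_id_from_ipa(ipa):
    """Return (bundle_id, source_member) for an .ipa path or binary file object.

    Looks for softwareVersionBundleId in iTunesMetadata.plist first (the
    procedure on this page), then for CFBundleIdentifier in the app's
    Info.plist (fallback added by this example).
    """
    with zipfile.ZipFile(ipa) as archive:
        candidates = [("iTunesMetadata.plist", "softwareVersionBundleId")]
        candidates += [(name, "CFBundleIdentifier")
                       for name in sorted(archive.namelist())
                       if APP_INFO_RE.fullmatch(name)]
        for member, key in candidates:
            plist = _load_plist(archive, member)
            if plist is None or key not in plist:
                continue
            value = plist[key]
            # Validate before the value is pasted into a policy field.
            if not isinstance(value, str) or not BUNDLE_ID_RE.fullmatch(value):
                raise ValueError(f"{member}: {key} is not a plausible bundle ID")
            return value, member
    raise ValueError("no bundle identifier found in archive")


def build_sample_ipa(with_metadata=True):
    """Constructed sample archive, built in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        if with_metadata:
            archive.writestr("iTunesMetadata.plist", plistlib.dumps(
                {"softwareVersionBundleId": "com.syncdog.matrix42.securecontainer"}))
        # Hypothetical in-house app with a binary Info.plist.
        archive.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": "com.example.inhouse"}, fmt=plistlib.FMT_BINARY))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(bundle_id_from_ipa(build_sample_ipa()))
    print(bundle_id_from_ipa(build_sample_ipa(with_metadata=False)))
```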

Lockdown

The Lockdown screen allows you to determine what device compliance policies are enabled and what action should automatically occur when a violation is detected. Each policy is enabled/disabled through its associated checkbox. Enabling a lockdown policy ensures that the device is checked for compliance with that policy during the initial enrollment as well as at regular intervals as defined by the ‘Perform check every’ drop down.

Lockdown Actions

Action Description
No action No action is performed on the device; however alerting administrators may be performed if configured.
Lock A lock command is sent to the device which will lock the screen of the device. 
Block The device is blocked, and the device is moved to the blocked devices table. 
Wipe The device is hard reset to factory default settings.
Reapply This will re-apply the iOS Setting that disables the ability for the device to roam for voice or data. The setting is forced upon the user. For the application blacklist in particular, this will prevent the application from launching or being installed on the device.
Alert administrator Emails are sent to all administrators notifying them of the policy violation when it is detected. 
Exclude Home Network Allows the Administrator to disable roaming alerts for devices roaming on Home Networks
Allow Home Networks The ‘Allow Home Network’ checkbox allows the user to roam on Home Networks without triggering a lockdown action.

Lockdown Policies

Policy  General iPhone iPad iPod Description
Enforce SIM Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
not available The first SIM Silverback detects on a managed device will be considered the ‘canonical’ SIM. Any subsequent changes to the SIM (e.g. removal of the SIM from the device or changing the SIM on the device) are considered a policy violation.
Enforce Application Blacklist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Factory Wipe

See the blacklist section for more information on this configuration. The blacklist can be enabled or disabled from this screen.

Enforce Application Whitelist

Enabled or Disabled

Either Blacklist or Whitelist

  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Factory Wipe

Application Whitelist will ensure that each device has only applications approved by a system administrator that reside in the Silverback App Portal. Whitelist is derived from the Application Name. Ensure applications in the App Portal are labelled correctly prior to enabling Application Whitelist.

Enforce Hardware Authentication Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Delete Business Data
  • Factory Wipe
  • No action
  • Lock 
  • Block
  • Factory Wipe
Hardware authentication can be enabled or disabled from this screen. See the hardware authentication section for more information on this configuration.
Cost Control Settings
Send Roaming Alerts Enabled or Disabled No actions available No actions available not available

Enabling this will send an alert to all Silverback Administrators when a device starts Roaming for any reason (Voice/Data).

Enforce Data Roaming Policy Enabled or Disabled
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Delete Business Data
  • Reapply
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Delete Business Data
  • Reapply
not available

You can choose which lockdown action to apply when a device has data roaming enabled. Availability of this setting on the device is dependent on the Carrier.

Enforce Voice Roaming Policy

Enabled or Disabled

Enforce Data Roaming Policy will activate this setting

  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Delete Business Data
  • Reapply
  • No action
  • Lock 
  • Block
  • Factory Wipe
  • Delete Business Data
  • Reapply
not available Voice Roaming is when the device has Voice Roaming Enabled = YES on the device. Availability of this setting on the device is dependent on the Carrier.
Enforce Home Networks Policy Enabled or Disabled
  • No action 
  • Block
  • Factory Wipe
  • No action 
  • Block
  • Factory Wipe
not available Enables the ‘Home Networks’ policy, meaning Silverback Admins can specify what data networks are classed as ‘Home Networks’.
Home Networks

Add

Enforce Home Networks  Policy will activate this grid

e.g. Imagoverum Wi-Fi e.g. Imagoverum Wi-Fi not available This grid is where Silverback Administrators can specify their ‘Home Networks’.

Companion

Companion extends end point security into a secure workspace for your users. Users can store and edit files locally within the application, ensuring that these documents are kept securely and cannot be accessed by other applications or users. Companion also allows users and administrators to manage data usage on the device and configure policy settings around this.

General 

Setting Description
Bookmarks Displays a list of added Bookmarks being pushed to Companion
SharePoint Sites Displays a list of added SharePoint Website URLs being pushed to Companion
Certificates Displays a list of added certificates that can be configured and then assigned to Bookmarks and SharePoint Sites
Bulk Message Sends a message to all Companion users within the given tag.
Silversync Configures File Sync Settings for Companion based on configured Silversync Feature
Add Bookmarks
  • Click Bookmarks
  • Click New Bookmark
  • Fill in the following values
Setting iPhone iPad iPod Description
Label e.g. Imagoverum Intranet e.g. Imagoverum Intranet e.g. Imagoverum Intranet Display Name of the bookmark
URL e.g. https://intranet.imagoverum.com e.g. https://intranet.imagoverum.com e.g. https://intranet.imagoverum.com Website Address for the Bookmark
Icon File Choose File Choose File Choose File Supported file type = *.png
Authentication Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables or disables authentication options for the Bookmark
Authentication Type
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Client Certificate - Basic
  • Client Certificate - Kerberos
Choose between Basic and Kerberos for Authentication
Username e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com Variable or Username to use for authentication
Use User Password Enabled or Disabled Enabled or Disabled Enabled or Disabled If available, send the user’s password with the settings
Certificate Select certificate Select certificate Select certificate Displays uploaded Certificates in Certificates section 
  • Click Save
Add SharePoint Sites
  • Click Sharepoint Sites
  • Click Sharepoint Site
  • Fill in the following values
Setting iPhone iPad iPod Description
Label   e.g. Imagoverum Sharepoint e.g. Imagoverum Sharepoint e.g. Imagoverum Sharepoint Display Name of the Sharepoint Site
URL e.g. https://imagoverum.sharepoint.com e.g. https://imagoverum.sharepoint.com e.g. https://imagoverum.sharepoint.com Sharepoint Site Address
Authentication Type
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos
  • Office365
  • Web Forms
  • Basic Authentication
  • Form Authentication
  • Client Certificate - Basic
  • Client Certificate - Kerberos

Office 365 authentication is only available for Office 365

Webforms authentication requires the user to type their credentials in the web view

Basic authentication sends the credentials of the user in the Authorization header

Form authentication is a headless authentication method for SharePoint sites configured for Form Based Authentication

Client Certificate - Basic will provide a specified certificate to the user to use in conjunction with Basic authentication

Client Certificate - Kerberos will provide a specified certificate to the user to use in conjunction with Kerberos authentication
Access Model
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
  • Sharepoint 2013 REST
  • Sharepoint 2010 REST
The Access Model that should be used.
Sharepoint 2013 Access Model is recommended for best experience.
Content Refresh Interval (hours) e.g. 4 e.g. 4 e.g. 4 The interval at which SharePoint is checked for updates.
Username e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com e.g. {UserName} or tim.tober@imagoverum.com Field to specify the Username.
Custom LDAP attributes can be used in this field.
Use User Password Enabled or Disabled Enabled or Disabled Enabled or Disabled Specifies that the client should automatically use the User’s Password. This is only available when Password is Cached or on initial enrollment
Certificate Select Certificate Select Certificate Select Certificate

Displays uploaded Certificates in Certificates section when Authentication Type is set to Client Certificate

Add Certificates
  • Click Certificates
  • Click New Certificate
  • Fill in the following values
Setting iPhone iPad iPod Description
Certificate Name   e.g. Web Authentication e.g. Web Authentication e.g. Web Authentication A name that will be used to identify the Certificate settings
Certificate Type
  • Enterprise
  • Certificate Authority
  • Enterprise
  • Certificate Authority
  • Enterprise
  • Certificate Authority
Determine if the Certificate is from an Enterprise (single PKCS12 Certificate) or Certificate Authority (Certificate is generated per user)
Enterprise
Certificate Authority PKCS12 File Choose File Choose File Choose File A PKCS12 Certificate that will be used to generate client certificates for devices.
Certificate Password e.g. Pa$$w0rd e.g. Pa$$w0rd e.g. Pa$$w0rd The password for the PKCS12 Certificate Authority Certificate
Certificate Authority
Certificate Authority Address e.g.  https://ca01.imagoverum.com/CADemo01  e.g.  https://ca01.imagoverum.com/CADemo01  e.g.  https://ca01.imagoverum.com/CADemo01  Network address for the Certificate Authority
Template Name e.g. Web Authentication e.g. Web Authentication e.g. Web Authentication The template name to be used for Certificate Requests
Subject Name e.g. {firstname} {lastname} e.g. {firstname} {lastname} e.g. {firstname} {lastname} Subject Name of the certificate
Subject Alternate Name e.g. {UserName} e.g. {UserName} e.g. {UserName} Subject Alternate Name of the certificate 
  • Click Save 
Send Bulk Message

Companion can receive Text-Based Messages sent from the Silverback Administrator Console in the form of an App Notification when the app is minimized.

  • Click Bulk Message
  • Enter the Message Text
  • Click Send
Silversync

Configures File Sync Settings for Companion based on configured Silversync Feature. 

Settings iPhone iPad iPod Description
Allow File Sync Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows File Sync
Disable on Blocked Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables File Sync for blocked devices
Allow Sync on Cellular Data Enabled or Disabled Enabled or Disabled Enabled or Disabled Allow Sync when device uses Cellular
Cellular Data File Size Limit e.g. 10 e.g. 10 e.g. 10 Restricts file sizes in MB when device uses Cellular
Allow Email of Files Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows files to be sent via email
Allow Opening Files Into Other Apps Enabled or Disabled Enabled or Disabled Enabled or Disabled Allows opening files into other apps on device
  • Click Save

Settings

Setting iPhone iPad iPod Description
Companion Enabled Enabled or Disabled Enabled or Disabled Enabled or Disabled

Enables Companion Configuration in general

Install Companion App Store Enabled or Disabled Enabled or Disabled Enabled or Disabled

Installs current available Companion application from Apple App Store

Use Device Based VPP deployment Enabled or Disabled Enabled or Disabled Enabled or Disabled

Enable this setting when you want to use distribution via the Volume Purchase Program.

Before that, you must be enabled for VPP and buy some Companion licenses in Apple Business Manager.

EpiC Settings
Secure Enrollment Enabled or Disabled Enabled or Disabled Enabled or Disabled Enables Secure Enrollment for devices
Offline Grace Period e.g. 30 e.g. 30 e.g. 30 Companion modules will be blocked if the device doesn’t check in during this period. The value is in days
Custom Epic Text e.g. This is a free form text e.g. This is a free form text e.g. This is a free form text Configure custom text to be displayed to the user
Show Blocked Reasons Enabled or Disabled Enabled or Disabled Enabled or Disabled Configures whether the user is told why they have been blocked. If this is disabled the user is not told why, just that they are blocked
Allow Automated Unblocking Enabled or Disabled Enabled or Disabled Enabled or Disabled Companion can allow users to rectify a block where it was triggered by a policy violation. For example if the user violated an application blacklist, they may remove the app and then scan with Companion to automatically become unblocked
Browser Settings
Allow URL Bar Enabled or Disabled Enabled or Disabled Enabled or Disabled  
Disable on Blocked Enabled or Disabled Enabled or Disabled Enabled or Disabled  
File Settings
Allow Files Enabled or Disabled Enabled or Disabled Enabled or Disabled Determines whether the Files module is available to the users
Disable on Blocked Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the Files module when Silverback blocks the device
Require PIN Enabled or Disabled Enabled or Disabled Enabled or Disabled Determines whether the users are required to have a PIN code protecting Companion
Allow Email Out Enabled or Disabled Enabled or Disabled Enabled or Disabled Allow the user to email files out of Companion or not
Data Cost Control Settings
Allow Usage Enabled or Disabled Enabled or Disabled Enabled or Disabled Determines whether the Data Usage module is available to the users
Disable on Blocked Enabled or Disabled Enabled or Disabled Enabled or Disabled Disables the Data Usage module when Silverback blocks the device
Allow User to Change Settings Enabled or Disabled Enabled or Disabled Enabled or Disabled Allow the user to change settings within the Companion Client. If not, the administrator must define settings
Rollover Day 1-31 1-31 1-31 Determines the day for the Data Usage to be reset on the device
Local Data Cost Control
Allow User to Reset Usage Enabled or Disabled Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their local Data Usage within the Companion client
Data Allowance (MB) e.g. 2048 e.g. 2048 e.g. 2048 The Amount of local Cellular Data the user is allowed, until the user is alerted and the configured action is performed
Action on Local Data Limit Reached
  • No Action
  • Lock
  • Block
  • Wipe
  • No Action
  • Lock
  • Block
  • Wipe
  • No Action
  • Lock
  • Block
  • Wipe
The MDM action that is carried out when the local data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reaches the data limit
Consumed Usage Alert Treshold 0%-100% in 5% steps 0%-100% in 5% steps 0%-100% in 5% steps Determines the threshold value for the local Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Roaming Data Cost Control
Allow User to Reset Usage Enabled or Disabled Enabled or Disabled Enabled or Disabled Allow the user the ability to reset their roaming Data Usage within the Companion client
Roaming Data Allowance (MB) e.g. 100 e.g. 100 e.g. 100 The Amount of roaming Cellular Data the user is allowed, until the user is alerted and the configured action is performed
Action on Roaming Data Limited Reached
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
  • No Action
  • Lock
  • Block 
  • Wipe
  • Reapply
The MDM action that is carried out when the roaming data limit is reached
Alert Administrators Enabled or Disabled Enabled or Disabled Enabled or Disabled Determines whether the administrative e-mail alert is sent out when a device reaches the data limit
Consumed Roaming Usage Alert Treshold 0%-100% in 5% steps 0%-100% in 5% steps 0%-100% in 5% steps Determines the threshold value for the roaming Data Allowance usage alert. When this threshold is reached, the user receives a notification on the device
Licence Message Settings
Invalid Licence Message e.g. You have no valid License. Please contact your System Administrator e.g. You have no valid License. Please contact your System Administrator e.g. You have no valid License. Please contact your System Administrator The text message displayed on the users’ devices

Network Usage Rules

On iOS devices, roaming and cellular data can be enabled or disabled for managed applications either on a per-app basis, or through the use of wildcard bundle identifiers. Managed applications are either distributed with Silverback or have the ‘Take management if the app is already installed’ checkbox enabled in the App Portal.

Setting iPhone iPad iPod Description
App Identifier Match e.g. com.netflix.Netflix or com.netflix.* e.g. com.netflix.Netflix or com.netflix.* e.g. com.netflix.Netflix or com.netflix.* Bundle ID that should receive the Network Usage Rule. When entering an App Identifier, a list of applications that Silverback is aware of will be presented
Allow Cellular Enabled or Disabled Enabled or Disabled Enabled or Disabled Whether the application is allowed to use cellular data
Allow Roaming Enabled or Disabled Enabled or Disabled Enabled or Disabled Whether the application is allowed to use roaming data

After adding Network Usage Rules, use the Edit button for quick editing (save with the Accept button) or the Remove button to remove the application(s).

Computer Objects

Create Computer Objects in your Active Directory. You may already be familiar with the automatic creation of Computer Objects after a computer joins your Active Directory. Silverback can do the same and has the ability to create Computer Objects during the Enrollment on your behalf. For this functionality, configure the following settings:

Setting iPhone iPad Description
Enabled Enabled or Disabled Enabled or Disabled If enabled, Computer Objects will be created
Computer name prefix e.g. iPhone-{DeviceId} e.g. {SerialNumber}  Defines the Computer Name. You can use a prefix and fill it with a variable, but ensure that Computer Names are limited to 15 characters. All Silverback Variables can be used, but we recommend using one of the examples.
Organizational unit e.g. OU=Silverback,DC=imagoverum.com,DC=com e.g. OU=iPads,DC=imagoverum.com,DC=com Defines the location, where Computer Objects should be created
Domain Administrator e.g. administrator@imagoverum.com e.g. Imagoverum\Administrator Administrator credentials are required to create Computer Objects. Please enter your UPN or SamAccountName
Password e.g. Pa$$w0rd e.g. Pa$$w0rd Administrator credentials are required to create Computer Objects. Please enter your Administrator password

Apps 

The Apps Feature Section is how Administrators can automate the distribution of Device Apps for specific groups of users. Before you can begin assigning Apps to the Tag, you first need to have them uploaded into the Silverback App Portal. Once you have Apps in the Silverback App Portal, they can be distributed using the Apps Feature associated with your Tag.

App Types

Three different App Types are available for iOS devices:

Type Description
Enterprise Applications owned by an Organization with *.ipa file
App Store Applications from public Apple App Store
VPP Applications bought via Volume Purchase Program


Assign Apps 

Once Apps are uploaded into the Silverback App Portal Tab, they can be distributed to devices via a Tag they have been associated with.

  • Navigate to Apps
  • Click Assign More Apps
  • Select any applications from the shown Assign Applications page 
  • Click Add Selected Apps 

Overview

Already assigned applications are displayed in the Apps section of any Tag with the following columns: 

Column Description
Type Displays the app type, either Enterprise, App Store or VPP
Name Displays the application name
Version Displays the application version for Enterprise Apps
Description Displays the application description given in App Portal
Remaining VPP The remaining number of VPP licenses for this app
Total VPP The total amount of VPP licenses for this app
Manage VPP From there you are able to add and remove old VPP Redemption files.
Manage Config Click edit to change deployment options
Remove Removes the App from the Tag

Change Deployment Options 

By default, configurations will be inherited from the App Portal. To customize the settings, perform the following steps for each application.

  • Click the Edit button in the Manage Config column
  • Update Deployment Options
  • Click Save

Content

The Content Tab is where content locations are provided for users. These are defined at a Tag level which means only users in this Tag will receive these content settings in their M42Mobile app.

Content Provider

The following content providers can be configured for the M42Mobile App. The Username and Password fields support system variables, so you can dynamically configure these for all users.

Content Provider Settings
Silversync
  • Name
  • Notes
  • Silversync Server Locations
Box
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
Dropbox
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
GoogleDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
OneDrive
  • Name
  • Notes
  • Username
  • Password
  • Custom Values
ownCloud
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Custom Values
Sharepoint 
  • Name
  • Notes
  • Username
  • Password
  • Server URL
  • Access Model 
    • Sharepoint 2010
    • Sharepoint 2013
  • Authentication Mode
    • Basic
    • Forms
    • WebForms
    • Office365
  • Custom Values

Silversync Server Locations

There are generally two ways to assign content with Silversync:

Add Content Requirement Description
Selecting the folders from the Content Tree Server Based Authentication Expand and collapse folders if you want to assign content at a level down in the file system
Typing in file paths manually User based Authentication Assign the content manually by typing in file paths.

To add content manually:

  • Click Add
  • Enter the path directly
    • C:\SilversyncContent\users\{UserName}
    • \\NetworkShare\SilversyncFiles\Everybody 

It’s important to note that these paths support system variables. In the example above “{UserName}” will be replaced with that unique user’s username. This is useful for mapping to a home drive network share for example. 
