Restrictions (com.apple.applicationaccess)

If `false`, the system disables modification of accounts, such as Apple Accounts, and internet-based accounts, such as Mail, Contacts, and Calendar.

If `false`, the system disables activity continuation. Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated. In a future release, this restriction will begin requiring supervision and will apply to personal Apple Accounts only.

If `false`, the system prohibits adding friends to Game Center. Requires a supervised device in iOS 13 and later.

If `false`, the system disables AirDrop.

If `false`, the system disables incoming AirPlay requests.

If `false`, the system disables AirPrint.

If `false`, the system disables Keychain storage of user name and password for AirPrint.

If `false`, the system disables iBeacon discovery of AirPrint printers, which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic.

If `false`, the system disables changing settings for cellular data usage for apps.

If `false`, the system prevents a user from adding any App Clips, and removes any existing App Clips on the device.

If `false`, the system disables the App Store and removes its icon from the Home Screen. Users are unable to install or update their apps. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device in iOS 13 and later.

If `false`, the system disables Apple Intelligence reports.

If `false`, the system limits Apple personalized advertising.

If `false`, the system disables removal of apps from an iOS device. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth).

If `false`, disables the ability for the user to hide apps. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen.

If `false`, disables the ability for the user to lock apps. Because hiding apps also requires locking them, disallowing locking also disallows hiding.

If `false`, the system prevents modifying the Remote Management Sharing setting in System Settings.

If `false`, the system disables Siri.

If `false`, the system prevents Siri from querying user-generated content from the web.

If `false`, the system disables Siri when the device is locked. The system ignores this restriction if the device doesn't have a passcode set.

If `false`, the system disables keyboard autocorrection.

If `false`, disables auto dim on iPads with OLED displays.

If `false`, the system prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps.

If `false`, the system disables Apple TV's automatic screen saver.

If `false`, the system disallows auto unlock. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system prevents modification of Bluetooth settings.

If `false`, the system prevents modifying Bluetooth settings in System Settings.

If `false`, the system removes the Book Store tab from the Books app.

If `false`, the system prevents the user from downloading Apple Books media that's tagged as erotica. Support for this restriction on unsupervised devices is deprecated.

If `false`, disables call recording.

If `false`, the system disables the camera and removes its icon from the Home Screen, and users are unable to take photographs. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system prevents users from changing settings related to their cellular plan (available only on select carriers).

If `false`, the system disables the use of iMessage with supervised devices. If the device supports text messaging, the user can still send and receive text messages.

If `false`, the system disables iCloud Contacts services.

If `false`, the system disables backing up the device to iCloud. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system disables iCloud Bookmark sync.

If `false`, the system disables iCloud Calendar services.

If `false`, the system disables iCloud Desktop and Document services.

If `false`, the system disables document and key-value syncing to iCloud. Requires a supervised device in iOS 13 and later, and Shared iPad doesn't support it. Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated.

If `false`, the system disallows iCloud Freeform services.

If `false`, the system disables iCloud Keychain synchronization. Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated.

If `false`, the system disables iCloud Mail services.

If `false`, the system disables iCloud Notes services.

If `false`, the system disables iCloud Photo Library. The system removes any photos from local storage that aren't fully downloaded from iCloud Photo Library to the device. Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated.

If `false`, the system disables iCloud Private Relay. Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated.

If `false`, the system disables iCloud Reminder services.

If `false`, the system disables content caching. This restriction is not supported on the user channel.

If `false`, the system disables QuickPath keyboard.

If `false`, disables default browser preference modification. The MDM Settings command to set the default browser preference still works when applying this.

If `false`, disables default calling app preference modification. The MDM Settings command to set the default calling app preference still works when applying this.

If `false`, disables default messaging app preference modification. The MDM Settings command to set the default messaging app preference still works when applying this.

If `false`, the system disables definition lookup.

If `false`, the system prevents the user from changing the device name.

If `false`, the system prevents the device from automatically sleeping.

If `false`, the system prevents the device from automatically submitting diagnostic reports to Apple.

If `false`, the system disables changing the diagnostic submission and app analytics settings in the Diagnostics & Usage UI in Settings.

If `false`, the system disallows dictation input.

If present, the system exempts apps with bundle IDs in the array from the `allowCamera` restriction. The system doesn't grant these apps access to the camera automatically; they're only exempted from the `allowCamera` restriction. This key has no effect when the camera isn't restricted. Multiple payloads combine using an intersect operation. Requires a supervised device.

An array of strings, but currently restricted to a single element. If present, Apple Intelligence allows use of only the given external integration workspace ID, and requires a sign-in to make requests. The user is required to sign in to integrations that support signing in. Multiple payloads combine using an intersect operation. This means the allowed set of workspace IDs can become the empty set if multiple payloads specify conflicting values.

If `false`, the system disables the Enable Restrictions option in the Restrictions UI in Settings. If `false` in iOS 12 and later, the system disables the Enable ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if already enabled.

If `false`, the system removes the Trust Enterprise Developer button in Settings > General > VPN & Device Management, which prevents provisioning apps by universal provisioning profiles. This restriction applies to free developer accounts and enterprise app developers that aren't implicitly trusted by apps that install through MDM. This restriction doesn't revoke previously granted trust.

If `false`, the system disables backup of Enterprise books.

If `false`, the system disables sync of Enterprise books, notes, and highlights.

If `false`, the system disables the Erase All Content and Settings option in the Reset UI.

If `false`, the system disables modifications of eSIMs.

If `false`, prevents the transfer of an eSIM from the device on which the restriction is installed to a different device.

If `false`, the system hides explicit music or video content purchased from the iTunes Store. The system marks explicit content as such by content providers, such as record labels, when sold through the iTunes Store. Explicit content in the News and Podcast apps is also hidden. Requires a supervised device in iOS 13 and later. Support for this restriction on unsupervised devices is deprecated.

If `false`, disables the use of external, cloud-based intelligence services with Siri. In iOS, this restriction is temporarily allowed on unsupervised and user enrollments. In a future release, this restriction will require supervision, and will be ignored on unsupervised devices.

If `false`, forces external intelligence providers into anonymous mode. If a user is already signed in to an external intelligence provider, applying this restriction signs them out when attempting the next request.

If `false`, the system prevents modifying File Sharing setting in System Settings.

If `false`, the system prevents connecting to network drives in the Files app.

If `false`, the system prevents connecting to any connected USB devices in the Files app.

If `false`, the system disables Find My Device in the Find My app.

If `false`, the system disables Find My Friends in the Find My app.

If `false`, the system disables changes to Find My Friends.

If `false`, the system prevents Touch ID, Face ID, or Optic ID from unlocking a device. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system prevents the user from modifying Touch ID or Face ID.

If `false`, the system disables Game Center, and the system removes its icon from the Home Screen.

If `false`, prohibits creating new Genmoji.

If `false`, the system disables global background fetch activity when an iOS phone is roaming. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system disables host pairing with the exception of the supervision host. If there's no configured supervision host certificate, the system disables all pairing. Host pairing lets the administrator control whether an iOS device can pair with a host Mac or PC.

If `false`, prohibits the use of image generation.

If `false`, prohibits the use of Image Wand.

If `false`, the system prohibits in-app purchasing. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system prevents modifying the Internet Sharing setting in System Settings.

If `false`, prohibits the use of iPhone Mirroring. In macOS, this prevents the Mac from mirroring any iPhone. In iOS, this prevents the iPhone from mirroring to any Mac.

If `false`, the system disallows iPhone widgets on a Mac that signs in with the same Apple Account for iCloud.

If `false`, the system disables the iTunes Music Store and removes its icon from the Home Screen. Users can't preview, purchase, or download content. Requires a supervised device in iOS 13 and later.

If `false`, the system disables iTunes file sharing services.

If `false`, the system disables keyboard shortcuts.

If present, the system only shows or can launch apps with bundle IDs in the array. Include the value `com.apple.webapp` to allow all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth).

If `false`, the system disables live voicemail on the device.

If `false`, the system prevents creating users in System Settings.

If `false`, the system prevents Control Center from appearing on the Lock Screen.

If `false`, the system disables the Notifications history view on the Lock Screen, so users can't view past notifications. However, they can still see notifications when they arrive.

If `false`, the system disables the Today view in Notification Center on the Lock Screen.

If `false`, the system disables Mail Privacy Protection on the device.

If `false`, disables smart replies in Mail.

If `false`, disables the ability to create summaries of email messages manually. This doesn't affect automatic summary generation.

If `false`, the system prevents managed apps from using iCloud sync.

If `true`, the system allows managed apps to write contacts to unmanaged accounts. If `allowOpenFromManagedToUnmanaged` is `true`, this restriction has no effect. > Important: > Use MDM to install profiles that contain this restriction.

If `false`, the system prevents installation of alternative marketplace apps from the web and prevents any installed alternative marketplace apps from installing apps.

If `false`, prevents modification of Media Sharing settings.

If `false`, the system prohibits multiplayer gaming.

If `false`, the system disables the Music service, and the Music app reverts to classic mode.

If `false`, the system disables News.

If `false`, the system disables NFC.

If `false`, disables transcription in Notes.

If `false`, disables transcription summarization in Notes.

If `false`, the system disables modification of notification settings.

If `false`, documents in managed apps and accounts open only in other managed apps and accounts.

If `false`, documents in unmanaged apps and accounts open only in other unmanaged apps and accounts.

If `false`, the system disables over-the-air PKI updates. Setting this restriction to `false` doesn't disable CRL and OCSP checks.

If `false`, the system disables pairing with an Apple Watch, and the system unpairs any currently paired Apple Watch and erases its content.

If `false`, the system hides Passbook notifications from the Lock Screen.

If `false`, the system prevents adding, changing, or removing the passcode. The system ignores this restriction on Shared iPad.

If `false`, the system disables: - The AutoFill Passwords feature in iOS, with Keychain and third-party password managers - Prompting the user to use a saved password in Safari or in apps - Automatic strong passwords - Suggesting strong passwords to users However, if `false`, the system doesn't prevent AutoFill for contact info and credit cards in Safari.

If `false`, the system disables requesting passwords from nearby devices.

If `false`, the system disables sharing passwords with the AirDrop passwords feature, or with the Passwords app.

If `false`, the system disables modifications of the personal hotspot setting.

If false, prevents the system from generating text in the user's handwriting.

If `false`, the system disables Photo Stream.

If `false`, the system disables podcasts.

If `false`, the system disables predictive keyboards.

If `false`, the system prevents modifying Printer Sharing settings in System Settings.

If `false`, disables the prompt to set up new devices that are nearby.

If `false`, the system disables Apple Music Radio.

If `false`, the system prohibits installation of Background Security Improvements.

If `false`, the system prohibits removal of Background Security Improvements.

If `false`, prevents the use of RCS messaging.

If `false`, the system prevents modifying Remote Apple Events Sharing settings in System Settings.

If `false`, the system disables pairing Apple TV for use with the Control Center widget.

If `false`, the system disables remote screen observation by the Classroom app. Nest this key beneath `allowScreenShot` as a subrestriction. If `allowScreenShot` is `false`, the Classroom app doesn't observe remote screens. Requires a supervised device until iOS 13 and macOS 10.15. Allowed for user enrollments in macOS 12 and later.

If `false`, the system disables the Safari web browser app, and the system removes its icon from the Home Screen. This setting also prevents users from opening web clips. Requires a supervised device in iOS 13 and later.

If `false`, the system disables the ability to clear browsing history in Safari.

If `false`, the system disables the ability to use private browsing in Safari.

If `false`, the system disables the ability to summarize content in Safari.

If `false`, the system prohibits the connection to and use of satellite services.

If `false`, the system disables saving a screenshot of the display and capturing a screen recording. It also disables the Classroom app from observing remote screens.

If `false`, the system makes temporary sessions unavailable on Shared iPad.

If `false`, the system disables Shared Photo Stream. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system disables the keyboard spell checker.

If `false`, the system disables Spotlight Internet search results in Siri Suggestions. Support for this restriction on unsupervised devices is deprecated.

If `false`, the system prevents modification of Startup Disk settings in System Settings.

If `false`, the system disables the removal of system apps from the device.

If `false`, the system prevents modification of Time Machine settings in System Settings. This restriction is not supported on the user channel.

If `false`, the system disables the App Store and removes its icon from the Home Screen. However, users can continue to install or update their apps either locally (via Configurator, Xcode, and so forth), or using alternative marketplace apps. In iOS 10 and later, MDM commands can override this restriction.

If `false`, the system prohibits the user from installing configuration profiles and certificates interactively.

If `false`, the system disables Universal Control.

If `true`, the system allows unmanaged apps to read from managed contacts accounts. If `allowOpenFromManagedToUnmanaged` is `true`, this restriction has no effect. > Important: > Use MDM to install profiles that contain this restriction.

If `true`, the system allows unpaired devices to boot devices into recovery.

If `false`, the system automatically rejects untrusted HTTPS certificates without prompting the user.

If `false`, the system allows iOS devices to always connect to USB accessories while locked. In macOS, allows new USB and Thunderbolt accessories, and SD cards to connect without authorization. If the system has Lockdown mode enabled, it ignores this value. This restriction is not supported on the user channel.

If `false`, the system hides the FaceTime app. Requires a supervised device in iOS 13 and later.

If `false`, disables the ability for a remote FaceTime session to request control of the device.

If `false`, the system disables visual intelligence summarization.

If `false`, the system disables voice dialing if the device is locked with a passcode.

If `false`, the system allows only managed apps to create VPN configurations. Prior to iOS 18, the system also allows unmanaged apps to create VPN configurations.

If `false`, the system prevents changing the wallpaper.

If `false`, the device prevents installation of apps directly from the web.

If `false`, disables Apple Intelligence writing tools.

If present, the system allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode.

Use `blockedAppBundleIDs` instead.

If present, the system prevents showing or launching apps with bundle IDs in the array. Include the value `com.apple.webapp` to restrict all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, and so forth). > Note: > Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP).

An array of strings representing ICCIDs of cellular plans. The device prevents use of any matching cellular networks in iMessage and FaceTime. The array must contain no more than 4 ICCID strings.

An array of strings representing ICCIDs of cellular plans. The device prevents use of any matching cellular networks with RCS messaging. The array must contain no more than 4 ICCID strings.

The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours.

How many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. The restrictions `forceDelayedAppSoftwareUpdates` and `forceDelayedSoftwareUpdates` use this value.

This restriction allows the administrator to set the number of days to delay a major software upgrade on the device. When this restriction is in place, the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for `forceDelayedMajorSoftwareUpdates`.

This restriction allows the administrator to set the number of days to delay a minor OS software update on the device. When this restriction is in place, the user sees a software update only after the specified delay after the release of the software update. This value controls the delay for `forceDelayedSoftwareUpdates`.

This restriction allows the administrator to set the number of days to delay an app software update on the device. When this restriction is in place, the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for `forceDelayedAppSoftwareUpdates`.

If `true`, the system considers AirDrop to be an unmanaged drop target.

If `true`, the system forces all devices sending AirPlay requests to this device to use a pairing password. This key isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead.

If `true`, the system forces all devices receiving AirPlay requests from this device to use a pairing password.

If `true`, the system requires trusted certificates for TLS printing communication.

If `true`, the system forces the use of the profanity filter for Siri and dictation. Requires a supervised device in iOS.

If `true`, the user needs to authenticate before the system can autofill passwords or credit card information in Safari and apps. If this restriction isn't enforced, the user can toggle this feature in Settings. Only supported on devices with Face ID or Touch ID.

If `true`, the system enables the Set Automatically feature in Date & Time and the user can't disable it. The system updates the device's time zone only when the device can determine its location using a cellular connection or Wi-Fi with location services enabled.

If `true`, then the system bypasses the presentation of a screen capture alert.

If `true`, the system automatically gives permission to the teacher's requests without prompting the student.

If `true`, a student enrolled in an unmanaged course through Classroom needs to request permission from the teacher to leave the course.

If `true`, the system allows the teacher to lock apps or the device without prompting the student.

If `true` and `ScreenObservationPermissionModificationAllowed` is also `true` in the Education payload, a student enrolled in a managed course through the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student.

If `true`, the system delays user visibility of non-OS software updates. Control visibility of operating system updates through `forceDelayedSoftwareUpdates`. The delay is 30 days unless you set `enforcedSoftwareUpdateDelay` to another value.

If `true`, the system delays user visibility of major OS updates.

If `true`, the system delays user visibility of software updates. In macOS, the system allows seed build updates without delay. The delay is 30 days unless you set `enforcedSoftwareUpdateDelay` to another value.

If `true`, the system encrypts all backups.

If `true`, the system forces the user to enter their iTunes password for each transaction.

If `true`, the system limits ad tracking. Additionally, it disables app tracking and the Allow Apps to Request to Track setting.

If `true`, the system disables connections to Siri servers for the purposes of dictation.

If `true`, the device can't connect to Siri servers for the purposes of translation.

If `true`, the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. > Note: > The system doesn't preserve eSIM if Find My initiates erasing the device.

If `true`, the system forces a paired Apple Watch to use Wrist Detection.

If `true`, the system prevents turning off Wi-Fi in Settings or Control Center, even by entering or leaving Airplane Mode. It doesn't prevent selecting which Wi-Fi network to use. and later.

If `true`, the system limits the device to only join Wi-Fi networks set up through a configuration profile.

Use `forceWiFiToAllowedNetworksOnly` instead.

The maximum level of app content allowed on the device. Preinstalled (first-party) apps ignore this restriction. Possible values, with the U.S. description of the rating level: - `1000`: All - `600`: 17+ - `300`: 12+ - `200`: 9+ - `100`: 4+ - `0`: None Age bands and the number of discrete age values vary by region, but the values are consistent across regions. For example, in a region that defines rating level 14+, its value is guaranteed to be larger than 300 (12+) and smaller than 600 (17+). Also, the value of rating level 15+ is guaranteed to be larger than the assigned value of rating level 14+. For more information about age ratings, see [Age ratings values and definitions](https://developer.apple.com/help/app-store-connect/reference/age-ratings-values-and-definitions). Examples of values in other regions include: - `1000`: All - `621`: 21+ - `620`: 20+ - `619`: 19+ - `618`: 18+ - `600`: 17+ - `416`: 16+ - `415`: 15+ - `314`: 14+ - `313`: 13+ - `300`: 12+ - `211`: 11+ - `210`: 10+ - `200`: 9+ - `108`: 8+ - `107`: 7+ - `106`: 6+ - `105`: 5+ - `100`: 4+ - `3`: 3+ - `2`: 2+ - `1`: 1+ - `0`: None This restriction will require supervision in a future release.

If present, the system exempts apps with bundle IDs in the array from age-based rating restrictions. The system uses intersection combine rules to combine multiple payloads and any exceptions that parental control apps provide, including ScreenTime.

The maximum level of movie content allowed on the device. Support for this restriction on unsupervised devices is deprecated. Possible values, with the U.S. description of the rating level: - `1000`: All - `500`: NC-17 - `400`: R - `300`: PG-13 - `200`: PG - `100`: G - `0`: None

The two-letter key that profile tools use to display the proper ratings for the given region. The client doesn't recognize or report this data.

The maximum level of TV content allowed on the device. Support for this restriction on unsupervised devices is deprecated. Possible values, with the U.S. description of the rating level: - `1000`: All - `600`: TV-MA - `500`: TV-14 - `400`: TV-PG - `300`: TV-G - `200`: TV-Y7 - `100`: TV-Y - `0`: None

If `true`, copy-and-paste functionality is limited by the `allowOpenFromManagedToUnmanaged` and `allowOpenFromUnmanagedToManaged` restrictions.

Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Support for this restriction on unsupervised devices is deprecated. Allowed values: - `0`: Enables Prevent Cross-Site Tracking and Block All Cookies, and the user canʼt disable either setting. - `1` or `1.5`: Enables Prevent Cross-Site Tracking, and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. - `2`: Enables Prevent Cross-Site Tracking, but doesn't enable Block All Cookies. The user can toggle either setting.

If `false`, the system disables Safari AutoFill for passwords, contact info, and credit cards, and also prevents using the Keychain for AutoFill. Requires a supervised device in iOS 13 and later. > Note: > The system still allows third-party password managers, and apps can use AutoFill.

If `false`, Safari doesn't execute JavaScript. This restriction will require supervision in a future release.

If `false`, Safari doesn't allow pop-up windows. Support for this restriction on unsupervised devices is deprecated.

If `true`, the system enables Safari fraud warning.

Use `allowListedAppBundleIDs` instead.