iOS Personal Enhanced Security Configuration

Overview:

The iOS Personal Enhanced provides a strong baseline for organizations to uplift security for their personally owned iOS devices.

Intune Description:

Enhanced security configuration for a personally owned, iOS mobile device.

Scope:

This template should be applied to iOS devices.

Policy Impact Areas:

When deployed, this policy will impact:

Enforcing encrypted backups.
Impact / limit functionality of Siri.
Enforcing device reset after 10 repeated failed sign-in attempts.

Deployment Notes:

Pre-Deployment Considerations:
- None at this time.
Post-Deployment Validation:
- Verify lock screen timeout (5 minutes) and password length enforcement (6+ characters).

Known Issues and Resolutions

Issue 1: None at this time
- Resolution: N/A

Configuration Settings:

Name	Value
*App Store, Doc Viewing, Gaming*
*All enrollment types*
Block viewing corporate documents in unmanaged apps	Yes
Allow unmanaged apps to read from managed contacts accounts	Not configured
Treat AirDrop as an unmanaged destination	Yes
Block viewing non-corporate documents in corporate apps	Not configured
Allow copy/paste to be affected by managed open-in	Not configured
*Device enrollment and automated device enrollment*
Require iTunes Store password for all purchases	Not configured
Block in-app purchases	Not configured
Block download of explicit sexual content in Apple Books	Not configured
Allow managed apps to write contacts to unmanaged contacts accounts	Yes
Ratings region	No region configured
*Automated device enrollment*
Block App store	Not configured
Block installing apps using App Store	Not configured
Block automatic app downloads	Not configured
Block playback of explicit music, podcast, and iTunes U	Not configured
Block adding Game Center friends	Not configured
Block Game Center	Not configured
Block multiplayer gaming in the Game Center	Not configured
Block access to network drive in Files app	Not configured
*Autonomous Single App Mode*
*Automated device enrollment*
App name
*Built-in apps*
*All enrollment types*
Block Siri	Not configured
Block Siri while device is locked	Yes
Require Safari fraud warnings	Yes
*Device enrollment and automated device enrollment*
Block internet search results from Spotlight	Not configured
Safari cookies	Not configured
Block Safari JavaScript	Not configured
Block Safari pop-ups	Not configured
Block Siri for dictation	Yes
Block Siri for translation	Yes
*Automated device enrollment*
Block camera	Not configured
Block FaceTime	Not configured
Require Siri profanity filter	Not configured
Block user-generated content in Siri	Not configured
Block Apple News	Not configured
Block Apple Books	Not configured
Block iMessage	Not configured
Block Podcasts	Not configured
Music service	Not configured
Block iTunes Radio	Not configured
Block iTunes store	Not configured
Block Find My iPhone	Not configured
Block Find My Friends	Not configured
Block user modification to the Find My Friends settings	Not configured
Block removal of system apps from device	Not configured
Block Safari	Not configured
Block Safari Autofill	Not configured
*Cloud and Storage*
*All enrollment types*
Force encrypted backup	Yes
Block managed apps from storing data in iCloud	Yes
Block backup of enterprise books	Yes
Block notes and highlights sync for enterprise books	Yes
*Device enrollment and automated device enrollment*
Block iCloud Photos sync	Not configured
Block iCloud Photo Library	Not configured
Block My Photo Stream	Not configured
Block Handoff	Not configured
*Automated device enrollment*
Block iCloud backup	Not configured
Block iCloud document and data sync	Not configured
Block iCloud Keychain sync	Not configured
Block iCloud Private Relay	Not configured
*Connected devices*
*All enrollment types*
Force Apple Watch wrist detection	Yes
*Device enrollment and automated device enrollment*
Require AirPlay outgoing requests pairing password	Not configured
Block Apple Watch auto unlock	Not configured
*Automated device enrollment*
Block AirDrop	Not configured
Block pairing with Apple Watch	Not configured
Block modifying Bluetooth settings	Not configured
Block pairing with non-Configurator hosts	Not configured
Block AirPrint	Not configured
Block storage of AirPrint credentials in Keychain	Not configured
Require AirPrint to destinations with trusted certificates	Not configured
Block iBeacon discovery of AirPrint printers	Not configured
Block setting up new nearby devices	Not configured
Block access to USB drive in Files app	Not configured
Disable near-field communication (NFC)	Not configured
Allow users to boot devices into recovery mode with unpaired devices	Not configured
*Domains*
*Unmarked email domains*
Unmarked email domains
*Managed Safari web domains*
Web Domain URL
*Safari password domains*
Domain URL
*General*
*All enrollment types*
Block sending diagnostic and usage data to Apple	Yes
Block screenshots and screen recording	Not configured
*Device enrollment and automated device enrollment*
Block untrusted TLS certificates	Yes
Block over-the-air PKI updates	Not configured
Force limited ad tracking	Not configured
Block trusting new enterprise app authors	Yes
Limit Apple personalized advertising	Not configured
*Automated device enrollment*
Block modification of diagnostics settings	Not configured
Block remote AirPlay, view screen by Classroom app, and screen sharing	Not configured
Allow Classroom app to perform AirPlay and view screen without prompting	Not configured
Block modification of account settings	Not configured
Block Screen Time	Not configured
Block users from erasing all content and settings on device	Not configured
Block modification of device name	Not configured
Block modification of notifications settings	Not configured
Block modification of Wallpaper	Not configured
Block configuration profile changes	Not configured
Allow activation lock	Not configured
Block removing apps	Not configured
Block app clips	Not configured
Allow USB accessories while device is locked	Not configured
Force automatic date and time	Not configured
Require teacher permission to leave Classroom app unmanaged classes	Not configured
Allow Classroom to lock to an app and lock the device without prompting	Not configured
Allow students to automatically join Classroom classes without prompting	Not configured
Block VPN creation	Not configured
Block modification of eSIM settings	Not configured
Defer software updates	Not configured
Delay default visibility of software updates
*Keyboard and dictionary*
*Automated device enrollment*
Block word definition lookup	Not configured
Block predictive keyboards	Not configured
Block auto-correction	Not configured
Block spell check	Not configured
Block keyboard shortcuts	Not configured
Block dictation	Not configured
Block QuickPath	Not configured
*Locked Screen Experience*
*All enrollment types*
Block Control Center access in lock screen	Not configured
Block Notification Center access in lock screen	Yes
Block Today view in lock screen	Yes
*Device enrollment and automated device enrollment*
Block Wallet notifications in lock screen	Not configured
*Password*
*All enrollment types*
Require password	Yes
*Device enrollment and automated device enrollment*
Block simple passwords	Yes
Required password type	Numeric
Number of non-alphanumeric characters in password	Not configured
Minimum password length	6
Number of sign-in failures before wiping device	10
Maximum minutes after screen lock before password is required	5 minutes
Maximum minutes of inactivity until screen locks	5 minutes
Password expiration (days)
Prevent reuse of previous passwords
Block Touch ID and Face ID unlock	Not configured
*Automated device enrollment*
Block passcode modification	Not configured
Block modification of Touch ID fingerprints and Face ID faces	Not configured
Block password AutoFill	Not configured
Block password proximity requests	Not configured
Block password sharing	Not configured
Require Touch ID or Face ID authentication for AutoFill of password or credit card information	Not configured
*Restricted Apps*
*Device enrollment and automated device enrollment*
Type of restricted apps list	Not configured
Apps list
*Shared iPad*
*Automated device enrollment*
Block Shared iPad temporary sessions	Not configured
*Show or Hide Apps*
*Automated device enrollment*
Type of apps list	Not configured
Apps list
*Wireless*
*Device enrollment and automated device enrollment*
Block data roaming	Not configured
Block global background fetch while roaming	Not configured
Block voice dialing while device is locked	Yes
Block voice roaming	Not configured
Block personal hotspot	Not configured
*Add managed iOS apps that should not be allowed to use any cellular data.*
Block use of cellular data	Not configured
*Block use of cellular data when roaming*
Block use of cellular data when roaming	Not configured
*Automated device enrollment*
Block changes to app cellular data usage settings	Not configured
Block changes to cellular plan settings	Not configured
Block modification of personal hotspot	Not configured
Require joining Wi-Fi networks only using configuration profiles	Not configured
Require Wi-Fi always on	Not configured
Require devices to use Wi-Fi networks set up via configuration profiles	Not configured

Devicie Template Name	PROD-iOS Personal Enhanced Security Configuration
Default Intune Deployed Name	PROD-iOS Personal Enhanced Security Configuration
Version	1.0
Template Last Updated	Jul 8, 2025
Document Last Updated:	Jul 21, 2025