iOS Personal Enhanced Security Configuration
Overview:
The iOS Personal Enhanced template provides a strong security baseline that organizations can apply to personally owned iOS devices.
Intune Description:
Enhanced security configuration for a personally owned, iOS mobile device.
Scope:
This template should be applied to personally owned iOS devices. The enrollment type decides which rows of the settings table take effect: settings listed under "All enrollment types" apply to every enrolled device, including user enrollment; settings under "Device enrollment and automated device enrollment" require at least device enrollment; settings under "Automated device enrollment" only apply to supervised devices enrolled through Apple Business Manager or Apple School Manager, and every such setting in this template is left Not configured.
Policy Impact Areas:
When deployed, this policy will:
- Enforce encrypted backups and block managed apps from storing data in iCloud.
- Limit Siri: Siri is blocked while the device is locked and blocked for dictation and translation.
- Require a numeric passcode of at least 6 digits, block simple passcodes, and lock the screen after 5 minutes of inactivity.
- Wipe the device after 10 consecutive failed sign-in attempts.
- Block untrusted TLS certificates and block trusting new enterprise app authors, so users cannot accept an untrusted certificate or trust a newly sideloaded enterprise app.
- Hide Notification Center and Today view on the lock screen and block voice dialing while the device is locked.
- Block viewing corporate documents in unmanaged apps and treat AirDrop as an unmanaged destination.
Deployment Notes:
Pre-Deployment Considerations:
- None at this time.
Post-Deployment Validation:
- Verify lock screen timeout (5 minutes of inactivity) and passcode enforcement (numeric, minimum 6 characters, simple passcodes blocked) on an enrolled device.
- Confirm the wipe threshold (10 failed sign-in attempts) from the profile's settings in Intune or from the management profile installed on the device; do not test it by entering wrong passcodes on a device that holds data you need.
Known Issues and Resolutions:
- Issue 1: None at this time.
- Resolution: N/A
Configuration Settings:
Setting | Value

App Store, Doc Viewing, Gaming: All enrollment types
Block viewing corporate documents in unmanaged apps | Yes
Allow unmanaged apps to read from managed contacts accounts | Not configured
Treat AirDrop as an unmanaged destination | Yes
Block viewing non-corporate documents in corporate apps | Not configured
Allow copy/paste to be affected by managed open-in | Not configured

App Store, Doc Viewing, Gaming: Device enrollment and automated device enrollment
Require iTunes Store password for all purchases | Not configured
Block in-app purchases | Not configured
Block download of explicit sexual content in Apple Books | Not configured
Allow managed apps to write contacts to unmanaged contacts accounts | Yes
Ratings region | No region configured

App Store, Doc Viewing, Gaming: Automated device enrollment
Block App store | Not configured
Block installing apps using App Store | Not configured
Block automatic app downloads | Not configured
Block playback of explicit music, podcast, and iTunes U | Not configured
Block adding Game Center friends | Not configured
Block Game Center | Not configured
Block multiplayer gaming in the Game Center | Not configured
Block access to network drive in Files app | Not configured

Autonomous Single App Mode: Automated device enrollment
App name | (blank)

Built-in apps: All enrollment types
Block Siri | Not configured
Block Siri while device is locked | Yes
Require Safari fraud warnings | Yes

Built-in apps: Device enrollment and automated device enrollment
Block internet search results from Spotlight | Not configured
Safari cookies | Not configured
Block Safari JavaScript | Not configured
Block Safari pop-ups | Not configured
Block Siri for dictation | Yes
Block Siri for translation | Yes

Built-in apps: Automated device enrollment
Block camera | Not configured
Block FaceTime | Not configured
Require Siri profanity filter | Not configured
Block user-generated content in Siri | Not configured
Block Apple News | Not configured
Block Apple Books | Not configured
Block iMessage | Not configured
Block Podcasts | Not configured
Music service | Not configured
Block iTunes Radio | Not configured
Block iTunes store | Not configured
Block Find My iPhone | Not configured
Block Find My Friends | Not configured
Block user modification to the Find My Friends settings | Not configured
Block removal of system apps from device | Not configured
Block Safari | Not configured
Block Safari Autofill | Not configured

Cloud and Storage: All enrollment types
Force encrypted backup | Yes
Block managed apps from storing data in iCloud | Yes
Block backup of enterprise books | Yes
Block notes and highlights sync for enterprise books | Yes

Cloud and Storage: Device enrollment and automated device enrollment
Block iCloud Photos sync | Not configured
Block iCloud Photo Library | Not configured
Block My Photo Stream | Not configured
Block Handoff | Not configured

Cloud and Storage: Automated device enrollment
Block iCloud backup | Not configured
Block iCloud document and data sync | Not configured
Block iCloud Keychain sync | Not configured
Block iCloud Private Relay | Not configured

Connected devices: All enrollment types
Force Apple Watch wrist detection | Yes

Connected devices: Device enrollment and automated device enrollment
Require AirPlay outgoing requests pairing password | Not configured
Block Apple Watch auto unlock | Not configured

Connected devices: Automated device enrollment
Block AirDrop | Not configured
Block pairing with Apple Watch | Not configured
Block modifying Bluetooth settings | Not configured
Block pairing with non-Configurator hosts | Not configured
Block AirPrint | Not configured
Block storage of AirPrint credentials in Keychain | Not configured
Require AirPrint to destinations with trusted certificates | Not configured
Block iBeacon discovery of AirPrint printers | Not configured
Block setting up new nearby devices | Not configured
Block access to USB drive in Files app | Not configured
Disable near-field communication (NFC) | Not configured
Allow users to boot devices into recovery mode with unpaired devices | Not configured

Domains
Unmarked email domains | (blank)
Managed Safari web domains (Web Domain URL) | (blank)
Safari password domains (Domain URL) | (blank)

General: All enrollment types
Block sending diagnostic and usage data to Apple | Yes
Block screenshots and screen recording | Not configured

General: Device enrollment and automated device enrollment
Block untrusted TLS certificates | Yes
Block over-the-air PKI updates | Not configured
Force limited ad tracking | Not configured
Block trusting new enterprise app authors | Yes
Limit Apple personalized advertising | Not configured

General: Automated device enrollment
Block modification of diagnostics settings | Not configured
Block remote AirPlay, view screen by Classroom app, and screen sharing | Not configured
Allow Classroom app to perform AirPlay and view screen without prompting | Not configured
Block modification of account settings | Not configured
Block Screen Time | Not configured
Block users from erasing all content and settings on device | Not configured
Block modification of device name | Not configured
Block modification of notifications settings | Not configured
Block modification of Wallpaper | Not configured
Block configuration profile changes | Not configured
Allow activation lock | Not configured
Block removing apps | Not configured
Block app clips | Not configured
Allow USB accessories while device is locked | Not configured
Force automatic date and time | Not configured
Require teacher permission to leave Classroom app unmanaged classes | Not configured
Allow Classroom to lock to an app and lock the device without prompting | Not configured
Allow students to automatically join Classroom classes without prompting | Not configured
Block VPN creation | Not configured
Block modification of eSIM settings | Not configured
Defer software updates | Not configured
Delay default visibility of software updates | (blank)

Keyboard and dictionary: Automated device enrollment
Block word definition lookup | Not configured
Block predictive keyboards | Not configured
Block auto-correction | Not configured
Block spell check | Not configured
Block keyboard shortcuts | Not configured
Block dictation | Not configured
Block QuickPath | Not configured

Locked Screen Experience: All enrollment types
Block Control Center access in lock screen | Not configured
Block Notification Center access in lock screen | Yes
Block Today view in lock screen | Yes

Locked Screen Experience: Device enrollment and automated device enrollment
Block Wallet notifications in lock screen | Not configured

Password: All enrollment types
Require password | Yes

Password: Device enrollment and automated device enrollment
Block simple passwords | Yes
Required password type | Numeric
Number of non-alphanumeric characters in password | Not configured
Minimum password length | 6
Number of sign-in failures before wiping device | 10
Maximum minutes after screen lock before password is required | 5 minutes
Maximum minutes of inactivity until screen locks | 5 minutes
Password expiration (days) | (blank)
Prevent reuse of previous passwords | (blank)
Block Touch ID and Face ID unlock | Not configured

Password: Automated device enrollment
Block passcode modification | Not configured
Block modification of Touch ID fingerprints and Face ID faces | Not configured
Block password AutoFill | Not configured
Block password proximity requests | Not configured
Block password sharing | Not configured
Require Touch ID or Face ID authentication for AutoFill of password or credit card information | Not configured

Restricted Apps: Device enrollment and automated device enrollment
Type of restricted apps list | Not configured
Apps list | (blank)

Shared iPad: Automated device enrollment
Block Shared iPad temporary sessions | Not configured

Show or Hide Apps: Automated device enrollment
Type of apps list | Not configured
Apps list | (blank)

Wireless: Device enrollment and automated device enrollment
Block data roaming | Not configured
Block global background fetch while roaming | Not configured
Block voice dialing while device is locked | Yes
Block voice roaming | Not configured
Block personal hotspot | Not configured
Add managed iOS apps that should not be allowed to use any cellular data | (blank)
Block use of cellular data | Not configured
Block use of cellular data when roaming | Not configured

Wireless: Automated device enrollment
Block changes to app cellular data usage settings | Not configured
Block changes to cellular plan settings | Not configured
Block modification of personal hotspot | Not configured
Require joining Wi-Fi networks only using configuration profiles | Not configured
Require Wi-Fi always on | Not configured
Require devices to use Wi-Fi networks set up via configuration profiles | Not configured
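The post-deployment validation above is a manual check on one device. A repeatable check is to pull the profile Intune actually stores (GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{id} with the DeviceManagementConfiguration.Read.All permission) and compare it with the values in the settings table. The script below is an added example, not tooling from the template or from Intune: it encodes the settings this template turns on as rules that tolerate tightening but flag weakening, then runs them against a constructed stand-in for the Graph response. The property names are assumed from the Graph reference for the iosGeneralDeviceConfiguration resource; confirm them against a real response from your tenant, and add the remaining "Yes" rows once confirmed. Fetching the JSON is left outside the block so it runs offline.

```python
"""Post-deployment drift check for the PROD-iOS Personal Enhanced template.

Added example: compares the iosGeneralDeviceConfiguration object Intune stores
for the profile (fetched elsewhere via Microsoft Graph) against the values in
this document's settings table. Not part of the template or of Intune.
"""

# Core settings the template enforces. Keys are Graph property names of the
# iosGeneralDeviceConfiguration resource (assumed from the Graph reference;
# confirm against a real GET response). Rule "eq": exact match; "in": any of
# the listed values; "min": tightening upward is fine; "max": tightening
# downward is fine. Anything weaker, missing or null is reported as drift.
BASELINE = {
    "passcodeRequired": ("eq", True),
    "passcodeBlockSimple": ("eq", True),
    "passcodeRequiredType": ("in", ("numeric", "alphanumeric")),
    "passcodeMinimumLength": ("min", 6),
    "passcodeSignInFailureCountBeforeWipe": ("max", 10),
    "passcodeMinutesOfInactivityBeforeLock": ("max", 5),
    "passcodeMinutesOfInactivityBeforeScreenTimeout": ("max", 5),
    "iCloudRequireEncryptedBackup": ("eq", True),
    "iCloudBlockManagedAppsSync": ("eq", True),
    "siriBlockedWhenLocked": ("eq", True),
    "safariRequireFraudWarning": ("eq", True),
    "certificatesBlockUntrustedTlsCertificates": ("eq", True),
    "enterpriseAppBlockTrust": ("eq", True),
    "lockScreenBlockNotificationView": ("eq", True),
    "lockScreenBlockTodayView": ("eq", True),
    "voiceDialingBlocked": ("eq", True),
}

# Constructed stand-in for the body returned by
# GET /deviceManagement/deviceConfigurations/{id}; not a real tenant response.
SAMPLE_PROFILE = {
    "@odata.type": "#microsoft.graph.iosGeneralDeviceConfiguration",
    "displayName": "PROD-iOS Personal Enhanced Security Configuration",
    "passcodeRequired": True,
    "passcodeBlockSimple": True,
    "passcodeRequiredType": "numeric",
    "passcodeMinimumLength": 6,
    "passcodeSignInFailureCountBeforeWipe": 10,
    "passcodeMinutesOfInactivityBeforeLock": 5,
    "passcodeMinutesOfInactivityBeforeScreenTimeout": 5,
    "passcodeExpirationDays": None,
    "iCloudRequireEncryptedBackup": True,
    "iCloudBlockManagedAppsSync": True,
    "siriBlockedWhenLocked": True,
    "safariRequireFraudWarning": True,
    "certificatesBlockUntrustedTlsCertificates": True,
    "enterpriseAppBlockTrust": True,
    "lockScreenBlockNotificationView": True,
    "lockScreenBlockTodayView": True,
    "voiceDialingBlocked": True,
}


def _satisfies(op, want, have):
    """Apply one baseline rule to the deployed value."""
    if op == "eq":
        return have == want
    if op == "in":
        return have in want
    if not isinstance(have, int) or isinstance(have, bool):
        return False  # null, missing or non-numeric never satisfies a limit
    return have >= want if op == "min" else have <= want


def check_profile(profile, baseline=BASELINE):
    """Return [(setting, rule, baseline, deployed)] for each setting that is
    weaker than, or missing from, the baseline. An empty list means compliant."""
    findings = []
    for name, (op, want) in baseline.items():
        have = profile.get(name)  # absent and null both mean Not configured
        if not _satisfies(op, want, have):
            findings.append((name, op, want, have))
    return findings


def drifted_profile():
    """Constructed copy of SAMPLE_PROFILE with three realistic regressions:
    a shorter PIN, the wipe threshold cleared, and fraud warnings turned off."""
    bad = dict(SAMPLE_PROFILE)
    bad["passcodeMinimumLength"] = 4
    bad["passcodeSignInFailureCountBeforeWipe"] = None
    bad["safariRequireFraudWarning"] = False
    return bad


if __name__ == "__main__":
    for label, prof in (("as deployed", SAMPLE_PROFILE), ("drifted", drifted_profile())):
        findings = check_profile(prof)
        print(f"{prof['displayName']} ({label}): {len(findings)} finding(s)")
        for name, op, want, have in findings:
            print(f"  {name}: expected {op} {want!r}, deployed {have!r}")
```

This checks the profile as stored in Intune, which is what an administrator can change silently; it does not prove the restrictions reached a given device. For that, still use the per-device configuration status in Intune or the management profile installed on the device.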
Device Template Name | PROD-iOS Personal Enhanced Security Configuration
Default Intune Deployed Name | PROD-iOS Personal Enhanced Security Configuration
Version | 1.0
Template Last Updated | Jul 8, 2025
Document Last Updated | Jul 21, 2025