iOS Supervised High Security Configuration
Overview:
The iOS Supervised High Security Configuration provides a hardened baseline for corporately owned, supervised iOS devices. It is recommended for specific users or groups who are uniquely high risk (for example, users who handle highly sensitive data whose unauthorized disclosure would cause considerable material loss to the organization).
Intune Description:
High security configuration for a corporately owned, enterprise iOS mobile device.
Scope:
This template should be applied to corporately owned iOS devices that are supervised through Automated Device Enrollment; many of its settings (those listed under "Automated device enrollment" in the table below) are enforced only on supervised devices.
Policy Impact Areas:
When deployed, this policy will:
- Block the App Store and iCloud backups, and force local backups to be encrypted.
- Block Siri, AirDrop, the iTunes Store and Find My Friends.
- Block screenshots and screen recording, password AutoFill, user-created VPNs, configuration profile changes and untrusted TLS certificates.
- Wipe the device after 5 consecutive failed passcode attempts.
Deployment Notes:
- Settings listed under "Automated device enrollment" in the table below are enforced only on supervised devices; on a device enrolled any other way those rows are not applied.
- Block VPN creation, Block configuration profile changes and Block trusting new enterprise app authors are all set to Yes, so any VPN, certificate or in-house (enterprise-signed) app the device needs must be delivered through Intune; the user cannot add or trust it manually.
Pre-Deployment Considerations:
- Ensure devices are wiped prior to deployment.
- Ensure devices are managed by Apple Business Manager and assigned to the Intune MDM server, so that they enroll supervised through Automated Device Enrollment.
- Deploy the root certificate of any internal CA as a trusted certificate profile before this template: Block untrusted TLS certificates is set to Yes, so the user cannot accept an untrusted certificate and connections to internal HTTPS services signed by a CA that has not been pushed will simply fail.
Post-Deployment Validation:
- Verify the device shows as supervised in Intune and the profile reports as applied.
- Verify the lock screen timeout (5 minutes) and passcode enforcement (numeric, 6 or more digits, simple passcodes rejected).
- Verify that the App Store, Siri and AirDrop are unavailable on the device.
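A drift check for the Post-Deployment Validation step, as an added example (it is not part of this template and not Intune or Microsoft code): it takes the Microsoft Graph export of the deployed profile and flags every setting this page documents with an explicit value that the export does not match. The Graph property names in the mapping are an assumption from my reading of the iosGeneralDeviceConfiguration resource, not something this page states, so verify them against your tenant's export; the sample export is constructed inline so the script runs offline.

```python
"""Drift check for the iOS Supervised High Security Configuration.

Added example; not part of the documented template and not Intune or
Microsoft code. It reads a Microsoft Graph export of the deployed
device-restriction profile (resource type iosGeneralDeviceConfiguration)
and reports every documented setting whose exported value differs.

Assumption (not stated on this page): the Graph property names below are
the ones I know from the iosGeneralDeviceConfiguration schema. Verify
them against your tenant's export before trusting the mapping.
"""
import json

EXPECTED_ODATA_TYPE = "#microsoft.graph.iosGeneralDeviceConfiguration"

# Documented value per Graph property. Rows the page leaves
# "Not configured" carry no expectation and are deliberately absent.
BASELINE = {
    # Password section
    "passcodeRequired": True,
    "passcodeBlockSimple": True,
    "passcodeRequiredType": "numeric",
    "passcodeMinimumLength": 6,
    "passcodeSignInFailureCountBeforeWipe": 5,
    "passcodeMinutesOfInactivityBeforeLock": 5,
    "passcodeMinutesOfInactivityBeforeScreenTimeout": 5,
    "passcodeExpirationDays": 365,
    "passcodePreviousPasscodeBlockCount": 5,
    "passwordBlockAutoFill": True,
    # App Store, Cloud and Storage, Built-in apps, Connected devices
    "appStoreBlocked": True,
    "iCloudBlockBackup": True,
    "iCloudRequireEncryptedBackup": True,
    "keychainBlockCloudSync": True,
    "siriBlocked": True,
    "findMyFriendsBlocked": True,
    "airDropBlocked": True,
    "hostPairingBlocked": True,
    # General
    "screenCaptureBlocked": True,
    "certificatesBlockUntrustedTlsCertificates": True,
    "enterpriseAppBlockTrust": True,
    "configurationProfileBlockChanges": True,
    "deviceBlockEraseContentAndSettings": True,
    "vpnBlockCreation": True,
}


def check_profile(profile: dict) -> list[str]:
    """Return one finding per mismatch; an empty list means no drift.

    A property that is null or absent in the export is reported as well,
    because that is what a "Not configured" setting looks like in Graph.
    """
    findings = []
    odata_type = profile.get("@odata.type")
    if odata_type != EXPECTED_ODATA_TYPE:
        findings.append(
            f"@odata.type: {odata_type!r} is not {EXPECTED_ODATA_TYPE!r}; "
            "wrong profile type or wrong object exported"
        )
    for field, expected in BASELINE.items():
        actual = profile.get(field)
        if actual != expected:
            findings.append(f"{field}: exported {actual!r}, documented {expected!r}")
    return findings


def check_export(body: str) -> list[str]:
    """Parse a Graph GET response body (one profile object) and check it."""
    return check_profile(json.loads(body))


# Constructed sample export (not from a real tenant): the documented
# baseline with two deliberate deviations so that findings are visible.
SAMPLE_EXPORT = json.dumps({
    "@odata.type": EXPECTED_ODATA_TYPE,
    "displayName": "PROD-iOS Supervised High Security Configuration",
    **BASELINE,
    "passcodeMinimumLength": 4,  # weaker than the documented 6
    "airDropBlocked": None,      # left Not configured
})

if __name__ == "__main__":
    # Replace SAMPLE_EXPORT with the body of
    # GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{id}
    for finding in check_export(SAMPLE_EXPORT) or ["no drift from the documented baseline"]:
        print(finding)
```

Run it against the JSON body returned by GET https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/{id} for the deployed PROD-iOS Supervised High Security Configuration profile (the DeviceManagementConfiguration.Read.All permission is sufficient). A null or missing property is reported as drift because that is how a "Not configured" setting appears in the export; settings this page itself leaves "Not configured" are intentionally not checked, since the template makes no claim about them.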
Known Issues and Resolutions:
- Issue 1: Block setting up new nearby devices (set to Yes) disables the proximity setup prompt, so this device cannot be used as the source when setting up a new nearby iOS device.
- Resolution: None; this is an accepted consequence of the baseline. New devices must be set up from another source.
Configuration Settings:
Yes means the named setting is applied (for Block rows the function is blocked; for Allow/Require/Force rows it is allowed, required or forced). Not configured means this profile leaves the setting unchanged on the device.

Name | Value

App Store, Doc Viewing, Gaming |
All enrollment types |
Block viewing corporate documents in unmanaged apps | Yes
Allow unmanaged apps to read from managed contacts accounts | Not configured
Treat AirDrop as an unmanaged destination | Yes
Block viewing non-corporate documents in corporate apps | Not configured
Allow copy/paste to be affected by managed open-in | Yes
Device enrollment and automated device enrollment |
Require iTunes Store password for all purchases | Not configured
Block in-app purchases | Not configured
Block download of explicit sexual content in Apple Books | Not configured
Allow managed apps to write contacts to unmanaged contacts accounts | Yes
Ratings region | No region configured
Automated device enrollment |
Block App Store | Yes
Block installing apps using App Store | Not configured
Block automatic app downloads | Not configured
Block playback of explicit music, podcast, and iTunes U | Yes
Block adding Game Center friends | Yes
Block Game Center | Yes
Block multiplayer gaming in the Game Center | Yes
Block access to network drive in Files app | Yes

Autonomous Single App Mode |
Automated device enrollment |
App name |

Built-in apps |
All enrollment types |
Block Siri | Yes
Block Siri while device is locked | Yes
Require Safari fraud warnings | Yes
Device enrollment and automated device enrollment |
Block internet search results from Spotlight | Not configured
Safari cookies | Not configured
Block Safari JavaScript | Not configured
Block Safari pop-ups | Not configured
Block Siri for dictation | Yes
Block Siri for translation | Yes
Automated device enrollment |
Block camera | Not configured
Block FaceTime | Not configured
Require Siri profanity filter | Not configured
Block user-generated content in Siri | Not configured
Block Apple News | Not configured
Block Apple Books | Not configured
Block iMessage | Not configured
Block Podcasts | Not configured
Music service | Not configured
Block iTunes Radio | Not configured
Block iTunes Store | Yes
Block Find My iPhone | Not configured
Block Find My Friends | Yes
Block user modification to the Find My Friends settings | Yes
Block removal of system apps from device | Not configured
Block Safari | Not configured
Block Safari Autofill | Yes

Cloud and Storage |
All enrollment types |
Force encrypted backup | Yes
Block managed apps from storing data in iCloud | Yes
Block backup of enterprise books | Yes
Block notes and highlights sync for enterprise books | Yes
Device enrollment and automated device enrollment |
Block iCloud Photos sync | Not configured
Block iCloud Photo Library | Not configured
Block My Photo Stream | Not configured
Block Handoff | Yes
Automated device enrollment |
Block iCloud backup | Yes
Block iCloud document and data sync | Yes
Block iCloud Keychain sync | Yes
Block iCloud Private Relay | Not configured

Connected devices |
All enrollment types |
Force Apple Watch wrist detection | Yes
Device enrollment and automated device enrollment |
Require AirPlay outgoing requests pairing password | Yes
Block Apple Watch auto unlock | Yes
Automated device enrollment |
Block AirDrop | Yes
Block pairing with Apple Watch | Not configured
Block modifying Bluetooth settings | Not configured
Block pairing with non-Configurator hosts | Yes
Block AirPrint | Yes
Block storage of AirPrint credentials in Keychain | Yes
Require AirPrint to destinations with trusted certificates | Yes
Block iBeacon discovery of AirPrint printers | Yes
Block setting up new nearby devices | Yes
Block access to USB drive in Files app | Yes
Disable near-field communication (NFC) | Not configured
Allow users to boot devices into recovery mode with unpaired devices | Not configured

Domains |
Unmarked email domains |
Managed Safari web domains (Web Domain URL) |
Safari password domains (Domain URL) |

General |
All enrollment types |
Block sending diagnostic and usage data to Apple | Yes
Block screenshots and screen recording | Yes
Device enrollment and automated device enrollment |
Block untrusted TLS certificates | Yes
Block over-the-air PKI updates | Not configured
Force limited ad tracking | Not configured
Block trusting new enterprise app authors | Yes
Limit Apple personalized advertising | Not configured
Automated device enrollment |
Block modification of diagnostics settings | Not configured
Block remote AirPlay, view screen by Classroom app, and screen sharing | Not configured
Allow Classroom app to perform AirPlay and view screen without prompting | Not configured
Block modification of account settings | Yes
Block Screen Time | Not configured
Block users from erasing all content and settings on device | Yes
Block modification of device name | Not configured
Block modification of notifications settings | Not configured
Block modification of Wallpaper | Not configured
Block configuration profile changes | Yes
Allow activation lock | Yes
Block removing apps | Yes
Block app clips | Not configured
Allow USB accessories while device is locked | Not configured
Force automatic date and time | Yes
Require teacher permission to leave Classroom app unmanaged classes | Not configured
Allow Classroom to lock to an app and lock the device without prompting | Not configured
Allow students to automatically join Classroom classes without prompting | Not configured
Block VPN creation | Yes
Block modification of eSIM settings | Yes
Defer software updates | Not configured
Delay default visibility of software updates |

Keyboard and dictionary |
Automated device enrollment |
Block word definition lookup | Not configured
Block predictive keyboards | Not configured
Block auto-correction | Not configured
Block spell check | Not configured
Block keyboard shortcuts | Not configured
Block dictation | Not configured
Block QuickPath | Not configured

Locked Screen Experience |
All enrollment types |
Block Control Center access in lock screen | Not configured
Block Notification Center access in lock screen | Yes
Block Today view in lock screen | Yes
Device enrollment and automated device enrollment |
Block Wallet notifications in lock screen | Not configured

Password |
All enrollment types |
Require password | Yes
Device enrollment and automated device enrollment |
Block simple passwords | Yes
Required password type | Numeric
Number of non-alphanumeric characters in password | Not configured
Minimum password length | 6
Number of sign-in failures before wiping device | 5
Maximum minutes after screen lock before password is required | 5 minutes
Maximum minutes of inactivity until screen locks | 5 minutes
Password expiration (days) | 365
Prevent reuse of previous passwords | 5
Block Touch ID and Face ID unlock | Not configured
Automated device enrollment |
Block passcode modification | Not configured
Block modification of Touch ID fingerprints and Face ID faces | Not configured
Block password AutoFill | Yes
Block password proximity requests | Yes
Block password sharing | Yes
Require Touch ID or Face ID authentication for AutoFill of password or credit card information | Yes

Restricted Apps |
Device enrollment and automated device enrollment |
Type of restricted apps list | Not configured
Apps list |

Shared iPad |
Automated device enrollment |
Block Shared iPad temporary sessions | Not configured

Show or Hide Apps |
Automated device enrollment |
Type of apps list | Not configured
Apps list |

Wireless |
Device enrollment and automated device enrollment |
Block data roaming | Not configured
Block global background fetch while roaming | Not configured
Block voice dialing while device is locked | Yes
Block voice roaming | Not configured
Block personal hotspot | Not configured
Managed iOS apps that should not be allowed to use any cellular data |
Block use of cellular data | Not configured
Block use of cellular data when roaming | Not configured
Automated device enrollment |
Block changes to app cellular data usage settings | Not configured
Block changes to cellular plan settings | Not configured
Block modification of personal hotspot | Not configured
Require joining Wi-Fi networks only using configuration profiles | Not configured
Require Wi-Fi always on | Not configured
Require devices to use Wi-Fi networks set up via configuration profiles | Not configured
Device Template Name | PROD-iOS Supervised High Security Configuration
Default Intune Deployed Name | PROD-iOS Supervised High Security Configuration
Version | 1.0
Template Last Updated | Jul 8, 2025
Document Last Updated | Jul 21, 2025