App Restrictions
Overview
Restrictions allow you to block or limit specific device features and applications. They are enforced through configuration profiles and cannot be bypassed by the end user. Use restrictions to enforce security policies, reduce distractions, and prevent data leakage.
Restrictions are available on iOS, iPadOS, and macOS. Some restrictions are platform-specific.
Feature Restrictions
Control access to built-in device features and system apps.
| Restriction | iOS | iPadOS | macOS | Description |
|---|---|---|---|---|
| AllowCamera | Yes | Yes | Yes | Allow use of the device camera |
| AllowSafari | Yes | Yes | No | Allow Safari web browser |
| AllowFaceTime | Yes | Yes | Yes | Allow FaceTime video/audio calls |
| AllowAirDrop | Yes | Yes | Yes | Allow AirDrop file sharing |
| AllowAirPlay | Yes | Yes | Yes | Allow AirPlay screen mirroring |
| AllowScreenShot | Yes | Yes | No | Allow taking screenshots and screen recordings |
| AllowScreenRecording | Yes | Yes | Yes | Allow screen recording (iOS 14+, macOS) |
| AllowPassbook | Yes | Yes | No | Allow Wallet and Apple Pay |
| AllowBookstore | Yes | Yes | No | Allow the Books (iBooks) app |
| AllowPodcasts | Yes | Yes | No | Allow the Podcasts app |
| AllowNews | Yes | Yes | No | Allow the News app |
| AllowAppStore | Yes | Yes | Yes | Allow the App Store (install/update apps) |
| AllowAppStoreUI | Yes | Yes | No | Allow browsing the App Store (install still controlled separately) |
| AllowAppRemoval | Yes | Yes | No | Allow user to remove apps from the device |
| AllowAppInstallation | Yes | Yes | No | Allow installing apps (via App Store or enterprise) |
| AllowAppCellularData | Yes | Yes | No | Allow apps to use cellular data |
| AllowDiagnosticSubmission | Yes | Yes | Yes | Allow sending diagnostic and usage data to Apple |
| AllowCloudBackup | Yes | Yes | Yes | Allow iCloud backup |
| AllowCloudSync | Yes | Yes | Yes | Allow iCloud document and data sync |
| AllowCloudKeychainSync | Yes | Yes | Yes | Allow iCloud Keychain sync |
| AllowFindMyDevice | Yes | Yes | Yes | Allow Find My device location sharing |
| AllowFindMyFriends | Yes | Yes | Yes | Allow Find My Friends location sharing |
| AllowGameCenter | Yes | Yes | No | Allow Game Center |
| AllowMultiplayerGaming | Yes | Yes | No | Allow multiplayer gaming |
| AllowAddingGameCenterFriends | Yes | Yes | No | Allow adding Game Center friends |
| AllowCellularData | Yes | Yes | No | Allow cellular data usage entirely |
| AllowCellularVoiceRoaming | Yes | Yes | No | Allow voice roaming on cellular networks |
| AllowCellularDataRoaming | Yes | Yes | No | Allow data roaming on cellular networks |
| AllowPersonalHotspot | Yes | Yes | No | Allow personal hotspot / tethering |
| AllowVPNCreation | Yes | Yes | Yes | Allow user to configure VPN profiles manually |
| AllowEraseContentAndSettings | Yes | Yes | No | Allow the Erase All Content and Settings option |
| AllowUSBRestrictedMode | Yes | Yes | No | Require USB accessories to unlock (USB Restricted Mode) |
| AllowPasswordAutoFill | Yes | Yes | No | Allow password autofill from iCloud Keychain |
| AllowPasswordSharing | Yes | Yes | No | Allow AirDrop password sharing (iOS 12+) |
| AllowAutoUnlock | No | No | Yes | Allow Apple Watch to unlock the Mac |
| AllowContentCaching | No | No | Yes | Allow local content caching on macOS |
Example
```json
{
  "AllowCamera": false,
  "AllowSafari": false,
  "AllowFaceTime": false,
  "AllowAirDrop": false,
  "AllowScreenShot": false,
  "AllowAppStore": false,
  "AllowAppRemoval": false,
  "AllowCloudBackup": false,
  "AllowGameCenter": false,
  "AllowMultiplayerGaming": false
}
```
App Allow/Block List
Control which apps can run on the device by bundle identifier. This applies to both built-in and third-party apps.
| Field | Type | Description |
|---|---|---|
| AllowedAppBundleIDs | string[] | List of bundle IDs that are allowed to run. All other apps are blocked. |
| BlockedAppBundleIDs | string[] | List of bundle IDs that are blocked from running. All other apps are allowed. |
You cannot set both AllowedAppBundleIDs and BlockedAppBundleIDs at the same time — choose one approach per Blueprint.
Common Bundle Identifiers
| App | Bundle ID |
|---|---|
| Safari | com.apple.mobilesafari |
| Camera | com.apple.camera |
| FaceTime | com.apple.facetime |
| Messages | com.apple.MobileSMS |
| Mail | com.apple.mobilemail |
| Calendar | com.apple.mobilecal |
| Photos | com.apple.mobileslideshow |
| Maps | com.apple.Maps |
| Music | com.apple.Music |
| App Store | com.apple.AppStore |
| Settings | com.apple.Preferences |
| Clock | com.apple.mobiletimer |
| Calculator | com.apple.calculator |
| Notes | com.apple.mobilenotes |
| Reminders | com.apple.reminders |
| Voice Memos | com.apple.VoiceMemos |
| Health | com.apple.Health |
| Wallet | com.apple.Passbook |
| Books | com.apple.iBooks |
| Podcasts | com.apple.podcasts |
| News | com.apple.news |
| Stocks | com.apple.stocks |
| Weather | com.apple.weather |
| Zoom | zoom.us |
| Slack | com.tinyspeck.chatlyio |
| Microsoft Teams | com.microsoft.teams |
| Microsoft Outlook | com.microsoft.Outlook |
Example — Allow Only Specific Apps
```json
{
  "AllowedAppBundleIDs": [
    "com.apple.mobilemail",
    "com.apple.mobilecal",
    "com.apple.mobilesafari",
    "com.microsoft.Outlook",
    "com.microsoft.teams"
  ]
}
```
Example — Block Specific Apps
```json
{
  "BlockedAppBundleIDs": [
    "com.apple.camera",
    "com.apple.facetime",
    "zoom.us"
  ]
}
```
iCloud Restrictions
Control iCloud services independently of the general feature flags above.
| Restriction | iOS | iPadOS | macOS | Description |
|---|---|---|---|---|
| AllowCloudBackup | Yes | Yes | Yes | Block iCloud device backup |
| AllowCloudSync | Yes | Yes | Yes | Block iCloud document and data sync |
| AllowCloudKeychainSync | Yes | Yes | Yes | Block iCloud Keychain |
| AllowCloudDesktopAndDocuments | Yes | Yes | Yes | Block iCloud Desktop & Documents sync (macOS) |
| AllowCloudPhotoLibrary | Yes | Yes | Yes | Block iCloud Photos |
| AllowCloudPrivateRelay | Yes | Yes | Yes | Block iCloud Private Relay (iOS 15+, macOS 12+) |
| AllowFindMyDevice | Yes | Yes | Yes | Block Find My device |
| AllowFindMyFriends | Yes | Yes | Yes | Block Find My Friends |
Cellular Data Restrictions
Control cellular data usage on iOS and iPadOS devices.
| Restriction | Description |
|---|---|
| AllowCellularData | Master toggle for all cellular data |
| AllowCellularDataRoaming | Block data roaming to avoid unexpected charges |
| AllowCellularVoiceRoaming | Block voice roaming |
| AllowPersonalHotspot | Block tethering / personal hotspot |
| AllowAppCellularData | Allow apps to use cellular data for network access |
| AllowCellularDataForAppStore | Allow App Store downloads over cellular |
| AllowCellularDataForSafari | Allow Safari over cellular |
Game Center Restrictions
Control Game Center and multiplayer features on iOS and iPadOS.
| Restriction | Description |
|---|---|
| AllowGameCenter | Block Game Center entirely |
| AllowMultiplayerGaming | Block multiplayer gaming (local and online) |
| AllowAddingGameCenterFriends | Block adding friends in Game Center |
| AllowGameCenterNearbyMultiplayer | Block nearby multiplayer discovery |
Screen Recording and Media Restrictions
| Restriction | iOS | iPadOS | macOS | Description |
|---|---|---|---|---|
| AllowScreenShot | Yes | Yes | No | Block screenshots |
| AllowScreenRecording | Yes | Yes | Yes | Block screen recording |
| AllowScreenViewing | Yes | Yes | Yes | Block screen sharing/viewing (AirPlay mirroring) |
| AllowAirPlay | Yes | Yes | Yes | Block AirPlay streaming |
| AllowAirPlayOutgoingRequests | Yes | Yes | Yes | Block sending AirPlay requests to other devices |
| AllowMusicService | Yes | Yes | Yes | Block Apple Music streaming service |
| AllowPodcasts | Yes | Yes | No | Block the Podcasts app |
macOS-Specific Restrictions
| Restriction | Description |
|---|---|
| AllowAutoUnlock | Block Apple Watch unlocking the Mac |
| AllowContentCaching | Block local content caching |
| AllowPasswordProximityAutoFill | Block auto-fill from nearby devices |
| AllowPasswordSharing | Block password sharing via AirDrop |
| AllowDiagnosticSubmission | Block diagnostic data submission |
| AllowCloudDesktopAndDocuments | Block iCloud Desktop & Documents sync |
| AllowiCloudMail | Block iCloud Mail |
| AllowiCloudReminders | Block iCloud Reminders sync |
| AllowiCloudBookmarks | Block iCloud Bookmarks sync |
| AllowiCloudNotes | Block iCloud Notes sync |
| AllowiCloudCalendars | Block iCloud Calendars sync |
| AllowiCloudContacts | Block iCloud Contacts sync |
Best Practices
- Start with a blocklist, not an allowlist. Block the few features that violate policy (camera, AirDrop, Game Center) rather than trying to enumerate every allowed app. Switch to an allowlist only when the device is strictly single-purpose (kiosk, dedicated device).
- Test on a small group first. Restrictions like blocking the camera or disabling screenshots can break workflows you did not anticipate. Deploy to a pilot group before rolling out broadly.
- Combine with other Blueprint settings. Pair restrictions with passcode policy, VPN, and security configurations for defense in depth.
- Document your bundle IDs. When using AllowedAppBundleIDs or BlockedAppBundleIDs, maintain a list of bundle IDs for your organization's apps. Bundle IDs can change with app updates.
- Do not mix allow and block lists. A Blueprint cannot set both AllowedAppBundleIDs and BlockedAppBundleIDs simultaneously. Pick one strategy per Blueprint.
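
A pre-deployment check for the rules on this page, as an added example that is not part of the product's own tooling: it flags a payload that sets both lists, bundle IDs missing from your documented inventory, non-boolean flags, and keys the tables do not list for the target platform. The names `lint_restrictions`, `PLATFORMS`, `INVENTORY` and the bundle ID `com.example.fieldapp` are hypothetical, and the platform map copies only a subset of rows from the tables above.

```python
import json

# Platform availability for a subset of keys, copied from this page's tables.
# Keys absent from this map are skipped by the platform check.
PLATFORMS = {
    "AllowCamera": {"iOS", "iPadOS", "macOS"},
    "AllowSafari": {"iOS", "iPadOS"},
    "AllowScreenShot": {"iOS", "iPadOS"},
    "AllowAutoUnlock": {"macOS"},
    "AllowContentCaching": {"macOS"},
}
LIST_KEYS = ("AllowedAppBundleIDs", "BlockedAppBundleIDs")


def lint_restrictions(payload, platform, inventory):
    """Return findings for one restrictions payload (dict) on one platform."""
    findings = []
    present = [k for k in LIST_KEYS if k in payload]
    if len(present) == 2:
        findings.append("both AllowedAppBundleIDs and BlockedAppBundleIDs are set")
    for key in present:
        ids = payload[key]
        if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
            findings.append(f"{key} must be a list of strings")
            continue
        # Bundle IDs the organization has not documented (typo or renamed app).
        for bid in sorted(set(ids) - inventory):
            findings.append(f"{key}: {bid} is not in the documented inventory")
    for key, value in payload.items():
        if key in LIST_KEYS:
            continue
        if not isinstance(value, bool):
            findings.append(f"{key} must be true or false")
        if key in PLATFORMS and platform not in PLATFORMS[key]:
            findings.append(f"{key} is not listed for {platform}")
    return findings


# Constructed sample payload and inventory, for illustration only.
SAMPLE = json.loads("""{
  "AllowCamera": false,
  "AllowSafari": "no",
  "AllowAutoUnlock": false,
  "AllowedAppBundleIDs": ["com.apple.mobilemail", "com.example.fieldapp"],
  "BlockedAppBundleIDs": ["zoom.us"]
}""")
INVENTORY = {"com.apple.mobilemail", "com.apple.mobilecal", "zoom.us"}

if __name__ == "__main__":
    for finding in lint_restrictions(SAMPLE, "iOS", INVENTORY):
        print(finding)
```

Running the check in CI against each Blueprint's JSON before it reaches the pilot group catches these configuration errors without touching a device.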
