App Restrictions

Overview

Restrictions allow you to block or limit specific device features and applications. They are enforced through configuration profiles and cannot be bypassed by the end user. Use restrictions to enforce security policies, reduce distractions, and prevent data leakage.

Restrictions are available on iOS, iPadOS, and macOS. Some restrictions are platform-specific.

Feature Restrictions

Control access to built-in device features and system apps.

| Restriction | iOS | iPadOS | macOS | Description |
| --- | --- | --- | --- | --- |
| AllowCamera | Yes | Yes | Yes | Allow use of the device camera |
| AllowSafari | Yes | Yes | No | Allow Safari web browser |
| AllowFaceTime | Yes | Yes | Yes | Allow FaceTime video/audio calls |
| AllowAirDrop | Yes | Yes | Yes | Allow AirDrop file sharing |
| AllowAirPlay | Yes | Yes | Yes | Allow AirPlay screen mirroring |
| AllowScreenShot | Yes | Yes | No | Allow taking screenshots and screen recordings |
| AllowScreenRecording | Yes | Yes | Yes | Allow screen recording (iOS 14+, macOS) |
| AllowPassbook | Yes | Yes | No | Allow Wallet and Apple Pay |
| AllowBookstore | Yes | Yes | No | Allow the Books (iBooks) app |
| AllowPodcasts | Yes | Yes | No | Allow the Podcasts app |
| AllowNews | Yes | Yes | No | Allow the News app |
| AllowAppStore | Yes | Yes | Yes | Allow the App Store (install/update apps) |
| AllowAppStoreUI | Yes | Yes | No | Allow browsing the App Store (install still controlled separately) |
| AllowAppRemoval | Yes | Yes | No | Allow user to remove apps from the device |
| AllowAppInstallation | Yes | Yes | No | Allow installing apps (via App Store or enterprise) |
| AllowAppCellularData | Yes | Yes | No | Allow apps to use cellular data |
| AllowDiagnosticSubmission | Yes | Yes | Yes | Allow sending diagnostic and usage data to Apple |
| AllowCloudBackup | Yes | Yes | Yes | Allow iCloud backup |
| AllowCloudSync | Yes | Yes | Yes | Allow iCloud document and data sync |
| AllowCloudKeychainSync | Yes | Yes | Yes | Allow iCloud Keychain sync |
| AllowFindMyDevice | Yes | Yes | Yes | Allow Find My device location sharing |
| AllowFindMyFriends | Yes | Yes | Yes | Allow Find My Friends location sharing |
| AllowGameCenter | Yes | Yes | No | Allow Game Center |
| AllowMultiplayerGaming | Yes | Yes | No | Allow multiplayer gaming |
| AllowAddingGameCenterFriends | Yes | Yes | No | Allow adding Game Center friends |
| AllowCellularData | Yes | Yes | No | Allow cellular data usage entirely |
| AllowCellularVoiceRoaming | Yes | Yes | No | Allow voice roaming on cellular networks |
| AllowCellularDataRoaming | Yes | Yes | No | Allow data roaming on cellular networks |
| AllowPersonalHotspot | Yes | Yes | No | Allow personal hotspot / tethering |
| AllowVPNCreation | Yes | Yes | Yes | Allow user to configure VPN profiles manually |
| AllowEraseContentAndSettings | Yes | Yes | No | Allow the Erase All Content and Settings option |
| AllowUSBRestrictedMode | Yes | Yes | No | Require USB accessories to unlock (USB Restricted Mode) |
| AllowPasswordAutoFill | Yes | Yes | No | Allow password autofill from iCloud Keychain |
| AllowPasswordSharing | Yes | Yes | No | Allow AirDrop password sharing (iOS 12+) |
| AllowAutoUnlock | No | No | Yes | Allow Apple Watch to unlock the Mac |
| AllowContentCaching | No | No | Yes | Allow local content caching on macOS |

Example

```json
{
  "AllowCamera": false,
  "AllowSafari": false,
  "AllowFaceTime": false,
  "AllowAirDrop": false,
  "AllowScreenShot": false,
  "AllowAppStore": false,
  "AllowAppRemoval": false,
  "AllowCloudBackup": false,
  "AllowGameCenter": false,
  "AllowMultiplayerGaming": false
}
```

App Allow/Block List

Control which apps can run on the device by bundle identifier. This applies to both built-in and third-party apps.

| Field | Type | Description |
| --- | --- | --- |
| AllowedAppBundleIDs | string[] | List of bundle IDs that are allowed to run. All other apps are blocked. |
| BlockedAppBundleIDs | string[] | List of bundle IDs that are blocked from running. All other apps are allowed. |

You cannot set both AllowedAppBundleIDs and BlockedAppBundleIDs at the same time — choose one approach per Blueprint.

Common Bundle Identifiers

| App | Bundle ID |
| --- | --- |
| Safari | com.apple.mobilesafari |
| Camera | com.apple.camera |
| FaceTime | com.apple.facetime |
| Messages | com.apple.MobileSMS |
| Mail | com.apple.mobilemail |
| Calendar | com.apple.mobilecal |
| Photos | com.apple.mobileslideshow |
| Maps | com.apple.Maps |
| Music | com.apple.Music |
| App Store | com.apple.AppStore |
| Settings | com.apple.Preferences |
| Clock | com.apple.mobiletimer |
| Calculator | com.apple.calculator |
| Notes | com.apple.mobilenotes |
| Reminders | com.apple.reminders |
| Voice Memos | com.apple.VoiceMemos |
| Health | com.apple.Health |
| Wallet | com.apple.Passbook |
| Books | com.apple.iBooks |
| Podcasts | com.apple.podcasts |
| News | com.apple.news |
| Stocks | com.apple.stocks |
| Weather | com.apple.weather |
| Zoom | zoom.us |
| Slack | com.tinyspeck.chatlyio |
| Microsoft Teams | com.microsoft.teams |
| Microsoft Outlook | com.microsoft.Outlook |

Example — Allow Only Specific Apps

```json
{
  "AllowedAppBundleIDs": [
    "com.apple.mobilemail",
    "com.apple.mobilecal",
    "com.apple.mobilesafari",
    "com.microsoft.Outlook",
    "com.microsoft.teams"
  ]
}
```

Example — Block Specific Apps

```json
{
  "BlockedAppBundleIDs": [
    "com.apple.camera",
    "com.apple.facetime",
    "zoom.us"
  ]
}
```

iCloud Restrictions

Control iCloud services independently of the general feature flags above.

| Restriction | iOS | iPadOS | macOS | Description |
| --- | --- | --- | --- | --- |
| AllowCloudBackup | Yes | Yes | Yes | Block iCloud device backup |
| AllowCloudSync | Yes | Yes | Yes | Block iCloud document and data sync |
| AllowCloudKeychainSync | Yes | Yes | Yes | Block iCloud Keychain |
| AllowCloudDesktopAndDocuments | Yes | Yes | Yes | Block iCloud Desktop & Documents sync (macOS) |
| AllowCloudPhotoLibrary | Yes | Yes | Yes | Block iCloud Photos |
| AllowCloudPrivateRelay | Yes | Yes | Yes | Block iCloud Private Relay (iOS 15+, macOS 12+) |
| AllowFindMyDevice | Yes | Yes | Yes | Block Find My device |
| AllowFindMyFriends | Yes | Yes | Yes | Block Find My Friends |

Cellular Data Restrictions

Control cellular data usage on iOS and iPadOS devices.

| Restriction | Description |
| --- | --- |
| AllowCellularData | Master toggle for all cellular data |
| AllowCellularDataRoaming | Block data roaming to avoid unexpected charges |
| AllowCellularVoiceRoaming | Block voice roaming |
| AllowPersonalHotspot | Block tethering / personal hotspot |
| AllowAppCellularData | Allow apps to use cellular data for network access |
| AllowCellularDataForAppStore | Allow App Store downloads over cellular |
| AllowCellularDataForSafari | Allow Safari over cellular |

Game Center Restrictions

Control Game Center and multiplayer features on iOS and iPadOS.

| Restriction | Description |
| --- | --- |
| AllowGameCenter | Block Game Center entirely |
| AllowMultiplayerGaming | Block multiplayer gaming (local and online) |
| AllowAddingGameCenterFriends | Block adding friends in Game Center |
| AllowGameCenterNearbyMultiplayer | Block nearby multiplayer discovery |

Screen Recording and Media Restrictions

| Restriction | iOS | iPadOS | macOS | Description |
| --- | --- | --- | --- | --- |
| AllowScreenShot | Yes | Yes | No | Block screenshots |
| AllowScreenRecording | Yes | Yes | Yes | Block screen recording |
| AllowScreenViewing | Yes | Yes | Yes | Block screen sharing/viewing (AirPlay mirroring) |
| AllowAirPlay | Yes | Yes | Yes | Block AirPlay streaming |
| AllowAirPlayOutgoingRequests | Yes | Yes | Yes | Block sending AirPlay requests to other devices |
| AllowMusicService | Yes | Yes | Yes | Block Apple Music streaming service |
| AllowPodcasts | Yes | Yes | No | Block the Podcasts app |

macOS-Specific Restrictions

| Restriction | Description |
| --- | --- |
| AllowAutoUnlock | Block Apple Watch unlocking the Mac |
| AllowContentCaching | Block local content caching |
| AllowPasswordProximityAutoFill | Block auto-fill from nearby devices |
| AllowPasswordSharing | Block password sharing via AirDrop |
| AllowDiagnosticSubmission | Block diagnostic data submission |
| AllowCloudDesktopAndDocuments | Block iCloud Desktop & Documents sync |
| AllowiCloudMail | Block iCloud Mail |
| AllowiCloudReminders | Block iCloud Reminders sync |
| AllowiCloudBookmarks | Block iCloud Bookmarks sync |
| AllowiCloudNotes | Block iCloud Notes sync |
| AllowiCloudCalendars | Block iCloud Calendars sync |
| AllowiCloudContacts | Block iCloud Contacts sync |

Best Practices

  • Start with a blocklist, not an allowlist. Block the few features that violate policy (camera, AirDrop, Game Center) rather than trying to enumerate every allowed app. Switch to an allowlist only when the device is strictly single-purpose (kiosk, dedicated device).
  • Test on a small group first. Restrictions like blocking the camera or disabling screenshots can break workflows you did not anticipate. Deploy to a pilot group before rolling out broadly.
  • Combine with other Blueprint settings. Pair restrictions with passcode policy, VPN, and security configurations for defense in depth.
  • Document your bundle IDs. When using AllowedAppBundleIDs or BlockedAppBundleIDs, maintain a list of bundle IDs for your organization's apps. Bundle IDs can change with app updates.
  • Do not mix allow and block lists. A Blueprint cannot set both AllowedAppBundleIDs and BlockedAppBundleIDs simultaneously. Pick one strategy per Blueprint.
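
A pre-deployment check for the rules above (one list strategy per Blueprint, platform-specific keys, clean bundle IDs), written as an added example and not part of the product. The function name `lint_restrictions`, the bundle ID pattern, and the sample payload are assumptions made for illustration; the platform data is a subset copied from the Feature Restrictions table.

```python
import json
import re

# Keys this page's Feature Restrictions table marks "No" for a platform
# (a subset copied from the table, not the full list).
UNSUPPORTED = {
    "macOS": {"AllowSafari", "AllowScreenShot", "AllowPassbook", "AllowAppRemoval",
              "AllowAppInstallation", "AllowGameCenter", "AllowCellularData",
              "AllowPersonalHotspot", "AllowUSBRestrictedMode"},
    "iOS": {"AllowAutoUnlock", "AllowContentCaching"},
    "iPadOS": {"AllowAutoUnlock", "AllowContentCaching"},
}
LIST_KEYS = ("AllowedAppBundleIDs", "BlockedAppBundleIDs")
# Assumption: a bundle ID is two or more dot-separated labels of letters,
# digits and hyphens. Stray whitespace or a bare app name fails this.
BUNDLE_ID = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def lint_restrictions(payload, platform):
    """Return findings for one restrictions payload; an empty list means clean."""
    findings = []
    if all(key in payload for key in LIST_KEYS):
        findings.append("AllowedAppBundleIDs and BlockedAppBundleIDs are both set")
    for key, value in payload.items():
        if key in LIST_KEYS:
            if not isinstance(value, list):
                findings.append(f"{key}: expected a list of bundle IDs")
                continue
            # Per the field description, everything outside the allowlist is blocked.
            if key == "AllowedAppBundleIDs" and not value:
                findings.append(f"{key}: empty allowlist blocks every app")
            for bid in value:
                if not isinstance(bid, str) or not BUNDLE_ID.fullmatch(bid):
                    findings.append(f"{key}: malformed bundle ID {bid!r}")
        elif not isinstance(value, bool):
            findings.append(f"{key}: expected true or false, got {value!r}")
        elif key in UNSUPPORTED.get(platform, set()):
            findings.append(f"{key}: not available on {platform}")
    return findings


# Constructed sample payload for illustration, not a real deployment.
SAMPLE = json.loads("""{
  "AllowCamera": false,
  "AllowScreenShot": false,
  "AllowedAppBundleIDs": ["com.apple.mobilemail", "com.microsoft.teams "],
  "BlockedAppBundleIDs": ["zoom.us"]
}""")

if __name__ == "__main__":
    for finding in lint_restrictions(SAMPLE, "macOS"):
        print(finding)
```

Running it against the sample for macOS reports the mixed lists, the iOS-only screenshot key, and the bundle ID with a trailing space, which would otherwise silently fail to match the installed app.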

Released under the MIT License