Mobile Manager

Mobile Manager Policies

Introduction to Policies

When creating policies you can use variables for commonly-used device and user fields instead of entering them manually. When a policy is sent to a user, these variables will be automatically populated with the user’s data.

The table below lists the user and device variables supported by Lightspeed Systems Mobile Manager.

Variable Definition
Device Variables
%os_version% The commonly-used OS version of the device
%imei% The International Mobile Station Equipment Identity (IMEI) number (used to identify mobile phones on GSM, UMTS, LTE, and iDEN networks) of the device
%serial_number% The device’s serial number
User Variables
%email% The user’s email address
%first_name% The user’s first name
%full_name% The user’s full name
%last_name% The user’s last name
%username% The user’s user name
%user_enrollment_url% The user’s web clip enrollment URL
%asset_tag% The user’s asset tag

 

Variables can be used in any text field.
For example, if you enter %email% in the Mail or Exchange ActiveSync Email Address field, it will be automatically populated with every user’s email address. In addition, you can also combine variables with text. For example, if you entered %first_name%’s email account in the Mail’s Account description field, it would combine the user’s first name with email account (e.g., John’s email account).

You can use multiple variables in a single field.
For example, if you entered %full_name%(%os_version%) the username and OS version would be automatically populated with data from the user’s device (e.g., John Doe(7.1)).

The number of profiles configured to each policy appears next to the policy name.

Restrictions

Profile restrictions allow you to set access for content and apps on your mobile devices managed by Lightspeed Systems Mobile Manager. For example, you can allow or prevent the use of cameras on all mobile devices.

To view, edit, or delete restrictions policies:

  • 1. To view, edit, or delete restrictions policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete restrictions policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Restrictions. The following will be displayed:

Restrictions

 

Field Description OS Supported
Allow use of camera Select this option to allow cameras on mobile devices. On iOS6+ devices this will remove the camera-related apps (Camera, Photo Booth, FaceTime) from the home screen.  iOS6+
Android
Windows 10
Allow screen capture Select this option to allow screen shots on mobile devices  iOS6+
Allow remote screen observation Select this option to allow remote screen observation. The Allow screen capture restriction must also be turned on for this to work.  iOS9.3+
Allow use of iMessage Select this option to allow iMessage on devices.
Note: This feature is only supported on supervised devices
iOS6+
Supervise
Allow iBook store Select this option to allow iBookstore on iOS devices.
Note: This feature is only supported on supervised devices
iOS6+
Supervise
Allow explicit sexual content in iBook store Select this option to allow purchases of explicit content (including erotica) from the iBookstore on iOS devices.
Note: This feature is only supported on supervised devices
iOS6+
Supervise
Allow Passbook while device is locked Select this option to allow the Passbook on a locked iOS device iOS6+
Allow voice dialing Select this option to allow voice dialing on devices iOS6+
Allow location service  Specifies whether to allow app access to the Location service. Windows 10
Allow Android location reporting Enable to allow location reporting on Android devices. Android
Android location – time interval Allows you to specify how often location is reported. Android
Android location – distance traveled Allows you to set a minimum distance that must be traveled before a report is generated. Android
Bluetooth device name Sets the local Bluetooth device name. Windows 10
Allow bluetooth advertising Specifies whether the device can send out Bluetooth advertisements. Windows 10
Allow bluetooth discovery Specifies whether other Bluetooth-enabled devices can discover the device. Windows 10
Allow bluetooth modification This restriction will lock the devices’ bluetooth state at the time it is applied. Turn bluetooth on/off on the device and then apply this restriction to keep the setting. iOS 10+
Supervise
Allow media auto play Allows the user to change Auto Play settings. Windows 10
Allow manually removing enrollment Specifies whether to allow the runtime configuration agent to remove provisioning packages. Windows 10
Allow storage card  Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. Windows 10
Allow Siri/Cortana Select this option to allow Siri on iOS devices or Cortana on Windows 10 devices. iOS6+
Windows 10
Allow Siri while locked Select this option to allow Siri to be used on iOS devices while they are locked.
Note: This option will be ignored if no passcode has been set.
iOS6+
Enable Siri profanity filter Select this option to enable the Siri profanity filter
(Note: This feature is only supported on supervised devices.)
iOS6+
Supervise
Allow Siri user-generated content Select this option to enable Siri to query user-generated content from the web on devices (including content from Wikipedia, Twitter, and Bing)
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow installing apps using Apple Configurator and iTunes Select this option to allow users to use Host apps (iTunes, Configurator) to install or update their apps iOS6+
Allow installing apps using app store Select this option to allow users to install apps from the app store using their own iTunes accounts. iOS9+
Supervise
Allow automatic app downloads Select this option to allow automatic downloading of apps purchased on other devices. Does not affect updates to existing apps. iOS9+
Supervise
Allow removing apps Select this option to allow users to uninstall apps managed by Mobile Manager on their devices
Note: This feature is only supported on supervised devices.
iOS6+
Supervise
Allow In-App Purchase Select this option to allow users to make in-app purchases iOS6+
Require iTunes password for all purchases Select this option to require an iTunes password for all purchases iOS5+
Allow Game Center Select this option to allow the Apple Game Center on iOS devices
Note: This feature is only supported on supervised devices.
iOS6+
Supervise
Allow iCloud backup Select this option to allow iCloud backups on mobile devices. Please use this with caution since this could involve saving your organization’s data on systems you don’t control. iOS6+
Allow iCloud document sync Select this option to allow iCloud document syncing on iOS devices. Please use this with caution since this could involve saving your organization’s documents on systems you don’t control. iOS6+
Allow iCloud keychain sync Select this option to allow iCloud Keychain syncing on iOS devices. Please use this with caution since this could involve saving your organization’s Keychain data on systems you don’t control. iOS7+
Allow iCloud managed apps sync Select this option to allow iCloud managed app syncing on iOS devices. Please use this with caution since this could involve saving your organization’s managed apps on systems you don’t control. iOS8+
Allow iCloud book notes and highlights sync Select this option to allow iCloud book notes and highlights syncing on iOS devices. Please use this with caution since this could involve saving your organization’s book notes and highlights on systems you don’t control. iOS8+
Allow iCloud photo sharing Select this option to allow iCloud photo sharing on iOS devices. Please use this with caution since this could involve saving your organization’s photographs on systems you don’t control. iOS6+
Allow iCloud photo library Select this option to allow iCloud photo library sharing on iOS devices. Please use this with caution since this could involve saving your organization’s photographs on systems you don’t control. iOS9+
Allow Photo Stream Select this option to allow iOS photo stream on iOS devices. Please use this with caution since this could involve saving your organization’s photographs on systems you don’t control.
Note: Disabling Photo Stream can cause data loss.
iOS6+
Allow automatic sync while roaming Select this option to allow automatic syncing on devices. If this option is disabled then devices will only sync when they are accessed by users, which can save on roaming costs. iOS6+
Force encrypted backups Select this option to require force encrypted backups on devices. This can help ensure that backups are protected even if the server that hosts the backups is compromised iOS6+
Backup managed books Select this option to allow encrypted backups of managed books on devices iOS8+
Allow untrusted TLS certificates Select this option to let users accept untrusted TLS certificates. Please note an untrusted certificate could indicate the presence of a “man in the middle” attack.
Note: See Apple’s KB article HT 5012 iOS 8: List of available trusted root certificates for information about the certificate trust policies for iOS
iOS6+
Allow diagnostic setting modification Select this option to allow the modification of diagnostic settings iOS9.3.2+
Send diagnostic and usage data to Apple Select this option to send diagnostic usage data from iOS devices to Apple
Note: Some organizations may consider diagnostics data to be sensitive
iOS6+
Allow installing profiles Select this option to allow the installation of configuration profiles and certificates on devices
(Note: This feature is only supported on supervised devices.)
iOS6+
Supervise
Allow account modification Select this option to allow account modifications on devices
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow AirDrop Select this option to allow AirDrop on devices
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow app cellular data modification Select this option to enable changes to cellular data usage for apps on devices
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow find my friends modification Select this option to enable Find My Friends on devices. Please note if you disable this feature you can no longer enable or disable location services.
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow finger-print for unlock Select this option to enable Touch ID to unlock devices iOS7+
Allow modifying passcode Select this option to allow users to add, change, or remove device passcodes. iOS9+
Supervise
Allow modifying Touch ID fingerprints Select this option to allow users to add, change, or remove Touch ID fingerprints. iOS8+
Supervise
Allow modifying wallpaper Select this option to allow users to modify the wallpaper on the device. iOS9+
Supervise
Allow modifying device name Select this option to allow users to add, change, or remove the device name. iOS9+
Supervise
Allow keyboard shortcuts Select this option to allow users to use keyboard shortcuts. iOS9+
Supervise
Allow pairing with Apple Watch Select this option to allow users to pair the device with an Apple Watch. iOS9+
Supervise
Force Apple Watch wrist detection Select this option to require a passcode to unlock a paired Apple Watch when it has been removed from the user’s wrist. iOS9+
Allow trusting new enterprise app authors Select this option to allow apps to be installed via MDM without requiring the user to “trust” the app developer. Note that enabling this setting can also allow users to “sideload” potentially unwanted apps. iOS9+
Require passcode when AirPlay pairing Select this option to require a passcode for AirPlay pairing (mirroring)
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow request to pair Apple TV with iOS Remote app Select this option to allow the paring of Apple TV with remote apps iOS 10.2+
Supervise
Require all devices pairing to this Apple TV to use a password Select this option to require a passcode for AirPlay pairing (mirroring) with this Apple TV. Apple TV
Allow host pairing Select this option to enable host pairing on devices. Please note if you do not enable this feature pairing with the supervision host will not be affected. In addition, if no supervision host certificate has been configured all pairing will be disabled
(Note: This feature is only supported on supervised devices.)
iOS7+
Supervise
Allow dictation Select this option to enableto use voice to enter text on your device. iOS10+
Supervise
WiFi Whitelisting This restriction allows iOS devices to be restricted into only using WiFi networks configured from the MDM or Apple Configurator. If there are no WiFi networks configured on the device, the restriction is removed from the device and it can then connect to available networks. If the only WiFi profiles on the device are networks that the device cannot reach, the device will have no connection to the internet and will not be receive MDM activities. Due to this, in order to use the restriction, it must first be enabled under Settings > General. If it is not enabled, the WiFi Whitelisting restriction will not be sent to the device. iOS10+
Supervise
Allow lock screen control center Select this option to allow the Control Center to be displayed on the lock screen. You may want to disable this feature if you’re concerned about potentially sensitive data in the Control Center iOS7+
Allow toasts (notifications) Specifies whether to allow toast notifications above the device lock screen. Windows 10
Allow lock screen notifications view Select this option to allow the Notification Center to be displayed on the lock screen. You may want to disable this feature if you’re concerned about potentially sensitive data in Notifications iOS7+
Allow lock screen today view Select this option to allow the Today view in Notification Center to be displayed on the lock screen. You may want to disable this feature if you’re concerned about potentially sensitive data in the Today View iOS7+
Allow opening documents from managed apps in unmanaged apps Select this option to only open documents from managed apps and accounts in other managed apps and accounts iOS7+
Allow opening documents from unmanaged apps in managed apps Select this option to only open documents from unmanaged apps and accounts in managed apps and accounts iOS7+
Treat AirDrop as unmanaged destination Select this option to cause AirDrop to be considered an unmanaged drop target. iOS9+
Allow OTA-PKI updates Select this option to allow over-the-air public key infrastructure (OTA-PKI) updates on devices iOS7+
Force limit Ad tracking Select this option to limit ad tracking on devices iOS7+
Allow YouTube Select this option to allow YouTube on devices iOS5 Only
Allow use of iTunes store Select this option to allow iTunes purchases from the iTunes store. If this option is disabled then the iTunes Store icon will be removed from the device iOS6+
Allow use of Podcasts Select this option to allow podcasts on the device.
Note: This feature is only supported on supervised devices
iOS7+
Supervise
Allow use of the News app Select this option to allow the News app. iOS9+
Supervise
Allow Apple Music Select this option to allow use of the iTunes Music Store. iOS9+
Supervise
Allow radio Select this option to allow use of iTunes Radio. iOS9+
Supervise
Allow use of the Safari browser Select this option to allow the use of the Safari browser on iOS devices. If this option is disabled then the Safari icon will be removed from the device and users will not be able to open web clips.
Note: Go to iTunes to learn more about the Lightspeed Systems Mobile Filter iOS app, which is a browser application that regulates and monitors web browsing when used in conjunction with Lightspeed Systems Web Filter for schools.
iOS6+
Enable autofill Select this option to enable auto fill on devices. If a device is lost or stolen autofill data could potentially be accessed iOS6+
Windows 8
Force fraud warning Select this option to force fraud warnings when users visit known fraudulent websites iOS6+
Windows 8
Enable JavaScript Select this option to enable JavaScript on devices
Note: Since JavaScript is very commonly used disabling this feature could make it difficult for users to browse the web
iOS6+
Allow pop-ups Select this option to allow pop-ups on devices iOS6+
Accept cookies Select Never, From visited sites, or Always from the dropdown list to configure the cookie settings on devices iOS6+
Ratings region Select Australia, Canada, France, Germany, Ireland, New Zealand, South Africa, United Kingdom, or United States from the dropdown list to set the country iOS6+
Movies Select the following from the dropdown list to set maximum allowable movie ratings level. The choices vary depending on the ratings region you selected above.

  • United States: Don’t Allow Movies, G, PG, PG-13, R, NC-17, or Allow All Movies
  • United Kingdom: Don’t Allow Movies, U, Uc, PG, 12, 12A, 15, 18, or Allow All Movies
  • Australia: Don’t Allow Movies, G, PG, M, MA15+, R18+, or Allow All Movies
  • Canada: Don’t Allow Movies, G, PG, 14A, 18A, R, or Allow All Movies
  • France: Don’t Allow Movies, -10, -12, -16, -18, or Allow All Movies
  • Germany: Don’t Allow Movies, ab 0 Jahren, ab 6 Jahren, ab 12 Jahren, ab 16 Jahren, ab 18 Jahren, or Allow All Movies
  • Ireland: Don’t Allow Movies, G, PG, 12, 15, 16, 18, or Allow All Movies
  • New Zealand: Don’t Allow Movies, G, PG, M, R13, R15, R16, R18, R, RP6, or Allow All Movies
  • South Africa: Don’t Allow Movies, PG, 10, 13, 16, 18, or Allow All Movies
iOS6+
TV Shows Select the following from the dropdown list to set the maximum allowable ratings level for TV shows. The choices vary depending on the ratings region you selected above.

  • United States: Don’t Allow TV Shows, TV-Y, TV-Y17, TV-G, TV-PG, TV-14, TV-MA, or Allow All TV Shows
  • United Kingdom: Don’t Allow TV Shows, Caution, or Allow All TV Shows
  • Canada: Don’t Allow TV Shows, C, C8, G, PG, 14+, 18+, or Allow All TV Shows
  • France: Don’t Allow TV Shows, -10, -12, -16, -18, or Allow All TV Shows
  • Germany: Don’t Allow TV Shows, ab 0 Jahren, ab 6 Jahren, ab 12 Jahren, ab 16 Jahren, ab 18 Jahren, or Allow All TV Shows
  • Ireland: Don’t Allow TV Shows, G, Ch, YA, PS, MA, or Allow All TV Shows
  • New Zealand: Don’t Allow TV Shows, G, PGR, AO, or Allow All TV Shows
  • South Africa: Don’t Allow TV Shows or Allow All TV Shows
iOS6+
Apps Select Don’t Allow Apps, 4+, 9+, 12+, 17+, or Allow All Apps from the dropdown list to set a maximum allowable rating levels of apps users can download and install iOS6+
Allow explicit content When disabled, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is marked as such by content providers, such as record labels, when sold through the iTunes Store. iOS6+
Allow erase all content and settings Select this option to allow users to erase all contents and settings
Note: This feature is only supported on supervised devices
iOS8+
Supervise
Allow spotlight to return internet results Select this option to allow Internet results in Spotlight
Note: This feature is only supported on supervised devices
iOS8+
Supervise
Allow enabling restrictions Select this option to allow users to enable restrictions
Note: This feature is only supported on supervised devices
iOS8+
Supervise
Allow handoff Select this option to allow handoff on devices iOS8+
Allow use of Dictionary Select this option to allow the built-in iOS dictionary
Note: This feature requires iOS 8.1.3 or higher in supervised mode
iOS8+
Supervise
Allow predictive keyboard Select this option to allow the iOS predictive keyboard (QuickType) feature
Note: This feature requires iOS 8.1.3 or higher
iOS8+
Supervise
Allow auto correction Select this option to allow the iOS autocorrection feature
Note: This feature requires iOS 8.1.3 or higher in supervised mode
iOS8+
Supervise
Allow spell check Select this option to allow the iOS spell check feature
Note: This feature requires iOS 8.1.3 or higher in supervised mode
iOS8+
Supervise
Autonomous single app mode permitted app ids Select this option and then click the plus sign (+) and enter an app identifier (for example, com.apple.mobilesafari) or select an installed app from the dropdown list for an app that will autonomously enter Single App Mode. Use the minus sign (-) to delete an app identifier. iOS7+
Supervise
Internet scripting Select this option to enable Internet scripting. (Disabling Internet scripting can cause problems with Windows validation.) Windows 8.1+
Internet plugins Select this option to enable Internet plugins Windows 8.1+
Internet popups blocked Select this option to block Internet popups Windows 8.1+
Always send Do Not Track header Select this option to always send do not track headers Windows 8.1+
Go to intranet for single word Select this option to use a single word entry as search criteria in OneBox Windows 8.1+
Diagnostics Submission Select this option to enable diagnostics submissions Windows 8.1+
Data Roaming Select this option to enable data roaming Windows 8.1+
Intranet security zone Select this option to enable Internet security zones Windows 8.1+
Internet security zone From the dropdown list select the Internet zone security level, which can be High, Medium-high, or Medium Windows 8.1+
Intranet security zone From the dropdown list select the intranet security zone level, which can be High, Medium-high, Medium, Medium-low, or Low Windows 8.1+
Trusted sites security zone From the dropdown list select the trusted sites security zone, which can be High, Medium-high, Medium, Medium-low, or Low Windows 8.1+
Restricted sites level From the dropdown list select the restricted security level, which can be High, Medium-high, Medium, Medium-low, or Low Windows 8.1+
Is Microsoft Account Optional Select this option to make Microsoft accounts optional to use Microsoft App deployment Program (ADP) apps. Windows 8.1+
Enable Windows Parental Controls. Select this option to enable parental control on devices. EOBO
Windows 8.1+
Logging Enabled Select this option to enable logging on a device. EOBO
Windows 8.1+
Hourly Restrictions Select this option to allow hourly restrictions. EOBO
Windows 8.1+
Override Requests Select this option to enable override requests. EOBO
Windows 8.1+
App Restrictions Select this option to enable app restrictions. EOBO
Windows 8.1+
Allow games Select this option to allow games. EOBO
Windows 8.1+
Allow unrated Games Select this option to allow unrated games. EOBO
Windows 8.1+
Maximum allowed game rating Select the following from the dropdown to select the maximum allowed game rating for the device. The choices vary depending on the ratings region (in the iOS and Apple TV table above) you selected.

  • United States: Early Childhood, Everyone, Everyone 10+, Teen, Mature, or Adults Only
  • United Kingdom: 3+, 7+, 12+, 16+, or 18+
  • Australia: G, PG, M, M15+, or R18+.
  • Canada: Early Childhood, Everyone, Everyone 10+, Teen, Mature, or Adults Only
  • France: 3+, 7+, 12+, 16+, or 18+
  • Germany: Everyone, 6+, 12+, 16+, or No Youth
  • Ireland: 3+, 7+, 12+, 16+, or 18+
  • New Zealand: G, PG, M, R13, R15, R16, or R18
  • South Africa: Children, 13 or older, 16 or older, or 18 or older.
EOBO
Windows 8.1+

Remember: Click the Save button to save any changes you make.

OS X

To view, edit, or delete OS X policies:

  • 1. To view, edit, or delete OS X policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete OS X policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click OS X. The following will be displayed:

OSX

Configurable OS X policy fields

CD’s allowedSelect this option to allow the use of CDs.OS X

Field Description OS Supported
Restrict system preferences Select this option to prevent modifications to the System Preferences. OS X
Allow use of Game Center Select this option to allow the Apple Game Center on OS X devices. OS X
Allow multiplayer gaming Select this option to allow multiplayer gaming OS X
Allow adding Game Center friends Select this option to allow users to add Game Center friends OS X
Allow Game Center account modification Select this option to allow users to modify their Game Center accounts. OS X
Allow App Store app adoption Select this option to allow users to users to use the Mac App Store. OS X
Require admin password to install or update apps Select this option to require an admin’s password to install or update apps. OS X
Restrict App Store to software updates only Select this option to restrict the use of the Mac App Store to updates only. OS X
Restrict which apps are allowed to launch Select this option to only allow specific apps to be launched on OS X devices. If you enable this option the following sub-options will be displayed:

  • Allowed Apps – Select the allowed apps from the dropdown list or click the plus sign (+) and enter an app identifier (for example, “Safari.app“). Use the minus sign () to delete an app identifier.
  • Allow apps to launch from these folders – Click the plus sign (+) and enter an allowed folder (for example, “/Applications“). Use the minus sign () to delete an allowed folder.
  • Disallow apps to launch from these folders – Click the plus sign (+) and enter a disallowed folder (for example, “/Documents“). Use the minus sign () to delete a disallowed folder.
    Note: If you chose to restrict by the “/Applications/” folder, it can have adverse effects to the extent that it will disable a lot of basic functionality of the OS X device, which would require admin rights to override.
OS X
Allow AirDrop Select this option to allow AirDrop on devices. OS X
Internal disks allowed Select this option to allow the use of internal drives (for example, an internal CD/DVD SuperDrive). OS X
Internal disks require authentication Select this option to require authentication to use internal drives (for example, an internal CD/DVD SuperDrive). OS X
Internal disks read-only Select this option to put internal drives (for example, an internal CD/DVD SuperDrive) in read-only mode. OS X
External disks allowed Select this option to allow the use of external drives. OS X
External disks require authentication Select this option to require authentication to use external drives. OS X
External disks read-only Select this option to put external drives in read-only mode. OS X
Disk images allowed Select this option to allow the use of disk images. OS X
Disk images require authentication Select this option to require authentication to use disk images. OS X
Disk images read-only Select this option to put disk images in read-only mode. OS X
DVD-RAM allowed Select this option to allow the use of DVD-RAM drives. OS X
DVD-RAM require authentication Select this option to require authentication to use DVD-RAM drives. OS X
DVD-RAM read-only Select this option to put DVD-RAM drives in read-only mode. OS X
CD’s require authentication Select this option to require authentication to use CDs. OS X
DVD’s allowed Select this option to allow the use of DVDs. OS X
DVD’s require authentication Select this option to require authentication to use DVDs. OS X
Recordable disks allowed Select this option to allow the use of all types of recordable disks. OS X
Recordable disks require authentication Select this option to require authentication to use any type of recordable disk. OS X
Eject at logout Select this option to eject all disks (both physical and virtual) when users log off. OS X
Share using AirDrop Select this option to allow sharing using AirDrop. OS X
Share using Facebook Select this option to allow sharing using Facebook. OS X
Share using Twitter Select this option to allow sharing using Twitter. OS X
Share using Mail Select this option to allow sharing using Mac Mail. OS X
Share using Messages Select this option to allow sharing using the Messages application. OS X
Share using video services (Flickr, Vimeo, Tudou and Youku) Select this option to allow sharing using popular video sites Flickr, Vimeo, Tudou, and Youku. OS X
Share using iPhoto Select this option to allow sharing using iPhoto. OS X
Share using Aperture Select this option to allow sharing using Apple Aperture. OS X
Share using Reading list Select this option to allow sharing using Safari’s Reading List feature. OS X
Share using Sina weibo Select this option to allow sharing using the Sina Weibo micro blogging site. OS X
Automatically enable new sharing services Select this option to automatically allow new sharing websites and services as they come online. OS X
Desktop wallpaper locked Select this option to lock an OS X device to a specific image. If you enable this option the following sub-option will be displayed:

  • Desktop wallpaper path (leave blank to keep current) – Enter the path of the image (for example, “/Library/Desktop Pictures“) or leave this field blank to lock the device to the current desktop image.
OS X

 

Remember: Click the Save button to save any changes you make.

Windows Defender

These settings allow you to control the behavior of Windows Defender on managed Windows devices. Windows Defender protects devices against viruses, malware, spyware and other malicious software.

These options are available for Windows 10.

To view, edit, or delete Windows Defender policies:

  • 1. To view, edit, or delete Windows Defender policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Windows Defender policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Windows Defender. The following will be displayed:

Windows Defender

Tip: One example of how this helps IT is “Allowing Full Scan on Network Drives” — something you would generally not want end users to be able to do. If end users thought they were doing the “safe” thing by scanning these network files, this could have a significantly negative impact.

Configurable Windows Defender parameters:

  • Allow cloud-based protection – To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions.
  • Allow archive scanning – Indicates whether to scan archive files, such as .zip and .cab files, for malicious and unwanted software.
  • Allow behavior monitoring – Indicates whether to enable behavior monitoring to protect against unknown exploits.
  • Allow email scanning – Indicates whether Windows Defender parses the mailbox and mail files, according to their specific format, in order to analyze mail bodies and attachments. Windows Defender supports several formats, including .pst, .dbx, .mbx, .mime, and .binhex.
  • Allow full scan on mapped drives – Indicates whether to scan mapped network drives.
  • Allow full scan on removable drives – Indicates whether to scan for malicious and unwanted software in removable drives, such as flash drives, during a full scan.
  • Allow intrusion prevention functionality – Indicates whether to configure network protection against exploitation of known vulnerabilities.
  • Allow IOAV protection – Indicates whether Windows Defender scans all downloaded files and attachments.
  • Allow on access protection – Allows or disallows Windows Defender On Access Protection functionality.
  • Allow real-time protection – Indicates whether to use real-time protection. Recommended
  • Allow scanning network files – Indicates whether to scan for network files. It is not recommended to scan network files.
  • Allow script scanning – Specifies whether to disable the scanning of scripts during malware scans.
  • Allow user to launch defender – Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed.
  • Average CPU percentage for scans – Specifies the maximum percentage CPU usage for a scan. The acceptable values for this parameter are: integers from 5 through 100, and the value 0, which disables CPU throttling. Windows Defender does not exceed the percentage of CPU usage that you specify. The default value is 50.
  • Days to retain cleaned malware – Specifies the number of days to keep items in the Quarantine folder. If you specify a value of zero or do not specify a value for this parameter, items stay in the Quarantine folder indefinitely.
  • Real-time scan direction – Specifies scanning configuration for incoming and outgoing files on NTFS volumes.
  • Scan type – Specifies the scan type to use during a scheduled scan.
  • Scheduled quick scan time – Specifies the time of day, as the number of minutes after midnight, to perform a scheduled quick scan. The time refers to the local time on the computer.
  • Scheduled scan day – Specifies the day of the week on which to perform a scheduled scan. Alternatively, specify everyday for a scheduled scan or never.
  • Scheduled scan time – Specifies the time of day, as the number of minutes after midnight, to perform a scheduled scan. The time refers to the local time on the computer.
  • Update signature interval (hours) – Specifies the interval, in hours, at which to check for definition updates. The acceptable values for this parameter are: integers from 1 through 24. If you do not specify a value for this parameter, Windows Defender checks at the default interval.
  • Sample submission – Specifies how Windows Defender checks for user consent for certain samples. If consent has previously been granted, Windows Defender submits the samples.

Remember: Click the Save button to save any changes you make.

Windows Update

These settings allow you to control the behavior of Windows Update on managed Windows devices.

These options are available for Windows 10.

To view, edit, or delete Windows Update policies:

  • 1. To view, edit, or delete Windows Update policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Windows Update policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Windows Update. The following will be displayed:

Windows Update

Field Values OS Supported
Update method Options:

  • Notify user
  • Auto download only
  • Auto install and restart
  • Auto install and restart at specific time
  • Auto install and restart without user control
  • Disable automatic updates
Windows 10
Scheduled install day Options:

  • Everyday
  • Monday … Sunday
Windows 10
Scheduled install time Options:

  • 00:00 … 03:00 … 23:00 hrs
Windows 10
Allow custom update server OffTo deploy Windows update packages from a network location, rather than from the official Windows Update website, turn this option On, then enter the URL for the update server in the Update Service URL field below. Windows 10
Allow non-Microsoft signed updates OffTo update other applications, and not just Windows, turn this option On. Updates will be sourced from the location specified in the Update Service URL field below. Windows 10
Update service URL Enter the URL or IP Address for the update service in this field. Windows 10
Defer non-security upgrades OffTo conserve bandwidth, turn this option On to configure Windows Update to send security patches only. Windows 10

Passcode

To view, edit, or delete profile passcode settings:

  • To view, edit, or delete profile passcode policies for the entire organization navigate to the dashboard home page. To view, edit, or delete profile passcode policies for a group or sub group navigate to that group or sub group.
  • Click Policies.
  • Click Passcode. The following will be displayed:

Passcode

Configurable passcode parameters:

Field Description OS Supported
Allow simple value Select (check) this option to allow a simple value, which is defined as containing repeating characters, increasing characters (for example, “abcdef”, “789”), or decreasing characters (for example, “654”, “fedcba”) iOS6+, OS X
Disallow convenience logon Select (check) this option to the ability to prevent convenience logons Windows 8.1
Password complexity From the dropdown list select the password complexity (Require Lowercase, Require Uppercase, Require Numbers, or Require Non-Alphanumeric) Windows 8.1
Require alphanumeric value Select (check) this option to require an alphanumeric value iOS6+, OS X
Minimum passcode length Select 0 (the default) through 10 from the dropdown list to set the number of characters in the passcode iOS6+, Android, OS X, Windows 8.1
Minimum number of complex characters Select 0 (the default) through 4 from the dropdown list to set the number of complex characters (a mix of lowercase letters, uppercase letters, digits, and non alphanumeric characters) in the passcode iOS6+, Android, OS X, Windows
Auto Lock Select Never (the default), 1 minute2 minutes3 minutes4 minutes5 minutes, 10 minutes, or 15 minutes from the dropdown list to set mobile device auto lock iOS6+, Android, OS X, Windows
Maximum passcode age Enter 1 through 730 or none to set the maximum passcode age in days iOS6+, Android, OS X, Windows 8.1
Passcode history Enter 1 through 50 or none to set the number of passcodes stored in the database history iOS6+, Android, OS X, Windows 8.1
Grace period for device lock Select Immediately (the default), 1 minute, 5 minutes15 minutes1 hour, or 4 hours from the dropdown list to set the grace period for mobile device lockouts before users can try to log in again iOS6+, OS X
Maximum number of failed attempts Select 2 through 10 (the default) from the dropdown list to set the maximum number of times users can enter an incorrect passcode before they are locked out iOS6+, Android, OS X, Windows 8.1

Remember: Click the Save button to save any changes you make.

Wi-Fi

To view, edit, or delete Wi-Fi policies on mobile devices:

  • To view, edit, or delete Wi-Fi policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Wi-Fi policies for a group or sub group, navigate to that group or sub group.
  • Click Policies.
  • Click Wi-Fi.
  • If there are no current Wi-Fi policies, click Add New. The following will be displayed:

Wifi

The configurable Wi-Fi settings are described below.

Field Description Proxy Setup OS Supported
SSID Enter the SSID of the Wi-Fi network to be used None, Manual, Automatic iOS6+, Android, OS X, Windows 8.1, Apple TV
Hidden network Select (check) this option to set the target network as open and broadcasting None, Manual, Automatic iOS6+, Android, OS X, Windows 8.1, Apple TV
Auto join Select (check) this option to automatically join wireless networks None, Manual, Automatic iOS, Android, OS X, Windows 8.1, Apple TV
Auto switch Select (check) this option to automatically switch to a more preferred network when ones comes in range None Windows 8.1
Cache user data Select (check) this option to cache users’ credentials for future requests None Windows 8.1
PMK cache mode Select (check) this option to enable Pairwise Master Key (PMK) caching None Windows 8.1
Authentication method From the dropdown list select the type of credentials used for authentication, which can be Machine or User, User, Machine, or Guest None Windows 8.1
Proxy setup Select None (the default), Manual, or Automatic from the dropdown list to configure proxies to be used with this network None, Manual, Automatic iOS6+, Android, OS X, Apple TV
Validate Proxy Toggle this option on or off in order to force proxy validation.

Note: Disabling the new Validate proxy option allows you to save a local address without validation. This can result in an incorrect entry causing all devices receiving this policy to lose connection to the network, forcing a device reset to regain network connectivity.

Manual iOS6+, Android, OS X, Apple TV
Proxy server Enter the host name or IP address of proxy server Manual iOS6+, Android, OS X, Apple TV
Proxy port Enter the port number for the proxy server Manual iOS6+, Android, OS X, Apple TV
User name Enter the user name used to connect to the proxy server Manual iOS6+, Android, OS X, Apple TV
Password Enter the password used to authenticate with the proxy server Manual iOS6+, Android, OS X, Apple TV
Proxy PAC URL Enter the Proxy Auto Configuration (PAC) URL used to retrieve proxy settings Automatic iOS6+, Android, OS X, Apple TV
Security type Select None (the default), Private PSK, WEP PersonalWPA / WPA2 PersonalAnyWEP EnterpriseWPA / WPA2 Enterprise, or Any (Enterprise) from the dropdown list to set the wireless network encryption to use when connecting None, Manual, Automatic iOS6+, Android, OS X, Windows 8.1, Apple TV
Pass key Enter the pass key to connect to the wireless network None, Manual, Automatic iOS6+, Android, OS X, Windows 8.1, Apple TV
Identity certificate From the dropdown list select the SCEP policy.
Note: Before you can use this feature you must first configure a SCEP policy and then set the security type to any of the enterprise types, and then enable at least one of the following:
EAP-TLS
EAP-TTLS
EAP-PEAP
EAP-FAST
None iOS 6+
Single sign on Check (select) this option to enable single sign on None iOS 6+, OS X, Apple TV
Single sign on Setting From the dropdown list select when the Windows users should authenticate, which can be PreLogon or PostLogon None Windows 8.1
Federal Information Processing Standards (FIPS) Check (select) this option to enable Federal Information Processing Standards (FIPS) None Windows 8.1
fips hex Enter a 40-digit SHA-1 hexadecimal string for FIPS if enabled above None Windows 8.1
EAP-TLS Check (select) this option to enable the Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) authentication type None, Manual, Automatic iOS6+, OS X, Windows 8.1, Apple TV
EAP-LEAP Check (select) this option to enable the Extensible Authentication Protocol (EAP) Cisco Lightweight Extensible Authentication Protocol (LEAP) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
EAP-SIM Check (select) this option to enable the Extensible Authentication Protocol (EAP) GSM Subscriber Identity Module (SIM) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
EAP-TTLS Check (select) this option to enable the Extensible Authentication Protocol (EAP) Tunneled Transport Layer Security (TTLS) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
EAP-AKA Check (select) this option to enable the Extensible Authentication Protocol (EAP) Universal Mobile Telecommunications System (UMTS) Authentication and Key Agreement (AKA) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
EAP-PEAP Check (select) this option to enable the Extensible Authentication Protocol (EAP) Protected Extensible Authentication Protocol (PEAP) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
EAP-MS-CHAP v2 Check (select) this option to enable Extensible Authentication Protocol (EAP) Microsoft Challenge Handshake Authentication Protocol (CHAP) v2 None Windows 8.1
EAP-FAST Check (select) this option to enable the Extensible Authentication Protocol (EAP) Cisco Flexible Authentication via Secure Tunneling (FAST) authentication type None, Manual, Automatic iOS6+, OS X, Apple TV
Fast reconnect Check (select) this option to enable fast reconnect None Windows 8.1
Use winlogon credentials Check (select) this option to enable the use of winlogon user credentials None Windows 8.1
Disable user prompt for server validations Check (select) this option to enable server validations without the need of server input None Windows 8.1
Enable quarantine checks Check (select) this option to perform Network Access Protection (NAP) checks None Windows 8.1
Require crypto binding Check (select) this option to make PEAP authenticate with servers that do not support crypto-binding None Windows 8.1
Different Username Check (select) this option to allow TLS to use a user name other than the name that appears on the certificate. None Windows 8.1
Use PAC Select (check) this option to use Proxy Auto Configuration (PAC) None, Manual, Automatic iOS6+, OS X, Apple TV
Provision PAC Select (check) this option to enable Proxy Auto Configuration (PAC) provisioning None, Manual, Automatic iOS6+, OS X, Apple TV
Provision PAC Anonymously Select (check) this option to enable anonymous Proxy Auto Configuration (PAC) provisioning None, Manual, Automatic iOS6+, OS X, Apple TV
Username Enter the username for the account None, Manual, Automatic iOS6+, OS X, Apple TV
User password Enter the password for the account None, Manual, Automatic iOS6+, OS X, Apple TV
TTLS Inner Authentication From the dropdown list select the TTLS inner authentication method, which can PAP(Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP (Microsoft CHAP), or MSCHAPv2 None, Manual, Automatic iOS6+, OS X, Apple TV
Outer identity Enter the optional outer identity authentication method None, Manual, Automatic iOS6+, OS X, Apple TV

Note:

Click the Save button to save any changes you make.

Mail

To view, edit, or delete mail policies:

  • 1. To view, edit, or delete mail policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete mail policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Mail.
  • 4. If there are no current Mail policies, click Add New. The following will be displayed:

Mail

Configurable mail fields:

Field Description OS Supported
Account Description Enter the display name of the account iOS6+, Windows
Account type Select the protocol accessing the email account from the dropdown list, which can be IMAP (the default) or POP iOS6+, Windows
IMAP Path Prefix Optional. Enter the path prefix for the account iOS6+, Windows
User Display Name Enter user display name for the account iOS6+, Windows
Email address Enter the email address for the account iOS6+, Windows
Do not allow user to move messages from this account Select (check) this option to prevent users from moving messages from this account iOS6+, Windows
Exclude this account from address Recent syncing Select (check) this option to include the account on this device with address Recent syncing iOS6+, Windows
Send outgoing mail from this account using mail app only Select (check) this option to let users use mail apps other than the default mail app iOS6+, Windows
Enable S/MIME Select (check) this option to enable Secure/Multipurpose Internet Mail Extensions (S/MIME) iOS6+, Windows
Signing certificate From the dropdown list select the certificate used to sign messages sent from this account.
Note: Before you can use this feature you must first configure a SCEP policy and then enable S/MIME
iOS6+
Encryption certificate From the dropdown list select the certificate used to decrypt messages sent to this account.
Note: Before you can use this feature you must first configure a SCEP policy and then enable S/MIME
iOS6+
Incoming Email server Enter the hostname or IP address for the incoming mail server iOS6+, Windows
Incoming Port Number Enter the port number for the incoming email server iOS6+, Windows
Incoming User Name Enter the user name used to connect to the server for incoming mail iOS6+, Windows
Incoming Authentication Type Select the authentication method for the incoming mail server from the dropdown list, which can be None (the default), PasswordMD5-Challenge-ResponseNTLM, or HTTP MD5 Digest iOS6+, Windows
Incoming Password Enter the password for the incoming email server iOS6+, Windows
Retrieve emails through SSL Select (check) this option to allow the retrieval of emails without SSL for the incoming mail server iOS6+, Windows
Outgoing Email Server Enter the hostname or IP address for the outgoing mail server iOS6+, Windows
Outgoing Port Number Enter the port number for the outgoing email server iOS6+, Windows
Outgoing User Name Enter the user name used to connect to the server for outgoing mail iOS6+, Windows
Outgoing Authentication type Select the authentication method for the outgoing mail server from the dropdown list, which can be None (the default), PasswordMD5-Challenge-ResponseNTLM, or HTTP MD5 Digest iOS6+, Windows
Outgoing password same as incoming Select (check) this option to set the outgoing password the same as the incoming password iOS6+, Windows
Outgoing Password Enter the password for the outgoing email server iOS6+, Windows
Send emails through SSL Select (check) this option to allow the retrieval of emails without SSL for the outgoing mail server iOS6+, Windows

Exchange ActiveSync

To view, edit, or delete Microsoft Exchange ActiveSync policies:

  • 1. To view, edit, or delete Exchange ActiveSync policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Exchange ActiveSync policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Exchange ActiveSync.
  • 4. If there are no current Exchange ActiveSync policies click Add New. The following will be displayed:

Exchange Activesync

Configurable Microsoft Exchange ActiveSync fields:

Field Description OS Supported
Connection Type Exchange ActiveSync or Exchange Web Services iOS6+, OS X
Display Name How the name will be displayed to others) iOS6+, OS X
Email Address Enter the email address of the account iOS6+, Windows, OS X
Internal Exchange ActiveSync host Enter the Microsoft Exchange server name or IP address for the Exchange ActiveSync host iOS6+, Windows, OS X
Use SSL Select (check) this option to allow access to the Exchange ActiveSync server without SSL iOS6+, Windows, OS X
User Enter the user name for the account with domain\username iOS6+, Windows, OS X
Password Enter the password for the account iOS6+, Windows, OS X
Past days of mail to sync Select the number of past days of mail to synchronize from the dropdown list, which can be No Limit (the default), 1 day, 3 days, 1 week, 2 weeks, or 1 month iOS6+, Windows, OS X
Authentication Credential Select the certificate used to sign and/or decrypt messages sent from this account.
Note: Before you can use this feature you must first configure a SCEP policy and then enable S/MIME
iOS6+
Do not allow user to move messages from this account Select (check) this option to prevent users from moving messages from this account iOS6+, Windows, OS X
Exclude this account from recent address syncing Select (check) this option to include the account on this device with address Recent syncing iOS6+, Windows, OS X
Send outgoing mail from this account using mail app only Select (check) this option to let users use mail apps other than the default mail app iOS6+, Windows, OS X
Enable S/MIME Select (check) this option to enable Secure/Multipurpose Internet Mail Extensions (S/MIME) iOS6+, Windows, OS X

Google Accounts

Google Accounts can be added through Mobile Manager on iOS 9.3 devices. This allows you to easily remotely assign specific Google Accounts to specific devices.

Within the Mobile Manager interface, navigate to Policies and click on Google Accounts.

Google Accounts

Click Add New in the right hand corner. Fill out the required fields and click Save to add the account.

Google Accounts2

 

Note: You can add multiple Google accounts at once by utilizing payload variables. Each Google payload sets up a Google email address as well as any other Google services that the user enables after authentication. You can use various payload variables (such as %email%) to securely fill the Google Accounts fields. You can learn more about Google’s payload variables here

LDAP

To view, edit, or delete Lightweight Directory Access Protocol (LDAP) policies:

Note:

LDAP policies are only supported on iOS6+ and OS X devices.

  • 1. To view, edit, or delete LDAP policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete LDAP policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click LDAP.
  • 4. If there are no current LDAP policies click Add New.

LDAP

Configurable LDAP settings:

Field Description OS Supported
Description Enter a meaningful description of the LDAP server iOS6+, OS X
Username Enter the username for this LDAP account iOS6+, OS X
Password Enter the password for this LDAP account iOS6+, OS X
Hostname Enter the LDAP hostname or IP address iOS6+, OS X
Use SSL Check (select) Use SSL to enable Secure Socket Layer (SSL) for this LDAP connection iOS6+, OS X
Search Settings Click the plus sign to create a search string or click the minus sign to delete one. Perform the following to create a new search string:

  • 1. Click the plus sign.
  • 2. Enter a meaningful description.
  • 3. From the dropdown select the search scope (Base, One Level, or Subtree).
  • 4. Enter the search base (for example, “ou=Kindergarten, o=My School”).
iOS6+, OS X

Calendar

To view, edit, or delete calendar (CalDav) policies:

    • 1. To view, edit, or delete calendar policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete CalDav policies for a group or sub group, navigate to that group or sub group.
    • 2. Click Policies.
    • 3. Click Calendar. The following will be displayed:

Calendar

    • 4. To create a new CalDav policy click Add New. The following will be displayed:

Calendar2

Configurable calendar (CalDav) fields:

Field Description OS Supported
Account description Enter the display name for the account iOS6+, Windows
Account hostname Enter the CalDav host name or IP address for the account iOS6+, Windows
Account username Enter the CalDav user name iOS6+, Windows
Account password Enter the CalDav password for the account iOS6+, Windows
Use SSL Select (check) this option to disable SSL communication with the CalDav server iOS6+, Windows
Account port Enter the CalDav server port number iOS6+, Windows
Principal URL Enter the principal URL for the CalDav account iOS6+, Windows

Contacts

To view, edit, or delete contact (CardDav) policies:

    • 1. To view, edit, or delete contact policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete contact policies for a group or sub group, navigate to that group or sub group.
    • 2. Click Policies.
    • 3. Click Contacts. The following will be displayed:

Contacts

    • 4. To create a new Contacts policy click Add New. The following will be displayed:

Contacts2

Configurable contacts (CardDav) fields:

Field Description OS Supported
Account description Enter the display name for the account. iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Account hostname Enter the CardDav host name or IP address for the account iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Account username Enter the CardDav user name iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Account password Enter the CardDav password for the account iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Use SSL Select (check) this option to disable SSL communication with the CardDav server iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Account port Enter the CardDav server port number iOS6+, Windows, OS X 10.8+ (Mountain Lion)
Principal URL Enter the principal URL for the CardDav account iOS6+, Windows, OS X 10.8+ (Mountain Lion)

Shared Documents

Use this section to configure access to documents stored on an OS X server.

To view, edit, or delete Shared Documents policies:

  • 1. To view, add, edit, or delete Shared Documents for the entire organization, navigate to the dashboard home page. To view, add, edit, or delete Shared Documents for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Shared Documents. The following will be displayed:

Shared Documents

  • 4. To create a new Shared Documents policy click Add New. The following will be displayed:

Shared Documents 2

 Configurable Shared Documents parameters

Field Description OS Supported
Description  Enter a description for the document iOS 9 +
Hostname  Enter the hostname of the OS X server iOS 9 +
Username  Enter the username to log into the OS X server iOS 9 +
Password  Enter the password associated with the login username iOS 9 +
Port  Enter the port number to connect to the OS X server iOS 9 +

Subscribed Calendars

To view, edit, or delete subscribed calendars policies:

  • 1. To view, edit, or delete calendar subscription policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete calendar subscription policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Subscribed Calendars.
  • 4. To add a new subscribed calendars policy click Add New. The following will be displayed:

Subscribed Calendars

Configurable calendar subscription settings:

Field Description OS Supported
Description Enter a description for the calendar subscription iOS6+
URL Enter the URL for the calendar file iOS6+
User Enter a user name for this calendar subscription iOS6+
Password Enter a password for this calendar subscription iOS6+
Use SSL Select (check) this option to disable SSL communication with the calendar server iOS6+

Wallpaper

Note: This policy only works on supervised devices.

To view, edit, or delete profile Wallpaper settings:

To view, edit, or delete profile wallpaper policies for the entire organization navigate to the dashboard home page. To view, edit, or delete profile wallpaper policies for a group or sub group navigate to that group or sub group.

  • 1. Click Policies.
  • 2. Click Wallpaper. The following will be displayed:

Wallpaper

Configurable wallpaper parameters

Field Description OS Supported
Wallpaper Click Select wallpaper to choose and upload an image file from disk. iOS 6 +
Supervised
Location Options:

  • – Both
  • – Lock Screen
  • – Home Screen
iOS 6 +
Supervised

Note: Wallpapers can be removed under Settings > Wallpaper Management. 

Web Shortcuts

With Web Shortcut policies you can push web clips to devices. These web shortcuts appear as Icons on the devices that users can tap to access a URL. They can be used for device enrollment and as a way for younger students to access websites without entering a URL.

To view, edit, or delete web clip policies:

  • 1. To view, edit, or delete web clip policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete web clip policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Web Clips.
  • 4. If necessary, click On Campus to configure an internal Web Clips policy or click Global (the default) to configure a global Web Clips policy.
  • 5. To add a new web clip profile click Add New. The following will be displayed:

Web Shortcuts

Configurable web shortcut parameters:

Field Description OS Supported
Label Enter the name of the label used to describe the web shortcut iOS6+, OS X, Windows 8.1, LMA Agent
URL Enter the URL to be displayed when the web shortcut is opened
Note: You can use the %user_enrollment_url% variable in this field. See Policy Variables for more information.
iOS6+, OS X, Windows 8.1, LMA Agent
Removable Select (check) this option to enable removal of the web shortcut iOS6+
Icon Click Select Icon to add a custom icon to this Web Shortcut.
Note: See below for detailed steps to add a custom icon.
iOS6+, OS X

Creating a Custom Web Clip Icon

Follow the steps below to create a custom Icon for iOS6+ and OS X Web Shortcuts. Please note that on iOS6+ devices the custom Icon will be replaced by the website’s Icon once it has been visited.

  • 1. Follow the steps above to configure a new Web Shortcut.
  • 2. In the Icon row click Select Icon.

Web Shortcuts 2

The following will be displayed:

Web Shortcuts 3

 

  • 3. Perform one of the following:
    • Use an existing Icon: Select an existing Icon and then click Select. Proceed to Step 4.
    • Upload a new Icon: Click Upload. The following will be displayed.

MM-webclips4

    • Drag and drop the Icon or click Browse to search for the icon on your computer. If you clicked Browse select the Icon and then click Choose.
    • Click Add.
  • 4. Click Save. The custom Icon will be displayed in the Icon row next to the Select Icon button as shown below.

Web Shortcuts 4

Note: Some Websites have an “Apple Touch” Icon built coded by default. This will override the custom icon setup in mobile mangager option.

Global Proxy

By configuring a global proxy using a web filter, such as the Lightspeed Systems Rocket, you can ensure that content is filtered for users whenever or wherever they are.

Note: This policy only works on supervised devices.

To view, edit, or delete a global HTTP proxy policies:

  • 1. To view, edit, or delete global proxy policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete global proxy policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Global Proxy. The following will be displayed:

Configurable global HTTP proxy parameters:

Field Description Proxy Type OS Supported
Type From the dropdown list select the type of global proxy, which can be Auto or Manual Auto, Manual iOS6+ (supervised)
Validate Proxy  The Validate Proxy switch provides the option to bypass PAC File validation. Manual iOS6+ (supervised)
Server Enter the IP address of the proxy server. For the Rocket enter the FQDN that is accessible internally and externally. In addition, you should install the SSL certificate from the Rocket appliance since some SSL sites will not work if the certificate is not installed as a trusted root authority
Note: See the Configuring Server Roles Rocket manual page for information about configuring a Rocket appliance as a proxy server.
Manual iOS6+ (supervised)
Port Enter the port number for the proxy server Manual iOS6+ (supervised)
User name Enter the user name to authenticate the proxy server Manual iOS6+ (supervised)
Password Enter the password to authenticate the proxy server Manual iOS6+ (supervised)
PAC File URL Enter the URL for the Proxy Automatic Configuration (PAC) file that will automatically select the proxy server Auto iOS6+ (supervised)
Bypass proxy if PAC unreachable. Check (select) this option to let devices bypass the proxy if the PAC file is unreachable Auto iOS7+ (supervised)
Bypass proxy for captive login. Check (select) this option to let devices bypass the proxy for captive logins Auto, Manual iOS7+ (supervised)

App Lock

App lock policies lock a device to a single application. The app lock policy disables the home button and forces the device to return to the application upon a wake up or reboot.

Note: This policy only works on supervised devices.

Note:If App lock is not present then the other restrictions/options will not be applied. This is how Apple designed it.

Tip: Deploy the app “LockApp.ipa” on managed iOS devices. You’ll then be able to put LockApp into Single App Mode on lost or stolen devices, to prevent the device from being used until it is recovered. Download LockApp.ipa here: http://lightspeed-apps.s3.amazonaws.com/lockapp/lockapp.ipa

To view, edit, or delete an app lock policy:

    • 1. To view, edit, or delete app lock policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete app lock policies for a group, sub group, or user navigate to that group, sub group, or user.
    • 2. Click Policies.
    • 3. Click App Lock. The following will be displayed:

App Lock

  • 4. If necessary, click On Campus to configure an internal App Lock policy or click Global (the default) to configure a global App Lock policy.

Configurable App Lock fields:

Field Description OS Supported
Application Select the application you want to lock the device to or None (no application) from the dropdown list. iOS6+ (supervised)
Disable touch screen Check (select) this option to disable the touch screen iOS7+ (supervised)
Disable device rotation sensing Check (select) this option to disable rotation sensing iOS7+ (supervised)
Disable volume buttons Check (select) this option to disable the volume buttons iOS7+ (supervised)
Disable use of ringer switch Check (select) this option to disable the ringer switch iOS7+ (supervised)
Disable sleep/wake button Check (select) this option to disable the sleep/wake button iOS7+ (supervised)
Disable auto lock Check (select) this option to disable auto lock iOS7+ (supervised)
Enable VoiceOver Check (select) this option to enable voice over iOS7+ (supervised)
Allow VoiceOver adjustment Check (select) this option to enable voice over adjustment. Users need to triple-click the Home button to make adjustments iOS7+ (supervised)
Enable zoom Check (select) this option to enable zoom iOS7+ (supervised)
Allow zoom adjustment Check (select) this option to enable zoom adjustment. Users need to triple-click the Home button to make adjustments iOS7+ (supervised)
Enable invert colors Check (select) this option to enable inverting colors iOS7+ (supervised)
Allow invert colors adjustment Check (select) this option to enable invert colors adjustment. Users need to triple-click the Home button to make adjustments iOS7+ (supervised)
Enable AssistiveTouch Check (select) this option to enable the assistant touch iOS7+ (supervised)
Allow AssistiveTouch adjustment Check (select) this option to enable AssistiveTouch adjustment. Users need to triple-click the Home button to make adjustments iOS7+ (supervised)
Enable speak selection Check (select) this option to enable speak selection iOS7+ (supervised)
Enable mono audio Check (select) this option to enable mono audio iOS7+ (supervised)

App Permissions

Note: This policy only works on supervised devices.

The App Permissions policy allows you to select any app from the iOS App Store and “remove” it from all of your supervised iOS devices that are running 9.3 or higher (in addition, the feature supports the removal of some built-in apps.) The command does not uninstall the app, instead, it hides it from view so that it cannot be opened.

This feature gives you complete control over the apps your users can access! Want to force your users to only use Chrome? You can hide the default Safari browser! Have a list of apps that you want blocked, such as Snapchat, Facebook, and other popular apps? Block them all!

You can access the feature by navigating to Mobile Manager and clicking on App Permissions.

ap1

The following screen will appear. Click Add New to add a new App Permission.

ap2

The following screen will appear. Click Search App to search for an app to block.

ap3

The following screen will appear. Search for any app in the search box. In our example, we searched for Garageband. Click the app you wish to block from the results list.

ap4

You will now see the App displayed to the left of the Search Apps button. In order to block the app, simply toggle the Block App button by clicking it. Click Save. Repeat this process for every app you wish to block.

ap5

The following built-in apps can be hidden with App Permissions:

  • Stocks
  • Home
  • Photo booth
  • Weather
  • Mail
  • Notes
  • News
  • Music
  • iTunes Store
  • Reminders
  • Maps
  • Compass
  • Tips
  • Voice memos
  • Contacts
  • Find friends
  • Find iPhone
  • iTunes u
  • iMovie
  • Watch
  • iTunes Store
  • Calculator
  • Podcasts
  • FaceTime
  • TV

The following built-in apps currently cannot be hidden with App Permissions:

  • Camera (can be blocked with the Allow use of Camera Restriction)
  • Messages
  • Health
  • Photos
  • Wallet
  • Game Center
  • App Store (can be blocked with the Allow installing apps using appstore Restriction)
  • Clock
  • Settings
  • Phone

APN / Cellular

With APN policies you can set the Wi-Fi Access Point Name on mobile devices. This can be particularly useful if you want mobile devices to use Wi-Fi instead of a cellular network.

To view, edit, or delete Access Point Name (APN) policies:

Note:

This feature only applies to iOS6+. In addition, APNs are not always modifiable. And in the United States you must have an unlocked phone for this to work.

    • 1. To view, edit, or delete APN policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete APN policies for a group or sub group, navigate to that group or sub group.
    • 2. Click Policies.
    • 3. Click APN. The following will be displayed:
    • 4. To assign a new APN policy click Add New. The following will be displayed:

Configurable APN settings:

Field Description OS Supported
Access point name (APN) Enter the name of the General Packet Radio Service (GPRS) carrier access point iOS6+
Authentication type From the dropdown list select the authentication type, which can PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) iOS7+
User name Enter the user name used to connect to the access point. If this is left blank then the user will be prompted for it during profile installation. iOS6+
Password Enter an optional password used to authenticate with the proxy server iOS6+
Proxy server Enter the host name or IP address of proxy server iOS6+
Proxy port Enter the port number for the proxy server iOS6+
IP Version Select whether to use IPv4 or IPv6 iOS10+
IP Version while roaming Select whether to use IPv4 or IPv6 iOS10+
IP Version while domestic roaming Select whether to use IPv4 or IPv6 iOS10+

AirPlay

AirPlay lets users stream audio and video from their iOS devices to external devices. To view, edit, or delete AirPlay policies:

Note: AirPlay policies are only supported on iOS 7+ devices and OS X devices.

  • 1. To view, edit, or delete AirPlay policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete AirPlay policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click AirPlay. The following will be displayed:

AirPlay

  • 4. If necessary, click On Campus to configure an internal AirPlay policy or click Global (the default) to configure a global AirPlay policy.

Configurable AirPlay settings:

Field Description OS Supported
Whitelist Click the plus sign (+) and enter the device ID in the format XX:XX:XX:XX:XX:XX for the AirPlay destination device. Use the minus sign () to delete destination devices.
Note: This feature is only supported on supervised devices.
iOS7+
Passwords Click the plus sign (+) and enter passwords for the AirPlay destination devices you entered above. Use the minus sign () to delete a password. iOS7+

AirPrint

AirPrint lets users print wirelessly from their iOS devices. To view, edit, or delete AirPrint policies:

Note: AirPrint policies are only supported on iOS 7+ devices and OS X devices.

  • 1. To view, edit, or delete AirPrint policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete AirPrint policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click AirPrint. The following will be displayed:

AirPrint

  • 4. If necessary, click On Campus to configure an internal AirPrint policy or click Global (the default) to configure a global AirPrint policy.

Configurable AirPrint settings:

Field Description OS Supported
Printers Click the plus sign (+) and enter the IP address and Bonjour Resource Path (for example, printers/Canon_MG5300_series) of the printer. Use the minus sign () to delete a printer. iOS7+

Single Sign On

Single Sign On (SSO) allows user credentials to be used across apps. To view, edit, or delete SSO policies:

Note:

SSO policies are only supported on iOS 7+ devices.

  • 1. To view, edit, or delete SSO policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete SSO policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Single Sign On. The following will be displayed:

Single Sign On

Configurable SSO settings:

Field Description OS Supported
Name Enter a display name for the SSO account iOS7+
Principal Name Enter the Kerberos principal name, which will be in all apps supporting SSO iOS7+
Identity certificate From the dropdown list select the SCEP policy.
Note: Before you can use this feature you must first configure a SCEP policy
iOS 7+
Realm Enter the Kerberos realm name, which will be in all apps supporting SSO iOS7+
URL Patterns Click the plus sign (+) and enter a URL prefix that must be matched to use this SSO account for Kerberos authentication over HTTP. Use the minus sign () to delete a URL prefix iOS7+
App Identifiers Click the plus sign (+) and enter an app identifier (for example, com.apple.mobilesafari) or select an installed app from the dropdown list for an app that will be allowed to use SSO. Use the minus sign () to delete an app identifier.
Note: If this field is blank then all apps that can use SSO will be allowed to use it.
iOS7+

Web Content Filter

Note: This policy only works on supervised devices.

Note: On devices running iOS 9.1 or newer, use the Web Filter for iOS app to filter devices on and off the network. Refer to Web Filter for iOS for detailed setup instructions.

On devices running iOS 7 or newer, admins can also use Web Content Filter policies to create lists of permitted URLs, blocked URLs, or both, on .

To view, edit, or delete Web Content Filter policies:

Note:

These Web Content Filter policies in Mobile Manager do not affect policies created in Lightspeed Systems Web Filter product, and vice versa.

  • 1. To view, edit, or delete Web Content Filter policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Web Content Filter policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Web Content Filter. The following will be displayed:

Web Content Filter

Configurable Web Content Filter settings:

Note:

iOS 7+ devices must be supervised.

Field Description OS Supported
Filter Type
  • Built-in – Filter using Allowed Websites, Permitted URLs, Blacklisted URLs settings.
  • Plug-in – Filter using the Web Filter for iOS.
Built-in: iOS7+ (supervised)Plug-in: iOS 9.1+ (supervised)
Rocket Server Name/IP
  • Plug-in – Enter the IP address or host name for your Rocket server.
iOS 9.1+ (supervised)
Username
  • Plug-in – Enter %username% to use the value in the .plist file.
iOS 9.1+ (supervised)
Allowed Websites
  • Built-in – From the dropdown list select Limit Adult Content or Specific Websites Only.

Setting this field to Limit Adult Content lets admins populate the Permitted URLs, Blacklisted URLs, or both fields. Setting this field to Specific Websites Only lets admins restrict access to URLs entered in the Permitted URLs field while blocking all others. Please note you must enable this field to use the Permitted URLs and Blacklisted URLs fields.

iOS7+ (supervised)
Allowed URLs
  • Plug-in – Only works with Plug-in

Click Select to upload a .txt file containing full or wildcarded URLs which will not be web filtered. Each URL should be on a separate line.

iOS7+ (supervised)
Permitted URLs
  • Built-in – Click the plus sign (+) and enter a URL that you want to allow. Use the minus sign () to delete a permitted URL.
iOS7+ (supervised)
Blacklisted URLs
  • Built-in – Click the plus sign (+) and enter a URL you want to block. Use the minus sign () to delete a blocked URL.
iOS7+ (supervised)
Block file downloads from the web Enable this setting to prevent users from downloading files. EOBO Windows 8.1+
Filter level
  • Off – no filtering
  • Warn on adult – allow all websites but show a warning when a site contains suspected adult content.
  • Online communication – block adult websites but allow social networking, chat, and email sites.
  • General interest – allow websites except those with adult content.
  • Designed for children – only allow websites designed specifically for children.
  • Allow list only – block all websites except those that are on your allow list.
EOBO Windows 8.1+
Block unrated sites Enable this setting to prevent users from visiting websites that have not voluntarily provided content rating information to the user’s web browser. EOBO Windows 8.1+

Web Domains

Admins can use Web Domain policies to restrict users to opening documents from managed web domains you set on this page to only open in managed apps (known as “Managed Open In”). This can help admins separate documents controlled by managed apps from documents associated with non managed apps, which may be the users’ personal documents.

  • 1. To view, edit, or delete Web Domains policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Web Domains policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Web Domains. The following will be displayed:

Web Domains

  • 4. If necessary, click On Campus to configure an internal Web Domains policy or click Global (the default) to configure a global Web Domains policy.

Configurable Web Domains settings:

Field Description OS Supported
Web Domains Enable this option to enter web domains below. iOS8+ (supervised), OS X 10.10+
URL Click the plus sign (+) and enter the URL of a web domain. Use the minus sign () to delete the URL of a web domain. iOS8+ (supervised), OS X 10.10+

Email Domains

Admins can use Email Domain policies to highlight emails in red that are not in your user-configured email domains list. This can be particularly helpful for security purposes.

  • 1. To view, edit, or delete Email Domains policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Email Domains policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Email Domains. The following will be displayed:

Email Domains

  • 4. If necessary, click On Campus to configure an internal Email Domains policy or click Global (the default) to configure a global Email Domains policy.

Configurable Email Domains settings:

Field Description OS Supported
Email Domain Enable this option to enter email domains you do not want to be highlighted in red below. iOS8+ (supervised), OS X 10.10+
Email Domain Click the plus sign (+) and enter an email domain that you do not want to highlight in red. Use the minus sign () to delete an email domain. iOS8+ (supervised), OS X 10.10+

VPN

Use VPN policies to configure how devices connect to and use VPNs (Virtual Private Networks):

  • 1. To view, edit, or delete VPN policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete VPN policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click VPN.
  • 4. If necessary, click Add New. The following will be displayed:

VPN

Configurable VPN settings:

Field Description Connection Type OS Supported
Connection Name Enter the name of the VPN connection, which will be displayed on the device. All iOS6+, OS X, Windows 8.1
Connection Type From the dropdown list select the VPN connection type, which can be L2TP (Layer 2 Tunneling Protocol), PPTP (Point-to-Point Tunneling Protocol), IPSec (Cisco) (Cisco Internet Protocol Security), F5 (Windows 8.1), SonicWALL (Windows 8.1), Juniper (Windows 8.1), or Checkpoint (Windows 8.1). All iOS6+, OS X, Windows 8.1
Server Enter the hostname or IP address of the VPN server. All iOS6+, OS X, Windows 8.1
Account Enter the user name that will be used to authenticate the VPN connection. L2TP, PPTP, IPSec iOS6+, OS X
User Authentication From the dropdown list select the user authentication type, which can be Password or RSASecurID. L2TP, PPTP iOS6+, OS X
Machine Authentication From the dropdown list select the user authentication type, which can be Shared Secret / Group or Certificate (if SCEP has been configured). IPSec iOS6+, OS X
Password Enter the password for the VPN connection. L2TP, PPTP, IPSec iOS6+, OS X
Identity certificate From the dropdown list select the SCEP policy.
Note: Before you can use this feature you must first configure a SCEP policy and then set the Machine Authentication to Certificate
L2TP, PPTP, IPSec iOS 6+, OS X
Shared Secret Enter the shared secret for the VPN connection. L2TP, IPSec iOS6+, OS X
Encryption Level From the dropdown list select the level of data encryption applied to the connection, which can be None, Automatic (the default), or Maximum (128-bit). PPTP, IPSec iOS6+, OS X
Group Name Enter the Group identifier for the connection. IPSec iOS6+, OS X
Send All Traffic Check (select) this option to route al traffic through this VPN connection. L2TP, PPTP iOS6+, OS X, Windows 8.1
Proxy Type From the dropdown list select the proxy type for the VPN connection, which can be None, Manual, or Automatic. L2TP, PPTP, IPSec iOS6+, OS X
DNS Suffix Enter the DNS suffix for the DNS server. F5, SonicWALL, Juniper, Checkpoint Windows 8.1
DNS Servers Use the plus sign to add the hostname or IP address for a DNS server and or use the minus to remove a DNS server. F5, SonicWALL, Juniper, Checkpoint Windows 8.1
Remember credentials Enable this option to remember DNS credentials. F5, SonicWALL, Juniper, Checkpoint Windows 8.1
Auto trigger enable Enable this option to enable auto trigger, which will enable credential VPN connections without user interaction. F5, SonicWALL, Juniper, Checkpoint Windows 8.1
Use split tunneling Enable this option to allow split tunneling, which lets users access public and private networks at the same time using the same connection. F5, SonicWALL, Juniper, Checkpoint Windows 8.1
Max idle time (0 will disable) Enter the amount of time (in seconds) to disconnect an idle VPN connection.
Note: Entering 0 will disable this feature.
F5, SonicWALL, Juniper, Checkpoint Windows 8.1

Font

To view, edit, or delete Font settings:

To view, edit, or delete profile font policies for the entire organization navigate to the dashboard home page. To view, edit, or delete profile font policies for a group or sub group navigate to that group or sub group.

  • Click Policies.
  • Click Font. The following will be displayed:

Font

Configurable font parameters:

Field Description OS Supported
Font Click Add New to select and upload a TTF or OTF font file to send to devices. iOS 6
iOS 7

Conference Room Display

The Conference Room Display polict allows you to set a message that will appear on-screen when in Conference Room Display mode on Supervised Apple TV devices.

Lock Screen Message

Note: This policy only works on supervised devices.

Use this section to configure both the lock and login screen messages on Supervised iOS devices.

SCEP

Use Simple Certificate Enrollment Protocol (SCEP) policies to allow iOS 6+ devices to obtain certificates from SCEP servers:

Note:

SCEP policies are only supported on iOS 6+ devices.

  • 1. To view, edit, or delete SCEP policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete SCEP policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click SCEP.
  • 4. If necessary, click Add New. The following will be displayed:

SCEP

How Mobile Manager Manages SCEP

The SCEP payload (policy) is not like the other Mobile Manager policies in that when you add a SCEP policy it will not actually get sent to the device on its own. Instead, the SCEP policy needs to be referenced in any of the following policies — VPN, Mail, Exchange ActiveSync, Wi-Fi, and Single Sign On.

In those policies you will see a dropdown menu listing all the available SCEP policies by name from that group and parent groups. When the SCEP policy is referenced in one of those other policies the SCEP policy will then be sent to the device.

Configurable SCEP settings:

Field Description OS Supported
Server URL Enter the base URL (DNS name) for the SCEP server (for example, http://scepserver.yourschool.edu/certsrv/mscep/mscep.dll) iOS6+
Name Enter the name of the Certificate Authority (CA) that is proving the certificate (for example, CA-IDENT). iOS6+
Subject Enter the representation of an X.500 name (for example, O=YourOrganization,OU=YourSchool,CN=iPads). iOS6+
Subject Alternative Name Type If needed, enter a subject alternative name (SAN) to place on the CSEP server. iOS6+
Retries From the dropdown list select the number of times to poll the SCEP server, which can be 0 through 10. (The default is 3.) iOS6+
Retry Delay From the dropdown select the number of seconds to wait between poll attempts, which can be which can be 0 through 10. (The default is 10.) iOS6+
Challenge Enter a challenge password, which can be used to automatically authenticate an enrollment request. iOS6+
Key Size From the dropdown select the key size (in bits), which can be 1024 (the default) or 2048. iOS6+
Use as digital signature Use the slider to enable or disable the use of a digital signature. iOS6+
Use as key encipherment Use the slider to enable or disable the use of key encipherments. iOS6+
CA Fingerprint Enter a hex string to use as a CA fingerprint. iOS6+

Certifciates

Use the Certificates page to install root and identity certificates on devices. Please note users will not be able to modify these settings on their devices once the configuration profile is installed. To view, edit, or delete Certificate policies:

Note:

Certificate policies are only supported on iOS 6+ and OS X devices.

1. To view, edit, or delete Certificate policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete Certificate policies for a group or sub group, navigate to that group or sub group.

2. Click Policies.

3. Click Certificates. The following will be displayed:

4. Click Add New. The following will be displayed. Then click Select Certificate.

5. Click Select Certificate. The following will be displayed.

6. Click the certificate you want to use and proceed to Step 12, or click Upload to upload a new certificate. The following will be displayed.

7. In the Certificate Name field enter a meaningful name for the certificate.

8. The Certificate Password field is for pkcs12 identity certificates. These certificates are password protected by the creator, so Mobile Manager needs the password to both open and inspect the contents during upload and Mobile Manager sends the password along with the certificate to the device so the device can open the certificate to inspect it and install it.

9. Browse for or drag and drop the certificate file.

10. Click Add.

11. Click the certificate file you just added.

12. Click Select.

System Rule

To view, edit, or delete System Rule policies:

Note:

Users will not be able to modify System Rule settings on their devices once the configuration profile is installed.

  • 1. To view, edit, or delete System Rule profiles for the entire organization navigate to the dashboard home page. To view, edit, or delete System Rule profiles for a group or sub group navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click System Rule. The following will be displayed.

System Rule

  • 4. If necessary, click On Campus to configure an internal System Rule policy or click Global (the default) to configure a global System Rule policy.

Configurable System Rule settings:

Field Description OS Supported
Requirement Enter the policy requirement, which must follow the syntax described in Apple’s Code Signing Requirement Language. OS X 10.8+
Comment Optional. Enter a comment for the System Policy UI. OS X 10.8+
Expiration Optional. Enter the expiration date for rule(s) being processed. OS X 10.8+
Operation Type Optional. Enter an operation type, which can be execute (the default), operation:install, or operation:isopen. OS X 10.8+

System Managed

To view, edit, or delete System Managed policies:

Note:

Users will not be able to modify System Managed settings on their devices once the configuration profile is installed.

  • 1. To view, edit, or delete System Managed profiles for the entire organization navigate to the dashboard home page. To view, edit, or delete System Managed profiles for a group or sub group navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click System Managed. The following will be displayed.

System Management

  • 4. If necessary, click On Campus to configure an internal System Managed policy or click Global (the default) to configure a global System Managed policy.

Configurable System Managed settings:

Field Description OS Supported
Disable ‘Open’ Menu Option for Untrusted Apps Check (select) this option disable the option that lets users open and install untrusted apps. OS X 10.8+

System Control

To view, edit, or delete System Control policies:

Note:

Users will not be able to modify System Control (OS X Gatekeeper) settings on their devices once the configuration profile is installed.

  • 1. To view, edit, or delete System Control profiles for the entire organization navigate to the dashboard home page. To view, edit, or delete System Control profiles for a group or sub group navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click System Control. The following will be displayed.

System Control

  • 4. If necessary, click On Campus to configure an internal System Control policy or click Global (the default) to configure a global System Control policy.

Configurable System Control settings:

Field Description OS Supported
Allow App Installs from From the dropdown select where apps can be downloaded and installed from, which can be App Store Only, App Store and Identified Developers, Anywhere. OS X 10.8+

Chrome

Chrome policies allow you to set access for content and apps on your mobile devices managed by Mobile Manager. For example, you can allow or prevent the use of cameras on all mobile devices.

To view, edit, or delete Chrome policies:

  • 1. To view, edit, or delete restrictions policies for the entire organization, navigate to the dashboard home page. To view, edit, or delete restrictions policies for a group or sub group, navigate to that group or sub group.
  • 2. Click Policies.
  • 3. Click Chrome. The following will be displayed:

Chrome

 

Configurable policy fields

Field Description
App Cache Clears websites’ appcache data
Browser Cache Clears the browser’s cache. Note: when removing data, this clears the entire cache.
Cookies Whether to allow cookies and other local data to be set by websites.
Downloads Whether to allow sites to download multiple files automatically.
File Systems Clears websites’ file system data.
Form Data (autofill) Clears the browser’s stored form data (autofill).
Browser History Clears the browser’s history.
Indexed DB Clears websites’ IndexedDB data.
Local Storage Data Clears websites’ local storage data.
Browser Passwords Clears the browser’s stored passwords.
Plugin Data Clears plugins’ data.
Server-bound certificates Clears server-bound certificates
Web SQL Clears websites’ WebSQL data.

Remember: Click the Save button to save any changes you make.

Timed Policies

Overview

Administrators can create temporary policies that will expire after a set amount of time. For example, you can lock iOS devices to an app for a set period of time. This can be useful if you want to lock devices to a particular app (the My Big Campus app, for example) during a test.

You can create timed policies for the following policies only:

Configuring a Timed Policy

Follow the steps below to configure a timed policy. Please note if there is a current timed policy in a parent group you will not be able to configure a timed policy. You must go to the parent group to make any changes.

    • 1. Navigate to the group where you want to configure a timed policy.
    • 2. Click Timed Policies.
    • 3. Click the policy (Restrictions, Passcode, OS X, Web Clips, App Lock, APN / Cellular, System Rule, or System Control) you want to configure.
    • 4. If you want to configure an internal policy, click On Campus.

Note: On Campus policies are not supported on Passcode and APN/Cellular policies.

    • 5. Click Add New.
    • 6. Click the date and time next to From to configure the start time.

Timed Policies

    • The following will be displayed.

Timed Policies 2

    • 7. Use the calendar to set the date and use the sliders to set the hour and minute.
    • 8. Click Done.
    • 9. Repeat the steps above to configure the To (stop) time.
    • 10. Click Save to save your timed policy.

Tip: Click the red Delete button (delete-policy-button) to delete the timed policy immediately.