Restrict device enrollment

By default, users can enroll devices they own and devices owned by their organization. You can set restrictions to prevent users from enrolling unauthorized devices and using certain functions on the user portal. You can do the following for any user or group:

  • Restrict access to the user portal

  • Restrict configuration profile downloads

  • Restrict enrollment using the user portal

  • Restrict unenrollment (Supervised only)

  • Restrict enrollment during setup when the device:

    • Was configured using Apple Configurator 2

    • Was configured using the Device Enrollment Program

  • Restrict the ability to lock the device

  • Restrict the ability to clear the device passcode

  • Restrict the ability to wipe the device

  • Restrict enrollment to placeholder devices

  • Restrict enrollment to assigned devices

Note: Changing the settings for the Everyone group affects all users. If a user is a member of more than one group, and different settings are applied to those groups, the more restrictive settings apply.

Restrict all access to the user portal

You can prevent access to the user portal entirely or just restrict certain options. By default, users have full access and no restrictions.

  1. In the Profile Manager sidebar, select Groups.

  2. Select Everyone, click the About tab, and then review the restriction options for all users.

  3. Deselect the features you want to restrict under “Allow access to user portal,” and then click Save.

    All users are now restricted to only those items you left selected. To change the restrictions for a certain user or group, select an account, make your changes, and then click Save.

Restrict device enrollment for all users during Setup Assistant

You can prevent users from authenticating and enrolling devices during Setup Assistant.

  1. In the Profile Manager sidebar, select Groups.

  2. Select Everyone, and then click the About tab.

  3. Deselect one or both of the following:

    • Allow enrollment during Setup Assistant for devices configured using Device Enrollment

    • Allow enrollment during Setup Assistant for devices configured using Apple Configurator 2

  4. Click Save.

Restrict enrollment of devices with no placeholder for all users

You can restrict which devices a user can enroll based on the presence of a device placeholder. For example, if a user tries to enroll a device that’s unknown to Profile Manager, you can prevent enrollment.

  1. In the Profile Manager sidebar, select Groups.

  2. Select Everyone, and then click the About tab.

  3. Select “Restrict enrollment to placeholder devices,” and then click Save.

    All users can now enroll only devices that have a placeholder with the correct UDID. For more information about UDIDs, see Import a device list.

Restrict enrollment of devices not assigned to a user

You can restrict device enrollment based on a user’s current device assignment.

  1. In the Profile Manager sidebar, select Groups.

  2. Select Everyone, and then click the About tab.

  3. Select “Restrict enrollment to assigned devices,” and then click Save.

    All users can now only enroll devices assigned to their account.

Enrollment restriction examples

Here are two examples where you might want to use a combination of restrictions:

  • Only devices shown in Profile Manager device list

    • Restrict enrollment to placeholder devices: Enabled

    • Restrict enrollment to assigned devices: Disabled

  • Only devices shown in Profile Manager device list and assigned to users

    • Restrict enrollment to placeholder devices: Enabled

    • Restrict enrollment to assigned devices: Enabled
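
The following sketch is an added example, not Profile Manager code. It models the rule from the note above (when a user is in several groups, the more restrictive setting applies) together with the two enrollment restrictions, so you can check what a combination of group settings allows before you save it. The field names, group names, accounts and UDIDs are constructed for illustration, and the merge logic is an assumption based on this page's description.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupSettings:
    # Field names are hypothetical; they mirror the options named on this page.
    allow_portal_enrollment: bool = True    # "Allow ..." options: deselecting restricts
    restrict_to_placeholder: bool = False   # "Restrict ..." options: selecting restricts
    restrict_to_assigned: bool = False

def effective(groups):
    """Merge the settings of every group a user is in; the more restrictive value wins."""
    groups = list(groups)
    return GroupSettings(
        allow_portal_enrollment=all(g.allow_portal_enrollment for g in groups),
        restrict_to_placeholder=any(g.restrict_to_placeholder for g in groups),
        restrict_to_assigned=any(g.restrict_to_assigned for g in groups),
    )

def may_enroll(user, udid, groups, placeholders, assignments):
    """Return (allowed, reason) for one enrollment attempt under the merged policy."""
    policy = effective(groups)
    if not policy.allow_portal_enrollment:
        return False, "enrollment using the user portal is restricted"
    if policy.restrict_to_placeholder and udid not in placeholders:
        return False, "device has no placeholder"
    if policy.restrict_to_assigned and assignments.get(udid) != user:
        return False, "device is not assigned to this user"
    return True, "allowed"

# Constructed sample data (not real UDIDs or accounts).
PLACEHOLDERS = {"UDID-0001", "UDID-0002"}
ASSIGNMENTS = {"UDID-0001": "alice"}          # UDID-0002 has a placeholder but no owner
EVERYONE = GroupSettings(restrict_to_placeholder=True)
CONTRACTORS = GroupSettings(restrict_to_assigned=True)

if __name__ == "__main__":
    for user, udid, groups in [
        ("bob", "UDID-0002", [EVERYONE]),                  # placeholder exists
        ("bob", "UDID-9999", [EVERYONE]),                  # unknown device
        ("bob", "UDID-0002", [EVERYONE, CONTRACTORS]),     # both restrictions merge
        ("alice", "UDID-0001", [EVERYONE, CONTRACTORS]),   # assigned to alice
    ]:
        print(user, udid, may_enroll(user, udid, groups, PLACEHOLDERS, ASSIGNMENTS))
```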