macOS/iOS/iPadOS MDM Security Features and Settings

Swif recommends a range of common Apple device security and privacy features. The table below summarizes key features, their purpose, and whether they apply to supervised (company-owned) devices, BYOD (user-enrolled personal devices), or both.

| Feature | Purpose | Applicability | Notes | Policy and Approach |
|---|---|---|---|---|
| Block Backup of Work Data to iCloud | Stops managed app data or business accounts from being backed up to iCloud or personal cloud services, protecting sensitive data. | Supervised only; macOS/iOS/iPadOS | On supervised devices, admins often disable iCloud backup entirely to keep data on-premises. | iCloud policy |
| Disable AirDrop | Prevents use of AirDrop for sharing files wirelessly, closing a common data exfiltration and malware ingress vector. | Supervised only; macOS/iOS/iPadOS | Often used to stop unsanctioned file sharing. Note: disabling Bluetooth via MDM also automatically disables AirDrop. | AirDrop policy |
| VPN | Forces specified apps to send network traffic through a secure VPN tunnel, isolating work app data in transit and protecting it on untrusted networks. | Supervised only; macOS/iOS/iPadOS | Only managed apps use the VPN, while personal apps' traffic stays direct. This safeguards corporate data (e.g., email, internal apps) without surveilling personal traffic. | VPN policy |
| Passcode Policy (Password Requirements) | Enforces strong device passcodes (e.g., minimum length, complexity, and auto-lock timeout) so the device is not easily unlocked by unauthorized people. | Supervised only; macOS/iOS/iPadOS | Policies can require a complex passcode (e.g., 6+ digits or alphanumeric, no simple patterns), set a short idle lock time, and enable auto-wipe after a number of failed attempts. On enrollment, users may be forced to set a compliant passcode, or the device will be marked non-compliant. | Password policy |
| Remote Lock & Lost Mode | Allows IT to remotely lock the device and, on supervised devices, enable Lost Mode, which completely locks the screen and displays a custom message. Helps secure a lost or stolen iOS/iPadOS device and assists in its recovery. | Supervised only; Remote Lock: macOS/iOS/iPadOS; Lost Mode: iOS/iPadOS | In Managed Lost Mode, the user is logged out and cannot unlock the phone/tablet at all. The admin can display contact info on the lock screen and even get the device's location while in Lost Mode. (Standard remote lock without Lost Mode is also available to simply force a screen lock on devices that have a passcode.) | Swif's lock or lost mode command |
| Remote Wipe (Device or Corporate Wipe) | Erases the device or corporate data remotely if a device is lost, stolen, or an employee leaves. Protects data by wiping it from the device. | Supervised: full device wipe; BYOD: partial wipe only, by removing Swif admin when the Swif agent is installed. Supervised full/partial wipe: macOS/iOS/iPadOS; BYOD partial wipe: macOS | A full device wipe returns a supervised device to factory settings. On personal BYOD devices with User Enrollment, the MDM cannot erase the whole disk; instead, it can remove all managed accounts while leaving personal data intact. | Swif's Wipe command |
| Block External Storage | Prevents use of USB storage devices (e.g., flash drives) with the device to avoid copying data off the device or introducing files. | Supervised only; macOS only | When enabled, the Files app will not allow mounting external USB drives on the device. | USB policy: on macOS, the Swif agent is used to prevent the use of USB storage devices. iOS/iPadOS has no agent, so this is not supported there. |
| Disable Camera (and FaceTime) | Completely turns off the device cameras (and FaceTime) to prevent photography or video capture. | Supervised only | Common in high-security environments. Removes the Camera app; users cannot take photos or videos. (Also disables FaceTime, since it relies on the camera.) | |
| USB Restricted Mode (block USB accessories when locked) | Protects against device compromise via USB by disallowing data connections to USB accessories while the iPhone is locked. | Supervised only | Ensures that after a short period of being locked, the Lightning/USB port will not transmit data without an unlock. Prevents forensic USB attacks; MDM can enforce leaving this on (default on iOS). | |
| Biometric Unlock Controls | Controls the use of Face ID/Touch ID for unlocking. Admins can require a passcode after a certain interval or disable biometric unlock entirely for security. | Both (Supervised or BYOD) | For example, MDM can set a maximum time window (e.g., 48 hours) after which Face ID/Touch ID stops working and the passcode must be entered. In high-security cases, an admin might disallow biometric unlock (the user must use a PIN/password). (Disabling Face ID/Touch ID setup requires supervision.) | |
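As an added example (not Swif's code and not a Swif feature), the Python below shows what several rows of the table look like once expressed as an Apple configuration profile, and adds the check an admin would run on a device's MDM report afterwards: supervised-only restrictions are silently ignored on an unsupervised device, and a device whose passcode does not meet the profile should be marked non-compliant, as the passcode row notes. The payload types and keys (`com.apple.mobiledevice.passwordpolicy`, `com.apple.applicationaccess`, `allowAirDrop`, `allowCamera`, `allowCloudBackup`, `allowUSBRestrictedMode`, `allowFingerprintForUnlock`, `allowFingerprintModification`) and the report keys (`IsSupervised`, `PasscodePresent`, `PasscodeCompliantWithProfiles`) are Apple's documented MDM keys; the organization name, identifier prefix and the sample device report are constructed placeholders.

```python
"""Build a device-security baseline profile and check an MDM device report
against it. Added example, not Swif's code; identifiers are placeholders."""
import plistlib
import uuid

ORG = "Example Corp"          # placeholder organization name
PREFIX = "com.example.mdm"    # placeholder payload identifier prefix

# Restriction keys that only take effect on supervised devices.
SUPERVISED_ONLY = {
    "allowAirDrop", "allowCamera", "allowUSBRestrictedMode",
    "allowFingerprintModification",
}


def _payload(payload_type, name, **keys):
    """Envelope every payload inside a configuration profile must carry."""
    base = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.{name}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": name,
        "PayloadOrganization": ORG,
    }
    base.update(keys)
    return base


def passcode_payload(min_length=6, alphanumeric=True, lock_minutes=2, max_failed=10):
    """Passcode row: complexity, short idle auto-lock, wipe after failed attempts."""
    return _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode",
        forcePIN=True,                    # a passcode must be set
        allowSimple=False,                # no repeating or sequential patterns
        requireAlphanumeric=alphanumeric,
        minLength=min_length,
        maxInactivity=lock_minutes,       # minutes idle before auto-lock
        maxFailedAttempts=max_failed,     # device wipes after this many failures
    )


def restrictions_payload(biometric_unlock=True):
    """iCloud backup, AirDrop, camera, USB Restricted Mode and biometric rows."""
    keys = {
        "allowCloudBackup": False,        # block backup to iCloud
        "allowAirDrop": False,            # supervised only
        "allowCamera": False,             # supervised only; also disables FaceTime
        "allowUSBRestrictedMode": True,   # keep Apple's default (restricted mode on)
        "allowFingerprintForUnlock": biometric_unlock,
    }
    if not biometric_unlock:
        # High-security option: also stop users re-enrolling Face ID/Touch ID
        # (changing biometric setup requires supervision).
        keys["allowFingerprintModification"] = False
    return _payload("com.apple.applicationaccess", "restrictions", **keys)


def build_profile(biometric_unlock=True):
    """Top-level profile that carries the payloads above."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Device security baseline",
        "PayloadOrganization": ORG,
        "PayloadScope": "System",
        "PayloadContent": [passcode_payload(), restrictions_payload(biometric_unlock)],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Inverse of to_mobileconfig (lets a reviewer inspect a generated file)."""
    return plistlib.loads(data)


def evaluate(profile, report):
    """Compare a device's MDM report with the profile's intent and return the
    findings an admin would act on; an empty list means the device is fine."""
    findings = []
    if not report.get("IsSupervised", False):
        applied = {k for p in profile["PayloadContent"] for k in p} & SUPERVISED_ONLY
        if applied:
            findings.append(f"unsupervised device: ignored {sorted(applied)}")
    if not report.get("PasscodePresent", False):
        findings.append("no passcode set")
    elif not report.get("PasscodeCompliantWithProfiles", False):
        findings.append("passcode does not meet profile requirements")
    return findings


# Constructed sample report (shape follows Apple's DeviceInformation/SecurityInfo keys).
SAMPLE_REPORT = {
    "IsSupervised": False,
    "PasscodePresent": True,
    "PasscodeCompliantWithProfiles": False,
}

if __name__ == "__main__":
    profile = build_profile()
    print(to_mobileconfig(profile).decode())
    for finding in evaluate(profile, SAMPLE_REPORT):
        print("finding:", finding)
```

Running the block prints the generated profile and, for the constructed report, two findings: the device is unsupervised (so the AirDrop, camera and USB Restricted Mode keys do nothing there) and its passcode falls short of the policy. In practice the "ignored" finding is the useful one to surface: it tells you a control you believe is in place is not, which is exactly the gap the Applicability column of the table is warning about.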