Swif recommends a range of common Apple device security and privacy features. The table below summarizes key features, their purpose, and whether they apply to supervised (company-owned) devices, BYOD (user-enrolled personal devices), or both.
Feature | Purpose | Applicability | Notes | Policy and Approach |
Block Backup of Work Data to iCloud | Stops managed app data or business accounts from being backed up to iCloud or personal cloud services, protecting sensitive data. | Supervised only; macOS/iOS/iPadOS | On supervised devices, admins often disable iCloud backup entirely to keep data on-premises. | iCloud policy |
Disable AirDrop | Prevents use of AirDrop for sharing files wirelessly, closing a common data exfiltration and malware ingress vector. | Supervised only; macOS/iOS/iPadOS | Often used to stop unsanctioned file sharing. Note: Disabling Bluetooth via MDM also automatically disables AirDrop. | AirDrop policy |
VPN | Forces specified apps to send network traffic through a secure VPN tunnel, isolating work app data in transit and protecting it on untrusted networks. | Supervised only; macOS/iOS/iPadOS | Only managed apps use the VPN, while personal apps’ traffic stays direct. This safeguards corporate data (e.g., email, internal apps) without surveilling personal traffic. | VPN Policy |
Passcode Policy (Password Requirements) | Enforces strong device passcodes – e.g. minimum length, complexity, and auto-lock timeout – to ensure the device is not easily unlocked by unauthorized people. | Supervised only; macOS/iOS/iPadOS | Policies can require a complex passcode (e.g., 6+ digits or alphanumeric, no simple patterns), set a short idle lock time, and enable auto-wipe after numerous failed attempts. On enrollment, users may be forced to set a compliant passcode, or the device will be marked non-compliant. | Password policy |
Remote Lock & Lost Mode | Allows IT to remotely lock the device and, on supervised devices, enable Lost Mode, which completely locks the screen and displays a custom message. Helps secure a lost/stolen iOS/iPadOS device and assists in its recovery. | Supervised only; Lost Mode: iOS/iPadOS | In Managed Lost Mode, the user is logged out and can’t unlock the phone/tablet at all. The admin can display contact info on the lock screen and even get the device’s location while in Lost Mode. (Standard remote lock without Lost Mode is also available to simply force a screen lock on devices that have a passcode.) | Swif’s lock or lost mode command |
Remote Wipe (Device or Corporate Wipe) | Erases the device or corporate data remotely if a device is lost, stolen, or an employee leaves. Protects data by wiping it from the device. | Supervised: Full device wipe | A full device wipe returns a supervised device to factory settings. On personal BYOD devices with User Enrollment, the MDM cannot erase the whole disk – instead, it can remove all managed accounts while leaving personal data intact. | Swif’s Wipe command |
Block External Storage | Prevents use of USB storage devices (e.g., flash drives) with the device to avoid copying data off the device or introducing files. | Supervised only; macOS only | When enabled, the Files app won’t allow mounting external USB drives on the device. | USB policy: On macOS, we use the Swif agent to prevent the use of USB storage devices. |
Disable Camera (and FaceTime) | Completely turns off the device cameras (and FaceTime) to prevent photography or video capture. | Supervised only | Common in high-security environments. Removes the Camera app; users cannot take photos or videos. (Also disables FaceTime since it relies on the camera.) | |
USB Restricted Mode (block USB accessories when locked) | Protects against device compromise via USB by disallowing data connection to USB accessories when the iPhone is locked. | Supervised only | Ensures that after a short period of being locked, the Lightning/USB port won’t transmit data without unlock. Prevents forensic USB attacks; MDM can enforce leaving this on (default on iOS). | |
Biometric Unlock Controls | Controls the use of Face ID/Touch ID for unlocking. Admins can require a passcode after a certain interval or disable biometric unlock entirely for security. | Both (Supervised or BYOD) | For example, MDM can set a maximum time window (e.g. 48 hours) after which Face ID/Touch ID will stop working and the passcode must be entered. In high-security cases, an admin might disallow biometric unlock (user must use PIN/password). (Disabling Face ID/Touch ID setup requires supervision.) | |
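
The following is an added example, not Swif's own code: it audits a configuration profile against the passcode, AirDrop and iCloud backup rows of the table above. The payload types and key names are Apple's configuration-profile keys; the sample profile is constructed, and the thresholds (6 characters, 5 minutes idle, 10 failed attempts) are assumptions standing in for your own baseline.

```python
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Apple Passcode payload
RESTRICT = "com.apple.applicationaccess"             # Apple Restrictions payload

# Constructed sample profile for illustration (not exported from Swif).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
  <key>minLength</key><integer>4</integer>
  <key>allowSimple</key><true/>
  <key>maxInactivity</key><integer>2</integer></dict>
<dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>allowAirDrop</key><false/>
  <key>allowCloudBackup</key><true/></dict>
</array></dict></plist>"""

# (payload type, key) -> (check, expectation). Thresholds are assumptions.
BASELINE = {
    (PASSCODE, "minLength"): (lambda v: v >= 6, "at least 6"),
    (PASSCODE, "allowSimple"): (lambda v: v is False, "false: no simple patterns"),
    (PASSCODE, "maxInactivity"): (lambda v: 1 <= v <= 5, "idle lock within 5 minutes"),
    (PASSCODE, "maxFailedAttempts"): (lambda v: v <= 10, "wipe after at most 10 failures"),
    (RESTRICT, "allowAirDrop"): (lambda v: v is False, "false: AirDrop disabled"),
    (RESTRICT, "allowCloudBackup"): (lambda v: v is False, "false: no iCloud backup"),
}

def audit(profile_bytes):
    """Return one finding per baseline key that is missing or too weak."""
    profile = plistlib.loads(profile_bytes)
    seen = {}
    for payload in profile.get("PayloadContent", []):
        for key, value in payload.items():
            seen[(payload.get("PayloadType"), key)] = value
    findings = []
    for (ptype, key), (check, want) in BASELINE.items():
        if (ptype, key) not in seen:
            # An absent key means the device keeps its default, so flag it.
            findings.append(f"{key}: not set (want {want})")
        elif not check(seen[(ptype, key)]):
            findings.append(f"{key}: {seen[(ptype, key)]!r} (want {want})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("FAIL", finding)
```

Run against the sample, it flags the 4-character minimum, the allowed simple passcodes, the missing failed-attempt limit and the permitted iCloud backup, while the AirDrop restriction and the idle lock pass.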