Managed domains device policy

You can define managed domains that apply to email and the Safari browser. Managed domains help you protect corporate data by controlling which apps can open documents downloaded from domains using Safari.

For iOS 8 and later supervised devices, you specify URLs or subdomains to control how users can open documents, attachments, and downloads from the browser. For iOS 9.3 and later supervised devices, you can specify the URLs from which users can save passwords in Safari.

For the steps on setting an iOS device to supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

When a user sends email to a recipient whose domain is not on the managed email domains list, the message is flagged on the user’s device to warn them that they are sending a message to someone outside your corporate domain.

For items such as documents, attachments, or downloads: When a user opens an item by using Safari from a web domain that is on the managed web domains list, the appropriate corporate app opens the item. If the item is not from a web domain on the managed web domains list, the user cannot open the item with a corporate app. They must use a personal, unmanaged app.

For supervised devices, even if you do not specify Safari password autofill domains: If the device is configured as ephemeral multi-user, users can’t save passwords. However, if the device isn’t configured as ephemeral multi-user, users can save all passwords.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

To specify domains:

| Format | Description |
| --- | --- |
| example.com | Treat any path under example.com as managed, but not site.example.com/. |
| foo.example.com | Treat any path under foo.example.com as managed, but not example.com/ or bar.example.com/. |
| \*.example.com | Treat any path under foo.example.com or bar.example.com as managed, but not example.com/. |
| example.com/sub | Treat example.com/sub and any path under it as managed, but not example.com/. |
| foo.example.com/sub | Treat any path under foo.example.com/sub as managed, but not example.com, example.com/sub, foo.example.com/, or bar.example.com/sub. |
| \*.example.com/sub | Treat any path under foo.example.com/sub or bar.example.com/sub as managed, but not example.com or foo.example.com/. |

Rules:

  • Leading “www.” and trailing slashes in URLs are ignored when domains are compared.
  • If an entry contains a port number, only addresses that specify that port number are considered managed. Otherwise, only the standard ports are considered managed (port 80 for http and port 443 for https). For example, the pattern *.example.com:8080 matches https://site.example.com:8080/page.html, but not https://site.example.com/page.html, whereas the pattern *.example.com matches http://site.example.com/page.html and https://site.example.com/page.html, but not https://site.example.com:8080/page.html.
  • Managed Safari web domain definitions are cumulative. Patterns defined by all managed Safari web domain payloads are used to match a URL request.
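The format table and rules above, written out as a small Python matcher so a pattern list can be checked against sample URLs before it is deployed. This is an added example, not code from the product or from Apple; the function names are hypothetical, patterns are assumed to be written without a scheme, and matching paths on segment boundaries is an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _strip_www(host):
    # Rule: a leading "www." is ignored when domains are compared.
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def parse_pattern(pattern):
    """Split '[*.]host[:port][/path]' into (wildcard, host, port, path)."""
    # Rule: trailing slashes are ignored.
    hostport, _, path = pattern.strip().rstrip("/").partition("/")
    host, _, port = hostport.partition(":")
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    return (wildcard, _strip_www(host),
            int(port) if port else None,
            "/" + path if path else "")

def matches(pattern, url):
    """Return True if url is managed under a single pattern."""
    wildcard, p_host, p_port, p_path = parse_pattern(pattern)
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return False
    host = _strip_www(u.hostname)
    # Host: '*.example.com' covers subdomains only; 'example.com' covers
    # that exact host only.
    if wildcard:
        if not host.endswith("." + p_host):
            return False
    elif host != p_host:
        return False
    # Port: a pattern port must appear in the URL; without one, only the
    # scheme's standard port is managed.
    if p_port is not None:
        if u.port != p_port:
            return False
    elif u.port not in (None, DEFAULT_PORTS[u.scheme]):
        return False
    # Path: the pattern path and anything under it (assumption: compared
    # on whole path segments, so '/sub' does not cover '/subway').
    path = u.path.rstrip("/")
    return p_path == "" or path == p_path or path.startswith(p_path + "/")

def is_managed(patterns, url):
    # Rule: definitions are cumulative, so any matching pattern suffices.
    return any(matches(p, url) for p in patterns)
```
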

Settings:

  • Managed Domains
    • Unmarked Email Domains: For each email domain you want to include in the list, click Add and then do the following:
      • Managed Email Domain: Type the email domain.
      • Click Save to save the email domain or click Cancel to not save the email domain.
    • Managed Safari Web Domains: For each web domain you want to include in the list, click Add and then do the following:
      • Managed Web Domain: Type the web domain.
      • Click Save to save the web domain or click Cancel to not save the web domain.
    • Safari Password AutoFill Domains: For each autofill domain you want to include in the list, click Add and then do the following:
      • Safari Password AutoFill Domain: Type the autofill domain.
      • Click Save to save the autofill domain or click Cancel to not save the autofill domain.
