ASD's Blueprint for Secure Cloud


This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.



Profile type: Device restrictions


Included groups


Excluded groups


Scope tags

Scope tags: Default

Configuration settings

App Store, Doc Viewing, Gaming

Block viewing corporate documents in unmanaged apps: Yes
Allow unmanaged apps to read from managed contacts accounts: Yes
Treat AirDrop as an unmanaged destination: Yes
Block viewing non-corporate documents in corporate apps: Yes
Allow copy/paste to be affected by managed open-in: Yes
Block App store: Yes
Block automatic app downloads: Yes

Built-in apps

Block Siri: Yes
Require Safari fraud warnings: Yes
Block internet search results from Spotlight: Yes
Safari cookies: Block all cookies, and block cross site tracking
Block Safari JavaScript: Yes
Block Safari pop-ups: Yes
Block Siri for dictation: Yes
Block Siri for translation: Yes
Block camera: Yes
Block FaceTime: Yes
Block Apple Books: Yes
Block iMessage: Yes
Block Podcasts: Yes
Music service: Yes
Block iTunes Radio: Yes
Block iTunes store: Yes
Block Find My iPhone: Yes
Block Find My Friends: Yes
Block user modification to the Find My Friends settings: Yes
Block removal of system apps from device: Yes
Block Safari: Yes
Block Safari Autofill: Yes

Cloud and Storage

Force encrypted backup: Yes
Block managed apps from storing data in iCloud: Yes
Block backup of enterprise books: Yes
Block notes and highlights sync for enterprise books: Yes
Block iCloud Photos sync: Yes
Block iCloud Photo Library: Yes
Block My Photo Stream: Yes
Block Handoff: Yes
Block iCloud backup: Yes
Block iCloud document and data sync: Yes
Block iCloud Keychain sync: Yes

Connected devices

Force Apple Watch wrist detection: Yes
Require AirPlay outgoing requests pairing password: Yes
Block Apple Watch auto unlock: Yes
Block AirDrop: Yes
Block pairing with Apple Watch: Yes
Block modifying Bluetooth settings: Yes
Block pairing with non-Configurator hosts: Yes
Block AirPrint: Yes
Block setting up new nearby devices: Yes
Block access to USB drive in Files app: Yes
Disable near-field communication (NFC): Yes


Block sending diagnostic and usage data to Apple: Yes
Block screenshots and screen recording: Yes
Block untrusted TLS certificates: Yes
Block over-the-air PKI updates: Yes
Force limited ad tracking: Yes
Block trusting new enterprise app authors: Yes
Limit Apple personalized advertising: Yes
Block remote AirPlay, view screen by Classroom app, and screen sharing: Yes
Allow Classroom app to perform AirPlay and view screen without prompting: Yes
Block modification of account settings: Yes
Block Screen Time: Yes
Block users from erasing all content and settings on device: Yes
Block modification of device name: Yes
Block modification of notifications settings: Yes
Block modification of Wallpaper: Yes
Block configuration profile changes: Yes
Allow activation lock: Yes
Block removing apps: Yes
Block app clips: Yes
Force automatic date and time: Yes
Block VPN creation: Yes
Block modification of eSIM settings: Yes

Locked Screen Experience

Block Control Center access in lock screen: Yes
Block Notification Center access in lock screen: Yes
Block Today view in lock screen: Yes
Block Wallet notifications in lock screen: Yes


Require password: Yes
Block simple passwords: Yes
Required password type: Alphanumeric
Number of non-alphanumeric characters in password: 1
Minimum password length: 14
Number of sign-in failures before wiping device: 11
Maximum minutes after screen lock before password is required: Immediately
Maximum minutes of inactivity until screen locks: 1 Minute
Password expiration (days): 365
Prevent reuse of previous passwords: 5
Block Touch ID and Face ID unlock: Yes
Block passcode modification: Yes
Block modification of Touch ID fingerprints and Face ID faces: Yes
Block password AutoFill: Yes
Block password proximity requests: Yes
Block password sharing: Yes

Restricted Apps

Type of restricted apps list: Approved apps
Apps list

| App store URL | App bundle ID | App name | Publisher |
| | | Acrobat Reader for PDF | Adobe Inc |
| | | Authenticator | Microsoft Corporation |
| | | Edge | Microsoft Corporation |
| | | Excel | Microsoft Corporation |
| | | OneDrive | Microsoft Corporation |
| | | OneNote | Microsoft Corporation |
| | | PowerPoint | Microsoft Corporation |
| | | Outlook | Microsoft Corporation |
| | | SharePoint | Microsoft Corporation |
| | | Teams | Microsoft Corporation |
| | | Word | Microsoft Corporation |

Shared iPad

Block Shared iPad temporary sessions: Yes


Block voice dialing while device is locked: Yes

Security & Governance




  • None identified


Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra