diff --git a/LICENSE.txt b/LICENSE.txt index b09fe87..9faab6a 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,4 +1,4 @@ -Copyright © 2022-2023 Apple Inc. +Copyright © 2022-2024 Apple Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the diff --git a/README.md b/README.md index 1958eda..c3f8dd4 100644 --- a/README.md +++ b/README.md @@ -6,12 +6,34 @@ This repository contains Apple's Device Management Client schema data for the MD This release corresponds to the following OS versions -| OS | Version | -|---------|---------| -| iOS | 17.2 | -| macOS | 14.2 | -| tvOS | 17.2 | -| watchOS | 10.2 | +| OS | Version | +|----------|---------| +| iOS | 17.4 | +| macOS | 14.4 | +| tvOS | 17.4 | +| visionOS | 1.1 | +| watchOS | 10.4 | + +## Important Release Notes + +### visionOS support + +The 17.4/14.4 release adds a `visionOS` value to the `supportedOS` key to indicate support for visionOS devices. + +### Declarative device management supervision state + +The 17.4/14.4 release includes a major change to the `allowed-enrollments` key in declarative device management schema items. A new `supervised` value has been added. So now: + +* `supervised` is used to indicate support for a supervised device enrollment +* `device` is used to indicate support for an unsupervised device enrollment. + +On macOS, device enrollments are always supervised, so the `device` value has been replaced by `supervised` in all `allowed-enrollments`. + +On other platforms, `supervision` has been added or `device` has been removed, as appropriate for actual support. + +### Declarative device management combinetype values + +The 17.4/14.4 release has renamed the `enum-lowest` and `enum-highest` combinetype values to `enum-first` and `enum-last` respectively. ## What's Available diff --git a/declarative/declarations/activations/simple.yaml b/declarative/declarations/activations/simple.yaml index d915717..60550fc 100644 
--- a/declarative/declarations/activations/simple.yaml +++ b/declarative/declarations/activations/simple.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credential.acme.yaml b/declarative/declarations/assets/credential.acme.yaml index c2feade..706b991 100644 --- a/declarative/declarations/assets/credential.acme.yaml +++ b/declarative/declarations/assets/credential.acme.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credential.certificate.yaml b/declarative/declarations/assets/credential.certificate.yaml index 36be55b..933f7eb 100644 --- a/declarative/declarations/assets/credential.certificate.yaml +++ b/declarative/declarations/assets/credential.certificate.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credential.identity.yaml b/declarative/declarations/assets/credential.identity.yaml index 1310fdc..0270966 100644 --- a/declarative/declarations/assets/credential.identity.yaml +++ b/declarative/declarations/assets/credential.identity.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credential.scep.yaml b/declarative/declarations/assets/credential.scep.yaml index c4daf10..e0e06cd 100644 --- a/declarative/declarations/assets/credential.scep.yaml +++ b/declarative/declarations/assets/credential.scep.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: 
diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml index f45b74c..fdd7029 100644 --- a/declarative/declarations/assets/credential.userpassword.yaml +++ b/declarative/declarations/assets/credential.userpassword.yaml @@ -10,6 +10,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credentials/acme.yaml b/declarative/declarations/assets/credentials/acme.yaml index 3d6f2e5..2c2fd1b 100644 --- a/declarative/declarations/assets/credentials/acme.yaml +++ b/declarative/declarations/assets/credentials/acme.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credentials/identity.yaml b/declarative/declarations/assets/credentials/identity.yaml index a291367..1128bc4 100644 --- a/declarative/declarations/assets/credentials/identity.yaml +++ b/declarative/declarations/assets/credentials/identity.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credentials/scep.yaml b/declarative/declarations/assets/credentials/scep.yaml index c2427a0..9c81199 100644 --- a/declarative/declarations/assets/credentials/scep.yaml +++ b/declarative/declarations/assets/credentials/scep.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/credentials/usernameandpassword.yaml b/declarative/declarations/assets/credentials/usernameandpassword.yaml index dd95b46..8f734b8 100644 --- a/declarative/declarations/assets/credentials/usernameandpassword.yaml 
+++ b/declarative/declarations/assets/credentials/usernameandpassword.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/data.yaml b/declarative/declarations/assets/data.yaml index 7b8fcbb..9f560ea 100644 --- a/declarative/declarations/assets/data.yaml +++ b/declarative/declarations/assets/data.yaml @@ -9,6 +9,8 @@ payload: introduced: '14.0' tvOS: introduced: '17.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/assets/useridentity.yaml b/declarative/declarations/assets/useridentity.yaml index 7eaa6f1..cfb1724 100644 --- a/declarative/declarations/assets/useridentity.yaml +++ b/declarative/declarations/assets/useridentity.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index 6cefb24..e926742 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -17,15 +18,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: A CalDAV configuration defines a CalDAV calendar and reminders account for a user. payloadkeys: diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index b89b56b..4977304 100644 
--- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -17,15 +18,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: A CardDAV configuration defines a CardDAV contacts account for a user. payloadkeys: - key: VisibleName diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 0313a55..0772234 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -7,6 +7,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,15 +19,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: This payload configures an Exchange ActiveSync account on an iOS device. payloadkeys: - key: VisibleName @@ -72,6 +82,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The port number of the EWS server. The system uses this only when this @@ -81,6 +93,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The path of the EWS server. The system uses this only when this declaration 
@@ -90,6 +104,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The external hostname of the EWS server (or IP address). This is a required @@ -100,6 +116,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The external port number of the EWS server. The system uses this only when @@ -109,6 +127,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The external path of the EWS server. The system uses this only when this diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml index 0a4de29..233212a 100644 --- a/declarative/declarations/configurations/account.google.yaml +++ b/declarative/declarations/configurations/account.google.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -17,15 +18,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: A Google configuration defines a Google account for a user. The user will be prompted to enter their credentials shortly after the configuration successfully installs. diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 73c242a..daa6f43 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local 
@@ -17,15 +18,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: An LDAP configuration defines an LDAP directory account for a user. payloadkeys: - key: VisibleName diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml index 478a990..ce7aba4 100644 --- a/declarative/declarations/configurations/account.mail.yaml +++ b/declarative/declarations/configurations/account.mail.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -17,15 +18,24 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: An email configuration defines an email account for a user. payloadkeys: - key: VisibleName diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml index 6fb0dd6..da35a64 100644 --- a/declarative/declarations/configurations/account.subscribed-calendar.yaml +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local 
@@ -17,15 +18,24 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple content: A subscribed calendar configuration defines a subscribed calendar for a user. payloadkeys: diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml index a9819f8..7cb6a61 100644 --- a/declarative/declarations/configurations/app.managed.yaml +++ b/declarative/declarations/configurations/app.managed.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.2' allowed-enrollments: + - supervised - device - user allowed-scopes: 
@@ -17,33 +18,36 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple beta: true payloadkeys: - key: AppStoreID title: App Store ID type: presence: optional - content: Specifies the App Store ID of the managed app. One and only one of `AppStoreID`, - `BundleID`, or `ManifestURL` must be present. + content: The App Store ID of the managed app. One and only one of 'AppStoreID', + 'BundleID', or 'ManifestURL' must be present. - key: BundleID title: Bundle ID type: presence: optional - content: Specifies the Bundle ID of the managed app. One and only one of `AppStoreID`, - `BundleID`, or `ManifestURL` must be present. + content: The bundle ID of the managed app. One and only one of 'AppStoreID', 'BundleID', + or 'ManifestURL' must be present. - key: ManifestURL title: Manifest URL type: presence: optional - content: Specifies the URL of the manifest for the managed app. One and only one - of `AppStoreID`, `BundleID`, or `ManifestURL` must be present. + content: The URL of the manifest for the managed app. One and only one of 'AppStoreID', + 'BundleID', or 'ManifestURL' must be present. - key: InstallBehavior title: Install Behavior type: presence: optional - content: Describes how and when the app will be installed. + content: A dictionary that describes how and when to install the app. subkeys: - key: Install title: Install 
@@ -54,15 +58,17 @@ payloadkeys: - Required default: Optional content: |- - Describes whether the app must remain on the device at all times, or if the user can freely install and remove it: - * Optional - the user can install and remove the app after the configuration is activated. - * Required - the app is installed when the configuration is activated. The user may not remove the app. - On supervised devices apps are installed automatically. Otherwise the device prompts the user to approve the install of the app. + A string that specifies if the app needs to remain on the device at all times or if the user can freely install and remove it, which is one of the following values: + + * Optional: The user can install and remove the app after the system activates the configuration. + * Required: The system installs the app after it activates the configuration. The user can't remove the app. + + The system automatically installs apps on supervised devices. Otherwise, the device prompts the user to approve installation of the app. - key: License title: License type: presence: optional - content: Describes how the app is licensed. + content: A dictionary that describes the app's license. subkeys: - key: VPPType title: VPP Type 
@@ -72,17 +78,18 @@ payloadkeys: - Device - User content: |- - Indicates what type of VPP license is used for the app when installed via the App Store: - * Device - the app has a VPP device license. - * User - the app has a VPP user license. - This key must be present when an App Store app is being installed. + The type of VPP license that the app uses for installation through the App Store, which is one of the following values: + + * Device: The app has a VPP device license. + * User: The app has a VPP user license. + + This key needs to be present to install an app through the App Store. - key: IncludeInBackup title: Include in Backup type: presence: optional default: true - content: If `true`, backups will contain the app and its data. If `false`, backups - will not contain the app and its data. + content: If 'true', backups contain the app and its data. - key: Attributes title: App Attributes supportedOS: @@ -90,7 +97,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: A dictionary of values associated with the app. + content: A dictionary of values to associate with the app. subkeys: - key: AssociatedDomains title: Associated Domains 
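Review bot: In `app.managed.yaml` (hunk `@@ -72,17 +78,18 @@`), the rewritten `IncludeInBackup` description no longer says what `false` does, and that is the value an administrator sets to keep managed app data out of device backups. Keeping both halves makes the data-protection behaviour explicit: `content: If 'true', backups contain the app and its data. If 'false', backups don't contain the app and its data.` The Tap to Pay screen-lock description later in the same file still states both cases, so this would also be consistent.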
@@ -108,16 +115,15 @@ payloadkeys: type: presence: optional default: false - content: If `true`, direct downloads will be enabled for associated domains. + content: If 'true', the system enables direct downloads for the 'AssociatedDomains'. - key: CellularSliceUUID title: Cellular Slice UUID type: presence: optional - content: Either data network name (DNN) or traffic category can be set as the - enterprise slice identifier. For DNN, the value must be encoded as "DNN:name”, - where "name" is the carrier provided DNN name. For app category, the value must - be encoded as "AppCategory:category", where "category" is a carrier provided - string like "Enterprise1". + content: The cellular slice identifier, which can be the data network name (DNN) + or app category. For DNN, encode the value as “DNN:name”, where “name” is the + carrier-provided DNN name. For app category, encode the value as “AppCategory:category”, + where “category” is a carrier-provided string such as “Enterprise1”. - key: ContentFilterUUID title: Content Filter UUID type: @@ -132,15 +138,14 @@ payloadkeys: title: Relay UUID type: presence: optional - content: The UUID of the Relay to associated with the app. + content: The UUID of the relay to associate with the app. - key: TapToPayScreenLock title: Tap to Pay Screen Lock type: presence: optional default: false - content: If `true`, the device will automatically lock after every transaction - that requires a customer's card PIN. If `false`, the user of the device may - choose the behavior they prefer. + content: If 'true', the device automatically locks after every transaction that + requires a customer's card PIN. If 'false', the user can choose the behavior. - key: VPNUUID title: VPN UUID type: diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml index 9dd0e4c..24acf51 100644 --- a/declarative/declarations/configurations/legacy.interactive.yaml 
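Review bot: In `app.managed.yaml` (hunk `@@ -108,16 +115,15 @@`), the new `CellularSliceUUID` description wraps the literal encodings in typographic quotes (“DNN:name”, “AppCategory:category”), while every other literal in this file now uses straight single quotes. A reader copying from rendered documentation can pick up the curly quotes, or be left unsure whether the quotes are part of the value. Suggest `'DNN:name'`, `'AppCategory:category'` and `'Enterprise1'`, matching `'true'` and `'AppStoreID'` elsewhere in the file.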
+++ b/declarative/declarations/configurations/legacy.interactive.yaml @@ -7,6 +7,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -16,7 +17,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user allowed-scopes: - system @@ -24,11 +25,20 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + allowed-scopes: + - system watchOS: introduced: n/a + apply: multiple payloadkeys: - key: ProfileURL title: Profile's URL. diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml index 40aaf96..c6b5551 100644 --- a/declarative/declarations/configurations/legacy.yaml +++ b/declarative/declarations/configurations/legacy.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,17 +28,27 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system + apply: multiple payloadkeys: - key: ProfileURL title: Profile's URL. diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml index 0fce14f..a9daae6 100644 --- a/declarative/declarations/configurations/management.status-subscriptions.yaml +++ b/declarative/declarations/configurations/management.status-subscriptions.yaml 
@@ -7,6 +7,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user allowed-scopes: - system @@ -26,20 +27,30 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system + apply: combined payloadkeys: - key: StatusItems title: Status Items type: presence: required + combinetype: set-union content: An array of status items that the device notifies subscribers about. subkeys: - key: StatusItem diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml index ab7bb94..9927c9a 100644 --- a/declarative/declarations/configurations/management.test.yaml +++ b/declarative/declarations/configurations/management.test.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,17 +28,27 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system + apply: multiple payloadkeys: - key: Echo title: Status Echo diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index 904db84..b3a8d65 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml 
+++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -16,26 +17,30 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system - user tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system + apply: combined payloadkeys: - key: RequirePasscode title: Require Passcode on Device type: presence: optional default: false + combinetype: boolean-or content: If 'true', the system requires the user to set a passcode without any requirements about the length or quality of the passcode. The presence of any other keys implicitly requires a passcode, and overrides this key's value. @@ -51,6 +56,7 @@ payloadkeys: type: presence: optional default: false + combinetype: boolean-or content: If 'true', the passcode needs to consist of at least one alphabetic character and at least one number. - key: RequireComplexPasscode @@ -58,6 +64,7 @@ payloadkeys: type: presence: optional default: false + combinetype: boolean-or content: If 'true', the system requires a complex passcode. A complex passcode is one that doesn't contain repeated characters or increasing or decreasing characters (such as 123 or CBA). @@ -69,6 +76,7 @@ payloadkeys: min: 0 max: 16 default: 0 + combinetype: number-max content: The minimum number of characters a passcode can contain. - key: MinimumComplexCharacters title: Minimum Complex Characters @@ -85,6 +93,7 @@ payloadkeys: min: 0 max: 4 default: 0 + combinetype: number-max content: Specifies the minimum number of complex characters in the password. A complex character is a character other than a number or a letter, such as '&', '%', '$', and '#'. 
@@ -96,6 +105,7 @@ payloadkeys: min: 2 max: 11 default: 11 + combinetype: number-min content: |- The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt. After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit. @@ -110,6 +120,7 @@ payloadkeys: introduced: n/a type: presence: optional + combinetype: number-min content: The number of minutes before the login is reset after the maximum number of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take effect. @@ -117,6 +128,7 @@ payloadkeys: title: Maximum Grace Period type: presence: optional + combinetype: number-min content: The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of '0' means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select @@ -128,6 +140,7 @@ payloadkeys: range: min: 0 max: 15 + combinetype: number-min content: The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In @@ -145,6 +158,7 @@ payloadkeys: range: min: 0 max: 730 + combinetype: number-min content: Specifies the maximum number of days that the passcode can remain unchanged. After this number of days, the system forces the user to change the passcode before it unlocks the device. 
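Review bot: In `passcode.settings.yaml`, `combinetype: number-min` on the lockout-reset key (hunk `@@ -110,6 +120,7 @@`, "number of minutes before the login is reset after the maximum number of failed attempts") appears to pick the weaker setting when several declarations combine, assuming `number-min` keeps the smallest value. The same applies to the passcode-history key in hunk `@@ -155,6 +169,7 @@`: a smaller history depth lets a user return to an old passcode sooner, so the stricter result there would be `combinetype: number-max`, as this commit already uses for the minimum-length key. If weaker-wins is intended for these two keys, a sentence in their `content` saying so would let MDM servers predict the effective policy. The key names sit above both hunks, so this is read from the descriptions only.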
@@ -155,6 +169,7 @@ payloadkeys: range: min: 1 max: 50 + combinetype: number-min content: The number of historical passcode entries the system checks when validating a new passcode. The device refuses a new passcode if it matches a previously used passcode within the specified passcode history range. In the absence of this key, @@ -171,6 +186,7 @@ payloadkeys: type: presence: optional default: false + combinetype: boolean-or content: If 'true', the system forces a password reset the next time the user tries to authenticate. If you set this key in a configuration in the system scope (device channel), the setting takes effect for all users, and admin authentication may diff --git a/declarative/declarations/configurations/screensharing.connection.group.yaml b/declarative/declarations/configurations/screensharing.connection.group.yaml index d05eaa4..3842234 100644 --- a/declarative/declarations/configurations/screensharing.connection.group.yaml +++ b/declarative/declarations/configurations/screensharing.connection.group.yaml @@ -8,7 +8,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -16,8 +16,11 @@ payload: - user tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple payloadkeys: - key: ConnectionGroupUUID title: Unique Identifier diff --git a/declarative/declarations/configurations/screensharing.connection.yaml b/declarative/declarations/configurations/screensharing.connection.yaml index 7d68759..b29d718 100644 --- a/declarative/declarations/configurations/screensharing.connection.yaml +++ b/declarative/declarations/configurations/screensharing.connection.yaml @@ -8,7 +8,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -16,8 +16,11 @@ payload: - user tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple payloadkeys: - key: ConnectionUUID title: Unique Identifier diff --git a/declarative/declarations/configurations/screensharing.host.settings.yaml b/declarative/declarations/configurations/screensharing.host.settings.yaml index b3db46b..d1b6213 100644 --- a/declarative/declarations/configurations/screensharing.host.settings.yaml +++ b/declarative/declarations/configurations/screensharing.host.settings.yaml @@ -8,14 +8,17 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: single payloadkeys: - key: MaximumVirtualDisplays title: Maximum number of Virtual Displays diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml index f5474a2..056226b 100644 --- a/declarative/declarations/configurations/security.certificate.yaml +++ b/declarative/declarations/configurations/security.certificate.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,17 +28,27 @@ payload: tvOS: introduced: '17.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system + apply: multiple payloadkeys: - key: CredentialAssetReference title: Credential asset reference 
diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml index e4c4ba5..5a02b66 100644 --- a/declarative/declarations/configurations/security.identity.yaml +++ b/declarative/declarations/configurations/security.identity.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,17 +28,27 @@ payload: tvOS: introduced: '17.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system + apply: multiple payloadkeys: - key: CredentialAssetReference title: Credential asset reference @@ -55,6 +66,10 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -66,6 +81,10 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: true diff --git a/declarative/declarations/configurations/security.passkey.attestation.yaml b/declarative/declarations/configurations/security.passkey.attestation.yaml index b8d62a8..da4c8e5 100644 --- a/declarative/declarations/configurations/security.passkey.attestation.yaml +++ b/declarative/declarations/configurations/security.passkey.attestation.yaml @@ -7,6 +7,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system 
@@ -15,13 +16,16 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple payloadkeys: - key: AttestationIdentityAssetReference title: Attestation identity asset reference. diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml index 7d9b0a4..2c8ecd6 100644 --- a/declarative/declarations/configurations/services.configuration-files.yaml +++ b/declarative/declarations/configurations/services.configuration-files.yaml @@ -8,13 +8,16 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple payloadkeys: - key: ServiceType title: Service Type diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml index 60b1823..aba0239 100644 --- a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system @@ -15,13 +16,16 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: multiple payloadkeys: - key: TargetOSVersion title: Target OS Version diff --git a/declarative/declarations/configurations/watch.enrollment.yaml b/declarative/declarations/configurations/watch.enrollment.yaml index 1ddd7bb..8d751bd 100644 --- a/declarative/declarations/configurations/watch.enrollment.yaml 
+++ b/declarative/declarations/configurations/watch.enrollment.yaml @@ -6,7 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system sharedipad: @@ -15,8 +15,11 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a + apply: single payloadkeys: - key: EnrollmentProfileURL title: Watch Enrollment Profile's URL. diff --git a/declarative/declarations/declarationbase.yaml b/declarative/declarations/declarationbase.yaml index 1a0ff3e..bfd6069 100644 --- a/declarative/declarations/declarationbase.yaml +++ b/declarative/declarations/declarationbase.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: @@ -19,12 +21,13 @@ payloadkeys: - key: Identifier type: presence: required - content: A string uniquely identifying this declaration. + content: A string uniquely identifying this declaration. The size of this string + should not exceed 64 octets. A UUID string value is a good choice. - key: ServerToken type: presence: required content: A unique token generated by the server specifying a particular revision - of the declaration. + of the declaration. The size of this string should not exceed 64 octets. - key: Payload type: presence: required diff --git a/declarative/declarations/management/organization-info.yaml b/declarative/declarations/management/organization-info.yaml index 2e63695..bc26aa8 100644 --- a/declarative/declarations/management/organization-info.yaml +++ b/declarative/declarations/management/organization-info.yaml @@ -10,6 +10,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/management/properties.yaml b/declarative/declarations/management/properties.yaml index 5b3e212..560fc0d 100644 --- a/declarative/declarations/management/properties.yaml 
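Review bot: In declarationbase.yaml the new 64-octet limit on `Identifier` and `ServerToken` is given only as prose with "should not exceed", so the schema does not say what a client does with a longer value or in which encoding the octets are counted. If an over-long value were truncated rather than rejected, two declarations or two revisions could compare equal; the hunk does not show which behaviour applies, so it is worth stating. I would spell out both, for example `The size of this string must not exceed 64 octets when encoded as UTF-8; longer values are rejected.`, adjusted to the actual client behaviour. Servers that derive `ServerToken` from a digest should check the encoded length: a hex-encoded SHA-256 is exactly 64 octets, a hex-encoded SHA-512 is not.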
+++ b/declarative/declarations/management/properties.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/declarations/management/server-capabilities.yaml b/declarative/declarations/management/server-capabilities.yaml index 32a85ff..4028be0 100644 --- a/declarative/declarations/management/server-capabilities.yaml +++ b/declarative/declarations/management/server-capabilities.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/protocol/declarationitemsresponse.yaml b/declarative/protocol/declarationitemsresponse.yaml index 1dc6101..ba2590e 100644 --- a/declarative/protocol/declarationitemsresponse.yaml +++ b/declarative/protocol/declarationitemsresponse.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/protocol/statusreport.yaml b/declarative/protocol/statusreport.yaml index 96d01a0..179de24 100644 --- a/declarative/protocol/statusreport.yaml +++ b/declarative/protocol/statusreport.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/protocol/tokensresponse.yaml b/declarative/protocol/tokensresponse.yaml index df7f0d7..faadd96 100644 --- a/declarative/protocol/tokensresponse.yaml +++ b/declarative/protocol/tokensresponse.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml index 11fa2d9..683c805 100644 --- a/declarative/status/account.list.caldav.yaml +++ b/declarative/status/account.list.caldav.yaml 
@@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml index 061128c..7f25271 100644 --- a/declarative/status/account.list.carddav.yaml +++ b/declarative/status/account.list.carddav.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml index 10434f4..85f6cf0 100644 --- a/declarative/status/account.list.exchange.yaml +++ b/declarative/status/account.list.exchange.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml index ce93f60..3acaead 100644 --- a/declarative/status/account.list.google.yaml +++ b/declarative/status/account.list.google.yaml 
@@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml index 5c46ad1..6d31841 100644 --- a/declarative/status/account.list.ldap.yaml +++ b/declarative/status/account.list.ldap.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml index f2f4695..c3d429d 100644 --- a/declarative/status/account.list.mail.incoming.yaml +++ b/declarative/status/account.list.mail.incoming.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml index 99b4e5e..8610069 100644 --- a/declarative/status/account.list.mail.outgoing.yaml 
+++ b/declarative/status/account.list.mail.outgoing.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml index b2959cd..edb2daf 100644 --- a/declarative/status/account.list.subscribed-calendar.yaml +++ b/declarative/status/account.list.subscribed-calendar.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -17,13 +18,21 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: - user tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/app.managed.list.yaml b/declarative/status/app.managed.list.yaml index 0ff21ee..b421e19 100644 --- a/declarative/status/app.managed.list.yaml +++ b/declarative/status/app.managed.list.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.2' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -17,6 +18,8 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a beta: true @@ -25,7 +28,8 @@ payloadkeys: title: Status item value. type: presence: required - content: Status value. + content: An array of dictionaries that describe the device's declarative managed + apps. subkeytype: App subkeys: - key: status_value 
@@ -35,7 +39,7 @@ payloadkeys: title: Unique identifier of the app. type: presence: required - content: The unique identifier of the app. This will be the app's bundle id. + content: The app's bundle id, which is unique. - key: _removed title: Indicates removal of the app. type: @@ -58,13 +62,9 @@ payloadkeys: title: External version id type: presence: optional - content: The application's external version ID. This can also be retrieved from - the store from the "contentMetadataLookupUrl" from the VPPServiceConfigSrv - endpoint. In the response from uclient-api.itunes.apple.com URL, there's a - key named "externalId" at the path results..offers[0].version.externalId. - If the current external version identifier of an app on the store does not - match the external version identifier reported by the device, there may be - an app update available for the device. + content: |- + The app's external version ID. You can also retrieve this value from the store through the contentMetadataLookupUrl of VPPServiceConfigSrv . + In the response from 'uclient-api.itunes.apple.com' URL, there's an 'externalId' at the path 'results..offers[0].version.externalId'. If the current external version identifier of an app on the store doesn't match the external version identifier reported by the device, there may be an app update available for the device. - key: version title: Version type: 
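Review bot: The rewritten "External version id" description (second hunk on this line, app.managed.list.yaml) still carries the path `results..offers[0].version.externalId`. The empty segment between the two dots looks like a placeholder lost in an earlier edit, presumably the app's store identifier. The new text also leaves a stray space in `VPPServiceConfigSrv .`. I would write the path with an explicit placeholder, e.g. `results.<app-id>.offers[0].version.externalId` (placeholder name to be confirmed), and close up the space before the period.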
@@ -91,17 +91,18 @@ payloadkeys: - managed-but-uninstalled - failed content: |- - The status of the app. - * optional - the app is optional and the user has to trigger its installation - * queued - installation of the app has started - * prompting-for-consent - a prompt is being shown to the user to proceed with app installation - * prompting-for-login - a prompt to sign in to the App Store is being shown to the user to allow installation - * prompting-for-management - a prompt is being shown to the user to allow changing the installed app to a managed app - * downloading - an update is being downloaded - * installing - the app is being installed - * managed - the app is installed and managed - * managed-but-uninstalled - the app is managed, but has been removed by the user. If installed again, it will be managed - * failed - the app installation has failed + The status of the app, which has the following possible values: + + * 'optional': The app is optional and the user has to trigger its installation. + * 'queued': Installation of the app started. + * 'prompting-for-consent': The system is displaying a prompt to the user to proceed with app installation. + * 'prompting-for-login': The system is displaying an App Store sign-in prompt to the user to allow app installation. + * 'prompting-for-management': The system is displaying a prompt to the user to allow changing the installed app to a managed app. + * 'downloading': The system is downloading an app update. + * 'installing': The system is installing an app update. + * 'managed': The app is installed and managed. + * 'managed-but-uninstalled': The app is managed, but the user removed it. The app remains managed if the system installs it again. + * 'failed': An app update failed. - key: update-state title: Managed application update status type: 
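Review bot: The rewritten app status list in app.managed.list.yaml now describes two install states as update states: `'installing'` reads "The system is installing an app update" and `'failed'` reads "An app update failed", where the removed text said the app is being installed and the installation failed. That makes this key's `failed` read the same as `update-state`'s `failed`, so a server author working from the schema cannot tell an install failure from an update failure. The `update-state` hunk that follows has the mirror problem: `'prompting-for-update'` and `'prompting-for-update-login'` now end in "app installation" although the prompt concerns an update. Suggested wording: `* 'installing': The system is installing the app.` and `* 'failed': The app installation failed.` here, and "to proceed with the app update" / "to allow the app update" in the update-state list.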
@@ -113,17 +114,21 @@ payloadkeys: - updating - failed content: |- - The update status of the app. This key is only present when the "state" key is set to "managed" and when there is an app update available. - * available - an update is available for the app - * prompting-for-update - a prompt is being shown to the user to proceed with app update - * prompting-for-update-login - a prompt to sign in to the App Store is being shown to the user to allow app update - * updating - the app is being updated - * failed - the app update has failed + The update status of the app, which has the following possible values: + + * 'available': An update is available for the app. + * 'prompting-for-update': The system is displaying a prompt to the user to proceed with app installation. + * 'prompting-for-update-login': The system is displaying an App Store sign-in prompt to the user to allow app installation. + * 'updating': The app is updating. + * 'failed': The app update failed. + + This key is only present if 'state' is 'managed' and an update is available. - key: reasons title: Status Reasons type: presence: optional - content: Additional detail about app state, including errors. + content: An array that contains additional details about the app state, including + errors. subkeytype: StatusReason subkeys: - key: _reasons @@ -136,17 +141,17 @@ payloadkeys: title: Error Code type: presence: required - content: The error code for this error. + content: A code for the state. - key: description title: Error Description type: presence: optional - content: The description of this error. + content: A description of the state. - key: details title: Error Details type: presence: optional - content: A dictionary that contains further details about this error. + content: A dictionary that contains additional details about the state. subkeys: - key: ANY type: 
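Review bot: In the status-reason sub-keys (last hunk on this line) the descriptions now say "A code for the state" and "A description of the state", while the titles remain `Error Code`, `Error Description` and `Error Details`. Title and content then disagree on whether these fields carry only errors, and generated documentation will show both. If the fields can report non-error reasons, the titles should follow, e.g. `title: Reason Code`; if they are error-only, the content should keep the word "error". The key names themselves sit outside the changed lines, so this is a wording change only.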
diff --git a/declarative/status/device.identifier.serial-number.yaml b/declarative/status/device.identifier.serial-number.yaml index 6cecef9..c3cd141 100644 --- a/declarative/status/device.identifier.serial-number.yaml +++ b/declarative/status/device.identifier.serial-number.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: @@ -17,7 +18,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system @@ -25,6 +26,14 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + visionOS: + introduced: '1.1' + allowed-enrollments: - device - local allowed-scopes: @@ -32,7 +41,7 @@ payload: watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.identifier.udid.yaml b/declarative/status/device.identifier.udid.yaml index bc4d0b2..09503df 100644 --- a/declarative/status/device.identifier.udid.yaml +++ b/declarative/status/device.identifier.udid.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: @@ -17,7 +18,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system @@ -25,6 +26,14 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised + - device + - local + allowed-scopes: + - system + visionOS: + introduced: '1.1' + allowed-enrollments: - device - local allowed-scopes: @@ -32,7 +41,7 @@ payload: watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml index 93133c3..4085ac4 100644 --- a/declarative/status/device.model.family.yaml +++ b/declarative/status/device.model.family.yaml 
@@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml index 05293bc..ea9d640 100644 --- a/declarative/status/device.model.identifier.yaml +++ b/declarative/status/device.model.identifier.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml index ade021f..72881ee 100644 --- a/declarative/status/device.model.marketing-name.yaml +++ b/declarative/status/device.model.marketing-name.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.model.number.yaml b/declarative/status/device.model.number.yaml index 0ac7101..d867e7d 100644 --- a/declarative/status/device.model.number.yaml +++ b/declarative/status/device.model.number.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '17.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml index 0dbec7f..d9ac145 100644 --- a/declarative/status/device.operating-system.build-version.yaml +++ b/declarative/status/device.operating-system.build-version.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml index e4fb9de..0ec0ba1 100644 --- a/declarative/status/device.operating-system.family.yaml +++ b/declarative/status/device.operating-system.family.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml index 585f1a7..155b93d 100644 --- a/declarative/status/device.operating-system.marketing-name.yaml +++ b/declarative/status/device.operating-system.marketing-name.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index 71d9201..c8ffe3c 100644 --- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.1' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.1' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index 5e6756a..f1f22a9 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.1' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.1' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml index e63050c..824e478 100644 --- a/declarative/status/device.operating-system.version.yaml +++ b/declarative/status/device.operating-system.version.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/device.power.battery-health.yaml b/declarative/status/device.power.battery-health.yaml index ec2b77b..55df950 100644 --- a/declarative/status/device.power.battery-health.yaml +++ b/declarative/status/device.power.battery-health.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device - local allowed-scopes: @@ -14,9 +15,16 @@ payload: allowed-scopes: - system macOS: - introduced: n/a + introduced: '14.4' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: 
@@ -32,9 +40,11 @@ payloadkeys: - unsupported content: |- The battery health status, which has the following values: - * 'non-genuine' - the battery isn't a genuine Apple battery. - * 'normal' - the battery is operating normally. - * 'service-recommended' - the system recommends battery service. - * 'unknown' - the system couldn't determine battery health information. - * 'unsupported' - the device doesn't support battery health reporting. - This field is available in iOS 17 and later on iPhone only. iPad returns 'unsupported'. + + * 'non-genuine': The battery isn't a genuine Apple battery. + * 'normal': The battery is operating normally. + * 'service-recommended': The system recommends battery service. + * 'unknown': The system couldn't determine battery health information. + * 'unsupported': The device doesn't support battery health reporting. + + Available in iOS 17 and later on iPhone only, and macOS 14.4 and later on Apple silicon Mac computers. iPad and Intel-based Macs return 'unsupported'. diff --git a/declarative/status/diskmanagement.filevault.enabled.yaml b/declarative/status/diskmanagement.filevault.enabled.yaml index 696d263..511814d 100644 --- a/declarative/status/diskmanagement.filevault.enabled.yaml +++ b/declarative/status/diskmanagement.filevault.enabled.yaml @@ -8,12 +8,14 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml index 5dc2ba2..92f2d05 100644 --- a/declarative/status/management.client-capabilities.yaml +++ b/declarative/status/management.client-capabilities.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user allowed-scopes: 
@@ -17,7 +18,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user allowed-scopes: - system @@ -25,13 +26,21 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system payloadkeys: diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml index 4887f0d..d031363 100644 --- a/declarative/status/management.declarations.yaml +++ b/declarative/status/management.declarations.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '15.0' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -17,7 +18,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user allowed-scopes: - system @@ -25,13 +26,21 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system payloadkeys: diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index 1166a35..05f429e 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -19,13 +20,21 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system payloadkeys: 
@@ -50,8 +59,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the app is removed and the status item object only contains - this key and the 'identifier' key. + content: To indicate removal of an app, this key's value is set to true, and + only this key and the "identifier" key will be present in the status item + object. - key: name title: App name type: @@ -102,4 +112,4 @@ payloadkeys: - update-rejected - management-rejected - failed - content: The status of the app reported by ManagedApplicationListCommand. + content: The status of the app that ManagedApplicationListCommand reports. diff --git a/declarative/status/passcode.is-compliant.yaml b/declarative/status/passcode.is-compliant.yaml index 2f18cc3..7ae00fe 100644 --- a/declarative/status/passcode.is-compliant.yaml +++ b/declarative/status/passcode.is-compliant.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -19,10 +20,18 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/passcode.is-present.yaml b/declarative/status/passcode.is-present.yaml index 1c1b8b1..394ccde 100644 --- a/declarative/status/passcode.is-present.yaml +++ b/declarative/status/passcode.is-present.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -19,10 +20,18 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system 
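Review bot: The rewritten `_removed` description in mdm.app.yaml (hunk at -50,8) writes the key name as "identifier" in double quotes and leaves true unquoted. The line it replaces, and the other descriptions reworded in this commit (for example 'ConnectionGroupUUID'), put literal values and key names in single quotes. The same wording appears in the certificate `_removed` description in security.certificate.list.yaml. I would keep the existing convention: `this key's value is set to 'true', and only this key and the 'identifier' key will be present in the status item object`. The `payloadkeys` list continues outside the hunk.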
diff --git a/declarative/status/screensharing.connection.group.unresolved-connection.yaml b/declarative/status/screensharing.connection.group.unresolved-connection.yaml index 76c03b0..63a2a53 100644 --- a/declarative/status/screensharing.connection.group.unresolved-connection.yaml +++ b/declarative/status/screensharing.connection.group.unresolved-connection.yaml @@ -9,7 +9,7 @@ payload: macOS: introduced: '14.1' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -17,6 +17,8 @@ payload: - user tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: @@ -24,7 +26,7 @@ payloadkeys: title: Connection Groups status type: presence: required - content: Status value. + content: A status item that contains an array of unresolved connection groups. subkeytype: UnresolvedGroup subkeys: - key: unresolved_group @@ -34,8 +36,7 @@ payloadkeys: title: Unique identifier of the connection group. type: presence: required - content: The unique identifier (i.e., ConnectionGroupUUID) of the connection - group. + content: The unique 'ConnectionGroupUUID' identifier of the connection group. - key: _removed title: Indicates removal of the unresolved connection group. type: @@ -48,8 +49,8 @@ payloadkeys: title: Unique identifiers of unresolved connections. type: presence: optional - content: An array of ConnectionUUID values (as specifed by the 'Members' key - in the group's declaration) which were not resolved. + content: An array of 'ConnectionUUID' values specified in the 'Members' key + in the group's declaration for the unresolved connections. subkeys: - key: ConnectionUUID title: Connection Unique Identifier diff --git a/declarative/status/security.certificate.list.yaml b/declarative/status/security.certificate.list.yaml index a314d8f..17c0b3c 100644 --- a/declarative/status/security.certificate.list.yaml +++ b/declarative/status/security.certificate.list.yaml 
@@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '17.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system @@ -60,8 +70,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the certificate is removed and the status item object only - contains this key and the 'identifier' key. + content: To indicate removal of a certificate, this key's value is set to true, + and only this key and the "identifier" key will be present in the status item + object. - key: declaration-identifier title: Asset declaration identifier. type: diff --git a/declarative/status/services.background-task.yaml b/declarative/status/services.background-task.yaml index 47b1d3b..8f43c99 100644 --- a/declarative/status/services.background-task.yaml +++ b/declarative/status/services.background-task.yaml @@ -8,12 +8,14 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/softwareupdate.failure-reason.yaml b/declarative/status/softwareupdate.failure-reason.yaml index 417c1da..2bd3753 100644 --- a/declarative/status/softwareupdate.failure-reason.yaml +++ b/declarative/status/softwareupdate.failure-reason.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system 
@@ -15,11 +16,13 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/softwareupdate.install-reason.yaml b/declarative/status/softwareupdate.install-reason.yaml index 35bb3f5..6753f15 100644 --- a/declarative/status/softwareupdate.install-reason.yaml +++ b/declarative/status/softwareupdate.install-reason.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system @@ -15,11 +16,13 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/softwareupdate.install-state.yaml b/declarative/status/softwareupdate.install-state.yaml index a4b5bf6..983e55b 100644 --- a/declarative/status/softwareupdate.install-state.yaml +++ b/declarative/status/softwareupdate.install-state.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system @@ -15,11 +16,13 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: @@ -34,7 +37,8 @@ payloadkeys: - installing - failed content: |- - The software update install status: + The software update install status, which has the following values: + * 'none': There's no software update pending, and any previous software update succeeded. * 'waiting': A software update is waiting to start. * 'downloading': The system is downloading data for a software update. diff --git a/declarative/status/softwareupdate.pending-version.yaml b/declarative/status/softwareupdate.pending-version.yaml index 635f92f..d74c929 100644 
--- a/declarative/status/softwareupdate.pending-version.yaml +++ b/declarative/status/softwareupdate.pending-version.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '17.0' allowed-enrollments: + - supervised - device allowed-scopes: - system @@ -15,11 +16,13 @@ payload: macOS: introduced: '14.0' allowed-enrollments: - - device + - supervised allowed-scopes: - system tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/declarative/status/statusreason.yaml b/declarative/status/statusreason.yaml index 4727ab1..2b0f886 100644 --- a/declarative/status/statusreason.yaml +++ b/declarative/status/statusreason.yaml @@ -9,6 +9,8 @@ payload: introduced: '13.0' tvOS: introduced: '16.0' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: diff --git a/declarative/status/test.array-value.yaml b/declarative/status/test.array-value.yaml index 48c732d..14d07b5 100644 --- a/declarative/status/test.array-value.yaml +++ b/declarative/status/test.array-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/test.boolean-value.yaml b/declarative/status/test.boolean-value.yaml index 6d4a76b..6ea1a6f 100644 --- a/declarative/status/test.boolean-value.yaml +++ b/declarative/status/test.boolean-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local 
@@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/test.dictionary-value.yaml b/declarative/status/test.dictionary-value.yaml index 5512cd6..8f40710 100644 --- a/declarative/status/test.dictionary-value.yaml +++ b/declarative/status/test.dictionary-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/test.error-value.yaml b/declarative/status/test.error-value.yaml index ed33ca9..05a1526 100644 --- a/declarative/status/test.error-value.yaml +++ b/declarative/status/test.error-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: 
@@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/test.integer-value.yaml b/declarative/status/test.integer-value.yaml index 0ea68ad..5ff5717 100644 --- a/declarative/status/test.integer-value.yaml +++ b/declarative/status/test.integer-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/declarative/status/test.real-value.yaml b/declarative/status/test.real-value.yaml index 8640f44..dbc6115 100644 --- a/declarative/status/test.real-value.yaml +++ b/declarative/status/test.real-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system 
diff --git a/declarative/status/test.string-value.yaml b/declarative/status/test.string-value.yaml index 73b926e..0b89288 100644 --- a/declarative/status/test.string-value.yaml +++ b/declarative/status/test.string-value.yaml @@ -6,6 +6,7 @@ payload: iOS: introduced: '16.0' allowed-enrollments: + - supervised - device - user - local @@ -18,7 +19,7 @@ payload: macOS: introduced: '13.0' allowed-enrollments: - - device + - supervised - user - local allowed-scopes: @@ -27,14 +28,23 @@ payload: tvOS: introduced: '16.0' allowed-enrollments: + - supervised - device - local allowed-scopes: - system + visionOS: + introduced: '1.1' + allowed-enrollments: + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: - - device + - supervised - local allowed-scopes: - system diff --git a/docs/errata.md b/docs/errata.md index 9c97ebd..61f7611 100644 --- a/docs/errata.md +++ b/docs/errata.md 
@@ -4,12 +4,20 @@ This document lists errata for the YAML schema. This is used when older versions ## iOS 17 / macOS 14 +### profiles/com.apple.education.yaml + +The `GroupBeaconIDs` key in the `DepartmentsItem` dictionary in the `com.apple.education` profile payload incorrectly listed its type as an array of `string`. The correct type is an array of `integer`. + ### profiles/com.apple.vpn.managed.yaml The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed. The `PPTP` VPNType has not been supported since iOS 10 and macOS 10.12, see https://support.apple.com/en-us/HT206844. The `PPTP` VPNType has been removed. +There were a number of keys in the VPN dictionary that were implied to appear in other VPN types. These keys have now been explicitly added in all VPN types. + +The `ActionParameters` key in the profile payload has always been an array of dictionaries. + ### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep. @@ -35,3 +43,7 @@ The `contrast` key in the `com.apple.universalaccess` profile payload incorrectl ### profiles/com.apple.extensiblesso.yaml The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated. + +### profiles/com.apple.dnsSettings.managed + +The `ActionParameters` key in the `com.apple.dnsSettings.managed` profile payload has always been an array of dictionaries. diff --git a/docs/schema.md b/docs/schema.md index a208698..e4a7658 100644 --- a/docs/schema.md +++ b/docs/schema.md 
@@ -35,13 +35,14 @@ The definition of the schema used here is in the `schema.yaml` file. That file c | iOS | object | Supported features on this iOS | | macOS | object | Supported features on this macOS | | tvOS | object | Supported features on this tvOS | +| visionOS | object | Supported features on this visionOS | | watchOS | object | Supported features on this watchOS | __Notes__ The `supportedOS` object is used in the `payload` object to indicate overall support for this object on each OS, as well as which enrollment modes are supported per OS. The `supportedOS` key may also appear on any payload key defined in `payloadkeys` or `responsekeys` array item objects. Each payload key is assumed to "inherit" the `supportedOS` values from the `payload` object, but that is then updated with any items in the key's own `supportedOS` object if present. This also overriding specific values in `supportedOS` on a per-key basis without the need to duplicate the entire `supportedOS` value from the `payload`. -### iOS, macOS, tvOS, watchOS Objects +### iOS, macOS, tvOS, visionOS, watchOS Objects | Name | Type | Description | |---------------------|---------|-------------| diff --git a/docs/schema.yaml b/docs/schema.yaml index cc2af83..314ae97 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml @@ -79,6 +79,7 @@ properties: items: type: string enum: + - supervised - device - user - local @@ -155,6 +156,7 @@ properties: description: Indicates that this payload should be considered a beta release for this OS. It may change in an incompatible way prior to final release. macOS: *supportedOSItem tvOS: *supportedOSItem + visionOS: *supportedOSItem watchOS: *supportedOSItem apply: type: string 
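Review bot: The `allowed-enrollments` enum in docs/schema.yaml (hunk at -79,6) gains `supervised`, but neither this hunk nor the docs/schema.md hunk before it defines the value next to the enum. The difference from `device` is explained only in the README release notes. The same commit replaces `device` with `supervised` in every macOS entry, so a consumer that selects items by matching `device` will stop matching them, including compliance-relevant status items such as `diskmanagement.filevault.enabled`. I would state the meaning where the enum is declared, for example in the property's description: `supervised - a supervised device enrollment; device - an unsupervised device enrollment`. The description field is outside the hunk, so it may already say this.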
@@ -279,8 +281,8 @@ properties: * boolean-and - multiple values are combined using a logical AND operation * number-min - multiple or values are combined by using the smallest value * number-max - multiple or values are combined by using the largest value - * enum-lowest - multiple values with a rangelist are combined by using the value whose position is lowest in the range list - * enum-highest - multiple values with a rangelist are combined by using the value whose position is highest in the range list + * enum-first - multiple values with a rangelist are combined by using the value whose position is first in the range list + * enum-last - multiple values with a rangelist are combined by using the value whose position is last in the range list * first - multiple values are combined by using the first value that is processed * array-append - multiple values are combined by concatenating the values in each array into a new array * set-union - multiple values are combined by returning the unique union of all values in each array @@ -290,8 +292,8 @@ properties: - boolean-and - number-min - number-max - - enum-lowest - - enum-highest + - enum-first + - enum-last - first - array-append - set-union diff --git a/mdm/checkin/authenticate.yaml b/mdm/checkin/authenticate.yaml index 7cd91a7..1f75442 100644 --- a/mdm/checkin/authenticate.yaml +++ b/mdm/checkin/authenticate.yaml @@ -23,6 +23,12 @@ payload: tvOS: introduced: '10.2' supervised: false + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' supervised: false @@ -34,6 +40,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -45,6 +53,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
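Review bot: The combinetype hunks in docs/schema.yaml (-279,8 and -290,8) rename `enum-lowest`/`enum-highest` to `enum-first`/`enum-last` and leave no trace of the old names in the schema. A tool that still matches the old strings will not recognise the combine type and may fall back to its default way of merging conflicting declarations. The combine type decides which value wins when several configurations set the same key, so that silent fallback is worth ruling out. I would record the former name on each description line, e.g. `* enum-first - ... (named enum-lowest before the 17.4/14.4 release)`. The description block starts above the hunk.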
@@ -56,6 +66,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -79,6 +91,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID (Unique Device ID). @@ -94,6 +109,9 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + userenrollment: + mode: required watchOS: introduced: n/a type: @@ -105,6 +123,8 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation @@ -116,6 +136,8 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation @@ -127,6 +149,8 @@ payloadkeys: iOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation @@ -144,6 +168,10 @@ payloadkeys: accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation @@ -161,6 +189,10 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation @@ -178,6 +210,10 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowQueryDeviceInformation diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml index 9bab959..efc8c04 100644 
--- a/mdm/checkin/checkout.yaml +++ b/mdm/checkin/checkout.yaml @@ -23,6 +23,12 @@ payload: tvOS: introduced: '10.2' supervised: false + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' supervised: false @@ -43,6 +49,9 @@ payloadkeys: iOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID (Unique Device ID). @@ -58,6 +67,9 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + userenrollment: + mode: required watchOS: introduced: n/a type: diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index 9cc3072..7aa384c 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -25,6 +25,12 @@ payload: introduced: '16.0' supervised: false requiresdep: false + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' supervised: false @@ -58,6 +64,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID. @@ -71,6 +80,9 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + userenrollment: + mode: required watchOS: introduced: n/a type: @@ -86,6 +98,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -100,6 +114,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -116,6 +132,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -131,6 +149,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
diff --git a/mdm/checkin/getbootstraptoken.yaml b/mdm/checkin/getbootstraptoken.yaml index 25ce5c3..5554762 100644 --- a/mdm/checkin/getbootstraptoken.yaml +++ b/mdm/checkin/getbootstraptoken.yaml @@ -3,6 +3,8 @@ description: Check-in protocol get bootstrap token data. payload: requesttype: GetBootstrapToken supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.15' devicechannel: true @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Check-in protocol get bootstrap token data request and response. payloadkeys: - key: MessageType diff --git a/mdm/checkin/gettoken.yaml b/mdm/checkin/gettoken.yaml index 6fbae51..08bfaff 100644 --- a/mdm/checkin/gettoken.yaml +++ b/mdm/checkin/gettoken.yaml @@ -23,6 +23,12 @@ payload: mode: allowed tvOS: introduced: n/a + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: n/a content: Check-in protocol get token data request and response. @@ -55,6 +61,8 @@ payloadkeys: mode: forbidden macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: A security token to generate the server token. Required by the 'com.apple.watch.pairing' @@ -69,6 +77,8 @@ payloadkeys: mode: forbidden macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The identifier of the phone paired to the watch. Required by the 'com.apple.watch.pairing' @@ -83,6 +93,8 @@ payloadkeys: mode: forbidden macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The identifier of the watch paired to the phone. Required by the 'com.apple.watch.pairing' @@ -95,6 +107,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID. 
@@ -106,6 +121,9 @@ payloadkeys: macOS: userenrollment: mode: required + visionOS: + userenrollment: + mode: required type: presence: required content: A per-enrollment identifier that identifies the device for user enrollments. @@ -117,6 +135,8 @@ payloadkeys: devicechannel: false userenrollment: mode: required + visionOS: + introduced: n/a type: presence: required content: A per-enrollment identifier that identifies the user for user enrollments. @@ -127,6 +147,8 @@ payloadkeys: mode: required macOS: devicechannel: false + visionOS: + introduced: n/a type: presence: optional content: On Shared iPad, this value returns the Managed Apple ID of the user. When @@ -139,6 +161,8 @@ payloadkeys: mode: required macOS: devicechannel: false + visionOS: + introduced: n/a type: presence: optional content: In macOS, this value returns the ID of the user. On Shared iPad, this value @@ -149,6 +173,8 @@ payloadkeys: introduced: n/a macOS: devicechannel: false + visionOS: + introduced: n/a type: presence: required content: The full name of the user. diff --git a/mdm/checkin/setbootstraptoken.yaml b/mdm/checkin/setbootstraptoken.yaml index bfe0436..3864d45 100644 --- a/mdm/checkin/setbootstraptoken.yaml +++ b/mdm/checkin/setbootstraptoken.yaml @@ -3,6 +3,8 @@ description: Check-in protocol set bootstrap token data. payload: requesttype: SetBootstrapToken supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.15' devicechannel: true @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Check-in protocol set bootstrap token data request and response. payloadkeys: - key: MessageType diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml index e1ea2ad..e5a2a1a 100644 --- a/mdm/checkin/tokenupdate.yaml +++ b/mdm/checkin/tokenupdate.yaml 
@@ -23,6 +23,12 @@ payload: tvOS: introduced: '10.2' supervised: false + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' supervised: false @@ -35,6 +41,8 @@ payloadkeys: macOS: introduced: '10.11' devicechannel: false + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -58,6 +66,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID. @@ -73,6 +84,9 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + userenrollment: + mode: required watchOS: introduced: n/a type: @@ -90,6 +104,8 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -106,6 +122,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -123,6 +141,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -138,6 +158,8 @@ payloadkeys: devicechannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -161,6 +183,10 @@ payloadkeys: mode: forbidden macOS: introduced: n/a + visionOS: + accessrights: AllowPasscodeRemovalAndLock + userenrollment: + mode: forbidden watchOS: accessrights: AllowPasscodeRemovalAndLock type: diff --git a/mdm/checkin/userauthenticate.yaml b/mdm/checkin/userauthenticate.yaml index 4d8c5d2..5b415bc 100644 --- a/mdm/checkin/userauthenticate.yaml +++ b/mdm/checkin/userauthenticate.yaml @@ -3,6 +3,8 @@ description: Authenticate network or mobile users with MDM. payload: requesttype: UserAuthenticate supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' devicechannel: false 
@@ -10,6 +12,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Authenticate network or mobile users with MDM. payloadkeys: - key: MessageType diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml index 3bc1e87..13011e9 100644 --- a/mdm/commands/account.configuration.yaml +++ b/mdm/commands/account.configuration.yaml @@ -4,6 +4,8 @@ description: This command can be sent to the device to have it create the local payload: requesttype: AccountConfiguration supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' accessrights: None @@ -12,6 +14,12 @@ payload: requiresdep: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: When a macOS (v10.11 and later) device is configured via DEP to enroll in an MDM server and the DEP profile has the await_device_configuration flag set to true, the AccountConfiguration command can be sent to the device to have it diff --git a/mdm/commands/application.extensions.listactive.yaml b/mdm/commands/application.extensions.listactive.yaml index 599e866..57978b4 100644 --- a/mdm/commands/application.extensions.listactive.yaml +++ b/mdm/commands/application.extensions.listactive.yaml @@ -3,6 +3,8 @@ description: Returns information about the active NSExtensions for a particular payload: requesttype: ActiveNSExtensions supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' accessrights: QueryInstalledApps @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Returns information about the active NSExtensions for a particular user. NSExtensions are installed and enabled at the user level. There is no concept of "device" NSExtensions. 
diff --git a/mdm/commands/application.extensions.mappings.yaml b/mdm/commands/application.extensions.mappings.yaml index 558ffb9..893755d 100644 --- a/mdm/commands/application.extensions.mappings.yaml +++ b/mdm/commands/application.extensions.mappings.yaml @@ -3,6 +3,8 @@ description: This command returns information about installed extensions for a u payload: requesttype: NSExtensionMappings supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' accessrights: QueryInstalledApps @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- This command returns information about installed extensions for a user. The purpose of this command is to allow the server to build a mapping of diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml index 3c600ec..d5b77fa 100644 --- a/mdm/commands/application.install.enterprise.yaml +++ b/mdm/commands/application.install.enterprise.yaml @@ -5,6 +5,8 @@ description: This command allows the server to install enterprise applications o payload: requesttype: InstallEnterpriseApplication supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.13.6 accessrights: AllowAppInstallation @@ -13,6 +15,12 @@ payload: requiresdep: false userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to install an application on a device. It provides a more secure version of 'InstallApplication' that specifies a 'ManifestURL'. payloadkeys: diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index 813d322..76dc133 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml 
@@ -33,6 +33,13 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowAppInstallation @@ -212,6 +219,8 @@ payloadkeys: introduced: '16.4' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -226,6 +235,8 @@ payloadkeys: introduced: '17.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -243,6 +254,9 @@ payloadkeys: introduced: '11.0' userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional rangelist: @@ -263,6 +277,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -280,6 +296,8 @@ payloadkeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index 03a1031..c1006cb 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml @@ -26,6 +26,13 @@ payload: introduced: '10.2' accessrights: AllowQueryApplications supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowQueryApplications + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowQueryApplications @@ -85,6 +92,7 @@ payloadkeys: - BetaApp - BundleSize - DeviceBasedVPP + - DistributorIdentifier - DynamicSize - ExternalVersionIdentifier - HasUpdateAvailable 
@@ -123,6 +131,22 @@ responsekeys: content: |- The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available. A newer version of an app might not be available for installation on the device for a variety of reasons. A common reason is that the device's operating system version or hardware is incompatible with the available version of the app. + - key: DistributorIdentifier + supportedOS: + iOS: + introduced: '17.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: The marketplace hosted application's distributor ID. This value is + available in iOS 17.4 and later. - key: Version type: presence: optional @@ -272,5 +296,5 @@ responsekeys: - key: Source type: presence: optional - content: Source of the application. This value will be set to "Declarative Device - Management" when the app is managed by Declarative Device Management. + content: The source of the application. When the app is managed by Declarative + Device Management this value is 'Declarative Device Management'. diff --git a/mdm/commands/application.invitetoprogram.yaml b/mdm/commands/application.invitetoprogram.yaml index 8cc9f5f..9cebc10 100644 --- a/mdm/commands/application.invitetoprogram.yaml +++ b/mdm/commands/application.invitetoprogram.yaml 
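Review bot: The new `DistributorIdentifier` response key in `application.installed.list.yaml` is described only as the marketplace-hosted app's distributor ID, and the text does not say what a server receives for an app that has no marketplace distributor. Because the key is `presence: optional`, an inventory that uses it to track app provenance cannot tell from the schema whether a missing key means "not distributed by a marketplace", "OS older than 17.4" or "key not requested". I would extend the `content` with one sentence stating when the key is omitted. The compound modifier also wants a hyphen: `The marketplace-hosted application's distributor ID`.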
@@ -22,6 +22,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows a server to invite a user to join a program. This command issues the invitation, but does not allow the server to monitor whether the user has joined the program. This command is supported in the user channel. This command diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index ea1378a..59a8f49 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -28,6 +28,13 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowAppInstallation diff --git a/mdm/commands/application.redemptioncode.yaml b/mdm/commands/application.redemptioncode.yaml index db844a6..433b184 100644 --- a/mdm/commands/application.redemptioncode.yaml +++ b/mdm/commands/application.redemptioncode.yaml @@ -13,6 +13,14 @@ payload: mode: forbidden userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: If a redemption code is needed during app installation, the server can use this command to complete the app installation. payloadkeys: diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml index cfc7657..b53f239 100644 --- a/mdm/commands/application.remove.yaml +++ b/mdm/commands/application.remove.yaml 
@@ -25,6 +25,13 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowAppInstallation diff --git a/mdm/commands/application.validate.yaml b/mdm/commands/application.validate.yaml index 9d2d45c..03b5f0e 100644 --- a/mdm/commands/application.validate.yaml +++ b/mdm/commands/application.validate.yaml @@ -15,10 +15,21 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a tvOS: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: This command allows the server to query for installed 3rd party applications. payloadkeys: - key: Identifiers diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml index ccb6ce5..66b6685 100644 --- a/mdm/commands/certificate.list.yaml +++ b/mdm/commands/certificate.list.yaml @@ -32,6 +32,13 @@ payload: introduced: '6.0' accessrights: AllowInspection supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowInspection + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowInspection diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml index 9a579ca..64f8948 100644 --- a/mdm/commands/declarativemanagement.yaml +++ b/mdm/commands/declarativemanagement.yaml @@ -27,6 +27,12 @@ payload: introduced: '16.0' supervised: false requiresdep: false + visionOS: + introduced: '1.1' + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' supervised: false 
diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml index 800d92b..62fb7db 100644 --- a/mdm/commands/device.activationlock.bypasscode.yaml +++ b/mdm/commands/device.activationlock.bypasscode.yaml @@ -21,6 +21,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Retrieves the Activation Lock bypass code from the device. This bypass code is only available for 15 days after supervision. responsekeys: diff --git a/mdm/commands/device.activationlock.clearbypasscode.yaml b/mdm/commands/device.activationlock.clearbypasscode.yaml index b6cd681..128b422 100644 --- a/mdm/commands/device.activationlock.clearbypasscode.yaml +++ b/mdm/commands/device.activationlock.clearbypasscode.yaml @@ -21,4 +21,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Clears the Activation Lock bypass code from the device. diff --git a/mdm/commands/device.configured.yaml b/mdm/commands/device.configured.yaml index aebba8d..e962e73 100644 --- a/mdm/commands/device.configured.yaml +++ b/mdm/commands/device.configured.yaml @@ -27,5 +27,9 @@ payload: introduced: '10.2' accessrights: None supervised: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Informs the device that it can continue past DEP enrollment. Only works on devices in DEP that have their cloud configuration set to await configuration. diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index e9b29bb..75a8869 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml 
@@ -27,6 +27,13 @@ payload: introduced: '10.2' accessrights: AllowDeviceErase supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowDeviceErase + supervised: false + requiresdep: false + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowDeviceErase @@ -42,6 +49,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -57,6 +66,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -73,6 +84,8 @@ payloadkeys: introduced: '10.8' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -87,6 +100,8 @@ payloadkeys: introduced: '12.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -117,6 +132,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/device.esim.yaml b/mdm/commands/device.esim.yaml index 371a085..7bace41 100644 --- a/mdm/commands/device.esim.yaml +++ b/mdm/commands/device.esim.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Instructs the device to query for active cellular plan eSIM "profiles" (not a profile in the MDM sense) at the designated carrier eSIM server URL. This command is only supported on cellular devices, and only diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml index b218e8f..da80d2e 100644 --- a/mdm/commands/device.lock.yaml +++ b/mdm/commands/device.lock.yaml @@ -23,6 +23,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: '10.0' accessrights: AllowPasscodeRemovalAndLock 
diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml index 4fe0289..0c577f7 100644 --- a/mdm/commands/device.lostmode.disable.yaml +++ b/mdm/commands/device.lostmode.disable.yaml @@ -14,4 +14,12 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to take the device out of MDM lost mode. diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml index d2f1f86..8e02907 100644 --- a/mdm/commands/device.lostmode.enable.yaml +++ b/mdm/commands/device.lostmode.enable.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to put the device in MDM lost mode, with a message, phone number, and footnote text. A message or phone number must be provided. diff --git a/mdm/commands/device.lostmode.location.yaml b/mdm/commands/device.lostmode.location.yaml index 3328072..964f296 100644 --- a/mdm/commands/device.lostmode.location.yaml +++ b/mdm/commands/device.lostmode.location.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a responsekeys: - key: Latitude type: diff --git a/mdm/commands/device.lostmode.playsound.yaml b/mdm/commands/device.lostmode.playsound.yaml index 102f84f..5d989c9 100644 --- a/mdm/commands/device.lostmode.playsound.yaml +++ b/mdm/commands/device.lostmode.playsound.yaml 
@@ -16,6 +16,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to tell the device to play a sound if it is in MDM Lost Mode. The sound will play until the device is either removed from Lost Mode or a user disables the sound from the device. diff --git a/mdm/commands/device.restart.yaml b/mdm/commands/device.restart.yaml index 9b26291..1c296ef 100644 --- a/mdm/commands/device.restart.yaml +++ b/mdm/commands/device.restart.yaml @@ -27,6 +27,10 @@ payload: introduced: '10.2' accessrights: AllowPasscodeRemovalAndLock supervised: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command requires the Device Lock access right. The device will restart immediately. payloadkeys: diff --git a/mdm/commands/device.restrictions.clearpassword.yaml b/mdm/commands/device.restrictions.clearpassword.yaml index c8a3d45..0481485 100644 --- a/mdm/commands/device.restrictions.clearpassword.yaml +++ b/mdm/commands/device.restrictions.clearpassword.yaml @@ -13,3 +13,11 @@ payload: mode: forbidden userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml index 6430972..150a111 100644 --- a/mdm/commands/device.restrictions.list.yaml +++ b/mdm/commands/device.restrictions.list.yaml @@ -16,10 +16,19 @@ payload: userchannel: true userenrollment: mode: forbidden + macOS: + introduced: n/a tvOS: introduced: '6.1' accessrights: AllowQueryRestrictions supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowQueryRestrictions + supervised: false + requiresdep: false + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowQueryRestrictions 
diff --git a/mdm/commands/device.shutdown.yaml b/mdm/commands/device.shutdown.yaml index b8d1e98..e442391 100644 --- a/mdm/commands/device.shutdown.yaml +++ b/mdm/commands/device.shutdown.yaml @@ -23,5 +23,11 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command requires the Device Lock access right. The device will shut down immediately. diff --git a/mdm/commands/information.contentcaching.yaml b/mdm/commands/information.contentcaching.yaml index 124bae3..71386a7 100644 --- a/mdm/commands/information.contentcaching.yaml +++ b/mdm/commands/information.contentcaching.yaml @@ -4,6 +4,8 @@ description: This command allows the server to query for information about Conte payload: requesttype: ContentCachingInformation supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.15.4 accessrights: AllowQueryNetworkInformation @@ -12,6 +14,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to query for information about Content Caching. responsekeys: - key: StatusResponse diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 59d8246..084e53c 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -27,6 +27,13 @@ payload: introduced: '6.0' accessrights: Special Case supervised: false + visionOS: + introduced: '1.1' + accessrights: Special Case + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: Special Case 
@@ -54,10 +61,14 @@ payloadkeys: mode: forbidden tvOS: accessrights: n/a + visionOS: + accessrights: n/a + userenrollment: + mode: forbidden watchOS: accessrights: n/a type: - content: The unique identifier of the device. + content: The key to get the unique identifier of the device. - key: ProvisioningUDID supportedOS: iOS: @@ -69,11 +80,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The device identifier for provisioning profiles. This value differs - from the UDID for Apple silicon. Available in macOS 11.3 and later. + content: The key to get the device identifier for provisioning profiles. This + value differs from the UDID for Apple silicon. Available in macOS 11.3 and + later. - key: OrganizationInfo supportedOS: iOS: @@ -84,10 +98,12 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: n/a + visionOS: + accessrights: n/a watchOS: accessrights: n/a type: - content: The contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. + content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. - key: MDMOptions supportedOS: iOS: @@ -98,10 +114,12 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: n/a + visionOS: + accessrights: n/a watchOS: introduced: '10.0' type: - content: The contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. + content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. - key: LastCloudBackupDate supportedOS: iOS: @@ -112,10 +130,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden watchOS: introduced: n/a type: - content: The date of the most recent iCloud backup. Available in iOS 8 and later. + content: The key to get the date of the most recent iCloud backup. Available + in iOS 8 and later. - key: AwaitingConfiguration supportedOS: iOS: 
@@ -131,12 +153,14 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: n/a + visionOS: + introduced: n/a watchOS: accessrights: n/a type: - content: Specifies whether the device is waiting for a DeviceConfigured or UserConfigured - command to continue through Setup Assistant on the device channel or user - channel, respectively. + content: The key to determine whether the device is waiting for a DeviceConfigured + or UserConfigured Command to continue through Setup Assistant on the device + channel or user channel, respectively. - key: iTunesStoreAccountIsActive supportedOS: iOS: @@ -152,11 +176,13 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowAppInstallation + visionOS: + introduced: n/a watchOS: accessrights: AllowAppInstallation type: - content: Specifies whether an iTunes Store account is active. Requires the App - Installation access right. + content: The key to determine whether iTunes Store account is active. Requires + the App Installation access right. - key: iTunesStoreAccountHash supportedOS: iOS: @@ -172,11 +198,13 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowAppInstallation + visionOS: + introduced: n/a watchOS: accessrights: AllowAppInstallation type: - content: A hash of the logged-in iTunes Store account. Also see GetVppUserRequest. - This value requires the App Installation access right. + content: The key to get a hash of the logged-in iTunes Store account. Also see + GetVppUserRequest. This value requires the App Installation access right. - key: DeviceName supportedOS: iOS: @@ -185,10 +213,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The device name. Requires the Device Information access right. + content: The key to get the device name. Requires the Device Information access + right. - key: OSVersion supportedOS: iOS: 
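Review bot: The reworded `AwaitingConfiguration` text capitalises `Command` in `UserConfigured Command`, where the removed line had `command` and the neighbouring descriptions use lower case. The `iTunesStoreAccountIsActive` hunk (`@@ -152,11 +176,13 @@`) drops an article in the same rewrite: `whether iTunes Store account is active` should read `whether an iTunes Store account is active`. Both slips are introduced by this change rather than inherited.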
@@ -197,11 +228,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The operating system version. Requires the Device Information access - right. + content: The key to get the operating system version. Requires the Device Information + access right. - key: SupplementalOSVersionExtra supportedOS: iOS: @@ -213,12 +246,14 @@ payloadkeys: tvOS: introduced: '16.1' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: - introduced: n/a + accessrights: AllowQueryDeviceInformation type: - content: The OS update rapid security response version letter, if a rapid security - response update is installed. This value requires the Device Information access - right. + content: The key to get the OS update rapid security response version letter, + if a rapid security response update is installed. This value requires the + Device Information access right. - key: BuildVersion supportedOS: iOS: @@ -227,11 +262,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The operating system version. This value requires the Device Information - access right. + content: The key to get the operating system version. This value requires the + Device Information access right. - key: SupplementalBuildVersion supportedOS: iOS: 
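Review bot: The watchOS entry for `SupplementalOSVersionExtra` changes from `introduced: n/a` to `accessrights: AllowQueryDeviceInformation` without an `introduced` value, while the tvOS entry beside it carries `introduced: '16.1'`. If a missing `introduced` falls back to the command-level watchOS value (an assumption; the fallback rule is not visible here), the schema would claim support on watchOS releases that predate the feature. I would add the first supporting release under `watchOS:`, for example `introduced: '<first watchOS version>'`. The `ModelNumber` hunk (`@@ -285,11 +328,14 @@`) makes the same change next to a tvOS `introduced: '16.4'`.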
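Review bot: The rewritten `BuildVersion` description still reads `The key to get the operating system version`, which is the same text as the `OSVersion` key two entries earlier. Since the line is being reworded anyway, it should name what the key returns: `content: The key to get the build version. This value requires the Device Information access right.` A server that compares build strings for patch compliance depends on the two keys being told apart in the schema.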
@@ -243,12 +280,14 @@ payloadkeys: tvOS: introduced: '16.1' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The build version for the currently installed rapid security response. - If there's no installed rapid security response, this value is the same as - 'BuildVersion'. Requires the Device Information access right. + content: The key to get the build version for the currently installed rapid + security response. If there's no installed rapid security response, this value + is the same as 'BuildVersion'. Requires the Device Information access right. - key: ModelName supportedOS: iOS: @@ -257,11 +296,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The model name, such as iPhone. Requires the Device Information access - right. + content: The key to get the model name, such as iPhone. Requires the Device + Information access right. - key: Model supportedOS: iOS: @@ -270,10 +311,12 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + introduced: n/a watchOS: accessrights: AllowQueryDeviceInformation type: - content: The model. Requires the Device Information access right. + content: The key to get the model. Requires the Device Information access right. - key: ModelNumber supportedOS: iOS: 
@@ -285,11 +328,14 @@ payloadkeys: tvOS: introduced: '16.4' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: - introduced: n/a + accessrights: AllowQueryDeviceInformation type: - content: The device's hardware model number including region info, such as 'MK1A3LL/A'. - Requires the Device Information access right. Requires Apple silicon on macOS. + content: The key to get the device's hardware model number including region + info, such as 'MK1A3LL/A'. Requires the Device Information access right. Requires + Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -299,11 +345,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device is a Mac with Apple silicon (for example, - an Apple M1 chip). Available in macOS 12 and later. + content: The key to determine whether the device is a Mac with Apple silicon + (for example, an Apple M1 chip). Available in macOS 12 and later. - key: ProductName supportedOS: iOS: @@ -312,11 +360,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The product name, such as iPad8,12. This value requires the Device - Information access right. + content: The key to get the product name, such as iPad8,12. This value requires + the Device Information access right. - key: SerialNumber supportedOS: iOS: 
@@ -329,10 +379,15 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: accessrights: AllowQueryDeviceInformation type: - content: The serial number. Requires the Device Information access right. + content: The key to get the serial number. Requires the Device Information access + right. - key: DeviceCapacity supportedOS: iOS: @@ -341,11 +396,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The device's total capacity. Requires the Device Information access - right. Available in iOS 4 and later, and macOS 10.7 and later. + content: The key to get the device's total capacity. Requires the Device Information + access right. Available in iOS 4 and later, and macOS 10.7 and later. - key: AvailableDeviceCapacity supportedOS: iOS: @@ -354,11 +411,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The available capacity. Requires the Device Information access right. - Available in iOS 4 and later, and macOS 10.7 and later. + content: The key to get the available capacity. Requires the Device Information + access right. Available in iOS 4 and later, and macOS 10.7 and later. - key: IMEI supportedOS: iOS: 
@@ -370,11 +429,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The International Mobile Equipment Identity (IMEI) number. Requires - the Device Information access right. Available as of iOS 4 and deprecated + content: The key to get the International Mobile Equipment Identity (IMEI) number. + Requires the Device Information access right. Available as of iOS 4 and deprecated in iOS 16. - key: MEID supportedOS: @@ -387,11 +448,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The mobile equipment ID (MEID). Requires the Device Information access - right. Available as of iOS 4 and deprecated in iOS 16. + content: The key to get the mobile equipment ID (MEID). Requires the Device + Information access right. Available as of iOS 4 and deprecated in iOS 16. - key: ModemFirmwareVersion supportedOS: iOS: @@ -402,11 +465,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The modem firmware version. Requires the Device Information access - right. Available in iOS 4 and later. + content: The key to get the modem firmware version. Requires the Device Information + access right. Available in iOS 4 and later. - key: CellularTechnology supportedOS: iOS: @@ -416,11 +481,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The cellular technology type. Requires the Device Information access - right. Available in iOS 4.2.6 and later. + content: The key to get the cellular technology type. Requires the Device Information + access right. Available in iOS 4.2.6 and later. - key: BatteryLevel supportedOS: iOS: 
@@ -431,11 +498,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The battery level. Requires the Device Information access right. Available - in iOS 5 and later. + content: The key to get the battery level. Requires the Device Information access + right. Available in iOS 5 and later. - key: HasBattery supportedOS: iOS: @@ -445,10 +514,12 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device has an internal battery. + content: The key to determine whether the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -459,12 +530,14 @@ payloadkeys: tvOS: introduced: '9.0' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether the device is supervised. Requires the Device Information - access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS - 9 and later. + content: The key to determine whether the device is supervised. Requires the + Device Information access right. Available in iOS 6 and later, macOS 10.15 + and later, and tvOS 9 and later. - key: IsMultiUser supportedOS: iOS: @@ -474,11 +547,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device is a Shared iPad. Requires the Device - Information access right. Available in iOS 9.3 and later. + content: The key to determine whether the device is a Shared iPad. Requires + the Device Information access right. Available in iOS 9.3 and later. - key: IsDeviceLocatorServiceEnabled supportedOS: iOS: 
@@ -488,12 +563,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether a device locator service such as Find My is enabled - on the device. Requires the Device Information access right. Available in - iOS 7 and later. + content: The key to determine whether the system enabled a device locator service + such as Find My on the device. Requires the Device Information access right. + Available in iOS 7 and later. - key: IsActivationLockEnabled supportedOS: iOS: @@ -510,13 +587,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: deprecated: '10.0' accessrights: AllowQueryDeviceInformation type: - content: Specifies whether Activation Lock is enabled on the device. Requires - the Device Information access right. Available as of iOS 7 and macOS 10.15, - and deprecated in iOS 16 and macOS 13. + content: The key to determine whether the system enabled Activation Lock on + the device. Requires the Device Information access right. Available as of + iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13. - key: IsActivationLockSupported supportedOS: iOS: @@ -528,12 +607,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device supports Activation Lock. Also see 'IsActivationLockManageable' - in SecurityInfoResponse.SecurityInfo.ManagementStatus. Available in macOS - 10.9 and later. + content: The key to determine whether the device supports Activation Lock. Also + see 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. + Available in macOS 10.9 and later. - key: IsDoNotDisturbInEffect supportedOS: iOS: 
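Review bot: The new wording `whether the system enabled a device locator service` describes who turned the feature on, whereas the removed line described the current state (`is enabled on the device`). The key name `IsDeviceLocatorServiceEnabled` reports a state, so I would keep that reading: `The key to determine whether a device locator service such as Find My is enabled on the device.` The same rewording appears for `IsActivationLockEnabled` (`@@ -510,13 +587,15 @@`) and for `IsCloudBackupEnabled` (`@@ -589,11 +679,16 @@`). These keys are read to judge lock and backup posture, so the description should not leave the state in doubt.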
@@ -545,11 +626,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether the device is in Do Not Disturb (DND) mode. Requires - the Device Information access right. Available in iOS 7 and later. + content: The key to determine whether the device is in Do Not Disturb (DND) + mode. Requires the Device Information access right. Available in iOS 7 and + later. - key: DeviceID supportedOS: iOS: @@ -559,11 +645,13 @@ payloadkeys: tvOS: introduced: '6.0' accessrights: AllowQueryDeviceInformation + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The device ID. Requires the Device Information access right. Available - in tvOS 6 and later. + content: The key to get the device ID. Requires the Device Information access + right. Available in tvOS 6 and later. - key: EASDeviceIdentifier supportedOS: iOS: @@ -573,11 +661,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: introduced: n/a type: - content: The device identifier for Exchange ActiveSync (EAS). Requires the Device - Information access right. Available in iOS 7 and later. + content: The key to get the device identifier for Exchange ActiveSync (EAS). + Requires the Device Information access right. Available in iOS 7 and later. - key: IsCloudBackupEnabled supportedOS: iOS: 
@@ -589,11 +679,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden watchOS: introduced: n/a type: - content: Specifies whether iCloud Backup is enabled on the device. Requires - the Device Information access right. Available in iOS 7.1 and later. + content: The key to determine whether the system enabled iCloud Backup on the + device. Requires the Device Information access right. Available in iOS 7.1 + and later. - key: ActiveManagedUsers supportedOS: iOS: @@ -604,11 +699,14 @@ payloadkeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: An array of directory GUIDs for logged-in managed users. Requires the - Device Information access right. Available in macOS 10.11 and later. + content: The key to get an array of directory GUIDs for logged-in managed users. + Requires the Device Information access right. Available in macOS 10.11 and + later. - key: OSUpdateSettings supportedOS: iOS: @@ -620,10 +718,12 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. + content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. Requires the Device Information access right. Available in macOS 10.11 and later. - key: LocalHostName @@ -635,10 +735,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The local hostname from Bonjour. Available in macOS 10.11 and later. + content: The key to get the local hostname from Bonjour. Available in macOS + 10.11 and later. - key: HostName supportedOS: iOS: 
@@ -648,10 +751,12 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The hostname. Available in macOS 10.11 and later. + content: The key to get the hostname. Available in macOS 10.11 and later. - key: AutoSetupAdminAccounts supportedOS: iOS: @@ -664,10 +769,12 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, + content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, which Setup Assistant automatically creates during enrollment. Requires the Device Information access right. Available in macOS 10.11 and later. - key: SystemIntegrityProtectionEnabled @@ -679,12 +786,14 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether System Integrity Protection is enabled on the device. - This value requires the Device Information access right, and is available - in macOS 10.12 and later. + content: The key to determine whether the system enabled System Integrity Protection + on the device. This value requires the Device Information access right, and + is available in macOS 10.12 and later. - key: SupportsLOMDevice supportedOS: iOS: 
@@ -694,11 +803,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device can receive 'PowerON', 'PowerOFF', and - 'Reset' commands from a lights-out management (LOM) controller. Available + content: The key to determine whether the device can receive 'PowerON', 'PowerOFF', + and 'Reset' commands from a lights-out management (LOM) controller. Available in macOS 11 and later. - key: IsMDMLostModeEnabled supportedOS: @@ -711,11 +822,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether Managed Lost Mode is enabled on the device. Requires - the Device Information access right. Available in iOS 9.3 and later. + content: The key to determine whether the system enabled Managed Lost Mode on + the device. Requires the Device Information access right. Available in iOS + 9.3 and later. - key: MaximumResidentUsers supportedOS: iOS: @@ -733,12 +847,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The maximum number of users that can use this Shared iPad device. In - iOS 13.4 and later, this value is always '32'. Requires the Device Information - access right. Available in iOS 9.3 and later. + content: The key to get the maximum number of users that can use this Shared + iPad device. In iOS 13.4 and later, this value is always '32'. Requires the + Device Information access right. Available in iOS 9.3 and later. - key: EstimatedResidentUsers supportedOS: iOS: 
@@ -756,12 +872,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The estimated number of users that can use this Shared iPad device, - according to the available space of the device and each user's quota. Requires - the Device Information access right. Available in iOS 14 and later. + content: The key to get the estimated number of users that can use this Shared + iPad device, according to the available space of the device and each user's + quota. Requires the Device Information access right. Available in iOS 14 and + later. - key: QuotaSize supportedOS: iOS: @@ -779,11 +898,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The quota size for each user on this Shared iPad device. Requires the - Device Information access right. Available in iOS 13.4 and later. + content: The key to get the quota size for each user on this Shared iPad device. + Requires the Device Information access right. Available in iOS 13.4 and later. - key: ResidentUsers supportedOS: iOS: @@ -801,11 +922,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The number of users currently on this Shared iPad device. Requires - the Device Information access right. Available in iOS 13.4 and later. + content: The key to get the number of users currently on this Shared iPad device. + Requires the Device Information access right. Available in iOS 13.4 and later. - key: UserSessionTimeout supportedOS: iOS: @@ -823,10 +946,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The timeout interval for the user session. + content: The key to get the timeout interval for the user session. - key: TemporarySessionTimeout supportedOS: iOS: 
@@ -844,10 +969,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The timeout interval for the temporary session. + content: The key to get the timeout interval for the temporary session. - key: TemporarySessionOnly supportedOS: iOS: @@ -865,10 +992,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device only allows temporary sessions. + content: The key to determine whether the device only allows temporary sessions. - key: ManagedAppleIDDefaultDomains supportedOS: iOS: @@ -886,11 +1015,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The list of domains that the device suggests on the Shared iPad login - screen. Available in iOS 16 and later. + content: The key to get the list of domains that the device suggests on the + Shared iPad login screen. Available in iOS 16 and later. - key: OnlineAuthenticationGracePeriod supportedOS: iOS: @@ -908,11 +1039,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The grace period for Shared iPad online authentication (in days). Available - in iOS 16 and later. + content: The key to get the grace period for Shared iPad online authentication + (in days). Available in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: iOS: @@ -930,10 +1063,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the system skips the language and country/region + content: The key to determine whether the system skips the language and country/region panes for new users on Shared iPad. - key: PushToken supportedOS: 
@@ -948,12 +1083,15 @@ payloadkeys: introduced: '10.12' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The push token for the current user-channel connection. The MDM server - ignores this query for the device channel. Requires the Device Information - access right. Available in iOS 9.3 and later, and macOS 10.12 and later. + content: The key to get the push token for the current user-channel connection. + The MDM server ignores this query for the device channel. Requires the Device + Information access right. Available in iOS 9.3 and later, and macOS 10.12 + and later. - key: DiagnosticSubmissionEnabled supportedOS: iOS: @@ -963,12 +1101,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether the diagnostic submission setting is enabled on the - device. Requires the Device Information access right. Available in iOS 9.3 - and later. + content: The key to determine whether the system enabled the diagnostic submission + setting on the device. Requires the Device Information access right. Available + in iOS 9.3 and later. - key: AppAnalyticsEnabled supportedOS: iOS: @@ -978,12 +1118,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: Specifies whether the device is sharing app analytics. Requires the - Device Information access right. Available in iOS 4 and later, and macOS 10.7 - and later. + content: The key to determine whether the device is sharing app analytics. Requires + the Device Information access right. Available in iOS 4 and later, and macOS + 10.7 and later. - key: TimeZone supportedOS: iOS: 
@@ -994,12 +1136,14 @@ payloadkeys: tvOS: introduced: '14.0' accessrights: AllowQueryDeviceInformation + visionOS: + accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: - content: The current Internet Assigned Numbers Authority (IANA) time zone database - name. Requires the Device Information access right. Available in iOS 14 and - later, and tvOS 14 and later. + content: The key to get the current Internet Assigned Numbers Authority (IANA) + time zone database name. Requires the Device Information access right. Available + in iOS 14 and later, and tvOS 14 and later. - key: ICCID supportedOS: iOS: @@ -1011,12 +1155,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The integrated circuit card (ICC) identifier for the installed SIM - card. Requires the Network Information access right. Available as of iOS 4 - and deprecated in iOS 16. + content: The key to get the integrated circuit card (ICC) identifier for the + installed SIM card. Requires the Network Information access right. Available + as of iOS 4 and deprecated in iOS 16. - key: BluetoothMAC supportedOS: iOS: @@ -1029,11 +1175,15 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryNetworkInformation + visionOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden watchOS: introduced: n/a type: - content: The Bluetooth media access control (MAC) address. Requires the Network - Information access right. + content: The key to get the Bluetooth media access control (MAC) address. Requires + the Network Information access right. - key: WiFiMAC supportedOS: iOS: 
@@ -1046,10 +1196,15 @@ payloadkeys: mode: forbidden tvOS: accessrights: AllowQueryNetworkInformation + visionOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden watchOS: accessrights: AllowQueryNetworkInformation type: - content: The Wi-Fi MAC address. Requires the Network Information access right. + content: The key to get the Wi-Fi MAC address. Requires the Network Information + access right. - key: EthernetMAC supportedOS: iOS: @@ -1060,11 +1215,13 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The primary Ethernet MAC address. Requires the Network Information - access right. Available in macOS 10.7 and later. + content: The key to get the primary Ethernet MAC address. Requires the Network + Information access right. Available in macOS 10.7 and later. - key: CurrentCarrierNetwork supportedOS: iOS: @@ -1076,11 +1233,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The name of the current carrier network. Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. + content: The key to get the name of the current carrier network. Requires the + Network Information access right. Available as of iOS 4 and deprecated in + iOS 16. - key: SIMCarrierNetwork supportedOS: iOS: @@ -1092,6 +1252,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1109,11 +1271,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The home carrier network. Requires the Network Information access right. - Available as of iOS 5 and deprecated in iOS 16. + content: The key to get the home carrier network. Requires the Network Information + access right. Available as of iOS 5 and deprecated in iOS 16. - key: CarrierSettingsVersion supportedOS: iOS: @@ -1125,11 +1289,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The version of the carrier settings.Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. + content: The key to get the version of the carrier settings. Requires the Network + Information access right. Available as of iOS 4 and deprecated in iOS 16. - key: PhoneNumber supportedOS: iOS: @@ -1141,12 +1307,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The raw phone number, without punctuation, and including the country - code. Requires the Network Information access right. Available as of iOS 4 - and deprecated in iOS 16. + content: The key to get the raw phone number, without punctuation, and including + the country code. Requires the Network Information access right. Available + as of iOS 4 and deprecated in iOS 16. - key: DataRoamingEnabled supportedOS: iOS: 
@@ -1158,11 +1326,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether data roaming is enabled on the device. Requires the - Network Information access right. Available in iOS 5 and later. + content: The key to determine whether the system enabled data roaming on the + device. Requires the Network Information access right. Available in iOS 5 + and later. - key: VoiceRoamingEnabled supportedOS: iOS: @@ -1175,12 +1346,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether voice roaming, which isn't available for all carriers, - is enabled on the device. Requires the Network Information access right. Available - as of iOS 5 and deprecated in iOS 16. + content: The key to determine whether the system enabled voice roaming on the + device, which isn't available for all carriers. Requires the Network Information + access right. Available as of iOS 5 and deprecated in iOS 16. - key: PersonalHotspotEnabled supportedOS: iOS: @@ -1192,12 +1365,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether Personal Hotspot, which isn't available for all carriers, - is enabled on the device. Requires the Network Information access right. Available - in iOS 7 and later. + content: The key to determine whether the system enabled Personal Hotspot on + the device, which isn't available for all carriers. Requires the Network Information + access right. Available in iOS 7 and later. - key: IsNetworkTethered supportedOS: iOS: 
@@ -1207,11 +1382,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device is network-tethered. Requires the Network - Information access right. Available in iOS 10.3 and later. + content: The key to determine whether the device is network-tethered. Requires + the Network Information access right. Available in iOS 10.3 and later. - key: IsRoaming supportedOS: iOS: @@ -1223,11 +1400,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device is roaming. Requires the Network Information - access right. Available in iOS 4.2 and later. + content: The key to determine whether the device is roaming. Requires the Network + Information access right. Available in iOS 4.2 and later. - key: SubscriberMCC supportedOS: iOS: @@ -1240,11 +1419,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The home mobile country code. Requires the Network Information access - right. Available as of iOS 4.2.6 and deprecated in iOS 16. + content: The key to get the home mobile country code. Requires the Network Information + access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: SubscriberMNC supportedOS: iOS: @@ -1257,11 +1438,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The home mobile network code. Requires the Network Information access - right. Available as of iOS 4.2.6 and deprecated in iOS 16. + content: The key to get the home mobile network code. Requires the Network Information + access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: CurrentMCC supportedOS: iOS: 
@@ -1273,11 +1456,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The current mobile country code (MCC). Requires the Network Information - access right. It's available as of iOS 4 and deprecated in iOS 16. + content: The key to get the current mobile country code (MCC). Requires the + Network Information access right. It's available as of iOS 4 and deprecated + in iOS 16. - key: CurrentMNC supportedOS: iOS: @@ -1289,11 +1475,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The current mobile network code (MNC). Requires the Network Information - access right. Available as of iOS 4 and deprecated in iOS 16. + content: The key to get the current mobile network code (MNC). Requires the + Network Information access right. Available as of iOS 4 and deprecated in + iOS 16. - key: ServiceSubscriptions supportedOS: iOS: @@ -1305,10 +1494,12 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. + content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. Requires the Network Information access right. - key: PINRequiredForEraseDevice supportedOS: @@ -1321,9 +1512,11 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a type: - content: Specifies whether the EraseDeviceCommand requires a PIN. Available - in macOS 11 and later. + content: The key to determine whether the EraseDeviceCommand requires a PIN. + Available in macOS 11 and later. - key: PINRequiredForDeviceLock supportedOS: iOS: 
@@ -1335,11 +1528,13 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the DeviceLockCommand requires a PIN. Available in - macOS 11 and later. + content: The key to determine whether the DeviceLockCommand requires a PIN. + Available in macOS 11 and later. - key: SupportsiOSAppInstalls supportedOS: iOS: @@ -1349,11 +1544,13 @@ payloadkeys: accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the macOS device supports iOS/iPadOS app installs. - Available in macOS 11 and later. + content: The key to determine whether the macOS device supports iOS or iPadOS + app installs. Available in macOS 11 and later. - key: SoftwareUpdateDeviceID supportedOS: iOS: @@ -1366,12 +1563,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden watchOS: introduced: n/a type: - content: The device identifier that you use to look up available OS updates - through . Available in iOS 15 and later, and - macOS 12 and later. + content: The key to get the device identifier that you use to look up available + OS updates through . Available in iOS 15 and + later, and macOS 12 and later. - key: SoftwareUpdateSettings supportedOS: iOS: @@ -1382,11 +1582,13 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: The device settings that control which updates appear in the Software - Update pane in Settings. Available in iOS 14.5 and later. + content: The key to get the device settings that control which updates appear + in the Software Update pane in Settings. Available in iOS 14.5 and later. - key: AccessibilitySettings supportedOS: iOS: 
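Review bot: In the SoftwareUpdateDeviceID hunk (-1366,12 +1563,15) the rewrapped `content` still reads `look up available OS updates through . Available in iOS 15 and later`, so the sentence names no lookup service. Unless the link was simply lost when this page was rendered, the reference should be restored in the schema text rather than carried over into the new wording. The added `visionOS:` entry holds only `userenrollment: mode: forbidden`, and the availability sentence lists iOS and macOS only, so this key does not say which visionOS release or access right applies. Since the text describes this identifier as what a server uses to look up available OS updates, I would name visionOS in the availability sentence. The key's iOS and macOS entries begin outside the hunk.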
@@ -1401,25 +1603,30 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: - content: The current state of settable accessibility settings. Available in - iOS 16 and later. + content: The key to get the current state of settable accessibility settings. + Available in iOS 16 and later. - key: DevicePropertiesAttestation supportedOS: iOS: introduced: '16.0' - supervised: false userenrollment: mode: allowed macOS: introduced: '14.0' tvOS: introduced: '16.0' + visionOS: + userenrollment: + mode: allowed type: - content: An attestation of the device's properties. Available in iOS 16 and - later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. + content: The key to get an attestation of the device's properties. Available + in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 + and later. - key: EACSPreflight supportedOS: iOS: @@ -1432,22 +1639,26 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: - content: Specifies whether the device can perform an EraseDeviceCommand using - Erase All Content and Settings (EACS). + content: The key to determine whether the device can perform an EraseDeviceCommand + using Erase All Content and Settings (EACS). - key: DeviceAttestationNonce supportedOS: iOS: introduced: '16.0' - supervised: false userenrollment: mode: allowed macOS: introduced: '14.0' tvOS: introduced: '16.0' + visionOS: + userenrollment: + mode: allowed type: presence: optional content: |- @@ -1473,6 +1684,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1530,6 +1743,8 @@ responsekeys: subkeys: - key: ActivationLockAllowedWhileSupervised supportedOS: + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
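Review bot: The DevicePropertiesAttestation part of hunk -1401,25 +1603,30 adds a `visionOS:` entry with `userenrollment: mode: allowed`, but the rewritten `content` still ends `tvOS 16 and later, and watchOS 10 and later`, so the availability sentence and the `supportedOS` block disagree about visionOS. The response-key hunk at -2736,13 +3081,15 repeats the same sentence. The hunk also drops `supervised: false` from the iOS entry, as does the DeviceAttestationNonce hunk (-1432,22 +1639,26). Assuming a missing value falls back to the command-level setting, which is not visible here, it is worth confirming that the fallback is not supervised-only, because a server that gates attestation requests on this schema would then stop requesting attestation from unsupervised and user-enrolled devices. I would add the visionOS release to the availability sentence in both places.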
@@ -1547,6 +1762,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1562,6 +1779,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1592,6 +1811,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: '10.2' + visionOS: + introduced: n/a type: content: |- If 'true' on the device channel, the device is still waiting for a DeviceConfiguredCommand to continue through Setup Assistant. @@ -1604,6 +1825,8 @@ responsekeys: introduced: '10.9' tvOS: introduced: '9.0' + visionOS: + introduced: n/a type: content: If 'true', the device has an active iTunes Store account. Requires the App Installation access right. @@ -1615,6 +1838,8 @@ responsekeys: introduced: '10.10' tvOS: introduced: '9.0' + visionOS: + introduced: n/a type: content: A hash of the logged-in iTunes Store account. Also see GetVppUserRequest. Requires the App Installation access right. @@ -1627,8 +1852,12 @@ responsekeys: right. - key: SupplementalOSVersionExtra supportedOS: - watchOS: - introduced: n/a + iOS: + introduced: '16.1' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.1' type: content: The OS update rapid security response version letter. - key: BuildVersion @@ -1636,6 +1865,13 @@ responsekeys: content: The operating system version. Requires the Device Information access right. - key: SupplementalBuildVersion + supportedOS: + iOS: + introduced: '16.1' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.1' type: content: The supplemental OS build version. - key: ModelName 
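Review bot: The SupplementalOSVersionExtra hunk (-1627,8 +1852,12) deletes the `watchOS:` entry with `introduced: n/a` and adds iOS, macOS and tvOS versions, leaving no entry for watchOS or the new visionOS; SupplementalBuildVersion (-1636,6 +1865,13) gets the same three platforms and nothing else. If consumers treat a missing per-OS entry as inheriting the command's own availability, both keys now read as supported on watchOS and visionOS. A server that uses them to judge rapid security response patch level could then read an absent value as a reporting fault or an unpatched device. Unless support was really added there, keep `watchOS:` with `introduced: n/a` and add a matching `visionOS:` entry, as the neighbouring keys in this commit do. The ModelNumber hunk (-1643,12 +1879,12) removes a watchOS `n/a` the same way and deserves the same check.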
@@ -1643,12 +1879,12 @@ responsekeys: content: The model name, such as iPhone. Requires the Device Information access right. - key: Model + supportedOS: + visionOS: + introduced: n/a type: content: The model. Requires the Device Information access right. - key: ModelNumber - supportedOS: - watchOS: - introduced: n/a type: content: The device's hardware model number including region info, for example, 'MK1A3LL/A'. Requires the Device Information access right. Requires Apple silicon @@ -1661,6 +1897,8 @@ responsekeys: introduced: '12.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1698,6 +1936,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1712,6 +1952,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1723,6 +1965,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1736,6 +1980,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1773,6 +2019,8 @@ responsekeys: introduced: '13.3' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1797,6 +2045,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1823,6 +2073,8 @@ responsekeys: deprecated: '13.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: deprecated: '10.0' type: @@ -1837,6 +2089,8 @@ responsekeys: introduced: '10.9' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1863,6 +2117,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1877,6 +2133,8 @@ responsekeys: introduced: n/a tvOS: introduced: '6.0' + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1916,6 +2174,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1934,6 +2194,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1988,6 +2250,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2000,6 +2264,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2012,6 +2278,8 @@ responsekeys: introduced: '10.11' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2038,6 +2306,8 @@ responsekeys: introduced: '10.12' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2051,6 +2321,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: content: If 'true', the device has enabled Managed Lost Mode. Requires the Device Information access right. Available in iOS 9.3 and later. @@ -2062,6 +2334,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2076,6 +2350,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2090,6 +2366,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2103,6 +2381,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2116,6 +2396,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2129,6 +2411,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2142,6 +2426,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2154,6 +2440,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2170,6 +2458,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2184,6 +2474,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2197,6 +2489,8 @@ responsekeys: introduced: '10.12' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2246,6 +2540,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2268,6 +2564,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2281,6 +2579,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2294,6 +2594,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2307,6 +2609,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2320,6 +2624,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2333,6 +2639,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2347,6 +2655,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2361,6 +2671,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2376,6 +2688,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2390,6 +2704,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2404,6 +2720,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2417,6 +2735,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2429,6 +2749,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2442,6 +2764,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2456,6 +2780,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2469,6 +2795,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2482,6 +2810,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2495,6 +2825,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2590,6 +2922,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2603,6 +2937,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2616,6 +2952,8 @@ responsekeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2633,6 +2971,9 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden watchOS: introduced: n/a type: 
@@ -2649,6 +2990,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2677,6 +3020,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: @@ -2736,13 +3081,15 @@ responsekeys: supportedOS: iOS: introduced: '16.0' - supervised: false userenrollment: mode: allowed macOS: introduced: '14.0' tvOS: introduced: '16.0' + visionOS: + userenrollment: + mode: allowed type: content: The key to get an attestation of the device's properties. Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and @@ -2760,6 +3107,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml index 7b19007..836a140 100644 --- a/mdm/commands/information.security.yaml +++ b/mdm/commands/information.security.yaml @@ -27,6 +27,13 @@ payload: introduced: '6.0' accessrights: AllowQuerySecurity supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowQuerySecurity + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowQuerySecurity @@ -58,6 +65,9 @@ responsekeys: mode: forbidden macOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden type: content: If 'true', the device has a passcode. This value is available in iOS 4 and later, and tvOS 6 and later. @@ -76,6 +86,9 @@ responsekeys: mode: forbidden macOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden type: content: If 'true', the user's passcode is compliant with requirements from profiles. This key doesn't apply to User-Enrolled devices. This value is available in 
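Review bot: The `content` text at the end of the `@@ -2736,13 +3081,15 @@` hunk still names only iOS, macOS, tvOS and watchOS, although the hunk adds a `visionOS` entry with `userenrollment: mode: allowed` for the attestation key. Attestation results typically feed device-trust decisions, so the prose and the `supportedOS` map should agree; I would add a visionOS clause to that sentence, e.g. `visionOS <VERSION> and later`, taking the version from the command-level `visionOS` entry, which is outside this hunk. The new entry also has no `introduced` of its own, so a comment such as `# introduced: inherited from the command-level visionOS entry` would help consumers that read response keys in isolation, if that is the inheritance rule this schema uses. The description sentence continues past the end of the hunk.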
@@ -88,6 +101,9 @@ responsekeys: mode: forbidden macOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden type: content: The user preference for the number of seconds before a locked screen requires the device passcode to unlock it. This value is only available for @@ -100,6 +116,9 @@ responsekeys: mode: forbidden macOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden type: content: The enforced value for the number of seconds before a locked screen requires the device passcode to unlock it. If a device has a passcode, changing 'PasscodeLockGracePeriod' @@ -117,6 +136,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -131,6 +152,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -147,6 +170,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -163,6 +188,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -179,6 +206,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -197,6 +226,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -216,6 +247,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -230,6 +263,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -291,6 +326,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -325,6 +362,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -336,6 +375,8 @@ responsekeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -357,6 +398,8 @@ responsekeys: introduced: '10.15' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -371,6 +414,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -427,6 +472,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -441,6 +488,8 @@ responsekeys: userchannel: false tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -457,6 +506,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -478,6 +529,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -495,6 +548,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -512,6 +567,8 @@ responsekeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/lom.devicerequest.yaml b/mdm/commands/lom.devicerequest.yaml index 4684dd0..c349ca1 100644 --- a/mdm/commands/lom.devicerequest.yaml +++ b/mdm/commands/lom.devicerequest.yaml @@ -3,6 +3,8 @@ description: Issues LOM requests to devices. payload: requesttype: LOMDeviceRequest supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.0' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Used to send LOM requests ("PowerON", "PowerOFF", "Reset") to LOM Controller which then forwards the request to LOM Devices. payloadkeys: 
diff --git a/mdm/commands/lom.setuprequest.yaml b/mdm/commands/lom.setuprequest.yaml index 2ddf0ad..c02bc0c 100644 --- a/mdm/commands/lom.setuprequest.yaml +++ b/mdm/commands/lom.setuprequest.yaml @@ -4,6 +4,8 @@ description: Queries the device for LOM setup information such as IP addresses, payload: requesttype: LOMSetupRequest supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.0' accessrights: DeviceLockAndRemovePasscode @@ -12,6 +14,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Queries the device for LOM setup information such as IP addresses, protocol version, etc. The MDM server must send this command prior to sending the LOMDeviceRequest command. diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index 9f4fcc2..15ab8f1 100644 --- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -15,10 +15,19 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a tvOS: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowAppInstallation @@ -143,6 +152,8 @@ responsekeys: introduced: '16.4' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -158,6 +169,8 @@ responsekeys: introduced: '17.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml index c3cea80..6d5ef19 100644 --- a/mdm/commands/managed.application.configuration.yaml +++ b/mdm/commands/managed.application.configuration.yaml 
@@ -30,6 +30,13 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowAppInstallation diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml index ba16522..6334be6 100644 --- a/mdm/commands/managed.application.feedback.yaml +++ b/mdm/commands/managed.application.feedback.yaml @@ -26,6 +26,15 @@ payload: introduced: '10.2' accessrights: AllowAppInstallation supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: This command queries the device for application feedback information. This command requires the App Management right. The response will not include apps that are managed by Declarative Device Management. diff --git a/mdm/commands/media.install.yaml b/mdm/commands/media.install.yaml index 716a134..adb385e 100644 --- a/mdm/commands/media.install.yaml +++ b/mdm/commands/media.install.yaml @@ -23,6 +23,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to install a book on a device. If the book is already being managed, this command will update the book. payloadkeys: diff --git a/mdm/commands/media.managed.list.yaml b/mdm/commands/media.managed.list.yaml index a1d0607..8289a50 100644 --- a/mdm/commands/media.managed.list.yaml +++ b/mdm/commands/media.managed.list.yaml 
@@ -14,6 +14,14 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to query for installed 3rd party applications. responsekeys: - key: Books diff --git a/mdm/commands/media.remove.yaml b/mdm/commands/media.remove.yaml index accd593..12c1ce8 100644 --- a/mdm/commands/media.remove.yaml +++ b/mdm/commands/media.remove.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows an MDM server to remove managed media. This command returns Acknowledged even if the item is not found. payloadkeys: diff --git a/mdm/commands/mirroring.request.yaml b/mdm/commands/mirroring.request.yaml index 42f68b9..f30c2f2 100644 --- a/mdm/commands/mirroring.request.yaml +++ b/mdm/commands/mirroring.request.yaml @@ -22,6 +22,12 @@ payload: requiresdep: false userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command prompts the user to share their screen using AirPlay Mirroring. payloadkeys: - key: DestinationName diff --git a/mdm/commands/mirroring.stop.yaml b/mdm/commands/mirroring.stop.yaml index a118b51..09ed9aa 100644 --- a/mdm/commands/mirroring.stop.yaml +++ b/mdm/commands/mirroring.stop.yaml @@ -22,4 +22,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command stops AirPlay mirroring. diff --git a/mdm/commands/passcode.clear.yaml b/mdm/commands/passcode.clear.yaml index 0f2431d..7fac86c 100644 --- a/mdm/commands/passcode.clear.yaml +++ b/mdm/commands/passcode.clear.yaml 
@@ -13,6 +13,17 @@ payload: mode: forbidden userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + accessrights: AllowPasscodeRemovalAndLock + supervised: false + requiresdep: false + userenrollment: + mode: forbidden watchOS: introduced: '10.0' accessrights: AllowPasscodeRemovalAndLock diff --git a/mdm/commands/passcode.firmware.set.yaml b/mdm/commands/passcode.firmware.set.yaml index b85fd55..d566399 100644 --- a/mdm/commands/passcode.firmware.set.yaml +++ b/mdm/commands/passcode.firmware.set.yaml @@ -3,6 +3,8 @@ description: Changes or clears the firmware password for the device. payload: requesttype: SetFirmwarePassword supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Changes or clears the firmware password for the device. Requires the "Device lock and passcode removal right". This command is not available on Apple silicon devices. diff --git a/mdm/commands/passcode.firmware.verify.yaml b/mdm/commands/passcode.firmware.verify.yaml index 11a7e51..a4934d5 100644 --- a/mdm/commands/passcode.firmware.verify.yaml +++ b/mdm/commands/passcode.firmware.verify.yaml @@ -3,6 +3,8 @@ description: Verifies the device's firmware password. payload: requesttype: VerifyFirmwarePassword supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' accessrights: None @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Verifies the device's firmware password. This command is not available on Apple silicon devices. payloadkeys: diff --git a/mdm/commands/passcode.recovery.set.yaml b/mdm/commands/passcode.recovery.set.yaml index 1d3995d..35a2d13 100644 
--- a/mdm/commands/passcode.recovery.set.yaml +++ b/mdm/commands/passcode.recovery.set.yaml @@ -3,6 +3,8 @@ description: Sets or clears the recovery lock password (AppleSilicon devices onl payload: requesttype: SetRecoveryLock supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.5' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Sets or clears the recovery lock password (Apple Silicon devices only). Requires the "Device lock and passcode removal right". payloadkeys: diff --git a/mdm/commands/passcode.recovery.verify.yaml b/mdm/commands/passcode.recovery.verify.yaml index cb27f88..cf72fb1 100644 --- a/mdm/commands/passcode.recovery.verify.yaml +++ b/mdm/commands/passcode.recovery.verify.yaml @@ -3,6 +3,8 @@ description: Verifies the device's recovery lock password. (AppleSilicon devices payload: requesttype: VerifyRecoveryLock supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.5' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Verifies the device's recovery lock password. (AppleSilicon devices only) payloadkeys: - key: Password diff --git a/mdm/commands/passcode.unlocktoken.yaml b/mdm/commands/passcode.unlocktoken.yaml index 2dc1a5f..66693ff 100644 --- a/mdm/commands/passcode.unlocktoken.yaml +++ b/mdm/commands/passcode.unlocktoken.yaml @@ -13,6 +13,14 @@ payload: mode: forbidden userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command requests an UnlockToken from the device. Pass this token to the ClearPasscode command to unlock the device. responsekeys: 
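Review bot: In the passcode.unlocktoken.yaml hunk the new `visionOS: introduced: n/a` (and `watchOS: introduced: n/a`) sits next to a `content` line that still says to pass the token from this command to ClearPasscode, while passcode.clear.yaml in this same diff marks ClearPasscode as introduced in visionOS '1.1'. A reader implementing passcode clearing for visionOS is left without a pointer to where the unlock token comes from on platforms where this request is unavailable. I would add one sentence to `content`, along the lines of `On platforms where this command is not available, use the UnlockToken the device supplied at enrollment.`, after confirming that is the intended source. Because the token allows removing a device passcode, the description should also make clear that it is the server's job to store it securely.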
diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml index 380b614..4bef89f 100644 --- a/mdm/commands/profile.install.yaml +++ b/mdm/commands/profile.install.yaml @@ -29,6 +29,13 @@ payload: introduced: '6.0' accessrights: AllowInstallationRemoval supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowInstallationRemoval + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowInstallationRemoval diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml index c05462d..f4f7ac0 100644 --- a/mdm/commands/profile.list.yaml +++ b/mdm/commands/profile.list.yaml @@ -28,6 +28,13 @@ payload: introduced: '6.0' accessrights: AllowInspection supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowInspection + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowInspection diff --git a/mdm/commands/profile.provisioning.install.yaml b/mdm/commands/profile.provisioning.install.yaml index 93ff48c..65c1044 100644 --- a/mdm/commands/profile.provisioning.install.yaml +++ b/mdm/commands/profile.provisioning.install.yaml 
@@ -29,13 +29,20 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInstallationRemoval supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowProvisioningInstallationRemoval supervised: false content: This command allows the server to install a provisioning profile. No error occurs if the provisioning profile is already installed. This command requires - the Provisioning Profile Installation and Removal right. On macOS, this command + the Provisioning Profile Installation and Removal right. On macOS, this command is for iOS and iPadOS style provisioning profiles only. payloadkeys: - key: ProvisioningProfile diff --git a/mdm/commands/profile.provisioning.list.yaml b/mdm/commands/profile.provisioning.list.yaml index 0969bf0..91b2cf6 100644 --- a/mdm/commands/profile.provisioning.list.yaml +++ b/mdm/commands/profile.provisioning.list.yaml @@ -29,6 +29,13 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInspection supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowProvisioningInspection + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowProvisioningInspection diff --git a/mdm/commands/profile.provisioning.remove.yaml b/mdm/commands/profile.provisioning.remove.yaml index 0b5e756..c845dae 100644 --- a/mdm/commands/profile.provisioning.remove.yaml +++ b/mdm/commands/profile.provisioning.remove.yaml @@ -28,6 +28,13 @@ payload: introduced: '10.2' accessrights: AllowProvisioningInstallationRemoval supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowProvisioningInstallationRemoval 
diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml index 5ffdd2a..8aca7a9 100644 --- a/mdm/commands/profile.remove.yaml +++ b/mdm/commands/profile.remove.yaml @@ -27,6 +27,13 @@ payload: introduced: '6.0' accessrights: AllowInstallationRemoval supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowInstallationRemoval + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowInstallationRemoval diff --git a/mdm/commands/remotedesktop.disable.yaml b/mdm/commands/remotedesktop.disable.yaml index 6eaf356..2fd99fe 100644 --- a/mdm/commands/remotedesktop.disable.yaml +++ b/mdm/commands/remotedesktop.disable.yaml @@ -3,6 +3,8 @@ description: Disable Remote Desktop on the device. payload: requesttype: DisableRemoteDesktop supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.14.4 devicechannel: true @@ -11,4 +13,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Disable Remote Desktop. diff --git a/mdm/commands/remotedesktop.enable.yaml b/mdm/commands/remotedesktop.enable.yaml index 94448ea..4014b91 100644 --- a/mdm/commands/remotedesktop.enable.yaml +++ b/mdm/commands/remotedesktop.enable.yaml @@ -3,6 +3,8 @@ description: Enable Remote Desktop on the device. payload: requesttype: EnableRemoteDesktop supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.14.4 devicechannel: true @@ -11,4 +13,10 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Enable Remote Desktop. diff --git a/mdm/commands/rotate.file.vault.key.yaml b/mdm/commands/rotate.file.vault.key.yaml index a6d6fa8..93244c4 100644 --- a/mdm/commands/rotate.file.vault.key.yaml +++ b/mdm/commands/rotate.file.vault.key.yaml 
@@ -3,6 +3,8 @@ description: This command allows for changing a device's FileVaultMaster passwor payload: requesttype: RotateFileVaultKey supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows for changing a device's FileVaultMaster password. payloadkeys: - key: KeyType diff --git a/mdm/commands/set.auto.admin.password.yaml b/mdm/commands/set.auto.admin.password.yaml index a188d53..ec401ea 100644 --- a/mdm/commands/set.auto.admin.password.yaml +++ b/mdm/commands/set.auto.admin.password.yaml @@ -4,6 +4,8 @@ description: Allows changing the password of a local admin account that was crea payload: requesttype: SetAutoAdminPassword supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' accessrights: None @@ -12,6 +14,12 @@ payload: requiresdep: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Allows changing the password of a local admin account that was created by Setup Assistant during DEP enrollment via the AccountConfiguration command. payloadkeys: diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index a0dc9ea..12f40ba 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -26,6 +26,13 @@ payload: introduced: '6.0' accessrights: AllowSettings supervised: false + visionOS: + introduced: '1.1' + accessrights: AllowSettings + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowSettings @@ -54,6 +61,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -82,9 +91,12 @@ payloadkeys: - 3 content: |- A number that indicates where to use the wallpaper, which is one of the following values: + * '1': Lock screen * '2': Home screen - * '3': Lock and Home screens + * '3': Both lock and home screens. + + In iOS 16 and later, and iPadOS 17 and later, when you set the wallpaper for the first time, the system sets both the lock screen and home screen. After that, you can separately set each location. - key: DataRoaming supportedOS: iOS: @@ -98,6 +110,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -131,6 +145,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -165,6 +181,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -200,6 +218,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -236,6 +256,8 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: AllowAppInstallation + visionOS: + accessrights: AllowAppInstallation watchOS: accessrights: AllowAppInstallation type: @@ -282,6 +304,8 @@ payloadkeys: tvOS: introduced: '10.2' accessrights: AllowAppInstallation + visionOS: + accessrights: AllowAppInstallation watchOS: accessrights: AllowAppInstallation type: @@ -393,6 +417,8 @@ payloadkeys: introduced: '16.4' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -407,6 +433,8 @@ payloadkeys: introduced: '17.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -428,6 +456,8 @@ payloadkeys: introduced: '10.10' userenrollment: mode: forbidden + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -456,6 +486,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -551,6 +583,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -588,6 +622,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -600,6 +636,8 @@ payloadkeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -626,6 +664,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -662,6 +702,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -785,9 +827,7 @@ payloadkeys: content: |- The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds. If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode. - If the value set is less than one of the known - values, the next lowest value will be used. For example a value of 299 will - result in an effective setting of 60. + If the value set is less than one of the known values, the next lowest value will be used. For example a value of 299 will result in an effective setting of 60. This setting won't take effect if 'TemporarySessionOnly' is 'true' because there's no passcode for a temporary session. - key: AutoLockTime type: @@ -808,6 +848,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -841,6 +883,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -875,6 +919,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -922,6 +968,8 @@ payloadkeys: tvOS: introduced: '14.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -957,6 +1005,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -999,6 +1049,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index 3967391..e775fdc 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml @@ -29,6 +29,10 @@ payload: devicechannel: true supervised: true requiresdep: false + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Queries the device for a list of available OS updates. On OS X, a ScheduleOSUpdateScan must be performed to update the results returned by this query. responsekeys: diff --git a/mdm/commands/system.update.scan.yaml b/mdm/commands/system.update.scan.yaml index 2837efd..9dba837 100644 --- a/mdm/commands/system.update.scan.yaml +++ b/mdm/commands/system.update.scan.yaml @@ -3,6 +3,8 @@ description: Requests that the device perform a background scan for OS updates. payload: requesttype: ScheduleOSUpdateScan supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' accessrights: None @@ -12,6 +14,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Requests that the device perform a background scan for OS updates. payloadkeys: - key: Force diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml index 8ff3e3e..32166c2 100644 --- a/mdm/commands/system.update.schedule.yaml +++ b/mdm/commands/system.update.schedule.yaml 
@@ -29,6 +29,10 @@ payload: devicechannel: true supervised: true requiresdep: false + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to schedule an OS update. payloadkeys: - key: Updates diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml index 96c96a3..3ae9709 100644 --- a/mdm/commands/system.update.status.yaml +++ b/mdm/commands/system.update.status.yaml @@ -29,6 +29,10 @@ payload: devicechannel: true supervised: true requiresdep: false + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Queries the device for the status of software updates. responsekeys: - key: OSUpdateStatus diff --git a/mdm/commands/user.configured.yaml b/mdm/commands/user.configured.yaml index 3ac79fc..cfc3e07 100644 --- a/mdm/commands/user.configured.yaml +++ b/mdm/commands/user.configured.yaml @@ -15,6 +15,14 @@ payload: userchannel: true userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Informs the device that it can continue past Setup Assistant and finish login. Only works on Shared iPads that have the AwaitUserConfiguration feature enabled. diff --git a/mdm/commands/user.delete.yaml b/mdm/commands/user.delete.yaml index e139a75..332f081 100644 --- a/mdm/commands/user.delete.yaml +++ b/mdm/commands/user.delete.yaml @@ -24,13 +24,20 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to delete a user that has an active account on the device. payloadkeys: - key: UserName type: - presence: required - content: The user name of the account to delete. + presence: optional + content: The user name of the account to delete. This key is required when the value + for DeleteAllUsers is absent or false. - key: ForceDeletion supportedOS: macOS: 
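Review bot: Changing `UserName` to `presence: optional` in the user.delete.yaml hunk moves the real rule ("required when DeleteAllUsers is absent or false") into free-text `content`, so a validator generated from this schema will now accept a delete-user payload that carries neither `UserName` nor a true `DeleteAllUsers`. For a destructive command that ambiguity is worth closing on the consumer side: servers should reject a payload with neither key set rather than forward it and rely on the device to refuse. I would record that next to the key with a comment such as `# conditional: required unless DeleteAllUsers is true; not expressible in presence, enforce in the validator`, and mirror the sentence on the `DeleteAllUsers` key, which is outside this hunk. The `payloadkeys` list continues past the end of the hunk.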
diff --git a/mdm/commands/user.list.yaml b/mdm/commands/user.list.yaml index 8905182..db33c93 100644 --- a/mdm/commands/user.list.yaml +++ b/mdm/commands/user.list.yaml @@ -24,6 +24,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to query for a list of users that have an active account on the device. responsekeys: diff --git a/mdm/commands/user.logout.yaml b/mdm/commands/user.logout.yaml index 8c625cb..393a39b 100644 --- a/mdm/commands/user.logout.yaml +++ b/mdm/commands/user.logout.yaml @@ -14,4 +14,12 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to force the current user to logout. diff --git a/mdm/commands/user.unlock.yaml b/mdm/commands/user.unlock.yaml index 4c60d2f..d77d252 100644 --- a/mdm/commands/user.unlock.yaml +++ b/mdm/commands/user.unlock.yaml @@ -3,6 +3,8 @@ description: This command allows the server to unlock a local user account. payload: requesttype: UnlockUserAccount supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' accessrights: DeviceLockAndRemovePasscode @@ -11,6 +13,12 @@ payload: requiresdep: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This command allows the server to unlock a local user account that has been locked due to too many failed password attempts. Requires "Device lock and passcode removal right". diff --git a/mdm/errors/softwareupdate.required.yaml b/mdm/errors/softwareupdate.required.yaml index 12677fa..0c62dff 100644 --- a/mdm/errors/softwareupdate.required.yaml +++ b/mdm/errors/softwareupdate.required.yaml 
@@ -8,6 +8,8 @@ payload: introduced: '14.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a content: |- diff --git a/mdm/errors/unrecognized.device.yaml b/mdm/errors/unrecognized.device.yaml new file mode 100644 index 0000000..f7c285a --- /dev/null +++ b/mdm/errors/unrecognized.device.yaml @@ -0,0 +1,40 @@ +title: Error Unrecognized Device +description: Error response for unrecognized device. +payload: + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: '14.0' + tvOS: + introduced: '17.0' + visionOS: + introduced: '1.1' + watchOS: + introduced: '10.0' + content: |- + The schema for a JSON or property list XML document returned in an MDM server's 403 response body. The + response headers must include a "Content-Type" header indicating whether JSON or XML is being returned. + + This response is returned when a server does not recognize the device making the MDM request, and + causes the device to unenroll with the MDM server. This error should be used in place of the server + returning a 401 response to trigger an unenroll. +payloadkeys: +- key: code + type: + presence: required + rangelist: + - com.apple.unrecognized.device + content: Indicates that the device is not recognized by the server, causing the + device to unenroll from MDM. +- key: description + type: + presence: optional + content: The description of the error. This will only be used by the client for + logging purposes and will not be displayed to the user. +- key: message + type: + presence: optional + content: A description of the error suitable for displaying to the user. If needed, + the client will make a best-effort attempt to display the message, but may not + be able to, due to local conditions. diff --git a/mdm/errors/watch.pairing.token.missing.yaml b/mdm/errors/watch.pairing.token.missing.yaml index 3959530..0d0b6be 100644 --- a/mdm/errors/watch.pairing.token.missing.yaml +++ b/mdm/errors/watch.pairing.token.missing.yaml 
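Review bot: The `content` of the new mdm/errors/unrecognized.device.yaml says this 403 response "causes the device to unenroll", but it does not say what the client does with a 403 whose body is missing, fails to parse, or carries a different `code`. Unenrollment removes management from the device, so the text should state the boundary explicitly, so that a generic 403 from a proxy or gateway in front of the MDM server is not read as equivalent. If it matches the client behaviour (not verifiable from the schema), a sentence such as `A 403 response without this code does not trigger unenrollment.` would do. The sentence about using this error in place of a 401 could also say whether a 401 still triggers unenrollment on the listed OS versions.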
@@ -8,6 +8,8 @@ payload: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: '10.0' content: |- diff --git a/mdm/profiles/CommonPayloadKeys.yaml b/mdm/profiles/CommonPayloadKeys.yaml index aa02a28..0928cb7 100644 --- a/mdm/profiles/CommonPayloadKeys.yaml +++ b/mdm/profiles/CommonPayloadKeys.yaml @@ -29,6 +29,13 @@ payload: multiple: false supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: false + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '1.0' multiple: false diff --git a/mdm/profiles/GlobalPreferences.yaml b/mdm/profiles/GlobalPreferences.yaml index 16c263f..6b2007c 100644 --- a/mdm/profiles/GlobalPreferences.yaml +++ b/mdm/profiles/GlobalPreferences.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: .GlobalPreferences supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Global preferences on macOS payloadkeys: - key: MultipleSessionEnabled diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index a411ecb..ab82d56 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -29,6 +29,13 @@ payload: multiple: false supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: false + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '1.0' multiple: false @@ -110,6 +117,8 @@ payloadkeys: mode: forbidden tvOS: supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -159,6 +168,8 @@ payloadkeys: introduced: '10.15' tvOS: introduced: '12.2' + visionOS: + introduced: '1.1' watchOS: introduced: '5.2' type: 
@@ -170,11 +181,12 @@ payloadkeys: - 3 - 4 - 5 + - 6 default: 0 content: |- The type of platform of the target device. Specifying the platform type helps prevent unintended installations. For interactive installations on iOS devices, specifying a target platform avoids interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible. - Possible values include: + Allowed values: * '0': Any/unspecified * '1': iPhone/iPad/iPod Touch @@ -182,6 +194,7 @@ payloadkeys: * '3': HomePod * '4': Apple TV * '5': Mac + * '6': Vision Pro - key: ConsentText type: presence: optional diff --git a/mdm/profiles/com.apple.ADCertificate.managed.yaml b/mdm/profiles/com.apple.ADCertificate.managed.yaml index 02c723e..4182289 100644 --- a/mdm/profiles/com.apple.ADCertificate.managed.yaml +++ b/mdm/profiles/com.apple.ADCertificate.managed.yaml @@ -3,6 +3,8 @@ description: Active Directory Certificate payload: payloadtype: com.apple.ADCertificate.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: A certificate can be requested from a Microsoft Certificate Authority (CA) using DCE/RPC and the Active Directory Certificate profile payload instructions detailed at support.apple.com/kb/HT5357. @@ -47,9 +55,7 @@ payloadkeys: type: presence: optional content: |- - The name of the certificate authority (CA). This value is determined from the common name (CN) of the Active Directory entry. Available in macOS 10.8 and later. - - Valid values: + The name of the certificate authority (CA), which is determined from the common name (CN) of the Active Directory entry. Available in macOS 10.8 and later. Valid values: * CN= * CN='Certification Authorities' * CN='Public Key Services' 
@@ -83,9 +89,10 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the user is prompted for credentials when the profile is installed. - This key applies only to user certificates with the Manual Download profile delivery - method. Omit this key for computer certificates. Available in macOS 10.8 and later. + content: If 'true', the system prompts the user for credentials when is installs + the profile. This key applies only to user certificates with the Manual Download + profile delivery method. Omit this key for computer certificates. Available in + macOS 10.8 and later. - key: KeyIsExtractable title: Key Is Extractable supportedOS: @@ -94,8 +101,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows exporting the private key. Available in macOS 10.10 and - later. + content: If 'true', the system allows exporting the private key. Available in macOS + 10.10 and later. - key: Keysize title: Key Size supportedOS: diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml index 3ad7fbf..2b36a70 100644 --- a/mdm/profiles/com.apple.AIM.account.yaml +++ b/mdm/profiles/com.apple.AIM.account.yaml @@ -3,6 +3,8 @@ description: Use this section to define settings for configuration access to AIM payload: payloadtype: com.apple.AIM.account supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' deprecated: '10.13' @@ -15,6 +17,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: An AIM payload creates an AIM account on the device. payloadkeys: - key: AIMAccountDescription diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml index 35d8cd4..a3707bb 100644 --- a/mdm/profiles/com.apple.AssetCache.managed.yaml +++ b/mdm/profiles/com.apple.AssetCache.managed.yaml 
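Review bot: The rewritten `content` in the first hunk of this file section (`@@ -83,9 +89,10 @@`) introduces a typo: `prompts the user for credentials when is installs the profile` should read `when it installs the profile`. The key line for this entry sits above the hunk, so the key name is not visible here. The neighbouring `KeyIsExtractable` rewording is fine as written.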
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.AssetCache.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.13.4 multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Configures the Content Caching service. payloadkeys: - key: AllowCacheDelete @@ -22,9 +30,10 @@ payloadkeys: type: presence: optional default: true - content: |- - Allow the system to purge content from the cache automatically when it needs disk space for other apps (i.e. when free disk space runs low on the computer). Customers who want Content Caching to be as effective as possible should turn this setting off. - Available in macOS 10.15 and later. + content: If true, the system purges content from the cache automatically when it + needs disk space for other apps when free disk space runs low on the computer. + Set to 'false' to maximize effectiveness of Content Caching. Available in macOS + 10.15 and later. - key: AllowPersonalCaching supportedOS: macOS: @@ -33,9 +42,8 @@ payloadkeys: presence: optional default: true content: |- - If 'true', caches the user's iCloud data. Clients may take some time (hours or days) to react to changes to this setting; it doesn't have an immediate effect. - - At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys must be 'true'. + If 'true', the system caches the user's iCloud data. Changes to this value don't have an immediate effect. Clients may take some time, such as hours or days, to react to changes. + At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys need to be 'true'. - key: AllowSharedCaching supportedOS: macOS: 
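Review bot: The rewritten `AllowCacheDelete` description reads `If true, the system purges content ... when it needs disk space for other apps when free disk space runs low`: `true` is unquoted, unlike the other keys in this file, and the two stacked `when` clauses lost the parenthetical that related them. Suggested opening: `If 'true', the system automatically purges content from the cache when free disk space runs low and other apps need it.` In `AllowPersonalCaching` (and again in `AllowSharedCaching` in the following hunk) `At least one of ... keys need to be 'true'` should be `needs to be 'true'`, and the blank line that separated that constraint from the preceding paragraph was dropped.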
@@ -44,9 +52,8 @@ payloadkeys: presence: optional default: true content: |- - If 'true', caches non-iCloud content, such as apps and software updates. Clients may take some time (hours, days) to react to changes to this setting; it does not have an immediate effect. - - At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys must be 'true'. + If 'true', the system caches non-iCloud content, such as apps and software updates. Changes to this value don't have an immediate effect. Clients may take some time, such as hours or days, to react to changes. + At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys need to be 'true'. - key: AutoActivation supportedOS: macOS: @@ -55,8 +62,8 @@ payloadkeys: presence: optional default: false content: |- - If 'true', automatically activates the content cache when possible and prevents it from being disabled. If the 'allowContentCaching' restriction is set to 'false', 'AutoActivation' is also 'false'. - Removing a profile that set 'AutoActivation' to 'true' does not deactivate the Content Cache. + If 'true', the system automatically activates the content cache when possible and prevents disabling it. If 'allowContentCaching' is 'false', 'AutoActivation' is also 'false'. + Removing a profile that set 'AutoActivation' to 'true' doesn't deactivate the Content Cache. - key: AutoEnableTetheredCaching supportedOS: macOS: 
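Review bot: The rewritten `AutoActivation` text drops the word `restriction` from `If the 'allowContentCaching' restriction is set to 'false'`, so a reader can no longer tell that `allowContentCaching` is not a key of this payload. Because that setting overrides `AutoActivation`, the description should keep the pointer: `If the 'allowContentCaching' restriction is 'false', 'AutoActivation' is also 'false'.` The enclosing entry starts above the hunk.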
@@ -65,7 +72,7 @@ payloadkeys: presence: optional default: false content: |- - Automatically enable Internet connection sharing when possible and prevent disabling Internet connection sharing. 'DenyTetheredCaching' overrides 'AutoEnableTetheredCaching'. Tethered caching requires Content Caching. + If 'true', the system automatically enables Internet connection sharing when possible and prevent disabling Internet connection sharing. 'DenyTetheredCaching' overrides 'AutoEnableTetheredCaching'. Tethered caching requires Content Caching. Available in macOS 10.15.4 and later. - key: CacheLimit supportedOS: @@ -74,8 +81,8 @@ payloadkeys: type: presence: optional default: 0 - content: The maximum number of bytes of disk space that will be used for the content - cache. A value of 0 means unlimited disk space. + content: The maximum number of bytes of disk space to use for the content cache. + Set to '0' for unlimited disk space. - key: DataPath supportedOS: macOS: 
@@ -85,8 +92,7 @@ payloadkeys: default: /Library/Application Support/Apple/AssetCache/Data content: |- The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) '/Library/Application Support/Apple/AssetCache/Data'. - - A directory and its intermediates are created for the given data path if it doesn't already exist. The directory is owned by '_assetcache:_assetcache' and has mode 0750. Its immediate parent directory ('.../Library/Application Support/Apple/AssetCache') is owned by '_assetcache:_assetcache' and has mode '0755'. + The system creates a directory and its intermediates for the given data path if it doesn't already exist. The directory is owned by '_assetcache:_assetcache' and has mode 0750. Its immediate parent directory ('.../Library/Application Support/Apple/AssetCache') is owned by '_assetcache:_assetcache' and has mode '0755'. - key: DenyTetheredCaching supportedOS: macOS: @@ -94,7 +100,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables tethered caching. + content: If 'true', the system disables tethered caching. - key: DisplayAlerts supportedOS: macOS: 
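Review bot: The rewritten `DataPath` line still writes the data directory's mode as bare `0750` while the parent directory's mode is quoted as `'0755'`. These are the ownership and permission values an administrator would compare against the cache directory on disk, so they should be formatted the same way: `has mode '0750'`. The hunk also removes the blank line between the two paragraphs, which runs the path constraint into the directory-creation behaviour.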
@@ -102,9 +108,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', Content Caching displays exceptional conditions (alerts) as system notifications in the upper corner of the screen. Alerts were automatically displayed starting in macOS 10.13. In macOS 10.15 the alerts are off by default, but still available via this setting. - Available in macOS 10.15 and later. + content: If 'true', Content Caching displays exceptional conditions (alerts) as + system notifications in the upper corner of the screen. Alerts were automatically + displayed starting in macOS 10.13. In macOS 10.15 the alerts are off by default, + but still available through this setting. Available in macOS 10.15 and later. - key: KeepAwake supportedOS: macOS: @@ -112,16 +119,18 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as much as possible should turn this setting on. - Available in macOS 10.15 and later. + content: If 'true', the system prevents the computer from sleeping as long as Content + Caching is on (System Settings > Sharing > Content Caching is on). Customers who + want Content Caching to be as available as much as possible should turn this setting + on. Available in macOS 10.15 and later. - key: ListenRanges supportedOS: macOS: introduced: 10.13.4 type: presence: optional - content: An array of dictionaries describing a range of client IP addresses to serve. + content: An array of dictionaries that describe a range of client IP addresses to + serve. subkeytype: Ranges subkeys: &id001 - key: RangesItem 
@@ -178,8 +187,8 @@ payloadkeys: default: true content: If 'true', the content cache offers content to clients only on the same immediate local network only. No content is offered to clients on other networks - reachable by the content cache. If 'LocalSubnetsOnly' is set to 'true', 'ListenRanges' - will be ignored. + reachable by the content cache. If 'LocalSubnetsOnly' is 'true', the system ignores + 'ListenRanges'. - key: LogClientIdentity supportedOS: macOS: @@ -197,10 +206,10 @@ payloadkeys: presence: optional content: An array of the local IP addresses of other content caches that this cache should download from or upload to, instead of downloading from or uploading to - Apple directly. Invalid addresses and addresses of computers that aren't content - caches are ignored. Parent caches that become unavailable are skipped. If all - parent content caches become unavailable, the content cache downloads from or - uploads to Apple directly, until a parent content cache becomes available again. + Apple directly. The system ignores invalid addresses and addresses of computers + that aren't content caches. The system skips Parent caches that become unavailable. + If all parent content caches become unavailable, the content cache downloads from + or uploads to Apple directly, until a parent content cache becomes available again. subkeys: - key: ParentsItem type: 
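Review bot: `LocalSubnetsOnly` has `default: true`, and the rewritten sentence says the system ignores `ListenRanges` when it is `true`, so a profile that sets `ListenRanges` without also setting `LocalSubnetsOnly` to `false` has its ranges ignored without any indication. The description should say that directly, for example `Set to 'false' for 'ListenRanges' to take effect.` The unchanged first sentence also repeats `only` (`to clients only on the same immediate local network only`), which is worth fixing while this text is being edited.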
@@ -220,17 +229,13 @@ payloadkeys: - sticky-available default: round-robin content: |- - The policy to implement when choosing among more than one configured parent content cache. With every policy, parent caches that are temporarily unavailable are skipped. + The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. Allowed values: - 'first-available': Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. - - 'url-path-hash': Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. - - 'random': Choose a parent at random. Use this policy for load balancing. - - 'round-robin': Rotate through the parents in order. Use this policy for load balancing. - - 'sticky-available': Use the first available parent that is available in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. + * 'first-available': Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. + * 'url-path-hash': Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. + * 'random': Choose a parent at random. Use this policy for load balancing. + * 'round-robin': Rotate through the parents in order. Use this policy for load balancing. + * 'sticky-available': Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. 
- key: PeerFilterRanges supportedOS: macOS: @@ -276,7 +281,7 @@ payloadkeys: presence: optional default: 0 content: The TCP port number on which the content cache accepts requests for uploads - or downloads. Set the port to 0 to pick a random, available port. + or downloads. Set to '0' to pick a random, available port. - key: PublicRanges supportedOS: macOS: diff --git a/mdm/profiles/com.apple.Dictionary.yaml b/mdm/profiles/com.apple.Dictionary.yaml index 4895bf3..1daffea 100644 --- a/mdm/profiles/com.apple.Dictionary.yaml +++ b/mdm/profiles/com.apple.Dictionary.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.Dictionary supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Parental controls dictionary restrictions. payloadkeys: - key: parentalControl diff --git a/mdm/profiles/com.apple.DirectoryService.managed.yaml b/mdm/profiles/com.apple.DirectoryService.managed.yaml index 5e127b0..013187b 100644 --- a/mdm/profiles/com.apple.DirectoryService.managed.yaml +++ b/mdm/profiles/com.apple.DirectoryService.managed.yaml @@ -3,6 +3,8 @@ description: Directory Service payload: payloadtype: com.apple.DirectoryService.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.8' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: In macOS 10.9 and later, a configuration profile can be used to configure macOS to join an Active Directory (AD) domain. Advanced AD options available via Directory Utility or the dsconfigad command line tool can also be set using a 
@@ -47,7 +55,7 @@ payloadkeys: title: ADOrganizationalUnit type: presence: optional - content: The organizational unit where the joining computer object is added. + content: The organizational unit to add the joining computer object to. - key: ADMountStyle title: ADMountStyle type: @@ -61,13 +69,13 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADCreateMobileAccountAtLogin' key. + content: If 'true', the system enables the 'ADCreateMobileAccountAtLogin' key. - key: ADCreateMobileAccountAtLogin title: ADCreateMobileAccountAtLogin type: presence: optional default: false - content: If 'true', creates a mobile account at login. + content: If 'true', the system creates a mobile account at login. - key: ADWarnUserBeforeCreatingMAFlag title: ADWarnUserBeforeCreatingMAFlag supportedOS: @@ -76,13 +84,13 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADWarnUserBeforeCreatingMA' key. + content: If 'true', the system enables the 'ADWarnUserBeforeCreatingMA' key. - key: ADWarnUserBeforeCreatingMA title: ADWarnUserBeforeCreatingMA type: presence: optional default: false - content: If 'true', enables the warning before creating the mobile account. + content: If 'true', the system enables the warning before creating the mobile account. - key: ADForceHomeLocalFlag title: ADForceHomeLocalFlag supportedOS: @@ -91,13 +99,13 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADForceHomeLocal' key. + content: If 'true', the system enables the 'ADForceHomeLocal' key. - key: ADForceHomeLocal title: ADForceHomeLocal type: presence: optional default: false - content: If 'true', forces a local home directory. + content: If 'true', the system forces a local home directory. - key: ADUseWindowsUNCPathFlag title: ADUseWindowsUNCPathFlag supportedOS: 
@@ -106,14 +114,14 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADUseWindowsUNCPath' key. + content: If 'true', the system enables the 'ADUseWindowsUNCPath' key. - key: ADUseWindowsUNCPath title: ADUseWindowsUNCPath type: presence: optional default: false - content: If 'true', uses the UNC path from Active Directory to derive the network - home location. + content: If 'true', the system uses the UNC path from Active Directory to derive + the network home location. - key: ADAllowMultiDomainAuthFlag title: ADAllowMultiDomainAuthFlag supportedOS: @@ -122,19 +130,19 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADAllowMultiDomainAuth' key. + content: If 'true', the system enables the 'ADAllowMultiDomainAuth' key. - key: ADAllowMultiDomainAuth title: ADAllowMultiDomainAuth type: presence: optional default: false - content: If 'true', allows authentication from any domain in the namespace. + content: If 'true', the system allows authentication from any domain in the namespace. - key: ADDefaultUserShellFlag title: ADDefaultUserShellFlag type: presence: optional default: false - content: If 'true', enables the 'ADDefaultUserShell' key. + content: If 'true', the system enables the 'ADDefaultUserShell' key. - key: ADDefaultUserShell title: ADDefaultUserShell type: @@ -145,7 +153,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADMapUIDAttribute' key. + content: If 'true', the system enables the 'ADMapUIDAttribute' key. - key: ADMapUIDAttribute title: ADMapUIDAttribute type: @@ -156,7 +164,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADMapGIDAttribute' key. + content: If 'true', the system enables the 'ADMapGIDAttribute' key. - key: ADMapGIDAttribute title: ADMapGIDAttribute type: 
@@ -167,7 +175,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADMapGGIDAttributeFlag' key. + content: If 'true', the system enables the 'ADMapGGIDAttributeFlag' key. - key: ADMapGGIDAttribute title: ADMapGGIDAttribute type: @@ -178,7 +186,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADPreferredDCServer' key. + content: If 'true', the system enables the 'ADPreferredDCServer' key. - key: ADPreferredDCServer title: ADPreferredDCServer type: @@ -189,12 +197,12 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADDomainAdminGroupList' key. + content: If 'true', the system enables the 'ADDomainAdminGroupList' key. - key: ADDomainAdminGroupList title: ADDomainAdminGroupList type: presence: optional - content: The list of Active Directory groups that are granted admin access. + content: The list of Active Directory groups with admin access. subkeys: - key: ADDomainAdminGroupListItem type: @@ -203,7 +211,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADNamespace' key. + content: If 'true', the system enables the 'ADNamespace' key. - key: ADNamespace title: ADNamespace type: @@ -217,7 +225,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADPacketSign' key. + content: If 'true', the system enables the 'ADPacketSign' key. - key: ADPacketSign title: ADPacketSign type: @@ -228,7 +236,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADPacketEncrypt' key. + content: If 'true', the system enables the 'ADPacketEncrypt' key. - key: ADPacketEncrypt title: ADPacketEncrypt type: 
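Review bot: The line reworded in the hunk at `@@ -167,7 +175,7 @@` still says the flag enables the `'ADMapGGIDAttributeFlag'` key, which names a flag rather than the key it controls. Every sibling flag in this file names the key without the `Flag` suffix, and the entry that follows is `ADMapGGIDAttribute`, so the line should read `content: If 'true', the system enables the 'ADMapGGIDAttribute' key.` The key line of the entry being edited is above the hunk; it is presumably `ADMapGGIDAttributeFlag`.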
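Review bot: In the hunk at `@@ -189,12 +197,12 @@`, `ADDomainAdminGroupList` changes from groups `that are granted admin access` to groups `with admin access`, which can be read as describing groups that already hold admin rights rather than groups this payload grants them to. The key decides who receives administrator privileges, so the active wording is safer: `content: The list of Active Directory groups to grant admin access to.` The scope of that access is not stated in the visible text and would be worth adding.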
@@ -239,7 +247,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the 'ADRestrictDDNS' key. + content: If 'true', the system enables the 'ADRestrictDDNS' key. - key: ADRestrictDDNS title: ADRestrictDDNS supportedOS: @@ -247,8 +255,8 @@ payloadkeys: introduced: '10.8' type: presence: optional - content: An array of strings representing the interfaces that are allowed for dynamic - DNS updates (for example, en0, en1, and so on). + content: An array of strings that represent the interfaces allowed for dynamic DNS + updates, such as en0 and en1. subkeys: - key: ADRestrictDDNSItem type: @@ -257,10 +265,10 @@ payloadkeys: type: presence: optional default: false - content: If true, enables the 'ADTrustChangePassIntervalDays 'key. + content: If 'true', the system enables the 'ADTrustChangePassIntervalDays 'key. - key: ADTrustChangePassIntervalDays title: ADTrustChangePassIntervalDays type: presence: optional content: The number of days before requiring a change of the computer trust account - password. '0' disables the feature. + password. Set to '0' to disable the feature. diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml index 20d5321..2270397 100644 --- a/mdm/profiles/com.apple.DiscRecording.yaml +++ b/mdm/profiles/com.apple.DiscRecording.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.DiscRecording supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: BurnSupport type: 
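Review bot: The line rewritten in the hunk at `@@ -257,10 +265,10 @@` keeps the misplaced closing quote, `'ADTrustChangePassIntervalDays 'key`. It should read `content: If 'true', the system enables the 'ADTrustChangePassIntervalDays' key.` The key line of that entry is above the hunk.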
@@ -22,8 +30,8 @@ payloadkeys: - authenticate - 'on' content: |- - If 'off', disables disc burning. + Configure disc-burn. Allowed values: - If 'on', allows normal default operation. Setting this key to 'on' doesn't enable disc burn support if it has already been disabled by other mechanisms or preferences. It also must be enabled with the Finder profile. - - If 'authenticate', requires authentication. + * 'off': The system disables disc burning. + * 'on': The system allows normal default operation. Setting this key to 'on' doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the Finder profile + * 'authenticate': The system requires authentication. diff --git a/mdm/profiles/com.apple.MCX(Accounts).yaml b/mdm/profiles/com.apple.MCX(Accounts).yaml index cf15d1f..680ff22 100644 --- a/mdm/profiles/com.apple.MCX(Accounts).yaml +++ b/mdm/profiles/com.apple.MCX(Accounts).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: EnableGuestAccount supportedOS: @@ -21,7 +29,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the guest account. + content: If 'true', the system enables the guest account. - key: DisableGuestAccount supportedOS: macOS: @@ -29,5 +37,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the guest account. This property has no effect if 'EnableGuestAccount' - is 'true'. + content: If 'true', the system disables the guest account. This property has no + effect if 'EnableGuestAccount' is 'true'. diff --git a/mdm/profiles/com.apple.MCX(EnergySaver).yaml b/mdm/profiles/com.apple.MCX(EnergySaver).yaml index 7668c05..a37bd92 100644 
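Review bot: In the rewritten `BurnSupport` description, the `'on'` bullet ends with the fragment `Needs to be enabled with the Finder profile`, which has no subject and no closing period, and the lead-in `Configure disc-burn.` uses a spelling the bullets do not (`disc burning`, `disc burn support`). Suggested: `The disc burning behavior. Allowed values:` and `It also needs to be enabled with the Finder profile.` The `'authenticate'` bullet would be clearer if it said who authenticates and when, which the hunk does not state.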
--- a/mdm/profiles/com.apple.MCX(EnergySaver).yaml +++ b/mdm/profiles/com.apple.MCX(EnergySaver).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: com.apple.EnergySaver.desktop.ACPower type: diff --git a/mdm/profiles/com.apple.MCX(FileVault2).yaml b/mdm/profiles/com.apple.MCX(FileVault2).yaml index 6d1753e..6b99b7b 100644 --- a/mdm/profiles/com.apple.MCX(FileVault2).yaml +++ b/mdm/profiles/com.apple.MCX(FileVault2).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,18 +15,24 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: The FileVault accounts payload sets up options for enabling FileVault. payloadkeys: - key: dontAllowFDEDisable type: presence: optional default: false - content: Set to 'true' to prevent FileVault from being disabled. + content: If 'true', the system won't disable FileVault. - key: dontAllowFDEEnable type: presence: optional default: false - content: Set to 'true' to prevent FileVault from being enabled. + content: If 'true', the system won't enable FileVault. - key: DestroyFVKeyOnStandby supportedOS: macOS: @@ -32,4 +40,4 @@ payloadkeys: type: presence: optional default: false - content: Set to 'true' to prevent storing the FileVault key across restarts. + content: If 'true', the system won't store th FileVault key across restarts. diff --git a/mdm/profiles/com.apple.MCX(Mobililty).yaml b/mdm/profiles/com.apple.MCX(Mobililty).yaml index cf8fd21..752d110 100644 --- a/mdm/profiles/com.apple.MCX(Mobililty).yaml 
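Review bot: The reworded `dontAllowFDEDisable` and `dontAllowFDEEnable` descriptions in com.apple.MCX(FileVault2).yaml change the meaning: `the system won't disable FileVault` describes what the OS does on its own, whereas the removed text (`prevent FileVault from being disabled`) described a restriction on anyone turning it off. Administrators rely on this control to keep disk encryption on, so the description should name what is blocked, for example `If 'true', the system prevents disabling FileVault.` and `If 'true', the system prevents enabling FileVault.` The last hunk of the same file introduces a typo in `DestroyFVKeyOnStandby`: `th FileVault key` should be `the FileVault key`.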
+++ b/mdm/profiles/com.apple.MCX(Mobililty).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false 
@@ -13,36 +15,43 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Sets up mobile account options for network based user accounts. payloadkeys: - key: com.apple.cachedaccounts.CreateAtLogin type: presence: optional default: false - content: If 'true', creates the mobile account at login time. + content: If 'true', the system creates the mobile account at login time. - key: com.apple.cachedaccounts.WarnOnCreate type: presence: optional default: false - content: If 'true', asks the user if the mobile account should be created and allow - the user to not create it. + content: If 'true', the system asks the user whether to create the mobile account + and it allows the user to not create it. - key: cachedaccounts.WarnOnCreate.allowNever type: presence: optional default: false - content: If 'true', allows the user to stop the prompts about mobile account creation - every time the user logs in. This key is only valid if 'com.apple.cachedaccounts.WarnOnCreate' - is set to 'true'. + content: If 'true', the system allows the user to stop the prompts about mobile + account creation every time the user logs in. This key is only valid if 'com.apple.cachedaccounts.WarnOnCreate' + is 'true'. - key: cachedaccounts.expiry.delete.disusedSeconds type: presence: optional default: -1 - content: |- - The minimum number of seconds a mobile account can exist before an automatic attempt is made to remove the mobile account. - Set to '0' to try to remove it at next login or logout time. Set to '-1' to never try to remove the mobile account. + content: The minimum number of seconds a mobile account can exist before the system + makes an automatic attempt to remove the mobile account. Set to '0' to attempt + removing it at the next login or logout. Set to '-1' to never attempt removing + the mobile account. 
- key: cachedaccounts.askForSecureTokenAuthBypass type: presence: optional default: false - content: If 'true', bypasses the secure token authorization dialog. This dialog - only appears on APFS volumes. + content: If 'true', the system bypasses the secure token authorization dialog. This + dialog only appears on APFS volumes. diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml index 448f912..fc484dc 100644 --- a/mdm/profiles/com.apple.MCX(TimeServer).yaml +++ b/mdm/profiles/com.apple.MCX(TimeServer).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.12.4 multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Settings for time zone and server. If multiple profiles with this payload are sent, the device's time server will be set to the value in the last payload installed. Removing the payload will not change the settings back to the prior diff --git a/mdm/profiles/com.apple.MCX(WiFi).yaml b/mdm/profiles/com.apple.MCX(WiFi).yaml index 0cf12da..0bc71ce 100644 --- a/mdm/profiles/com.apple.MCX(WiFi).yaml +++ b/mdm/profiles/com.apple.MCX(WiFi).yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: RequireAdminForIBSS supportedOS: diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml index 46eaf04..71db915 100644 --- a/mdm/profiles/com.apple.MCX.FileVault2.yaml +++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml 
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.MCX.FileVault2 supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: The FileVault payload only works on macOS to enable or disable FileVault. Starting with macOS 10.15, this payload requires UAMDM to enable FileVault. payloadkeys: @@ -31,25 +39,27 @@ payloadkeys: type: presence: optional default: false - content: If 'true', defers enabling FileVault until the designated user logs out. - For details, see 'fdesetup(8)'. Only a local user or a mobile account user can - enable FileVault. + content: If 'true', the system defers enabling FileVault until the designated user + logs out. For details, see 'fdesetup(8)'. Only a local user or a mobile account + user can enable FileVault. - key: UserEntersMissingInfo type: presence: optional default: false - content: If 'true', enables a prompt for missing user name or password fields. + content: If 'true', the system enables a prompt for missing user name or password + fields. - key: UseRecoveryKey type: presence: optional default: true - content: If 'true', creates a personal recovery key and displays it to the user. + content: If 'true', the system creates a personal recovery key and displays it to + the user. - key: ShowRecoveryKey type: presence: optional default: true - content: If 'false', prevents display of the personal recovery key to the user after - the system enables FileVault. + content: If 'false', the system prevents display of the personal recovery key to + the user after the system enables FileVault. - key: OutputPath type: presence: optional 
@@ -97,7 +107,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents requests to enable FileVault at user logout time. + content: If 'true', the system prevents requests to enable FileVault at user logout + time. - key: ForceEnableInSetupAssistant supportedOS: macOS: diff --git a/mdm/profiles/com.apple.MCX.TimeMachine.yaml b/mdm/profiles/com.apple.MCX.TimeMachine.yaml index 72fe674..171322a 100644 --- a/mdm/profiles/com.apple.MCX.TimeMachine.yaml +++ b/mdm/profiles/com.apple.MCX.TimeMachine.yaml @@ -2,6 +2,8 @@ title: Time Machine payload: payloadtype: com.apple.MCX.TimeMachine supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: AutoBackup type: diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml index 1365ff7..97cf462 100644 --- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml +++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.ManagedClient.preferences supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: PreferenceDomain type: diff --git a/mdm/profiles/com.apple.NSExtension.yaml b/mdm/profiles/com.apple.NSExtension.yaml index 7506e50..50e77cd 100644 --- a/mdm/profiles/com.apple.NSExtension.yaml +++ b/mdm/profiles/com.apple.NSExtension.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.NSExtension supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' multiple: true 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Specifies which NSExtension extensions are to be allowed or disallowed on a system. Extensions can be managed by bundleID allow/deny lists and "extension points". @@ -20,7 +28,7 @@ payloadkeys: - key: AllowedExtensions type: presence: optional - content: An array of identifiers for extensions that are allowed to run on the system. + content: An array of bundle identifiers for allowed extensions. subkeys: - key: AllowedExtensionsItem type: @@ -29,8 +37,8 @@ payloadkeys: - key: DeniedExtensions type: presence: optional - content: An array of identifiers for extensions that aren't allowed to run on the - system. + content: An array of bundle identifiers for extensions that the system doesn't allow + to run. subkeys: - key: DeniedExtensionsItem type: @@ -39,8 +47,8 @@ payloadkeys: - key: DeniedExtensionPoints type: presence: optional - content: An array of extension points for extensions that aren't allowed to run - on the system. + content: An array of extension points for extensions that the system doesn't allow + to run. subkeys: - key: DeniedExtensionPointsItem type: diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml index e1e7ee6..b1c34f9 100644 --- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml +++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: On macOS, this payload can specify Setup Assistant options for either the system or particular users. payloadkeys: diff --git a/mdm/profiles/com.apple.ShareKitHelper.yaml b/mdm/profiles/com.apple.ShareKitHelper.yaml index dd3cb6e..786ddb7 100644 --- a/mdm/profiles/com.apple.ShareKitHelper.yaml 
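Review bot: The shortened `AllowedExtensions` text in `com.apple.NSExtension.yaml`, "An array of bundle identifiers for allowed extensions", is now circular and no longer says what the list does. An administrator building an allowlist needs to know whether extensions missing from the list are blocked, and which list wins when an identifier also appears in `DeniedExtensions`. Neither is stated in the visible hunks. I would keep the parallel form used for the deny list, for example `An array of bundle identifiers for extensions that the system allows to run.`, and add one sentence on precedence once that behavior is confirmed.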
+++ b/mdm/profiles/com.apple.ShareKitHelper.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.ShareKitHelper supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' deprecated: '10.12' @@ -14,6 +16,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: macOS only. Specifies which ShareKit plugin can be accessed on client. Both allow and disallow lists can be specified. payloadkeys: diff --git a/mdm/profiles/com.apple.SoftwareUpdate.yaml b/mdm/profiles/com.apple.SoftwareUpdate.yaml index 338dcf6..89c97f1 100644 --- a/mdm/profiles/com.apple.SoftwareUpdate.yaml +++ b/mdm/profiles/com.apple.SoftwareUpdate.yaml @@ -3,6 +3,8 @@ description: Software Update Managed Settings payload: payloadtype: com.apple.SoftwareUpdate supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Software update catalog options. payloadkeys: - key: CatalogURL diff --git a/mdm/profiles/com.apple.SystemConfiguration.yaml b/mdm/profiles/com.apple.SystemConfiguration.yaml index 18e7d1b..8e05f7f 100644 --- a/mdm/profiles/com.apple.SystemConfiguration.yaml +++ b/mdm/profiles/com.apple.SystemConfiguration.yaml @@ -2,6 +2,8 @@ title: Network Proxy Configuration payload: payloadtype: com.apple.SystemConfiguration supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Proxies type: diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index 31b89bd..7c5a0b5 100644 
--- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml @@ -3,6 +3,8 @@ description: Configures Security Preferences:Privacy settings payload: payloadtype: com.apple.TCC.configuration-profile-policy supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.14' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Services type: @@ -57,8 +65,9 @@ payloadkeys: - key: Allowed type: presence: required - content: If 'true', access is granted; otherwise, the process doesn't have - access. The user isn't prompted and can't change this value. + content: |- + If 'true', access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. + Every payload needs to include either 'Authorization' or 'Allowed', but not both. - key: Authorization supportedOS: macOS: 
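Review bot: The sentence added to the `Allowed` description, "Every payload needs to include either 'Authorization' or 'Allowed', but not both", conflicts with the unchanged `presence: required` on that key in the same hunk. A validator generated from this schema would reject a policy that uses only `Authorization`, or would push authors to send both keys, which the text forbids. Either mark `Allowed` as `presence: optional`, or state the mutual-exclusion rule in a form the schema can express. The `Authorization` key's own presence line falls outside this hunk, so check it for the same conflict.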
@@ -70,10 +79,13 @@ payloadkeys: - Deny - AllowStandardUserToSetSystemService content: |- - The 'Authorization' key is an optional replacement for the 'Allowed' key. Every payload must specify either 'Authorization' or 'Allowed', but not both. - 'Allow': Equivalent to a 'true' value for the 'Allowed' key. - 'Deny': Equivalent to a 'false' value for the 'Allowed' key. - 'AllowStandardUserToSetSystemService:' allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. 'AllowStandardUserToSetSystemService' is only valid for the 'ListenEvent' and 'ScreenCapture' services. + The 'Authorization' key is an optional replacement for the 'Allowed' key, which has one of the following possible values: + + * 'Allow': Equivalent to a 'true' value for the 'Allowed' key + * 'Deny': Equivalent to a 'false' value for the 'Allowed' key + * 'AllowStandardUserToSetSystemService': Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the 'ListenEvent' and 'ScreenCapture' services + + Every payload needs to include either 'Authorization' or 'Allowed', but not both. Available in macOS 11 and later. - key: Comment type: diff --git a/mdm/profiles/com.apple.airplay.security.yaml b/mdm/profiles/com.apple.airplay.security.yaml index 2da8655..6ae03b5 100644 --- a/mdm/profiles/com.apple.airplay.security.yaml +++ b/mdm/profiles/com.apple.airplay.security.yaml 
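Review bot: In the rewritten `Authorization` description, the clause "an optional replacement for the 'Allowed' key, which has one of the following possible values" attaches the value list to `Allowed`, although the bullets are the values of `Authorization`. I would split it into `The 'Authorization' key is an optional replacement for the 'Allowed' key. Possible values:`. Since `AllowStandardUserToSetSystemService` removes the admin requirement for the named services, the restriction to `ListenEvent` and `ScreenCapture` would also read better as its own sentence than as the tail of a bullet.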
@@ -3,11 +3,19 @@ description: AirPlay Security settings payload: payloadtype: com.apple.airplay.security supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a tvOS: introduced: '11.0' multiple: false supervised: false allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Manages the AirPlay Security settings on Apple TV (Settings > AirPlay > Security). Use this payload to lock Apple TV to a particular style of AirPlay security. The setting can enable/disable an on-screen passcode, or require a specific @@ -22,13 +30,13 @@ payloadkeys: - PASSCODE_ALWAYS - PASSWORD content: |- - The security policy for AirPlay. - 'PASSCODE_ONCE' requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted. - 'PASSCODE_ALWAYS' requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, reconnecting within 30 seconds is allowed without a password. + The security policy for AirPlay. Allowed values: - 'PASSWORD' requires a passphrase as specified in the 'Password' key. + * 'PASSCODE_ONCE': Requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted. + * 'PASSCODE_ALWAYS': Requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, the system allows reconnecting within 30 seconds without a password. + * 'PASSWORD': Requires the passphrase set for 'Password'. - 'NONE' was deprecated in tvOS 11.3. Existing profiles using 'NONE' get the 'PASSWORD_ONCE' behavior. + 'NONE' was deprecated in tvOS 11.3. Existing profiles that use 'NONE' get the 'PASSWORD_ONCE' behavior. - key: AccessType title: Access Type type: @@ -44,4 +52,4 @@ payloadkeys: title: Password type: presence: optional - content: The AirPlay password; required if SecurityType is 'PASSWORD'. + content: The AirPlay password; required if 'SecurityType' is 'PASSWORD'. 
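Review bot: The `SecurityType` description in `com.apple.airplay.security.yaml` still says profiles using 'NONE' get the 'PASSWORD_ONCE' behavior, but no such value exists among the ones listed (`PASSCODE_ONCE`, `PASSCODE_ALWAYS`, `PASSWORD`). The commit rewrites that sentence and keeps the name, so this is presumably meant to be `'PASSCODE_ONCE'`. The `PASSCODE_ALWAYS` bullet likewise says reconnecting is allowed "without a password" where "without a passcode" would match the value it describes. Both matter because the text is the only statement of which fallback a deprecated 'NONE' profile receives.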
diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml index ab0eb52..db543fb 100644 --- a/mdm/profiles/com.apple.airplay.yaml +++ b/mdm/profiles/com.apple.airplay.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: macOS supports more than one payload, iOS does not. Supported on the user channel for macOS only. payloadkeys: @@ -70,9 +76,9 @@ payloadkeys: title: Passwords type: presence: optional - content: |- - If present, sets passwords for known AirPlay destinations. - Using multiple entries for the same destination, whether within the same payload or across multiple installed payloads, is an error and results in undefined behavior. + content: If present, sets passwords for known AirPlay destinations. Using multiple + entries for the same destination, whether within the same payload or across multiple + installed payloads, is an error and results in undefined behavior. subkeys: - key: PasswordsItem title: Password Content Item @@ -113,5 +119,5 @@ payloadkeys: mode: ignored type: presence: optional - content: Use 'AllowList' instead. As of macOS 11.3 and iOS 14.5 this key is deprecated. + content: Use 'AllowList' instead. This key is deprecated in iOS 14.5 and macOS 11.3. subkeys: *id001 diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml index a40492a..094eb16 100644 --- a/mdm/profiles/com.apple.airprint.yaml +++ b/mdm/profiles/com.apple.airprint.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: AirPrint title: Air print diff --git a/mdm/profiles/com.apple.apn.managed.yaml b/mdm/profiles/com.apple.apn.managed.yaml index b8da8d7..98ef607 100644 --- a/mdm/profiles/com.apple.apn.managed.yaml 
+++ b/mdm/profiles/com.apple.apn.managed.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Not supported in macOS. This technically does install on watchOS but we are removing the supportedOS dictionary. The cellular payload should be used instead. diff --git a/mdm/profiles/com.apple.app.lock.yaml b/mdm/profiles/com.apple.app.lock.yaml index d90a588..de55762 100644 --- a/mdm/profiles/com.apple.app.lock.yaml +++ b/mdm/profiles/com.apple.app.lock.yaml @@ -14,11 +14,17 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a tvOS: introduced: '10.2' multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: App title: App @@ -38,15 +44,15 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: A dictionary of options that the user cannot change. + content: A dictionary of options that the user can't change. subkeys: - key: DisableTouch title: Disable Touch type: presence: optional default: false - content: If 'true', disables the touch screen. In tvOS, it disables the touch - surface on the Apple TV Remote. + content: If 'true', the system disables the touch screen. In tvOS, it disables + the touch surface on the Apple TV Remote. - key: DisableDeviceRotation title: Disable Device Rotation supportedOS: @@ -55,7 +61,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables device rotation sensing. + content: If 'true', the system disables device rotation sensing. - key: DisableVolumeButtons title: Disable Volume Buttons supportedOS: 
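Review bot: The hunk for `com.apple.apn.managed.yaml` adds `watchOS: introduced: n/a`, yet the unchanged `content` just below still says the payload "technically does install on watchOS but we are removing the supportedOS dictionary". A reader or tool now gets two different answers about watchOS, and the sentence reads like an internal note rather than documentation. I would reword the content to say only what is supported, for example `Not supported in macOS or watchOS. Use the cellular payload instead.`, if that matches actual behavior.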
@@ -64,7 +70,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the volume buttons. + content: If 'true', the system disables the volume buttons. - key: DisableRingerSwitch title: Disable Ringer Switch supportedOS: @@ -73,8 +79,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the ringer switch. When disabled, the ringer behavior - depends on what position the switch was in when it was first disabled. + content: If 'true', the system disables the ringer switch. When disabled, the + ringer behavior depends on what position the switch was in when it was first + disabled. - key: DisableSleepWakeButton title: Disable Sleep Wake Button supportedOS: @@ -83,7 +90,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the sleep/wake button. + content: If 'true', the system disables the sleep/wake button. - key: DisableAutoLock title: Disable Auto Lock type: @@ -96,19 +103,19 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables VoiceOver. + content: If 'true', the system enables VoiceOver. - key: EnableZoom title: Enable Zoom type: presence: optional default: false - content: If 'true', enables Zoom. + content: If 'true', the system enables Zoom. - key: EnableInvertColors title: Enable Invert Colors type: presence: optional default: false - content: If 'true', enables Invert Colors. + content: If 'true', the system enables Invert Colors. - key: EnableAssistiveTouch title: Enable Assistive Touch supportedOS: @@ -117,7 +124,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables AssistiveTouch. + content: If 'true', the system enables AssistiveTouch. - key: EnableSpeakSelection title: Enable Speak Selection supportedOS: 
@@ -126,7 +133,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables Speak Selection. + content: If 'true', the system enables Speak Selection. - key: EnableMonoAudio title: Enable Mono Audio supportedOS: @@ -135,7 +142,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables Mono Audio. + content: If 'true', the system enables Mono Audio. - key: EnableVoiceControl title: Enable Voice Control supportedOS: @@ -146,7 +153,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables Voice Control. + content: If 'true', the system enables Voice Control. - key: UserEnabledOptions title: User Enabled Options supportedOS: @@ -166,25 +173,25 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows the user to toggle Voice Control. + content: If 'true', the system allows the user to toggle Voice Control. - key: VoiceOver title: Voice Over type: presence: optional default: false - content: If 'true', allows the user to toggle VoiceOver. + content: If 'true', the system allows the user to toggle VoiceOver. - key: Zoom title: Zoom type: presence: optional default: false - content: If 'true', allows the user to toggle Zoom. + content: If 'true', the system allows the user to toggle Zoom. - key: InvertColors title: Invert Colors type: presence: optional default: false - content: If 'true', allows the user to toggle Invert Colors. + content: If 'true', the system allows the user to toggle Invert Colors. - key: AssistiveTouch title: Assistive Touch supportedOS: @@ -193,4 +200,4 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows the user to toggle AssistiveTouch. + content: If 'true', the system allows the user to toggle AssistiveTouch. diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml index 33438db..22dfc4f 100644 
--- a/mdm/profiles/com.apple.applicationaccess.new.yaml +++ b/mdm/profiles/com.apple.applicationaccess.new.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.applicationaccess.new supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Parental controls application restrictions. Order of evaluation: diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index 1c82e30..631f89f 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '10.0' multiple: true @@ -48,15 +55,17 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: presence: optional default: true content: If 'false', the system disables modification of accounts such as Apple - IDs and Internet-based accounts such as Mail, Contacts, and Calendar. Requires - a supervised device. Available in iOS 7 and later, macOS 14 and later, and watchOS - 10 and later. + IDs and Internet-based accounts such as Mail, Contacts, and Calendar. Available + in iOS 7 and later, macOS 14 and later, and watchOS 10 and later. Requires a supervised + device in iOS and watchOS. - key: allowActivityContinuation title: Allow Handoff supportedOS: 
@@ -70,13 +79,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables activity continuation. Available in iOS - 8 and later, and macOS 10.15 and later. In a future release, this restriction + 8 and later, and macOS 10.15 and later. Support for this restriction on unsupervised + devices and with managed Apple IDs is deprecated. In a future release, this restriction will begin requiring supervision and will apply to personal Apple IDs only. - key: allowAddingGameCenterFriends title: Allow Adding Game Center Friends @@ -92,14 +104,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prohibits adding friends to Game Center. As of iOS - 13, requires a supervised device. Available in iOS 4.2.1 and later, and macOS - 10.13 and later. + content: If 'false', the system prohibits adding friends to Game Center. Available + in iOS 4.2.1 and later, and macOS 10.13 and later. Requires a supervised device + in iOS 13 and later. - key: allowAirDrop supportedOS: iOS: @@ -113,6 +127,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -132,13 +148,16 @@ payloadkeys: tvOS: introduced: '10.2' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables incoming AirPlay requests. Requires a supervised - device. Available in macOS 12.3 and later, and tvOS 10.2 and later. + content: If 'false', the system disables incoming AirPlay requests. Available in + macOS 12.3 and later, and tvOS 10.2 and later. Requires a supervised device in + tvOS. - key: allowAirPrint title: Allow AirPrint supportedOS: 
@@ -151,12 +170,14 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables AirPrint. Requires a supervised device. + content: If 'false', the system disables AirPrint. Requires a supervised device. Available in iOS 11 and later. - key: allowAirPrintCredentialsStorage title: Allow storage of AirPrint credentials in Keychain @@ -170,6 +191,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -189,6 +212,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -209,6 +234,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -228,6 +255,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -237,7 +266,7 @@ payloadkeys: any existing App Clips on the device. Requires a supervised device. Available in iOS 14.0 and later. - key: allowAppInstallation - title: Allow App Installation from Apple Configurator and iTunes + title: Allow App Installation supportedOS: iOS: introduced: '4.0' 
@@ -248,16 +277,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: presence: optional default: true - content: If 'false', the system disables the App Store, and the system removes its - icon from the Home screen. Users are unable to install or update their apps. In - iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this - restriction requires a supervised device. Available in iOS 4 and later and watchOS - 10 and later. + content: |- + If 'false', the system disables the App Store, and the system removes its icon from the Home screen. Users are unable to install or update their apps. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc). + In iOS 10 and later, MDM commands can override this restriction. Available in iOS 4 and later, and watchOS 10 and later. Requires a supervised device in iOS 13 and later, and watchOS. - key: allowApplePersonalizedAdvertising supportedOS: iOS: @@ -270,13 +299,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system limits Apple personalized advertising. Available - in iOS 14 and later and macOS 12 and later. + in iOS 14 and later, and macOS 12 and later. - key: allowAppRemoval title: Allow App Removal supportedOS: 
@@ -289,13 +320,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: presence: optional default: true - content: If 'false', the system disables removal of apps from an iOS device. Requires - a supervised device. Available in iOS 4.2.1 and later and watchOS 10 and later. + content: |- + If 'false', the system disables removal of apps from an iOS device. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc). + Requires a supervised device. Available in iOS 4.2.1 and later, and watchOS 10 and later. - key: allowARDRemoteManagementModification title: Allow modifying Remote Management Sharing setting supportedOS: @@ -307,6 +341,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -325,13 +361,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables Siri. Available in iOS 5 and later and - macOS 14 and later. Also available on iOS for user enrollment. + content: If 'false', the system disables Siri. Available in iOS 5 and later, and + macOS 14 and later. Also available for user enrollment. - key: allowAssistantUserGeneratedContent supportedOS: iOS: @@ -343,14 +381,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: presence: optional default: true content: If 'false', the system prevents Siri from querying user-generated content - from the web. Requires a supervised device. Available in iOS 7 and later and watchOS - 10 and later. + from the web. Requires a supervised device. Available in iOS 7 and later, and + watchOS 10 and later. - key: allowAssistantWhileLocked title: Allow Siri While Locked supportedOS: 
@@ -360,6 +400,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: true @@ -378,6 +420,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -397,6 +441,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: @@ -404,7 +450,7 @@ payloadkeys: default: true content: If 'false', the system prevents automatic downloading of apps purchased on other devices. This setting doesn't affect updates to existing apps. Requires - a supervised device. Available in iOS 9 and later and watchOS 10 and later. + a supervised device. Available in iOS 9 and later, and watchOS 10 and later. - key: allowAutomaticScreenSaver supportedOS: iOS: @@ -414,6 +460,8 @@ payloadkeys: tvOS: introduced: '15.4' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -433,14 +481,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disallows auto unlock. Available in macOS 10.12 - and later, and iOS 14.5 and later. This restriction will require supervision in - a future release. + and later, and iOS 14.5 and later. Support for this restriction on unsupervised + devices is deprecated. - key: allowBluetoothModification title: Allow modifying Bluetooth settings supportedOS: @@ -455,6 +505,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -473,13 +525,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents modifying Bluetooth setting in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modifying Bluetooth settings in System + Settings. Available in macOS 14 and later. - key: allowBookstore title: Allow Bookstore supportedOS: @@ -492,6 +546,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -511,6 +567,8 @@ payloadkeys: tvOS: introduced: '11.3' deprecated: '17.0' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -518,7 +576,7 @@ payloadkeys: default: true content: If 'false', the system prevents the user from downloading Apple Books media that's tagged as erotica. Available in iOS 6 and later, and tvOS 11.3 and later. - This restriction will require supervision in a future release. + Support for this restriction on unsupervised devices is deprecated. - key: allowCamera title: Allow Camera Use supportedOS: 
@@ -534,14 +592,17 @@ payloadkeys: tvOS: introduced: '17.0' supervised: false + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: |- - If 'false', the system disables the camera, and the system removes its icon from the Home screen. Users are unable to take photographs. - This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later, macOS 10.11 and later, and tvOS 17 and later. + content: If 'false', the system disables the camera and removes its icon from the + Home screen, and users are unable to take photographs. Available in iOS 4 and + later, macOS 10.11 and later, and tvOS 17 and later. Support for this restriction + on unsupervised devices is deprecated. - key: allowCellularPlanModification supportedOS: iOS: @@ -553,6 +614,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -572,14 +635,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables the use of the iMessage with supervised - devices. If the device supports text messaging, the user can still send and receive - text messages. Requires a supervised device. Available in iOS 5 and later. + content: If 'false', the system disables the use of iMessage with supervised devices. + If the device supports text messaging, the user can still send and receive text + messages. Requires a supervised device. Available in iOS 5 and later. - key: allowCloudAddressBook supportedOS: iOS: @@ -590,6 +655,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -609,14 +676,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: |- - If 'false', the system disables backing up the device to iCloud. - This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 5 and later. + content: If 'false', the system disables backing up the device to iCloud. Available + in iOS 5 and later. Support for this restriction on unsupervised devices is deprecated. - key: allowCloudBookmarks supportedOS: iOS: @@ -627,6 +695,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -644,6 +714,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -661,12 +733,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables cloud desktop and document services. Available + content: If 'false', the system disables iCloud Desktop and Document services. Available in macOS 10.12.4 and later. - key: allowCloudDocumentSync title: Allow iCloud Document Sync 
@@ -684,16 +758,17 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables document and key-value syncing to iCloud. - As of iOS 13, this restriction requires a supervised device and Shared iPad doesn't - support it. Available in iOS 5 and later, and macOS 10.11 and later. In a future - release, this restriction will apply only to personal Apple IDs and will have - no effect on Managed Apple IDs. + Available in iOS 5 and later, and macOS 10.11 and later. Requires a supervised + device in iOS 13 and later, and Shared iPad doesn't support it. Support for this + restriction on unsupervised devices and with managed Apple IDs is deprecated. - key: allowCloudFreeform supportedOS: iOS: @@ -704,6 +779,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -724,14 +801,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: |- - If 'false', the system disables iCloud keychain synchronization. - This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later and macOS 10.12 and later. + content: If 'false', the system disables iCloud keychain synchronization. Available + in iOS 7 and later, and macOS 10.12 and later. Support for this restriction on + unsupervised devices and with managed Apple IDs is deprecated. - key: allowCloudMail supportedOS: iOS: @@ -742,6 +821,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -759,6 +840,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -779,6 +862,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -786,9 +871,8 @@ payloadkeys: default: true content: If 'false', the system disables iCloud Photo Library. The system removes any photos from local storage that aren't fully downloaded from iCloud Photo Library - to the device. Available in iOS 9 and later, and macOS 10.12 and later. In a future - release, this restriction will begin requiring supervision and will apply to personal - Apple IDs only. + to the device. Available in iOS 9 and later, and macOS 10.12 and later. Support + for this restriction on unsupervised devices and with managed Apple IDs is deprecated. - key: allowCloudPrivateRelay supportedOS: iOS: @@ -802,15 +886,17 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables iCloud Private Relay. For iOS devices, - this restriction requires a supervised device. Available in macOS 12 and later, - and iOS 15 and later. In a future release, this restriction will apply only to - personal Apple IDs and will have no effect on Managed Apple IDs. + content: If 'false', the system disables iCloud Private Relay. Available in iOS + 15 and later, and in macOS 12 and later. Requires a supervised device in iOS. + Support for this restriction on unsupervised devices and with managed Apple IDs + is deprecated. - key: allowCloudReminders supportedOS: iOS: @@ -821,6 +907,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -839,6 +927,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -858,6 +948,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -879,13 +971,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables definition lookup. Requires a supervised - device on iOS. Available in iOS 8.1.3 and later and macOS 10.11 and later. + content: If 'false', the system disables definition lookup. Available in iOS 8.1.3 + and later, and macOS 10.11 and later. Requires a supervised device on iOS. - key: allowDeviceNameModification title: Allow Modifying Device Name supportedOS: @@ -901,14 +995,16 @@ payloadkeys: tvOS: introduced: '11.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system prevents the user from changing the device name. - Requires a supervised device. Available in iOS 9 and later, macOS 14 and later, - and tvOS 11.0 and later. + Available in iOS 9 and later, macOS 14 and later, and tvOS 11.0 and later. Requires + a supervised device in iOS and tvOS. - key: allowDeviceSleep title: Allow Device Sleep supportedOS: @@ -919,13 +1015,15 @@ payloadkeys: tvOS: introduced: '13.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents device from automatically sleeping. Requires - a supervised device. Available in tvOS 13 and later. + content: If 'false', the system prevents the device from automatically sleeping. + Requires a supervised device. Available in tvOS 13 and later. - key: allowDiagnosticSubmission title: Allow diagnostic submission supportedOS: @@ -935,6 +1033,8 @@ payloadkeys: introduced: '10.13' tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: true @@ -953,6 +1053,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -975,13 +1077,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disallows dictation input. Requires a supervised - device. Available in iOS 10.3 and later, and macOS 10.13 and later. + content: If 'false', the system disallows dictation input. Available in iOS 10.3 + and later, and macOS 10.13 and later. Requires a supervised device in iOS. - key: allowEnablingRestrictions title: Allow Configuring Restrictions or ScreenTime supportedOS: @@ -994,14 +1098,17 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: |- - If 'false', the system disables the “Enable Restrictions” option in the Restrictions UI in Settings. - In iOS 12 or later, if 'false', the system disables the “Enable ScreenTime” option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. + content: If 'false', the system disables the Enable Restrictions option in the Restrictions + UI in Settings. If 'false' in iOS 12 and later, the system disables the Enable + ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if + already enabled. Requires a supervised device. Available in iOS 8 and later. - key: allowEnterpriseAppTrust title: Allow Trusting Enterprise Apps supportedOS: @@ -1013,6 +1120,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1033,6 +1142,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1049,6 +1160,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1070,14 +1183,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables the Erase All Content And Settings option - in the Reset UI. Requires a supervised device. Available in iOS 8 and later, and - macOS 12 and later. + content: If 'false', the system disables the Erase All Content and Settings option + in the Reset UI. Available in iOS 8 and later, and macOS 12 and later. Requires + a supervised device in iOS. - key: allowESIMModification title: Allow eSIM Modification supportedOS: @@ -1090,6 +1205,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1110,6 +1227,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1117,10 +1236,9 @@ payloadkeys: default: true content: If 'false', the system hides explicit music or video content purchased from the iTunes Store. The system marks explicit content as such by content providers, - such as record labels, when sold through the iTunes Store. As of iOS 13, requires - a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later. This - restriction will require supervision in a future tvOS release, in addition to - iOS. + such as record labels, when sold through the iTunes Store. Available in iOS 4 + and later, and tvOS 11.3 and later. Requires a supervised device in iOS 13 and + later. Support for this restriction on unsupervised devices is deprecated. - key: allowFileSharingModification title: Allow modifying File Sharing setting supportedOS: @@ -1132,6 +1250,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1150,6 +1270,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1168,6 +1290,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1188,13 +1312,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables Find My Device in the Find My app. Requires - a supervised device. Available in iOS 13 and later. + a supervised device. Available in iOS 13 and later, and macOS 10.15 and later. - key: allowFindMyFriends supportedOS: iOS: @@ -1208,13 +1334,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables Find My Friends in the Find My app. Requires - a supervised device. Available in iOS 13 and later. + a supervised device. Available in iOS 13 and later, and macOS 10.15 and later. - key: allowFindMyFriendsModification supportedOS: iOS: @@ -1226,6 +1354,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1246,14 +1376,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system prevents Touch ID or Face ID from unlocking a device. - Available in iOS 7 and later, and macOS 10.12.4 and later. This restriction will - require supervision in a future release. + Available in iOS 7 and later, and macOS 10.12.4 and later. Support for this restriction + on unsupervised devices is deprecated. - key: allowFingerprintModification title: Allow Modifying Touch ID Fingerprints supportedOS: 
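Review bot: The two Find My descriptions (hunks at -1188 and -1208) now list macOS 10.15 but keep the unqualified `Requires a supervised device.`. Other descriptions in this commit that cover both iOS and macOS were reworded to end with `Requires a supervised device in iOS.`. If macOS behaves for these keys as it does for those, the same order and qualifier would avoid implying a separate macOS supervision requirement: `Available in iOS 13 and later, and macOS 10.15 and later. Requires a supervised device in iOS.` The `supportedOS` entries for both keys start above the hunks, so the macOS flags could not be confirmed from here.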
@@ -1268,14 +1400,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system prevents the user from modifying Touch ID or Face - ID. Requires a supervised device. Available in iOS 8.3 and later, and macOS 14 - and later. + ID. Available in iOS 8.3 and later, and macOS 14 and later. Requires a supervised + device in iOS. - key: allowGameCenter title: Allow Game Center supportedOS: @@ -1290,14 +1424,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables Game Center, and the system removes its - icon from the Home screen. Requires a supervised device. Available in iOS 6 and - later, and macOS 10.13 and later. + icon from the Home screen. Available in iOS 6 and later, and macOS 10.13 and later. + Requires a supervised device in iOS. - key: allowGlobalBackgroundFetchWhenRoaming title: Allow Automatic Sync While Roaming supportedOS: @@ -1309,14 +1445,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables global background fetch activity when an - iOS phone is roaming. Available in iOS 4 and later. This restriction will require - supervision in a future release. + iOS phone is roaming. Available in iOS 4 and later. Support for this restriction + on unsupervised devices is deprecated. - key: allowHostPairing supportedOS: iOS: @@ -1328,6 +1466,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1349,13 +1489,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system prohibits in-app purchasing. Available in iOS 4 - and later. This restriction will require supervision in a future release. + and later. Support for this restriction on unsupervised devices is deprecated. - key: allowInternetSharingModification title: Allow modifying Internet Sharing setting supportedOS: @@ -1367,13 +1509,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents modifying Internet Sharing setting in System - Settings. Available in macOS 14 and later. + content: If 'false', the system prevents modifying the Internet Sharing setting + in System Settings. Available in macOS 14 and later. - key: allowiPhoneWidgetsOnMac title: Allow iPhone widget on Mac supportedOS: @@ -1388,13 +1532,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disallows iPhone widgets on a Mac that has signed - in the same AppleID for iCloud. Requires a supervised device. Available on iOS + in the same Apple ID for iCloud. Requires a supervised device. Available on iOS 17 and later. - key: allowiTunes title: Allow use of iTunes @@ -1408,6 +1554,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1415,7 +1563,8 @@ payloadkeys: default: true content: If 'false', the system disables the iTunes Music Store, and the system removes its icon from the Home screen. Users can't preview, purchase, or download - content. As of iOS 13, requires a supervised device. Available in iOS 4 and later. + content. Available in iOS 4 and later. Requires a supervised device in iOS 13 + and later. - key: allowiTunesFileSharing supportedOS: iOS: @@ -1426,6 +1575,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1445,6 +1596,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1465,13 +1618,15 @@ payloadkeys: tvOS: introduced: '15.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional - content: If present, the system only shows or can launch apps with bundle IDs in - the array. Include the value 'com.apple.webapp' to allow all webclips. Requires - a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + content: |- + If present, the system only shows or can launch apps with bundle IDs in the array. Include the value 'com.apple.webapp' to allow all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc). + Requires a supervised device. Available in iOS 15 and later, and tvOS 15 and later. subkeys: - key: appAllowlistedBundleID title: Allow Listed App @@ -1490,12 +1645,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If set to false, disables live voicemail on the device. + content: If 'false', the system disables live voicemail on the device. Available + in iOS 17.2 and later. - key: allowLocalUserCreation title: Allow creating users in System Settings supportedOS: 
@@ -1507,6 +1665,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1522,6 +1682,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1537,6 +1699,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: true @@ -1551,6 +1715,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1569,6 +1735,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1585,6 +1753,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1604,14 +1774,38 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: |- - If 'true', the system allows managed apps to write contacts to unmanaged contacts accounts. If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. Available in iOS 12 and later. - You need to use MDM to install profiles that contain this restriction. + If 'true', the system allows managed apps to write contacts to unmanaged accounts. If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. Available in iOS 12 and later. + Use MDM to install profiles that contain this restriction. +- key: allowMarketplaceAppInstallation + title: Allow App Installation from alternative marketplaces + supportedOS: + iOS: + introduced: '17.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', the system prevents installation of alternative marketplace + apps from the web and prevents any installed alternative marketplace apps from + installing apps. Available in iOS 17.4 and later. - key: allowMultiplayerGaming title: Allow Multiplayer Gaming supportedOS: @@ -1626,13 +1820,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prohibits multiplayer gaming. Requires a supervised - device. Available in iOS 4.1 and later, and macOS 10.13 and later. + content: If 'false', the system prohibits multiplayer gaming. Available in iOS 4.1 + and later, and macOS 10.13 and later. Requires a supervised device in iOS. - key: allowMusicService title: Allow Apple Music supportedOS: 
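Review bot: The new `allowMarketplaceAppInstallation` entry (hunk at -1604) sets `supervised: true` and forbids user enrollment for iOS, but its `content` never mentions supervision. The other supervised-only keys touched in this diff state `Requires a supervised device.` in the description. Because this key controls installs from alternative marketplaces, an administrator reading only the description could assign it to unsupervised devices and assume it is enforced. I would end the text with `Requires a supervised device. Available in iOS 17.4 and later.`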
@@ -1647,6 +1843,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1667,6 +1865,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1685,6 +1885,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1704,6 +1906,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1720,6 +1924,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1736,6 +1942,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1754,14 +1962,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables over-the-air PKI updates. Setting this - restriction to 'false' doesn't disable CRL and OCSP checks. Available in iOS - 7 and later. + restriction to 'false' doesn't disable CRL and OCSP checks. Available in iOS 7 + and later. - key: allowPairedWatch title: Allow Pairing With Apple Watch supportedOS: @@ -1774,6 +1984,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1793,6 +2005,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -1814,14 +2028,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents adding, changingThe system ignores this - restriction on Shared iPad. Requires a supervised device. Available in iOS 9 and - later, and macOS 10.13 and later. + content: If 'false', the system prevents adding, changing, or removing the passcode. + The system ignores this restriction on Shared iPad. Available in iOS 9 and later, + and macOS 10.13 and later. Requires a supervised device in iOS. - key: allowPasswordAutoFill supportedOS: iOS: @@ -1835,6 +2051,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1844,10 +2062,10 @@ payloadkeys: If 'false', the system disables: * The AutoFill Passwords feature in iOS, with Keychain and third-party password managers * Prompting the user to use a saved password in Safari or in apps - * Automatic Strong Passwords + * Automatic strong passwords * Suggesting strong passwords to users However, if 'false', the system doesn't prevent AutoFill for contact info and credit cards in Safari. - Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later. + Available in iOS 12 and later, and macOS 10.14 and later. Requires a supervised device in iOS. - key: allowPasswordProximityRequests supportedOS: iOS: @@ -1862,14 +2080,16 @@ payloadkeys: tvOS: introduced: '12.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables requesting passwords from nearby devices. - Requires a supervised device. Available in iOS 12 and later, macOS 10.14 and later, - and tvOS 12 and later. + Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later. Requires + a supervised device in iOS and tvOS. - key: allowPasswordSharing supportedOS: iOS: 
@@ -1883,14 +2103,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables sharing passwords with the Airdrop Passwords - feature. Requires a supervised device. Available in iOS 12 and later, and macOS - 10.14 and later. + feature. Available in iOS 12 and later, and macOS 10.14 and later. Requires a + supervised device in iOS. - key: allowPersonalHotspotModification title: Allow modifying Personal Hotspot settings supportedOS: @@ -1903,6 +2125,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1922,6 +2146,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1940,6 +2166,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1959,6 +2187,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -1977,12 +2207,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents modifying Printer Sharing setting in System + content: If 'false', the system prevents modifying Printer Sharing settings in System Settings. Available in macOS 14 and later. - key: allowProximitySetupToNewDevice supportedOS: @@ -1995,6 +2227,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2014,6 +2248,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2035,6 +2271,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2056,6 +2294,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2074,12 +2314,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents modifying Remote Apple Events Sharing setting + content: If 'false', the system prevents modifying Remote Apple Events Sharing settings in System Settings. Available in macOS 14 and later. - key: allowRemoteAppPairing title: Allow pairing with Remote app @@ -2091,6 +2333,8 @@ payloadkeys: tvOS: introduced: '10.2' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2107,6 +2351,8 @@ payloadkeys: introduced: 10.14.4 tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2114,9 +2360,9 @@ payloadkeys: default: true content: If 'false', the system disables remote screen observation by the Classroom app. Nest this key beneath 'allowScreenShot' as a subrestriction. If 'allowScreenShot' - is 'false', the Classroom app doesn't observe remote screens. Requires a supervised - device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS - 10.14.4 and later. + is 'false', the Classroom app doesn't observe remote screens. Available in iOS + 12 and later, and macOS 10.14.4 and later. Requires a supervised device until + iOS 13 and macOS 10.15. Allowed for user enrollments in macOS 12 and later. - key: allowSafari title: Allow use of Safari supportedOS: @@ -2129,6 +2375,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2147,6 +2395,8 @@ payloadkeys: introduced: 10.14.4 tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: true @@ -2165,6 +2415,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2183,13 +2435,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables Shared Photo Stream. Available in iOS 6 - and later. This restriction will require supervision in a future release. + and later. Support for this restriction on unsupervised devices is deprecated. - key: allowSpellCheck title: Allow Spell Check supportedOS: @@ -2202,13 +2456,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system disables keyboard spell-check. Requires a supervised - device. Available in iOS 8.1.3 and later. + content: If 'false', the system disables the keyboard spell checker. Requires a + supervised device. Available in iOS 8.1.3 and later. - key: allowSpotlightInternetResults title: Allow Siri Suggestions supportedOS: @@ -2222,14 +2478,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system disables Spotlight Internet search results in Siri - Suggestions. Available in iOS 8 and later, and macOS 10.11 and later. This restriction - will require supervision in a future release. + Suggestions. Available in iOS 8 and later, and macOS 10.11 and later. Support + for this restriction on unsupervised devices is deprecated. - key: allowStartupDiskModification title: Allow modifying Startup Disk settings supportedOS: 
@@ -2241,12 +2499,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents modification of Startup Disk setting in + content: If 'false', the system prevents modification of Startup Disk settings in System Settings. Available in macOS 14 and later. - key: allowSystemAppRemoval supportedOS: @@ -2259,6 +2519,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2277,6 +2539,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2296,14 +2560,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: supervised: true type: presence: optional default: true content: |- - If 'false', the system disables the App Store, and the systems removes its icon from the Home screen. However, users can continue to use host apps (iTunes, Configurator) to install or update their apps. - In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later and watchOS 10 and later. + If 'false', the system disables the App Store, and the systems removes its icon from the Home screen. However, users may continue to install or update their apps either locally (via Configurator, Xcode, etc), or using alternative marketplace apps. + In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later, and watchOS 10 and later. - key: allowUIConfigurationProfileInstallation title: Allow UI Configuration Profile Installation supportedOS: 
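Review bot: The rewritten App Store description in the last hunk on this line still reads "the systems removes its icon", which should be "the system removes its icon". The first sentence would then read `If 'false', the system disables the App Store, and the system removes its icon from the Home screen.` The added parenthetical `(via Configurator, Xcode, etc)` also lacks the period after "etc", as does the matching parenthetical in the blocked bundle ID description later in this file. The new sentence is what tells administrators that local installs and alternative marketplace apps remain possible under this restriction, so the wording should be exact.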
@@ -2318,14 +2584,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', the system prohibits the user from installing configuration - profiles and certificates interactively. Requires a supervised device. Available - in iOS 6 and later and macOS 13 and later. + profiles and certificates interactively. Available in iOS 6 and later, and macOS + 13 and later. Requires a supervised device in iOS. - key: allowUniversalControl title: Allow Universal Control supportedOS: @@ -2337,6 +2605,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2354,6 +2624,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2361,7 +2633,7 @@ payloadkeys: default: false content: |- If 'true', the system allows unmanaged apps to read from managed contacts accounts. If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. Available in iOS 12 and later. - You need to use MDM to install profiles that contain this restriction. + Use MDM to install profiles that contain this restriction. - key: allowUnpairedExternalBootToRecovery supportedOS: iOS: @@ -2373,6 +2645,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2391,6 +2665,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: '1.1' watchOS: introduced: n/a type: @@ -2412,6 +2688,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2420,8 +2698,8 @@ payloadkeys: content: If 'false', the system allows iOS devices to always connect to USB accessories while locked. On macOS, allows new USB and Thunderbolt accessories and SD cards to connect without authorization. If the system has Lockdown mode enabled, it - ignores this value. Requires a supervised device. Available in iOS 11.4.1 and - later and macOS 13 and later. + ignores this value. Available in iOS 11.4.1 and later, and macOS 13 and later. + Requires a supervised device in iOS. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: @@ -2434,13 +2712,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system hides the FaceTime app. As of iOS 13, requires a - supervised device. Available in iOS 4 and later. + content: If 'false', the system hides the FaceTime app. Available in iOS 4 and later. + Requires a supervised device in iOS 13 and later. - key: allowVoiceDialing title: Allow Voice Dialing While Device is Locked supportedOS: @@ -2453,6 +2733,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2472,6 +2754,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2493,13 +2777,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', the system prevents changing the wallpaper. Requires a supervised - device. Available in iOS 9 and later, and macOS 10.13 and later. + content: If 'false', the system prevents changing the wallpaper. Available in iOS + 9 and later, and macOS 10.13 and later. Requires a supervised device in iOS. - key: autonomousSingleAppModePermittedAppIDs supportedOS: iOS: 
@@ -2511,6 +2797,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2537,6 +2825,8 @@ payloadkeys: introduced: '11.0' deprecated: '15.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2559,12 +2849,15 @@ payloadkeys: tvOS: introduced: '15.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional content: |- - If present, the system prevents showing or launching apps with bundle IDs in the array from. Include the value 'com.apple.webapp' to restrict all webclips. Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + If present, the system prevents showing or launching apps with bundle IDs in the array. Include the value 'com.apple.webapp' to restrict all webclips. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc). + Requires a supervised device. Available in iOS 15 and later, and tvOS 15 and later. Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP). subkeys: - key: appBlockedBundleID @@ -2580,6 +2873,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2601,6 +2896,8 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2612,9 +2909,9 @@ payloadkeys: content: How many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. The restrictions 'forceDelayedAppSoftwareUpdates' - and 'forceDelayedSoftwareUpdates' use this value. Requires a supervised device - in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and - tvOS 12.2 and later. + and 'forceDelayedSoftwareUpdates' use this value. Available in iOS 11.3 and later, + macOS 10.13.4 and later, and tvOS 12.2 and later. Requires a supervised device + in iOS and tvOS. - key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay supportedOS: iOS: @@ -2625,6 +2922,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2633,10 +2932,10 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the admin to set how many days to delay a major - software upgrade on the device. When this restriction is in place the user sees - a software upgrade only after the specified delay after the release of the software - upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'. + content: This restriction allows the administrator to set how many days to delay + a major software upgrade on the device. When this restriction is in place, the + user sees a software upgrade only after the specified delay after the release + of the software upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'. Available in macOS 11.3 and later. - key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay supportedOS: @@ -2648,6 +2947,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -2656,11 +2957,11 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the admin to set how many days to delay a minor - OS software update on the device. When this restriction is in place the user see - a software update only after the specified delay after the release of the software - update. This value controls the delay for 'forceDelayedSoftwareUpdates'. Available - in macOS 11.3 and later. + content: This restriction allows the administrator to set how many days to delay + a minor OS software update on the device. When this restriction is in place, the + user see a software update only after the specified delay after the release of + the software update. This value controls the delay for 'forceDelayedSoftwareUpdates'. + Available in macOS 11.3 and later. - key: enforcedSoftwareUpdateNonOSDeferredInstallDelay supportedOS: iOS: @@ -2671,6 +2972,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2679,10 +2982,10 @@ payloadkeys: min: 1 max: 90 default: 30 - content: This restriction allows the admin to set how many days to delay an app - software update on the device. When this restriction is in place the user sees - a non-OS software update only after the specified delay after the release of the - software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'. + content: This restriction allows the administrator to set how many days to delay + an app software update on the device. When this restriction is in place, the user + sees a non-OS software update only after the specified delay after the release + of the software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'. Available in macOS 11.3 and later. - key: forceAirDropUnmanaged title: Treat AirDrop as Unmanaged Destination @@ -2693,6 +2996,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
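Review bot: The rewritten minor-update description in the first hunk on this line keeps the verb error "the user see a software update", while the major-upgrade and non-OS descriptions rewritten in the same commit say "the user sees". The changed line should read `user sees a software update only after the specified delay after the release of`. The three deferral descriptions are otherwise parallel and should stay word-for-word consistent.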
@@ -2708,15 +3013,16 @@ payloadkeys: introduced: n/a tvOS: introduced: '6.2' + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: If 'true', the system forces all devices sending AirPlay requests to this - device to use a pairing password. Available in Apple TV Software 6.2 and later. - This key isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload - instead. + device to use a pairing password. Available in tvOS 6.2 and later. This key isn't + supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead. - key: forceAirPlayOutgoingRequestsPairingPassword supportedOS: iOS: @@ -2725,6 +3031,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2745,6 +3053,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2766,14 +3076,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: If 'true', the system forces the use of the profanity filter assistant. - Requires a supervised device. Available in iOS 11 and later and macOS 10.13 and - later. + Available in iOS 11 and later, and macOS 10.13 and later. Requires a supervised + device in iOS. - key: forceAuthenticationBeforeAutoFill supportedOS: iOS: 
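Review bot: The AirPlay incoming pairing-password description in the first hunk on this line says the key "isn't supported in tvOS 10.2 and later", but the tvOS entry visible in the hunk carries only `introduced: '6.2'`. Other keys in this file record an end of support in the structured data, for example `deprecated: '15.0'` on the tvOS entries of the older app-list keys. A matching field here, such as `deprecated: '10.2'` if that is the correct semantics, would stop schema-driven tooling from offering a control that current tvOS ignores. Otherwise an administrator may assume AirPlay pairing is enforced when the AirPlay Security payload is what applies.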
@@ -2785,16 +3097,18 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', the system the user needs to authenticate before the system - can autofill passwords or credit card information in Safari and apps. If this - restriction isn't enforced, the user can toggle this feature in Settings. Only - supported on devices with Face ID or Touch ID. Requires a supervised device. Available - in iOS 11 and later. + content: If 'true', the user needs to authenticate before the system can autofill + passwords or credit card information in Safari and apps. If this restriction isn't + enforced, the user can toggle this feature in Settings. Only supported on devices + with Face ID or Touch ID. Requires a supervised device. Available in iOS 11 and + later. - key: forceAutomaticDateAndTime supportedOS: iOS: @@ -2807,6 +3121,8 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2831,6 +3147,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2853,15 +3171,16 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', the system a student enrolled in an unmanaged course through - Classroom requests permission from the teacher when attempting to leave the course. - Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 - and later. + content: If 'true', a student enrolled in an unmanaged course through Classroom + needs to request permission from the teacher to leave the course. Requires a supervised + device. Available in iOS 11.3 and later, and macOS 10.14.4 and later. - key: forceClassroomUnpromptedAppAndDeviceLock supportedOS: iOS: 
@@ -2876,6 +3195,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2898,6 +3219,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2918,12 +3241,14 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', the system delays user visibility of non-OS Software Updates. + content: If 'true', the system delays user visibility of non-OS software updates. Requires a supervised device. Control visibility of operating system updates through 'forceDelayedSoftwareUpdates'. The delay is 30 days unless you set 'enforcedSoftwareUpdateDelay' to another value. Available in macOS 11 and later. @@ -2937,13 +3262,15 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', the system delays user visibility of major upgrades to OS Software. - Available in macOS 11.3 and later. + content: If 'true', the system delays user visibility of major OS updates. Available + in macOS 11.3 and later. - key: forceDelayedSoftwareUpdates supportedOS: iOS: 
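Review bot: The non-OS update description touched in the third hunk on this line still says the delay is 30 days "unless you set 'enforcedSoftwareUpdateDelay' to another value", and does not mention `enforcedSoftwareUpdateNonOSDeferredInstallDelay`. Earlier in this diff, that key's description says it "controls the delay for 'forceDelayedAppSoftwareUpdates'". As written, two keys are documented as setting the same delay, with no statement of which wins on macOS 11.3 and later. A sentence such as `If 'enforcedSoftwareUpdateNonOSDeferredInstallDelay' is set, that value takes precedence.` would resolve it, assuming that is the actual behaviour. The major-update description in the next hunk has the same gap, because it names neither its delay key nor the default delay.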
@@ -2958,16 +3285,18 @@ payloadkeys: tvOS: introduced: '12.2' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: If 'true', the system delays user visibility of software updates. In macOS, - the system allows seed build updates without delay. Requires a supervised device - in iOS and tvOS. The delay is 30 days unless you set 'enforcedSoftwareUpdateDelay' - to another value. Available in iOS 11.3 and later, macOS 10.13 and later, and - tvOS 12.2 and later. + the system allows seed build updates without delay. The delay is 30 days unless + you set 'enforcedSoftwareUpdateDelay' to another value. Available in iOS 11.3 + and later, macOS 10.13 and later, and tvOS 12.2 and later. Requires a supervised + device in iOS and tvOS. - key: forceEncryptedBackup title: Force Encrypted Backups supportedOS: @@ -2977,6 +3306,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -2996,6 +3327,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3013,13 +3346,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: If 'true', the system limits ad tracking. Additionally, it disables app - tracking and the Allow Apps To Request To Track setting. Available in iOS 7 and + tracking and the Allow Apps to Request to Track setting. Available in iOS 7 and later. - key: forceOnDeviceOnlyDictation supportedOS: @@ -3029,6 +3364,8 @@ payloadkeys: introduced: '14.0' tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -3043,6 +3380,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false 
@@ -3060,15 +3399,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If set to true, eSIM will be preserved when a device is erased due to too - many failed password attempt or the "Erase All Content and Settings" option in - Settings > General > Reset. eSIM will not be preserved if the device is erased - by FindMy. + content: |- + If 'true', the system preserves eSIM when it erases the device due to too many failed password attempts or the Erase All Content and Settings option in Settings > General > Reset. Available in iOS 17.2 and later. + The system doesn't preserve eSIM if Find My initiates erasing the device. - key: forceWatchWristDetection title: Force Apple Watch Wrist Detection supportedOS: @@ -3078,6 +3418,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -3095,6 +3437,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3115,14 +3459,16 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', the system limits device to only join Wi-Fi networks set up - through a configuration profile. Requires a supervised device. Available in iOS - 14.5 and later. + content: If 'true', the system limits the device to only join Wi-Fi networks set + up through a configuration profile. Requires a supervised device. Available in + iOS 14.5 and later. - key: forceWiFiWhitelisting title: Only join Wi-Fi networks installed by profiles supportedOS: @@ -3136,6 +3482,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -3153,6 +3501,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3162,7 +3512,7 @@ payloadkeys: max: 1000 default: 1000 content: |- - The maximum level of app content allowed on the device. Pre-installed (1st party) apps ignore this restriction. Available in iOS 4 and later, and tvOS 11.3 and later. + The maximum level of app content allowed on the device. Preinstalled (first party) apps ignore this restriction. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: * '1000': All @@ -3171,8 +3521,6 @@ payloadkeys: * '200': 9+ * '100': 4+ * '0': None - - This restriction will require supervision in a future release. - key: ratingMovies title: Movies Ranking Number supportedOS: @@ -3184,6 +3532,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3193,7 +3543,7 @@ payloadkeys: max: 1000 default: 1000 content: |- - The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. + The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: * '1000': All @@ -3203,11 +3553,11 @@ payloadkeys: * '200': PG * '100': G * '0': None - - This restriction will require supervision in a future release. - key: ratingRegion title: Region Code supportedOS: + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -3223,7 +3573,7 @@ payloadkeys: - nz - gb content: The two-letter key that profile tools use to display the proper ratings - for the given region. This data isn't recognized or reported by the client. + for the given region. The client doesn't recognize or report this data. - key: ratingTVShows title: TV Shows Ranking Number supportedOS: @@ -3235,6 +3585,8 @@ payloadkeys: introduced: n/a tvOS: introduced: '11.3' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3244,7 +3596,7 @@ payloadkeys: max: 1000 default: 1000 content: |- - The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. + The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: * '1000': All @@ -3255,8 +3607,6 @@ payloadkeys: * '200': TV-Y7 * '100': TV-Y * '0': None - - This restriction will require supervision in a future release. - key: requireManagedPasteboard supportedOS: iOS: @@ -3265,6 +3615,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3283,6 +3635,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -3294,13 +3648,11 @@ payloadkeys: - 2.0 default: 2.0 content: |- - Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. + Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated. Allowed values: - * '0': Enables Prevent Cross-Site Tracking and Block All Cookies and the user canʼt disable either setting. - * '1' or '1.5': Enables Prevent Cross-Site Tracking and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. + * '0': Enables Prevent Cross-Site Tracking and Block All Cookies, and the user canʼt disable either setting. + * '1' or '1.5': Enables Prevent Cross-Site Tracking, and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. * '2': Enables Prevent Cross-Site Tracking but doesn't enable Block All Cookies. The user can toggle either setting. - - This restriction will require supervision in a future release. - key: safariAllowAutoFill title: Allow AutoFill in Safari supportedOS: @@ -3315,6 +3667,8 @@ payloadkeys: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3322,7 +3676,7 @@ payloadkeys: default: true content: |- If 'false', the system disables Safari AutoFill for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later. - The system still allows third-party password managers and apps can use AutoFill. + The system still allows third-party password managers, and apps can use AutoFill. - key: safariAllowJavaScript title: Allow JavaScript supportedOS: 
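Review bot: The two rewritten value descriptions in the first hunk on this line spell "canʼt" with a typographic apostrophe, while the rest of the same text uses the ASCII form, as in "doesn't" and "Doesn't". The mixed characters defeat plain-text search and can render differently in consoles that display these strings. The lines were being edited anyway, so both should use ASCII, for example `* '0': Enables Prevent Cross-Site Tracking and Block All Cookies, and the user can't disable either setting.`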
@@ -3334,6 +3688,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3352,13 +3708,15 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true content: If 'false', Safari doesn't allow pop-up windows. Available in iOS 4 and - later. This restriction will require supervision in a future release. + later. Support for this restriction on unsupervised devices is deprecated. - key: safariForceFraudWarning title: Enable Fraud Warning supportedOS: @@ -3368,6 +3726,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -3390,6 +3750,8 @@ payloadkeys: introduced: '11.0' deprecated: '15.0' supervised: true + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/profiles/com.apple.appstore.yaml b/mdm/profiles/com.apple.appstore.yaml index d2051e2..8fe557b 100644 --- a/mdm/profiles/com.apple.appstore.yaml +++ b/mdm/profiles/com.apple.appstore.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.appstore supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Use this payload to set restrictions used by the Mac App Store. payloadkeys: - key: restrict-store-require-admin-to-install 
@@ -23,9 +31,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', restricts app installations to admin users only. Deprecated - in macOS 10.14. Use the 'com.apple.SoftwareUpdate' payload key 'restrict-software-update-require-admin-to-install' - as a replacement. + content: If 'true', the system restricts app installations to admin users only. + Deprecated in macOS 10.14. Use the 'com.apple.SoftwareUpdate' payload key 'restrict-software-update-require-admin-to-install' + instead. - key: restrict-store-softwareupdate-only supportedOS: macOS: @@ -33,8 +41,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents App Store from launching. Available in macOS 10.14 - and later. Restricts installations to software updates only in macOS 10.10 - 10.13. + content: If 'true', the system prevents App Store from launching. Available in macOS + 10.14 and later. Restricts installations to software updates only in macOS 10.10 + through 10.13. - key: restrict-store-disable-app-adoption supportedOS: macOS: @@ -42,8 +51,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables app adoption by users. Available in macOS 10.10 and - later. + content: If 'true', the system disables app adoption by users. Available in macOS + 10.10 and later. - key: DisableSoftwareUpdateNotifications supportedOS: macOS: @@ -51,5 +60,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables software update notifications. Available in macOS 10.10 - and later. + content: If 'true', the system disables software update notifications. Available + in macOS 10.10 and later. diff --git a/mdm/profiles/com.apple.asam.yaml b/mdm/profiles/com.apple.asam.yaml index a704bbd..dafe8d8 100644 --- a/mdm/profiles/com.apple.asam.yaml +++ b/mdm/profiles/com.apple.asam.yaml 
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.asam supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.13.4 multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: AllowedApplications supportedOS: @@ -20,8 +28,8 @@ payloadkeys: introduced: 10.13.4 type: presence: required - content: An array of dictionaries that specifies the apps that can be granted access - to the Accessibility APIs. + content: An array of dictionaries that specifies the apps that the system grants + access to the Accessibility APIs. subkeys: - key: AllowedApplicationsItem type: @@ -41,4 +49,5 @@ payloadkeys: introduced: 10.13.4 type: presence: required - content: The developer's team identifier, used when the app was signed. + content: The developer's team identifier that the system used when it signed + the app. diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml index 70dfdf0..947ad6b 100644 --- a/mdm/profiles/com.apple.associated-domains.yaml +++ b/mdm/profiles/com.apple.associated-domains.yaml @@ -4,6 +4,8 @@ description: Use this section to define settings for Associated Domains to be us payload: payloadtype: com.apple.associated-domains supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.15' multiple: true @@ -14,6 +16,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Configures Associated Domains to be used with features such as Extensible AppSSO, universal links and Password AutoFill. Settings are per-user. The effective settings for a user will be the union of payloads installed for the device and 
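Review bot: The new team identifier description in the `com.apple.asam.yaml` hunk `@@ -41,4 +49,5 @@` says it is the identifier "that the system used when it signed the app", which attributes signing to the system. The removed wording, "used when the app was signed", did not name a signer, and a developer's team identifier is normally tied to the developer's own signing. This value is part of what decides which apps are granted Accessibility API access, so the description should not suggest that a platform signature is being matched. A neutral wording would be `content: The developer's team identifier used to sign the app.`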
@@ -36,8 +44,8 @@ payloadkeys: - key: AssociatedDomains type: presence: required - content: |- - The domains to be associated with the app. Each string is in the form of ''service:domain''. Domains should be fully qualified hostnames, like 'www.example.com'. + content: The domains to associate with the app. Each string is in the form of + ''service:domain''. Use fully qualified hostnames, such as 'www.example.com'. See Supporting associated domains for more information. subkeys: - key: AssociatedDomain @@ -50,6 +58,6 @@ payloadkeys: type: presence: optional default: false - content: If 'true', data for this domain should be downloaded directly instead - of through a CDN. The entitlement value for this domain must be set to 'service:domain?mode=managed' - or this value will be ignored. Available in macOS 11 and later. + content: If 'true', the system enables direct download of data for this domain + instead of through a CDN. Set the entitlement value for this domain to 'service:domain?mode=managed'; + otherwise, the system ignores this value. Available in macOS 11 and later. diff --git a/mdm/profiles/com.apple.caldav.account.yaml b/mdm/profiles/com.apple.caldav.account.yaml index 479847b..ac65195 100644 --- a/mdm/profiles/com.apple.caldav.account.yaml +++ b/mdm/profiles/com.apple.caldav.account.yaml @@ -25,6 +25,17 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a payloadkeys: - key: CalDAVAccountDescription title: Account Description 
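Review bot: The rewritten `AssociatedDomains` description in the first hunk on this line keeps the doubled quotes in `''service:domain''`, while the same sentence and the rest of the file quote literals with single quotes, as in `'www.example.com'`. In both the old `|-` block and the new plain scalar the doubled quotes are literal characters, so they will appear verbatim in generated documentation. They look like a leftover from single-quoted YAML escaping. The line should read `content: The domains to associate with the app. Each string is in the form of 'service:domain'.` followed by the rest of the sentence.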
@@ -40,14 +51,13 @@ payloadkeys: title: Account Username type: presence: optional - content: |- - The user name for logins. - If this profile part of a non-interactive install, this field is required. + content: The user name for logins. If this profile is part of a non-interactive + install, the system requires this field. - key: CalDAVPassword title: Account Password type: presence: optional - content: The user's password. This is only used with encrypted profiles. + content: The user's password. Only use this with encrypted profiles. - key: CalDAVPrincipalURL title: Principal URL type: @@ -58,7 +68,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', enables SSL. + content: If 'true', the system enables SSL. - key: CalDAVPort title: Port Number type: @@ -73,6 +83,5 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.carddav.account.yaml b/mdm/profiles/com.apple.carddav.account.yaml index 4292270..c1e3aae 100644 --- a/mdm/profiles/com.apple.carddav.account.yaml +++ b/mdm/profiles/com.apple.carddav.account.yaml @@ -25,6 +25,17 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a payloadkeys: - key: CardDAVAccountDescription title: Account Description @@ -57,7 +68,7 @@ payloadkeys: introduced: '10.7' type: presence: optional - content: The user's password. + content: The user's password. Only use this with encrypted profiles. - key: CardDAVPrincipalURL title: Principal URL supportedOS: 
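Review bot: The `CalDAVPassword` rewording in the first hunk on this line changes meaning, because "This is only used with encrypted profiles" describes system behaviour and "Only use this with encrypted profiles" is advice to the administrator. The last hunk on this line adds the same advice to the CardDAV password, which previously had no such statement. If the system actually ignores the password in an unencrypted profile, the description should say so, because that is an enforced control. If it does not, the advice should give its reason, for example `The user's password. Include it only in encrypted profiles; otherwise the password is stored in the profile in clear text.` Whichever is true, the CalDAV and CardDAV descriptions should make the same statement.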
@@ -74,7 +85,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', enables SSL. + content: If 'true', the system enables SSL. - key: CardDAVPort title: Port Number supportedOS: @@ -114,8 +125,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: A string containing the bundle identifier for the default application - that handles audio calls made to contacts from this account. + content: The bundle identifier for the default application that handles audio + calls to contacts from this account. - key: VPNUUID title: VPNUUID supportedOS: @@ -125,6 +136,5 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index 65373bc..52dab6f 100644 --- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -14,6 +14,12 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: '3.2' multiple: false @@ -65,7 +71,7 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports. Possible values are: + The Internet Protocol versions that the system supports. Allowed values: * '1': IPv4 * '2': IPv6 @@ -128,7 +134,7 @@ payloadkeys: - 2 - 3 content: |- - The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Possible values are: + The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Allowed values: * '1': IPv4 * '2': IPv6 
@@ -145,7 +151,7 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Possible values are: + The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Allowed values: * '1': IPv4 * '2': IPv6 @@ -162,7 +168,7 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are: + The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: * '1': IPv4 * '2': IPv6 @@ -179,7 +185,7 @@ payloadkeys: - 2 - 3 content: |- - The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are: + The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: * '1': IPv4 * '2': IPv6 diff --git a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml index 5e5f6fa..ccdb1ab 100644 --- a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml +++ b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml @@ -14,6 +14,14 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Payload can be used to provide device info on private network deployments including geographical location, preference over wifi, and network deployment type. diff --git a/mdm/profiles/com.apple.conferenceroomdisplay.yaml b/mdm/profiles/com.apple.conferenceroomdisplay.yaml index ce1b04c..e86275b 100644 --- a/mdm/profiles/com.apple.conferenceroomdisplay.yaml +++ b/mdm/profiles/com.apple.conferenceroomdisplay.yaml 
@@ -4,11 +4,19 @@ description: Use this section to place an Apple TV device into Conference Room D payload: payloadtype: com.apple.conferenceroomdisplay supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a tvOS: introduced: '10.2' multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Configures an Apple TV to enter Conference Room Display mode, and restrictions exit from that mode payloadkeys: diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml index 6cb74ea..c5ea719 100644 --- a/mdm/profiles/com.apple.configurationprofile.identification.yaml +++ b/mdm/profiles/com.apple.configurationprofile.identification.yaml @@ -2,6 +2,8 @@ title: Identification payload: payloadtype: com.apple.configurationprofile.identification supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- This payload can be used on the device or user channel depending on what payload it is paired with. @@ -30,7 +38,7 @@ payloadkeys: - key: PayloadIdentification type: presence: required - content: The dictionary containing details about the user. + content: The dictionary that contains details about the user. subkeys: - key: UserName type: 
@@ -50,13 +58,12 @@ payloadkeys: rangelist: - Password - UserEnteredPassword - content: The authorization method. Either the password is supplied in the profile - or the user supplies it. + content: The authorization method. Either the profile contains the password or + the user provides it. - key: Password type: presence: required - content: The password for the account. Required when the 'AuthMethod' is of type - 'password'. + content: The password for the account. Required when the 'AuthMethod' is 'Password'. - key: Prompt type: presence: optional diff --git a/mdm/profiles/com.apple.dashboard.yaml b/mdm/profiles/com.apple.dashboard.yaml index 283844c..e531995 100644 --- a/mdm/profiles/com.apple.dashboard.yaml +++ b/mdm/profiles/com.apple.dashboard.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.dashboard supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' deprecated: '10.15' @@ -15,6 +17,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Widget restrictions. payloadkeys: - key: whiteListEnabled diff --git a/mdm/profiles/com.apple.declarations.yaml b/mdm/profiles/com.apple.declarations.yaml index 4b5b998..39efa10 100644 --- a/mdm/profiles/com.apple.declarations.yaml +++ b/mdm/profiles/com.apple.declarations.yaml @@ -27,6 +27,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: forbidden watchOS: introduced: '10.0' multiple: true diff --git a/mdm/profiles/com.apple.desktop.yaml b/mdm/profiles/com.apple.desktop.yaml index db24613..100f643 100644 --- a/mdm/profiles/com.apple.desktop.yaml +++ b/mdm/profiles/com.apple.desktop.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.desktop supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.10' multiple: false 
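Review bot: In the first hunk on this line, the `Password` key keeps `presence: required` while its new description says it is required only when 'AuthMethod' is 'Password'. The structured field and the prose therefore disagree for the 'UserEnteredPassword' case. A tool that validates profiles from `presence` alone would insist on a password embedded in the profile even when the user is meant to enter it. If the schema cannot express the condition, `presence: optional` with the conditional sentence seems closer to the described behaviour; this is inferred from the hunk alone.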
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: locked supportedOS: diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml index c0602dc..74e8a3f 100644 --- a/mdm/profiles/com.apple.dnsProxy.managed.yaml +++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml @@ -24,6 +24,17 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: false + supervised: false + allowmanualinstall: false + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: As of iOS 15.0 this payload can be installed on unsupervised devices via MDM and can only be installed via MDM. As of iOS 16.0, this can be installed on User Enrollments via MDM if DNSProxyUUID is specified. diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index aea65ce..3b6e60a 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml @@ -24,6 +24,17 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: forbidden + watchOS: + introduced: n/a payloadkeys: - key: DNSSettings title: DNS Settings 
@@ -44,18 +55,18 @@ payloadkeys: type: presence: optional content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. - This URL must use the 'https://' scheme, and the hostname or address in the - URL will be used to validate the server certificate. If no 'ServerAddresses' - are provided, the hostname or address in the URL will be used to determine the - server addresses. This key must be present only if the 'DNSProtocol' is 'HTTPS'. + This URL needs to use the 'https://' scheme, and the system uses the hostname + or address in the URL to validate the server certificate. If no 'ServerAddresses' + are provided, the system uses the hostname or address in the URL to determine + the server addresses. Required if 'DNSProtocol' is 'HTTPS'. - key: ServerName title: Server Name type: presence: optional content: The hostname of a DNS-over-TLS server used to validate the server certificate, - as defined in RFC 7858. If no 'ServerAddresses' are provided, the hostname will - be used to determine the server addresses. This key must be present only if - the DNSProtocol is 'TLS'. + as defined in RFC 7858. If no 'ServerAddresses' are provided, the system uses + the hostname to determine the server addresses. This key must be present only + if the DNSProtocol is 'TLS'. - key: ServerAddresses title: DNS Server Addresses type: 
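Review bot: The two conditional-requirement sentences in this hunk no longer match. The DNS-over-HTTPS URL description now ends with "Required if 'DNSProtocol' is 'HTTPS'", but `ServerName` was only rewrapped and still says "This key must be present only if the DNSProtocol is 'TLS'", with the key name unquoted. Both keys stay `presence: optional` as far as the hunk shows, so the requirement exists only in prose and should read the same in both places: `Required if 'DNSProtocol' is 'TLS'.` The change from "must use" to "needs to use the 'https://' scheme" also reads weaker than the constraint it describes, since that hostname is what the server certificate is validated against.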
@@ -71,8 +82,8 @@ payloadkeys: type: presence: optional content: |- - A list of domain strings used to determine which DNS queries will use the DNS server. If this array is not provided, all domains will use the DNS server. - A single wildcard '*' prefix is supported, but is not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but do not match against 'mydomain-example.com'. + A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server. + The system supports a single wildcard ('*') prefix, but it's not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but don't match against 'mydomain-example.com'. subkeys: - key: SupplementalMatchDomainsElement title: Supplemental Match Domains Element @@ -81,8 +92,8 @@ payloadkeys: title: On Demand Rules type: presence: optional - content: An array of rules defining the DNS settings. If rules aren't present, the - system always applies the DNS settings. These rules are identical to the 'OnDemandRules' + content: An array of rules that define the DNS settings. If not set, the system + always applies the DNS settings. These rules are identical to the 'OnDemandRules' array in VPN payloads. subkeytype: OnDemandRulesElement subkeys: 
@@ -99,45 +110,54 @@ payloadkeys: - Disconnect - EvaluateConnection content: |- - The action to take if this dictionary matches the current network. Possible values are: + The action to take if this dictionary matches the current network. Allowed values: + * 'Connect': Apply DNS Settings when the dictionary matches. - * 'Disconnect': Do not apply DNS Settings when the dictionary matches. + * 'Disconnect': Don't apply DNS Settings when the dictionary matches. * 'EvaluateConnection': Apply DNS Settings with per-domain exceptions when the dictionary matches. - key: ActionParameters title: Action Parameters - type: + type: presence: optional - content: |- - A dictionary that provides per-connection rules. - This array is used only for settings where the 'Action' value is'EvaluateConnection'. + content: An array of dictionaries that provides per-connection rules. The system + uses this array only for settings where the 'Action' value is'EvaluateConnection'. subkeys: - - key: Domains - title: Domains - type: - presence: required - content: The domains for which this evaluation applies. - subkeys: - - key: DomainsElement - title: Domains Element - type: - - key: DomainAction - title: Domain Action - type: - presence: required - rangelist: - - NeverConnect - - ConnectIfNeeded + - key: ActionParameter + title: Action Parameter + type: + presence: optional content: |- - The DNS settings behavior for the specified domains. Allowed values are: - * 'NeverConnect': Do not use the DNS Settings for the specified domains. - * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains. + A dictionary that provides per-connection rules. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains for which this evaluation applies. 
+ subkeys: + - key: DomainsElement + title: Domains Element + type: + - key: DomainAction + title: Domain Action + type: + presence: required + rangelist: + - NeverConnect + - ConnectIfNeeded + content: |- + The DNS settings behavior for the specified domains. Allowed values: + + * 'NeverConnect': Don't use the DNS Settings for the specified domains. + * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains. - key: DNSDomainMatch title: DNS Domain Match type: presence: optional content: |- An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. - A single wildcard '*' prefix is supported, but is not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but do not match against 'mydomain-example.com'. + The system supports a single wildcard ('*') prefix, but it's not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but don't match against 'mydomain-example.com'. subkeys: - key: DNSDomainMatchElement title: DNS Domain Match Element @@ -148,7 +168,7 @@ payloadkeys: presence: optional content: |- An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. - Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet. + The system supports matching with a single wildcard. For example, '17.*' matches any DNS server in the 17.0.0.0/8 subnet. subkeys: - key: DNSServerAddressMatchElement title: DNS Server Address Match Element 
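Review bot: The rewritten `ActionParameters` description still runs two words together in `is'EvaluateConnection'`; a space is missing before the quoted value. The new `ActionParameter` element says "This array is used only for dictionaries …" although it describes a single dictionary. It also repeats the restriction its parent already states, and leaves `EvaluateConnection` and `Action` unquoted, unlike the rest of the file. Suggested parent ending: `only for settings where the 'Action' value is 'EvaluateConnection'.`, with the element's note dropped or reworded to start "This dictionary".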
@@ -167,9 +187,9 @@ payloadkeys: title: SSID Match type: presence: optional - content: |- - An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. - Omit this key and the corresponding array to match against any SSID. + content: An array of SSIDs to match against the current network. If the network + isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match + fails. Omit this key and the corresponding array to match against any SSID. subkeys: - key: SSIDMatchElement title: SSID Match Element @@ -178,15 +198,15 @@ payloadkeys: title: URL String Probe type: presence: optional - content: A URL to probe. If this URL is successfully fetched (returning a 200 - HTTP status code) without redirection, this rule matches. + content: A URL to probe. This rule matches if this URL is successfully fetched + and returns a 200 HTTP status code without redirection. - key: ProhibitDisablement title: Prohibit Disablement type: presence: optional default: false - content: If 'true', prohibits users from disabling DNS settings. This key is only - available on supervised devices. + content: If 'true', the system prohibits users from disabling DNS settings. This + key is only available on supervised devices. - key: PayloadCertificateUUID title: Certificate UUID supportedOS: diff --git a/mdm/profiles/com.apple.dock.yaml b/mdm/profiles/com.apple.dock.yaml index d9139dc..0f352c7 100644 --- a/mdm/profiles/com.apple.dock.yaml +++ b/mdm/profiles/com.apple.dock.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.dock supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: tilesize type: 
diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index ea34136..da8bb83 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload defines web domains that are under an enterprise's management. payloadkeys: - key: EmailDomains diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml index 7ceba61..64cfad8 100644 --- a/mdm/profiles/com.apple.eas.account.yaml +++ b/mdm/profiles/com.apple.eas.account.yaml @@ -14,6 +14,19 @@ payload: userchannel: true userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: |- This payload configures an Exchange Active Sync account on an iOS device for Mail, Contacts, Calendars, Reminders, and Notes. Updating this payload overrides any settings that the user customized, such as EnableMail/Contacts/Calendars/Reminders/Notes and MailNumberOfPastDaysToSync. @@ -36,7 +49,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables SSL for authentication. + content: If 'true', the system enables SSL for authentication. - key: OAuth title: Use OAuth supportedOS: @@ -52,8 +65,8 @@ payloadkeys: title: User type: presence: optional - content: This user name for this Exchange account. The user name is required for - noninteractive installations like MDM in iOS. + content: This user name for this Exchange account. Required for noninteractive installations + like MDM in iOS. - key: Password title: Password type: 
@@ -90,9 +103,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents messages from being moved out of this email account + content: If 'true', the system prevents moving messages from out of this email account into another account. This setting also prevents forwarding or replying from an - account other than the one the message was sent to. + account other than the recipient of the message. - key: PreventAppSheet title: Prevent App Sheet supportedOS: @@ -108,8 +121,8 @@ payloadkeys: type: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of of the certificate payload within the same profile to use for - the identity credential. If this field is present, the Certificate field is not + content: The UUID of the certificate payload within the same profile to use for + the identity credential. If this field is present, the Certificate field isn't used. - key: SMIMEEnabled title: S/MIME Enabled @@ -117,11 +130,13 @@ payloadkeys: iOS: introduced: '5.0' deprecated: '10.0' + visionOS: + introduced: n/a type: presence: optional default: false - content: If 'true', enables S/MIME encryption. In iOS 10.0 and later, this key is - ignored. Use 'SMIMESigningEnabled' instead. + content: If 'true', the system enables S/MIME encryption. In iOS 10.0 and later, + this key is ignored. Use 'SMIMESigningEnabled' instead. - key: SMIMESigningEnabled title: S/MIME Signing Enabled supportedOS: @@ -130,8 +145,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables S/MIME signing for this account. Available in iOS 10.0 - and later. + content: If 'true', the system enables S/MIME signing for this account. Available + in iOS 10.0 and later. - key: SMIMESigningCertificateUUID title: S/MIME Signing Certificate supportedOS: 
@@ -148,12 +163,14 @@ payloadkeys: iOS: introduced: '10.3' deprecated: '12.0' + visionOS: + introduced: n/a type: presence: optional default: false - content: If 'true', enables S/MIME encryption for this account. Available in iOS - 10.0 and later. As of iOS 12.0, this key is deprecated. It is recommended to use - 'SMIMEEncryptByDefault' instead. + content: If 'true', the system enables S/MIME encryption for this account. Available + in iOS 10.0 and later. As of iOS 12.0, this key is deprecated. Use 'SMIMEEncryptByDefault' + instead. - key: SMIMEEncryptionCertificateUUID title: S/MIME Encryption Certificate supportedOS: 
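Review bot: The reworded description says "Available in iOS 10.0 and later", but the `supportedOS` block in the same hunk gives `introduced: '10.3'` for iOS. The edit kept that sentence, so the two version statements still disagree. One of them should change; if the structured value is the authoritative one, the sentence would read `Available in iOS 10.3 and later.`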
@@ -163,28 +180,30 @@ payloadkeys: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ content: The payload UUID of the identity certificate used to decrypt messages sent - to this account. The public certificate is attached to outgoing mail to allow - encrypted mail to be sent to this user. When the user sends encrypted mail, the - public certificate is used to encrypt the copy of the mail in the user's Sent - mailbox. + to this account. The system attaches the public certificate to outgoing mail to + allow the user to receive encrypted mail. When the user sends encrypted mail, + the system uses the public certificate to encrypt the copy of the mail in the + user's Sent mailbox. - key: SMIMEEnablePerMessageSwitch title: S/MIME Enable Per-Message Switch supportedOS: iOS: introduced: '8.0' deprecated: '12.0' + visionOS: + introduced: n/a type: presence: optional default: false content: |- - If 'true', displays the per-message encryption switch in the Mail Compose UI. + If 'true', the system displays the per-message encryption switch in the Mail Compose UI. Available in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. Use 'SMIMEEnableEncryptionPerMessageSwitch' instead. - key: disableMailRecentsSyncing title: Disable Mail Recents Syncing type: presence: optional default: false - content: If 'true', excludes this account from Recent Addresses syncing. + content: If 'true', the system excludes this account from Recent Addresses syncing. - key: MailNumberOfPastDaysToSync title: Past Days of Mail to Sync type: @@ -201,6 +220,8 @@ payloadkeys: supportedOS: iOS: deprecated: '7.0' + visionOS: + introduced: n/a type: presence: optional content: The value of the 'X-Apple-Config-Magic' header in each EAS HTTP request. 
@@ -220,7 +241,7 @@ payloadkeys: introduced: '10.0' type: presence: optional - content: The default handlers to be used for contacts from this account. + content: The default handlers to use for contacts from this account. subkeys: - key: AudioCall title: App for audio calls @@ -239,7 +260,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables this account to use Mail Drop. + content: If 'true', the system enables this account to use Mail Drop. - key: SMIMESigningUserOverrideable supportedOS: iOS: @@ -265,9 +286,8 @@ payloadkeys: type: presence: optional default: false - content: If set to true, S/MIME encryption is enabled by default. If 'SMIMEEnableEncryptionPerMessageSwitch' - is false, this default cannot be changed by the user. Available in iOS 12.0 and - later. + content: If 'true', the system enables S/MIME encryption by default. If 'SMIMEEnableEncryptionPerMessageSwitch' + is 'false', the user can't change this default. Available in iOS 12.0 and later. - key: SMIMEEncryptByDefaultUserOverrideable supportedOS: iOS: @@ -275,8 +295,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the user can turn encryption by default on/off, and encryption - is on. Available in iOS 12.0 and later. + content: If 'true', the system enables encryption by default and the user can't + change it. Available in iOS 12.0 and later. - key: SMIMEEncryptionCertificateUUIDUserOverrideable supportedOS: iOS: @@ -293,8 +313,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', displays the per-message encryption switch in the Mail Compose - UI. Available in iOS 12.0 and later. + content: If 'true', the system displays the per-message encryption switch in the + Mail Compose UI. Available in iOS 12.0 and later. - key: EnableMail supportedOS: iOS: 
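Review bot: The new description of `SMIMEEncryptByDefaultUserOverrideable` (hunk at -275,8) reverses the old one. The removed text said that with 'true' the user can turn encryption by default on or off; the added text says the user can't change it. The key name and the `Enable…UserOverridable` keys later in this file, where 'false' is the value that stops the user from changing a setting, both point to the old reading, so this looks like an editing slip, though the diff alone cannot confirm it. An administrator following the new text would set 'true' expecting encryption to be locked on and would instead leave it user-switchable. Suggested wording: `If 'true', the system enables encryption by default and the user can change it.`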
@@ -303,8 +323,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the Mail service for this account. The Mail service may be re-enabled in Settings unless 'EnableMailUserOverridable' is 'false'. - 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'. + If 'false', the system disables the Mail service for this account. The user can reenable Mail service in Settings unless 'EnableMailUserOverridable' is 'false'. + At least of the following fields needs to be 'true': 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes'. - key: EnableContacts supportedOS: iOS: @@ -313,8 +333,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the Contacts service for this account. The Contacts service may be re-enabled in Settings unless 'EnableContactsUserOverridable' is 'false'. - 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'. + If 'false', the system disables the Contacts service for this account. The user can reenable Contacts service in Settings unless 'EnableContactsUserOverridable' is 'false'. + At least of the following fields needs to be 'true': 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes'. - key: EnableCalendars supportedOS: iOS: 
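Review bot: The second line added to the `EnableMail` description reads "At least of the following fields needs to be 'true'"; the word "one" is missing. The same sentence appears in the `EnableContacts`, `EnableCalendars`, `EnableReminders` and `EnableNotes` hunks that follow, so all five need the fix: `At least one of the following fields needs to be 'true': …`. The first added line also drops the article in "reenable Mail service"; `reenable the Mail service` reads better, and likewise for the other four services.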
@@ -323,8 +343,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the Calendars service for this account. The Calendars service may be re-enabled in Settings unless 'EnableCalendarsUserOverridable' is 'false'. - 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'. + If 'false', the system disables the Calendars service for this account. The user can reenable Calendars service in Settings unless 'EnableCalendarsUserOverridable' is 'false'. + At least of the following fields needs to be 'true': 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes'. - key: EnableReminders supportedOS: iOS: @@ -333,8 +353,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the Reminders service for this account. The Reminders service may be re-enabled in Settings unless 'EnableRemindersUserOverridable' is false. - 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'. + If 'false', the system disables the Reminders service for this account. The user can reenable Reminders service in Settings unless 'EnableRemindersUserOverridable' is 'false'. + At least of the following fields needs to be 'true': 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes'. - key: EnableNotes supportedOS: iOS: 
@@ -343,8 +363,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the Notes service for this account. The Notes service may be re-enabled in Settings unless 'EnableNotesUserOverridable' is 'false'. - 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'. + If 'false', the system disables the Notes service for this account. The user can reenable Notes service in Settings unless 'EnableNotesUserOverridable' is 'false'. + At least of the following fields needs to be 'true': 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes'. - key: EnableMailUserOverridable supportedOS: iOS: @@ -352,8 +372,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from changing the state of the Mail service - for this account in Settings. + content: If 'false', the system prevents the user from changing the state of the + Mail service for this account in Settings. - key: EnableContactsUserOverridable supportedOS: iOS: @@ -361,8 +381,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from changing the state of the Contacts service - for this account in Settings. + content: If 'false', the system prevents the user from changing the state of the + Contacts service for this account in Settings. - key: EnableCalendarsUserOverridable supportedOS: iOS: @@ -370,8 +390,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from changing the state of the Calendars - service for this account in Settings. + content: If 'false', the system prevents the user from changing the state of the + Calendars service for this account in Settings. - key: EnableRemindersUserOverridable supportedOS: iOS: 
@@ -379,8 +399,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from changing the state of the Reminders - service for this account in Settings. + content: If 'false', the system prevents the user from changing the state of the + Reminders service for this account in Settings. - key: EnableNotesUserOverridable supportedOS: iOS: @@ -396,18 +416,17 @@ payloadkeys: introduced: '13.0' type: presence: optional - content: |- - The URL that this account should use for signing in via OAuth. When this URL is specified, auto-discovery is not used for this account so you must also specify a host. - This field is ignored unless 'OAuth' is 'true'. + content: The URL that this account should use for signing in through OAuth. Ignored + unless 'OAuth' is 'true'. If you specify this URL, auto-discovery isn't used for + this account, so you need to also specify a host. - key: OAuthTokenRequestURL supportedOS: iOS: introduced: '13.0' type: presence: optional - content: |- - The URL that this account should use for token requests via OAuth. - This field is ignored unless 'OAuth' is 'true'. + content: The URL that this account should use for token requests through OAuth. + Ignored unless 'OAuth' is 'true'. - key: OverridePreviousPassword supportedOS: iOS: @@ -415,8 +434,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', overrides the previous user/EAS password with the new EAS password - in the payload. Available in iOS 14 and later. + content: If 'true', the system overrides the previous user/EAS password with the + new EAS password in the payload. Available in iOS 14 and later. - key: VPNUUID title: VPNUUID supportedOS: @@ -424,6 +443,5 @@ payloadkeys: introduced: '14.0' type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. 
diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml index 828b351..d16c7e2 100644 --- a/mdm/profiles/com.apple.education.yaml +++ b/mdm/profiles/com.apple.education.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload is used to configure Classroom students, Classroom instructors, and the Shared iPad login screen. These do not necessarily require the same set of keys to be present in their payloads, so make sure to include all keys that 
@@ -39,20 +45,21 @@ payloadkeys: - key: OrganizationName type: presence: required - content: The organization's display name. This name is shown in the iOS login screen. + content: The organization's display name. The system displays this name in the iOS + login screen. - key: PayloadCertificateUUID type: presence: optional content: |- The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices. This property supports PKCS12 certificates. - This key is required to configure Classroom. It does not impact the configuration of the Shared iPad login screen. + Required to configure Classroom. Has no effect on the configuration of the Shared iPad login screen. - key: LeaderPayloadCertificateAnchorUUID type: presence: optional content: |- - The array of UUIDs referring to certificate payloads within the same profile that are used to authorize leader peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Leader certificates must have the common name prefix leader (case insensitive). - Note: This property doesn't support identity payloads or PKCS12 certificates. - This key is required when configuring a student device for Classroom, and is ignored when configuring an instructor device. It does not impact the configuration of the Shared iPad login screen. + The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize leader peer certificate identities. This array needs to contain all necessary certificates to validate the entire chain of trust. Leader certificates needs to have the common name prefix leader, which is case insensitive. + This property doesn't support identity payloads or PKCS12 certificates. + Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen. 
subkeys: - key: LeaderPayloadCertificateAnchorUUIDItem type: @@ -62,9 +69,9 @@ payloadkeys: type: presence: optional content: |- - The array of UUIDs referring to certificate payloads within the same profile that are used to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive). - Note: This property doesn't support identity payloads or PKCS12 certificates. - This key is required when configuring an instructor device for Classroom, and is ignored when configuring a student device. It does not impact the configuration of the Shared iPad login screen. + The array of UUIDs referring to certificate payloads within the same profile that the system uses to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive). + This property doesn't support identity payloads or PKCS12 certificates. + Required when configuring a student device for Classroom, and ignored when configuring an instructor device. Has no effect on the configuration of the Shared iPad login screen. subkeys: - key: MemberPayloadCertificateAnchorUUIDItem type: 
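Review bot: The rewritten last line of the `MemberPayloadCertificateAnchorUUID` description (hunk `@@ -62,9 +69,9 @@`) now reads "Required when configuring a student device for Classroom, and ignored when configuring an instructor device". That is the sentence from `LeaderPayloadCertificateAnchorUUID`, and it reverses the removed line, which said the key is required on an instructor device and ignored on a student device. This key lists the trust anchors used to authorize member peer certificate identities, so a profile built from the new wording could leave those anchors out of instructor profiles. I would keep the new phrasing but restore the roles: `Required when configuring an instructor device for Classroom, and ignored when configuring a student device. Has no effect on the configuration of the Shared iPad login screen.`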
@@ -74,20 +81,20 @@ payloadkeys: type: presence: optional content: |- - The UUID of an identity certificate payload within the same profile that is used to perform client authentication when fetching additional resources, such as student images. If not specified, the MDM client identity is used. - If present, this key is used to configure both Classroom and the Shared iPad login screen. + The UUID of an identity certificate payload within the same profile that the system uses to perform client authentication when fetching additional resources, such as student images. + If set, the system uses this key to configure both Classroom and the Shared iPad login screen. If not set, the system uses MDM client identity. - key: UserIdentifier type: presence: required content: |- The unique string that identifies the user of this device within the organization. - If this payload is intended to configure the Shared iPad login screen, this value must not be set. + Don't set this value in payloads intended to configure the Shared iPad login screen. - key: Departments type: presence: optional - content: |- - For shared iPad profiles: The array of dictionaries that defines which departments are shown in the Shared iPad login screen. - If present, this key is used to configure both Classroom and the Shared iPad login screen. + content: 'For shared iPad profiles: The array of dictionaries that defines which + departments the system displays in the Shared iPad login screen. If set, the system + uses this key to configure both Classroom and the Shared iPad login screen.' subkeys: - key: DepartmentsItem type: @@ -102,7 +109,7 @@ payloadkeys: content: The group beacon identifiers that are members of this department. subkeys: - key: GroupBeaconIDsItem - type: + type: presence: required content: A group beacon identifier. - key: Groups 
@@ -110,9 +117,7 @@ payloadkeys: presence: required content: |- For shared iPad profiles: The array of dictionaries that defines which groups the user can select in the login window. - For leader/teacher profiles: The array of dictionaries that defines the groups that the user can control. - For member/student profiles: The array of dictionaries that defines the groups where the user is a member. subkeys: - key: GroupsItem @@ -142,8 +147,7 @@ payloadkeys: - key: ConfigurationSource type: presence: optional - content: The source that provided this group; for example, iTunesU, SIS, or - MDM. + content: The source that provided this group, such as SIS, or MDM. - key: LeaderIdentifiers type: presence: optional @@ -166,8 +170,8 @@ payloadkeys: type: presence: optional content: |- - The identifiers that refer to entries in the DeviceGroups array to which the instructor can assign users from this class. - The presence/value of this key does not impact the configuration of the Shared iPad login screen. + The identifiers that refer to entries in the 'DeviceGroups' array to which the instructor can assign users from this class. + Has no effect on the configuration of the Shared iPad login screen. subkeys: - key: DeviceGroupIdentifiersItem type: 
@@ -177,11 +181,9 @@ payloadkeys: type: presence: required content: |- - For shared iPad profiles: The array of dictionaries that define the users that are shown in the iOS login window. - + For shared iPad profiles: The array of dictionaries that define the users that the system displays in the iOS login window. For leader/teacher profiles: The array of dictionaries that define users that are members of the teacher's groups. - - For member/student profiles: The array of dictionaries that must contain the definition of the user specified in the 'UserIdentifier' key. With one-to-one member devices, this key should include only the device user and the teacher but not other class members. + For member/student profiles: The array of dictionaries that needs to contain the definition of the user specified in the 'UserIdentifier' key. With one-to-one member devices, this key should include only the device user and the teacher but not other class members. subkeys: - key: UsersItem type: 
@@ -205,19 +207,22 @@ payloadkeys: - key: PhoneticGivenName type: presence: optional - content: The user's phonetic given name. This name is used to sort users in - the Classroom app and the Shared iPad Login Screen. + content: The user's phonetic given name. The system uses this name to sort users + in the Classroom app and the Shared iPad Login Screen. - key: PhoneticFamilyName type: presence: optional - content: The user's phonetic family name. This name is used to sort users in - the Classroom app and the shared iPad login screen. + content: The user's phonetic family name. The system uses this name to sort + users in the Classroom app and the shared iPad login screen. - key: ImageURL type: presence: optional - content: |- - A string containing a URL pointing to an image of the user. This image will be displayed in the iOS login screen and in the Classroom app. The recommended resolution is 256 x 256 pixels (512 x 512 pixels on a 2x device). The recommended formats are JPEG, PNG, and TIFF. - The 'ResourcePayloadCertificateUUID' identity certificate or the MDM client identity will be used to perform authentication when fetching the image. + content: A string that contains a URL pointing to an image of the user. The + system displays this image in the iOS login screen and in the Classroom app. + The recommended resolution is 256 x 256 pixels (512 x 512 pixels on a 2x device). + The recommended formats are JPEG, PNG, and TIFF. The system uses the 'ResourcePayloadCertificateUUID' + identity certificate or the MDM client identity to perform authentication + when fetching the image. - key: FullScreenImageURL supportedOS: iOS: 
@@ -227,16 +232,16 @@ payloadkeys: type: presence: optional content: Deprecated in iOS 9.3.1 and later. The URL pointing to an image of - the user. The 'ResourcePayloadCertificateUUID' identity certificate or the - MDM client identity will be used to perform authentication when fetching the - specified resource. + the user. The system uses the 'ResourcePayloadCertificateUUID' identity certificate + or the MDM client identity to perform authentication when fetching the specified + resource. - key: AppleID type: presence: optional content: |- The managed Apple ID for this user. - This key is not required to configure Classroom, but it is used by Classroom if it is present. - This key is required when configuring the Shared iPad login screen. + Not required to configure Classroom, but if set the system uses it. + Required to configure the Shared iPad login screen. - key: PasscodeType type: presence: optional @@ -249,8 +254,7 @@ payloadkeys: type: presence: optional content: 'For leader/teacher profiles: The array of dictionaries that defines which - device groups the leader can assign devices to. This key is not included in member - payloads.' + device groups the leader can assign devices to. Not included in member payloads.' subkeys: - key: DeviceGroupsItem type: @@ -279,5 +283,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows students enrolled in managed classes to modify their - teacher's permissions for screen observation on their device. + content: If 'true', the system allows students enrolled in managed classes to modify + their teacher's permissions for screen observation on their device. diff --git a/mdm/profiles/com.apple.ews.account.yaml b/mdm/profiles/com.apple.ews.account.yaml index 38f4295..6fa59ad 100644 --- a/mdm/profiles/com.apple.ews.account.yaml +++ b/mdm/profiles/com.apple.ews.account.yaml 
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.ews.account supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: For macOS 10.9 and higher, an Exchange Web services (EWS) account is configured with support for Mail, Contacts, Calendar, Notes and Reminders. macOS 10.7-10.8 only supported Contacts. @@ -25,14 +33,12 @@ payloadkeys: - key: Host type: presence: optional - content: |- - The Exchange server host name or IP address. - If using OAuth, the host name is ignored.. + content: The Exchange server host name or IP address. Ignored if using OAuth. - key: SSL type: presence: optional default: true - content: If 'true', enables SSL. + content: If 'true', the system enables SSL. - key: OAuth title: Use OAuth supportedOS: @@ -41,9 +47,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', enables OAuth for authentication. If OAuth is enabled, don't specify a password. - Available in macOS 10.14 and later + content: If 'true', the system enables OAuth for authentication. Don't specify a + password if 'OAuth' is 'true'. Available in macOS 10.14 and later - key: OAuthSignInURL title: URL for OAuth sign-in supportedOS: 
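Review bot: The shortened `Host` description in hunk `@@ -25,14 +33,12 @@` ("Ignored if using OAuth.") conflicts with the `OAuthSignInURL` description in the next hunk (`@@ -51,14 +56,14 @@`), which says "This setting requires a 'Host' value." The removed text had the same conflict, so the rewording carries it forward rather than resolving it. If the host is ignored only when autodiscovery is in use, which is an inference from the two descriptions and needs confirming, the line could say so: `content: The Exchange server host name or IP address. Ignored if using OAuth, unless 'OAuthSignInURL' is set.`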
@@ -51,14 +56,14 @@ payloadkeys: introduced: '10.14' type: presence: optional - content: The URL to load into a web view for authentication via OAuth when autodiscovery + content: The URL to load into a web view for authentication through OAuth when autodiscovery isn't used. This setting requires a 'Host' value. - key: UserName type: presence: optional - content: The user name for this Exchange account. This string is required for noninteractive - (for example, MDM) installation. If it's missing, the device prompts for it during - interactive profile installation. + content: The user name for this Exchange account. Required for noninteractive installation, + such as through MDM. If missing, the system prompts the user for it during interactive + profile installation. - key: Password type: presence: optional @@ -71,7 +76,7 @@ payloadkeys: type: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: The UUID of of the certificate payload within the same profile to use for + content: The UUID of the certificate payload within the same profile to use for the identity credential. Supported on macOS 10.12 or later. - key: AuthenticationCertificateUUID supportedOS: @@ -79,7 +84,7 @@ payloadkeys: introduced: '10.11' type: presence: optional - content: The UUID of of the certificate payload within the same profile to use for + content: The UUID of the certificate payload within the same profile to use for the identity credential. Supported on macOS 10.11 or later. On macOS 10.12 or later use the PayloadCertificateUUID. - key: allowMailDrop @@ -90,7 +95,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables Mail Drop. + content: If 'true', the system enables Mail Drop. - key: Path type: presence: optional 
@@ -107,7 +112,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', enables SSL for connections to the external server. + content: If 'true', the system enables SSL for connections to the external server. - key: ExternalPath type: presence: optional diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index 8706802..9d890f4 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: false userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Configures the included Kerberos extension that performs SSO on behalf of specified hosts. User channel support was added in macOS 11.0. payloadkeys: @@ -32,25 +38,24 @@ payloadkeys: presence: required rangelist: - com.apple.AppSSOKerberos.KerberosExtension - content: This value must be 'com.apple.AppSSOKerberos.KerberosExtension' for this - extension. + content: Set this to 'com.apple.AppSSOKerberos.KerberosExtension' for this extension. - key: TeamIdentifier type: presence: required rangelist: - apple - content: This value must be 'apple' for the Kerberos extension. + content: Set this to 'apple' for this extension. - key: Type type: presence: required rangelist: - Credential - content: This value must be 'Credential' for the Kerberos extension. + content: Set this to 'Credential' for this extension. - key: Realm type: presence: required - content: The Kerberos realm, which should be properly capitalized. If in an Active - Directory forest, this is the realm where the user logs in. + content: The Kerberos realm. Use proper capitalization for this value. If in an + Active Directory forest, this is the realm where the user logs in. - key: ExtensionData type: presence: optional 
@@ -68,12 +73,12 @@ payloadkeys: - key: principalName type: presence: optional - content: The principal (aka username) to use. You do not need to include the realm. + content: The principal (username) to use. You don't need to include the realm. - key: siteCode type: presence: optional content: The name of the Active Directory site the Kerberos extension should use. - Most administrators will never need to modify this value, as the Kerberos extension + Most administrators don't need to modify this value, as the Kerberos extension can normally find the site automatically. - key: certificateUUID type: @@ -93,7 +98,7 @@ payloadkeys: - key: credentialBundleIdACLItem type: presence: optional - content: Bundle IDs allowed to access the TGT. These values are case sensitive. + content: Bundle IDs allowed to access the TGT. These values are case sensitive. - key: includeManagedAppsInBundleIdACL supportedOS: iOS: @@ -105,7 +110,7 @@ payloadkeys: default: false content: If 'true', the Kerberos extension allows only managed apps to access and use the credential. This is in addition to the 'credentialBundleIDACL', - if it is specified. Available in iOS 14 and later, and macOS 12 and later. + if you specify that value. Available in iOS 14 and later, and macOS 12 and later. - key: includeKerberosAppsInBundleIdACL supportedOS: iOS: 
@@ -115,15 +120,16 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', the Kerberos extension allows the standard kerberos utilities including 'TicketViewer' and 'klist' to access and use the credential. This is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', if it is specified. - Available in macOS 12 and later. + content: If 'true', the Kerberos extension allows the standard Kerberos utilities + including 'TicketViewer' and 'klist' to access and use the credential. This + is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', + if you specify those values. Available in macOS 12 and later. - key: domainRealmMapping type: presence: optional - content: A custom domain-realm mapping for Kerberos. This is used when the DNS - name of hosts do not match the realm name. Most administrators will not need - to customize this. + content: A custom domain-realm mapping for Kerberos. The system uses this when + the DNS name of hosts doesn't match the realm name. Most administrators don't + need to customize this. subkeys: - key: Realm type: @@ -139,8 +145,8 @@ payloadkeys: type: presence: optional default: false - content: This property specifies it is the default realm if there is more than - one Kerberos extension configuration. + content: Specifies whether this is the default realm if there's more than one + Kerberos extension configuration. - key: customUsernameLabel supportedOS: iOS: @@ -150,7 +156,7 @@ payloadkeys: type: presence: optional content: The custom user name label used in the Kerberos extension instead of - “Username”. For example, “Company ID”. Available in macOS 11 and later. + “Username,” such as “Company ID”. Available in macOS 11 and later. - key: helpText supportedOS: iOS: 
@@ -159,9 +165,9 @@ payloadkeys: introduced: '11.0' type: presence: optional - content: The text to be displayed to the user at the bottom of the Kerberos login - window. It can be used to display help information or disclaimer text. Available - in iOS 14 and later and macOS 11 and later. + content: The text to display to the user at the bottom of the Kerberos login window. + You can also use this to display help information or disclaimer text. Available + in iOS 14 and later, and macOS 11 and later. - key: allowPasswordChange supportedOS: iOS: @@ -169,18 +175,19 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables password changes. Available in macOS 10.15 and later. + content: If 'false', the system disables password changes. Available in macOS + 10.15 and later. - key: allowAutomaticLogin type: presence: optional default: true - content: If 'false', passwords are not allowed to be saved to the keychain. + content: If 'false', the system doesn't allow saving passwords in the keychain. - key: requireUserPresence type: presence: optional default: false - content: If 'true', requires the user to provide Touch ID, Face ID or their passcode - to access the keychain entry. + content: If 'true', the system requires the user to provide Touch ID, Face ID + or their passcode to access the keychain entry. - key: pwExpireOverride supportedOS: iOS: @@ -189,8 +196,8 @@ payloadkeys: deprecated: '12.0' type: presence: optional - content: The number of days that passwords can be used on this domain. For most - domains, this can be calculated automatically. Available in macOS 10.15 and + content: The number of days that the system allows using passwords on this domain. + For most domains, this calculation is automatic. Available in macOS 10.15 and later. - key: pwNotificationDays supportedOS: 
@@ -199,8 +206,9 @@ payloadkeys: type: presence: optional default: 15 - content: The number of days prior to password expiration when a notification of - password expiration will be sent to the user. Available in macOS 10.15 and later. + content: The number of days prior to password expiration when the system sends + a notification of password expiration to the user. Available in macOS 10.15 + and later. - key: pwReqLength supportedOS: iOS: @@ -216,24 +224,24 @@ payloadkeys: type: presence: optional default: false - content: If 'true', passwords must meet Active Directory's definition of 'complex'.Available - in macOS 10.15 and later. + content: If 'true', the system requires passwords to meet Active Directory's definition + of 'complex'. Available in macOS 10.15 and later. - key: pwReqMinAge supportedOS: iOS: introduced: n/a type: presence: optional - content: The minimum age of passwords before they can be changed on this domain. - Available in macOS 10.15 and later. + content: The minimum age of passwords before the system allows changing them on + this domain. Available in macOS 10.15 and later. - key: pwReqHistory supportedOS: iOS: introduced: n/a type: presence: optional - content: The number of prior passwords that cannot be re-used on this domain.Available - in macOS 10.15 and later. + content: The number of prior passwords that the system disallows reuse on this + domain. Available in macOS 10.15 and later. - key: pwReqText supportedOS: iOS: @@ -258,8 +266,9 @@ payloadkeys: type: presence: optional default: false - content: If 'false', disables password sync. Note that this will not work if the - user is logged in with a mobile account. Available in macOS 10.15 and later. + content: If 'false', the system disables password sync. Note that this will not + work if the user is logged in with a mobile account. Available in macOS 10.15 + and later. - key: replicationTime supportedOS: iOS: 
@@ -271,8 +280,8 @@ payloadkeys: presence: optional default: 900 content: The time, in seconds, required to replicate changes in the Active Directory - domain. The Kerberos extension will use this when checking password age after - a change. Available in macOS 11 and later. + domain. The Kerberos extension uses this when checking password age after a + change. Available in macOS 11 and later. - key: delayUserSetup supportedOS: iOS: @@ -282,9 +291,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', doesn't prompt the user to setup the Kerberos extension until - either the administrator enables it with the 'app-sso' tool or a Kerberos challenge - is received. Available in macOS 11 and later. + content: If 'true', the system doesn't prompt the user to setup the Kerberos extension + until either the administrator enables it with the 'app-sso' tool or the system + receives a Kerberos challenge. Available in macOS 11 and later. - key: monitorCredentialsCache supportedOS: iOS: @@ -294,9 +303,9 @@ payloadkeys: type: presence: optional default: true - content: |- - If 'false', the credential is requested on the next matching Kerberos challenge or network state change. - If the credential is expired or missing, a new one will be created. Available in macOS 11 and later. + content: If 'false', the system requests the credential on the next matching Kerberos + challenge or network state change. If the credential is expired or missing, + the system creates a new one. Available in macOS 11 and later. - key: requireTLSForLDAP supportedOS: iOS: 
@@ -321,10 +330,12 @@ payloadkeys: - kerberosDefault default: always content: |- - This setting affects how the Kerberos Extension credential is used by other processes. Use of the following: - * 'always -' The extension credential will always be used if the SPN matches the Kerberos Extension 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. - * 'whenNotSpecified -' The credential will only be used when another credential has not been specified by the caller and the SPN matches the Kerberos Extensions 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. - * 'kerberosDefault - 'The default Kerberos processes for selecting credentials is used which normally uses the default Kerberos credential. This is the same as turning off this capability. + This setting affects how other processes use the Kerberos Extension credential. Allowed values: + + * 'always': The system always uses the credential if the SPN matches the Kerberos Extension 'Hosts' array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIDACL'. + * 'whenNotSpecified': The system only uses the extension credential if the SPN matches the Kerberos Extension 'Hosts' array. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIDACL'. + * 'kerberosDefault': The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability. + Available in macOS 11 and later. - key: preferredKDCs supportedOS: 
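Review bot: In the rewritten value list, the condition "the caller hasn't specified another credential" has moved from `whenNotSpecified` to `always`, so the two entries now describe each other's behaviour compared with the removed lines. This text tells an administrator when the extension credential overrides one chosen by the calling process, so the swap changes the documented credential-selection policy. I would put the condition back where it was: `* 'always': The system always uses the extension credential if the SPN matches the Kerberos Extension 'Hosts' array.` and `* 'whenNotSpecified': The system only uses the credential if the caller hasn't specified another credential and the SPN matches the Kerberos Extension 'Hosts' array.` Each entry keeps its "calling app isn't in the ACL" sentence. Both entries also spell the key `credentialBundleIDACL`, while an earlier hunk of this file uses `credentialBundleIdACL`; one spelling should be used throughout.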
@@ -335,7 +346,7 @@ payloadkeys: type: presence: optional content: |- - The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are: + The ordered list of preferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers aren't discoverable through DNS. If the servers are specified, then the system uses them for both connectivity checks and attempts to use them first for Kerberos traffic. If the servers don't respond, the device falls back to DNS discovery. Format each entry the same as it would be in a 'krb5.conf' file, for example: * 'adserver1.example.com' * 'tcp/adserver1.example.com:88' * 'kkdcp://kerberosproxy.example.com:443/kkdcp' @@ -353,9 +364,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', requires this configuration uses a TGT from Platform SSO instead of requesting a new one. - Available in macOS 13 and later. + content: If 'true', the system requires this configuration uses a TGT from Platform + SSO instead of requesting a new one. Available in macOS 13 and later. - key: allowPlatformSSOAuthFallback supportedOS: iOS: @@ -365,9 +375,8 @@ payloadkeys: type: presence: optional default: true - content: |- - If 'true' and 'usePlatformSSOTGT' is 'true', allows the user to manually sign in. - Available in macOS 13 and later. + content: If 'true' and 'usePlatformSSOTGT' is 'true', the system allows the user + to manually sign in. Available in macOS 13 and later. - key: performKerberosOnly supportedOS: iOS: 
@@ -377,15 +386,19 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. - Available in macOS 13 and later. + content: If 'true', the Kerberos Extension handles Kerberos requests only. It + doesn't check for password expiration, show the password expiration in the menu, + check for external password changes, perform password sync, or retrieve the + home directory. Available in macOS 13 and later. - key: Hosts type: presence: optional content: |- - One or more host or domain names for which the app extension performs SSO. Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. - Hosts that begin with a “.” are wildcard suffixes and will match all subdomains, otherwise the host must be an exact match. + One or more host or domain names for which the app extension performs SSO. + The system: + * Matches host or domain names case-insensitively + * Requires that all the host and domain names of all installed Extensible SSO payloads are unique + Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. subkeys: - key: hostname type: diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index 9685186..f4bdedd 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml 
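Review bot: The new last line of the Kerberos `Hosts` description (hunk `@@ -377,15 +386,19 @@` of `com.apple.extensiblesso(kerberos).yaml`) drops a word: "otherwise the host name needs be an exact match". The same sentence is added to the `Hosts` key in `com.apple.extensiblesso.yaml` (hunk `@@ -79,10 +92,12 @@`). This sentence is what separates wildcard-suffix matching from exact matching, so it should read cleanly in both places: `Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs to be an exact match.` As a smaller point, the "The system:" bullets here follow the lead-in with no blank line, whereas the `CredentialUse` hunk adds one before its list; using one layout would keep rendered output consistent.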
@@ -24,6 +24,17 @@ payload: allowmanualinstall: false userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: false + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: Configures an app extension that performs SSO on behalf of certain URLs. User channel support was added in macOS 11.0. payloadkeys: @@ -38,9 +49,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The team identifier of the app extension. - This key is required on macOS and ignored elsewhere. + content: The team identifier of the app extension. This key is required on macOS + and ignored elsewhere. - key: Type type: presence: required @@ -51,9 +61,8 @@ payloadkeys: - key: Realm type: presence: optional - content: |- - The realm name for 'Credential' payloads. Use proper capitalization for this value. - This key is ignored for 'Redirect' payloads. + content: The realm name for 'Credential' payloads. Use proper capitalization for + this value. Ignored for 'Redirect' payloads. - key: ExtensionData type: presence: optional @@ -69,7 +78,11 @@ payloadkeys: content: |- An array of URL prefixes of identity providers where the app extension performs SSO. Required for 'Redirect' payloads. Ignored for 'Credential' payloads. - The URLs must begin with 'http://' or 'https://', the scheme and host name are matched case-insensitively, query parameters and URL fragments are not allowed, and the URLs of all installed Extensible SSO payloads must be unique. + The URLs need to begin with 'http://' or 'https://'. + The system: + * Matches scheme and host name case-insensitively + * Doesn't allow query parameters and URL fragments + * Requires that the URLs of all installed Extensible SSO payloads are unique subkeys: - key: URL type: 
@@ -79,10 +92,12 @@ payloadkeys: type: presence: optional content: |- - An array of host names or domain names that apps can authenticate through the app extension. + An array of host or domain names that apps can authenticate through the app extension. Required for 'Credential' payloads. Ignored for 'Redirect' payloads. - Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. - Hosts that begin with a “.” are wildcard suffixes and match all subdomains; otherwise the host must be an exact match. + The system: + * Matches host or domain names case-insensitively + * Requires that all the host and domain names of all installed Extensible SSO payloads are unique + Host names that begin with a “.” are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match. subkeys: - key: hostname type: @@ -100,9 +115,11 @@ payloadkeys: - Cancel - DoNotHandle default: Cancel - content: |- - If set to 'Cancel', the system cancels authentication requests when the screen is locked. If set to 'DoNotHandle', the request continues without SSO instead. This does not apply to requests where 'userInterfaceEnabled' is set to 'false' or background NSURLSession requests. - Available in iOS 15 and later and macOS 12 and later. + content: If set to 'Cancel', the system cancels authentication requests when the + screen is locked. If set to 'DoNotHandle', the request continues without SSO instead. + This doesn't apply to requests where 'userInterfaceEnabled' is 'false', or for + background NSURLSession requests. Available in iOS 15 and later, and macOS 12 + and later. - key: DeniedBundleIdentifiers supportedOS: iOS: 
@@ -111,9 +128,8 @@ payloadkeys: introduced: '12.0' type: presence: optional - content: |- - An array of bundle identifiers of apps that don't use SSO provided by this extension. - Available in iOS 15 and later and macOS 12 and later. + content: An array of bundle identifiers of apps that don't use SSO provided by this + extension. Available in iOS 15 and later, and macOS 12 and later. subkeys: - key: bundleIdentifier type: @@ -131,9 +147,9 @@ payloadkeys: rangelist: - Password - UserSecureEnclaveKey - content: |- - The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. - Available in macOS 13 and later and deprecated in macOS 14. + content: The Platform SSO authentication method the extension uses. Requires that + the SSO Extension also supports the method. Available in macOS 13 and later, and + deprecated in macOS 14. - key: RegistrationToken supportedOS: iOS: @@ -142,9 +158,9 @@ payloadkeys: introduced: '13.0' type: presence: optional - content: |- - The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'PlatformSSO' 'AuthenticationMethod' isn't empty. - Available in macOS 13 and later. + content: The token this device uses for registration with Platform SSO. Use it for + silent registration with the Identity Provider. Requires that 'PlatformSSO.AuthenticationMethod' + isn't empty. Available in macOS 13 and later. - key: PlatformSSO supportedOS: iOS: 
@@ -222,7 +238,8 @@ payloadkeys: - Admin - Groups content: |- - The permission to apply to newly created accounts at login, which has the following values: + The permission to apply to newly created accounts at login. Allowed values: + * 'Standard': The account is a standard user. * 'Admin': The system adds the account to the local administrators group. * 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. @@ -234,7 +251,8 @@ payloadkeys: - Admin - Groups content: |- - The permission to apply to an account each time the user authenticates, which has the following values: + The permission to apply to an account each time the user authenticates. Allowed values: + * 'Standard': The account is a standard user. * 'Admin': The system adds the account to the local administrators group. * 'Groups': The system assigns group to the account using 'AdministratorGroups', 'AdditionalGroups', or 'AuthorizationGroups'. diff --git a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml index 4e38b43..e4214fd 100644 --- a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml +++ b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.familycontrols.contentfilter supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Parental controls web filter. payloadkeys: - key: restrictWeb diff --git a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml index 30b5dd8..7a3600c 100644 --- a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml +++ b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml 
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.familycontrols.timelimits.v2 supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Parental controls time limits. payloadkeys: - key: familyControlsEnabled @@ -41,9 +49,10 @@ payloadkeys: - 0 - 1 content: |- - The type of day range: - 0 = Weekday - 1 = Weekend + The type of day range, which has the following possible values: + + * '0': Weekday + * '1': Weekend - key: start type: presence: optional diff --git a/mdm/profiles/com.apple.fileproviderd.yaml b/mdm/profiles/com.apple.fileproviderd.yaml index 476a887..73b4ddc 100644 --- a/mdm/profiles/com.apple.fileproviderd.yaml +++ b/mdm/profiles/com.apple.fileproviderd.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.fileproviderd supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.0' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: false userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: AllowManagedFileProvidersToRequestAttribution type: diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml index f5ab91c..35ef053 100644 --- a/mdm/profiles/com.apple.finder.yaml +++ b/mdm/profiles/com.apple.finder.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.finder supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ProhibitBurn type: 
diff --git a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml index e28c166..0fd65f4 100644 --- a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.firstactiveethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.firstethernet.managed.yaml b/mdm/profiles/com.apple.firstethernet.managed.yaml index c9b2a9c..b8068f6 100644 --- a/mdm/profiles/com.apple.firstethernet.managed.yaml +++ b/mdm/profiles/com.apple.firstethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.firstethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. 
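Review bot: The `content` line touched under `- key: ANY` in com.apple.firstactiveethernet.managed.yaml still continues with `ProxyPassword,, ProxyPACURL` (doubled comma) and spells the standard `802.1x`. The matching hunk in com.apple.firstethernet.managed.yaml has the same text. The edit to that line looks like whitespace only, while the com.apple.globalethernet.managed.yaml hunk in this commit already uses `802.1X`, a single comma and quoted key names. Bringing these two descriptions in line would be a one-line change each, ending `'ProxyUsername', 'ProxyPassword', 'ProxyPACURL' and 'ProxyPACFallbackAllowed'.`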
diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml index 118fcb6..0c92a8f 100644 --- a/mdm/profiles/com.apple.font.yaml +++ b/mdm/profiles/com.apple.font.yaml @@ -22,6 +22,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported. Fonts are uniquely identified internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. diff --git a/mdm/profiles/com.apple.gamed.yaml b/mdm/profiles/com.apple.gamed.yaml index 28c84a0..6c65de6 100644 --- a/mdm/profiles/com.apple.gamed.yaml +++ b/mdm/profiles/com.apple.gamed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.gamed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Parental controls Game Center restrictions. payloadkeys: - key: GKFeatureGameCenterAllowed diff --git a/mdm/profiles/com.apple.globalethernet.managed.yaml b/mdm/profiles/com.apple.globalethernet.managed.yaml index d69c150..5c83209 100644 --- a/mdm/profiles/com.apple.globalethernet.managed.yaml +++ b/mdm/profiles/com.apple.globalethernet.managed.yaml 
@@ -29,10 +29,14 @@ payload: multiple: false supervised: false allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1X configuration. User enrollment payloads do not - support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, - ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed. + content: Keys relevant to 802.1X configuration. User enrollment payloads don't support + the various proxy keys, including 'ProxyType', 'ProxyServer', 'ProxyServerPort', + 'ProxyUsername', 'ProxyPassword', 'ProxyPACURL' and 'ProxyPACFallbackAllowed'. diff --git a/mdm/profiles/com.apple.google-oauth.yaml b/mdm/profiles/com.apple.google-oauth.yaml index 7e62555..276b054 100644 --- a/mdm/profiles/com.apple.google-oauth.yaml +++ b/mdm/profiles/com.apple.google-oauth.yaml @@ -15,6 +15,19 @@ payload: userchannel: true userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: A Google account payload sets up a Google email address as well as any other Google services the user enables after authentication. Google accounts must be installed via MDM or by Apple Configurator 2 (if the device is supervised). @@ -57,7 +70,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: A dictionary defining which app to use for audio calls made from this + content: A dictionary that defines which app to use for audio calls from this account. subkeys: - key: AudioCall 
@@ -69,8 +82,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: A string containing the bundle identifier for the default application - that handles audio calls made to contacts from this account. + content: The bundle identifier for the default application that handles audio + calls to contacts from this account. - key: VPNUUID title: VPNUUID supportedOS: @@ -78,6 +91,5 @@ payloadkeys: introduced: '14.0' type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml index 72bcbfd..ebf872c 100644 --- a/mdm/profiles/com.apple.homescreenlayout.yaml +++ b/mdm/profiles/com.apple.homescreenlayout.yaml @@ -14,11 +14,17 @@ payload: userchannel: true userenrollment: mode: forbidden + macOS: + introduced: n/a tvOS: introduced: '11.0' multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: The payload defines a layout of apps, folders, & web clips for the Home screen. payloadkeys: diff --git a/mdm/profiles/com.apple.ironwood.support.yaml b/mdm/profiles/com.apple.ironwood.support.yaml index 4e9ac2f..74aeb78 100644 --- a/mdm/profiles/com.apple.ironwood.support.yaml +++ b/mdm/profiles/com.apple.ironwood.support.yaml @@ -3,6 +3,8 @@ description: Parental controls for restricting Siri, Dictation and Profanity payload: payloadtype: com.apple.ironwood.support supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' deprecated: '10.13' @@ -14,6 +16,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Profanity Allowed type: 
diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml index 1440279..bf564cc 100644 --- a/mdm/profiles/com.apple.jabber.account.yaml +++ b/mdm/profiles/com.apple.jabber.account.yaml @@ -4,6 +4,8 @@ description: Use this section to define settings for configuration access to Jab payload: payloadtype: com.apple.jabber.account supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' deprecated: '10.14' @@ -16,6 +18,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: A Jabber payload creates a Jabber account on the device. payloadkeys: - key: JabberAccountDescription diff --git a/mdm/profiles/com.apple.ldap.account.yaml b/mdm/profiles/com.apple.ldap.account.yaml index e59a044..9db4e7d 100644 --- a/mdm/profiles/com.apple.ldap.account.yaml +++ b/mdm/profiles/com.apple.ldap.account.yaml @@ -25,6 +25,17 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a payloadkeys: - key: LDAPAccountDescription title: Account Description @@ -45,13 +56,13 @@ payloadkeys: title: Account Password type: presence: optional - content: The user's password. The password is enabled only with encrypted profiles. + content: The user's password. Only use this with encrypted profiles. - key: LDAPAccountUseSSL title: Use SSL type: presence: optional default: true - content: If 'true', enables SSL. + content: If 'true', the system enables SSL. - key: LDAPSearchSettings title: Search Settings type: 
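Review bot: In the `@@ -45,13 +56,13 @@` hunk of com.apple.ldap.account.yaml, the new `Account Password` text `Only use this with encrypted profiles.` replaces a statement of system behaviour with advice to the administrator. The removed line said the password "is enabled only with encrypted profiles", which tells a reader that a password placed in an unencrypted profile is not used. The new wording no longer says what happens in that case. If the behaviour is unchanged, keeping it explicit would be safer, for example `content: The user's password. The system uses this value only in encrypted profiles.` The same rewording is applied to IncomingPassword and OutgoingPassword in com.apple.mail.managed.yaml.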
@@ -82,10 +93,11 @@ payloadkeys: - LDAPSearchSettingScopeSubtree default: LDAPSearchSettingScopeSubtree content: |- - The type of recursion to use in the search. It is one of the following values: - * 'LDAPSearchSettingScopeBase': Only the immediate node that the search base points to. - * 'LDAPSearchSettingScopeOneLevel': The node plus its immediate children. - * 'LDAPSearchSettingScopeSubtree': The node plus all children, regardless of depth. + The type of recursion to use in the search. Allowed values: + + * 'LDAPSearchSettingScopeBase': Only the immediate node that the search base points to + * 'LDAPSearchSettingScopeOneLevel': The node plus its immediate children + * 'LDAPSearchSettingScopeSubtree': The node plus all children, regardless of depth - key: VPNUUID title: VPNUUID supportedOS: @@ -95,6 +107,5 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.loginitems.managed.yaml b/mdm/profiles/com.apple.loginitems.managed.yaml index 306ea2a..b842f5b 100644 --- a/mdm/profiles/com.apple.loginitems.managed.yaml +++ b/mdm/profiles/com.apple.loginitems.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.loginitems.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload handles login items usage on macOS. payloadkeys: - key: AutoLaunchedApplicationDictionary-managed 
@@ -33,4 +41,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', hide this item in the Users & Groups login items list. + content: If 'true', the system hides this item in the Users & Groups login items + list. diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml index df86b03..71e03eb 100644 --- a/mdm/profiles/com.apple.loginwindow.yaml +++ b/mdm/profiles/com.apple.loginwindow.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.loginwindow supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: The com.apple.loginwindow payload creates managed preferences on macOS for system/device profiles. payloadkeys: 
@@ -20,28 +28,29 @@ payloadkeys: type: presence: optional default: false - content: If 'true', shows the name and password dialog; if 'false', displays a list - of users. + content: If 'true', the system shows the name and password dialog. If 'false', the + system displays a list of users. - key: HideLocalUsers type: presence: optional default: false - content: If 'true', shows only network and system users when showing a user list. + content: If 'true', the system shows only network and system users when showing + a user list. - key: IncludeNetworkUser type: presence: optional default: false - content: If 'true', shows network users when showing a user list. + content: If 'true', the system shows network users when showing a user list. - key: HideAdminUsers type: presence: optional default: false - content: If 'true', hides administrator users when showing a user list. + content: If 'true', the system hides administrator users when showing a user list. - key: SHOWOTHERUSERS_MANAGED type: presence: optional default: false - content: If 'true', displays Other... when showing a list of users. + content: If 'true', the system displays “Other...” when it shows a list of users. - key: AdminHostInfo type: presence: optional 
@@ -49,16 +58,16 @@ payloadkeys: - HostName - SystemVersion - IPAddress - content: If this key is included in the payload, its value is displayed in the login - window as additional computer information. Before macOS 10.10, this string could - contain only certain information (host name, system version, or IP address). After + content: The admin host info. If present in the payload, the system displays its + value in the login window as additional computer information. Before macOS 10.10, + this string could only contain host name, system version, or IP address. After macOS 10.10, setting this key to any value allows the user to click the time area of the menu bar to toggle through various computer information values. - key: AllowList type: presence: optional - content: The list of user GUIDs or group GUIDs of users that are allowed to log - in. An asterisk '*' string specifies all users or groups. + content: The list of user GUIDs or group GUIDs of users that the system allows to + log in. An asterisk ('*') string specifies all users or groups. subkeys: - key: AllowListItem type: @@ -67,8 +76,8 @@ payloadkeys: - key: DenyList type: presence: optional - content: The list of user GUIDs or group GUIDs of users that cannot log in. This - list takes priority over the list in the 'AllowList' key. + content: The list of user GUIDs or group GUIDs of users that the system disallows + to log in. This list takes priority over the list in the 'AllowList' key. subkeys: - key: DenyListItem type: 
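Review bot: In the DenyList description (`@@ -67,8 +76,8 @@`), "users that the system disallows to log in" is not idiomatic and is harder to read than the removed "users that cannot log in". This key overrides AllowList, so the sentence should be unambiguous; I would write `users that the system doesn't allow to log in` and keep the rest of the line as is.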
@@ -78,29 +87,29 @@ payloadkeys: type: presence: optional default: false - content: If 'true', hides mobile account users in a user list. In some cases, mobile - users show up as network users. + content: If 'true', the system hides mobile account users in a user list. In some + cases, mobile users show up as network users. - key: ShutDownDisabled type: presence: optional default: false - content: If 'true', disables the Shut Down button. + content: If 'true', the system disables the Shut Down button. - key: RestartDisabled type: presence: optional default: false - content: If 'true', disables the Restart item. + content: If 'true', the system disables the Restart item. - key: SleepDisabled type: presence: optional default: false - content: If 'true', disables the Sleep button. + content: If 'true', the system disables the Sleep button. - key: DisableConsoleAccess type: presence: optional default: false - content: If 'true', disregards the '>console' special user name, which will provide - a command line UI. + content: If 'true', the system disregards the '>console' special user name, which + provides a command line UI. - key: LoginwindowText type: presence: optional 
@@ -109,17 +118,20 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the Shut Down menu item when the user is logged in. + content: If 'true', the system disables the Shut Down menu item when the user is + logged in. - key: RestartDisabledWhileLoggedIn type: presence: optional default: false - content: If 'true', disables the Restart menu item when the user is logged in. + content: If 'true', the system disables the Restart menu item when the user is logged + in. - key: PowerOffDisabledWhileLoggedIn type: presence: optional default: false - content: If 'true', disables the Power Off menu item when the user is logged in. + content: If 'true', the system disables the Power Off menu item when the user is + logged in. - key: LogOutDisabledWhileLoggedIn supportedOS: macOS: @@ -127,8 +139,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the Log Out menu item when the user is logged in. Available - in macOS 10.13 and later. + content: If 'true', the system disables the Log Out menu item when the user is logged + in. Available in macOS 10.13 and later. - key: DisableScreenLockImmediate supportedOS: macOS: @@ -136,8 +148,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the immediate Screen Lock functions. Available in macOS - 10.13 and later. + content: If 'true', the system disables the immediate Screen Lock functions. Available + in macOS 10.13 and later. - key: showInputMenu supportedOS: macOS: @@ -145,7 +157,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', shows the Input Menu in the login window. + content: If 'true', the system shows the Input Menu in the login window. - key: DisableFDEAutoLogin supportedOS: macOS: 
@@ -153,7 +165,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', disables the automatic login option when using FileVault. + content: If 'true', the system disables the automatic login option when using FileVault. - key: AutologinUsername supportedOS: macOS: diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml index 9395f25..95f6d9a 100644 --- a/mdm/profiles/com.apple.lom.yaml +++ b/mdm/profiles/com.apple.lom.yaml @@ -4,6 +4,8 @@ description: Configures a computer to send or receive "PowerON". "PowerOFF", "Re payload: payloadtype: com.apple.lom supportedOS: + iOS: + introduced: n/a macOS: introduced: '11.0' multiple: false @@ -14,6 +16,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Configures a computer to send or receive "PowerON". "PowerOFF", "Reset" requests. payloadkeys: @@ -37,7 +45,7 @@ payloadkeys: title: CA certificate payload UUIDs type: presence: optional - content: Array of payload UUIDs containing CA certificates that controllers use + content: An array of payload UUIDs containing CA certificates that controllers use to evaluate trust of device certificates. subkeys: - key: DeviceCACertificateUUIDsItem @@ -47,7 +55,7 @@ payloadkeys: type: presence: optional content: |- - Array of payload UUIDs containing CA certificates that devices use to evaluate trust of controller certificates. + An array of payload UUIDs containing CA certificates that devices use to evaluate trust of controller certificates. This key configures the device to accept the LOMDeviceRequestCommand from MDM and then send it to the target device. This certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment and Data Encipherment. As well as the Extended Key Usage attributes of Server Authentication and Client Authentication. subkeys: - key: ControllerCACertificateUUIDsItem 
diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml index d5b2569..f4060a6 100644 --- a/mdm/profiles/com.apple.mail.managed.yaml +++ b/mdm/profiles/com.apple.mail.managed.yaml @@ -24,6 +24,17 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: An email payload creates an email account on the device. payloadkeys: - key: EmailAccountDescription @@ -36,7 +47,8 @@ payloadkeys: title: Account Name type: presence: optional - content: The full user name for the account. This name is shown in sent messages. + content: The full user name for the account. The system displays this name in sent + messages. - key: EmailAccountType title: Account Type type: @@ -44,14 +56,14 @@ payloadkeys: rangelist: - EmailTypeIMAP - EmailTypePOP - content: Defines the protocol to be used for the account. + content: Defines the protocol to use for the account. - key: EmailAddress title: Email Address type: presence: optional content: The full email address for the account. If this string isn't present in - the payload, the device prompts for this string during interactive profile installation - in Settings or System Preferences. + the payload, the device prompts the user for this string during interactive profile + installation in Settings or System Preferences. - key: IncomingMailServerAuthentication title: Incoming Mail Server Authentication type: 
@@ -72,42 +84,43 @@ payloadkeys: title: Port type: presence: optional - content: The incoming mail server port number. If no port number is specified, the - default port for a given protocol is used. + content: The incoming mail server port number. If not set, the system uses the default + port for a given protocol. - key: IncomingMailServerUseSSL title: Use SSL type: presence: optional default: false - content: If 'true', enables SSL for authentication on the incoming mail server. + content: If 'true', the system enables SSL for authentication on the incoming mail + server. - key: IncomingMailServerUsername title: Username type: presence: optional content: The user name for the email account, usually the same as the email address - up to the @ character. If the user name isn't present in the payload and the account - is set up to require authentication for incoming email, the device prompts for - this string during interactive profile installation in Settings or System Preferences. + up to the “@” character. If not set and the account requires authentication for + incoming email, the device prompts the user for this string during interactive + profile installation in Settings or System Preferences. - key: IncomingPassword title: Password type: presence: optional - content: The password for the incoming mail server. This password is used only with - encrypted profiles. + content: The password for the incoming mail server. Only use this with encrypted + profiles. - key: OutgoingPassword title: Password type: presence: optional - content: The password for the outgoing mail server. This password is used only with - encrypted profiles. + content: The password for the outgoing mail server. Only uses this with encrypted + profiles. 
- key: OutgoingPasswordSameAsIncomingPassword title: Outgoing Password Same As Incoming type: presence: optional default: false content: |- - If 'true', the user is prompted only once for the password, which is used for both outgoing and incoming mail. - This setting is only supported by interactive profile installations. Not supported by non-interactive installations (like MDM on iOS). + If 'true', the system prompts the user only once for the password, which it uses for both outgoing and incoming mail. + This setting is only supported by interactive profile installations. Not supported by non-interactive installations, such as MDM on iOS. - key: OutgoingMailServerAuthentication title: Authentication Type type: @@ -128,22 +141,22 @@ payloadkeys: title: Port type: presence: optional - content: The outgoing mail server port number. If no port number is specified, ports - 25, 587, and 465 are used, in that order. + content: The outgoing mail server port number. If not set, the system uses ports + 25, 587, and 465, in that order. - key: OutgoingMailServerUseSSL title: Use SSL type: presence: optional default: false - content: If 'true', enables SSL authentication on the outgoing mail server. + content: If 'true', the system enables SSL authentication on the outgoing mail server. - key: OutgoingMailServerUsername title: Username type: presence: optional content: The user name for the email account, usually the same as the email address - up to the @ character. If the user name isn't present in the payload and the account - is set up to require authentication for outgoing email, the device prompts for - this string during interactive profile installation in Settings or System Preferences. + up to the “@” character. If not set and the account requires authentication for + outgoing email, the device prompts the user for this string during interactive + profile installation in Settings or System Preferences. - key: PreventMove title: Prevent Move supportedOS: 
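Review bot: The rewritten OutgoingPassword description in the `@@ -72,42 +84,43 @@` hunk reads `Only uses this with encrypted profiles.`, while IncomingPassword directly above it has `Only use this`. The two keys should carry the same sentence: `content: The password for the outgoing mail server. Only use this with encrypted profiles.`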
@@ -154,9 +167,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents messages from being moved out of this email account + content: If 'true', the system prevents moving messages out of this email account and into another account. It also prevents forwarding or replying from an account - other than one the message was sent to. + other than the recipient of the message. - key: PreventAppSheet title: Prevent App Sheet supportedOS: @@ -167,8 +180,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents this account from sending mail in any app other than - the Apple Mail app. + content: If 'true', the system prevents this account from sending mail in any app + other than the Apple Mail app. - key: SMIMEEnabled title: S/MIME Enabled supportedOS: @@ -179,8 +192,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables S/MIME encryption. In iOS 10.0 and later, this key is - ignored. + content: If 'true', the system enables S/MIME encryption. The system ignores this + key in iOS 10.0 and later. - key: SMIMESigningEnabled title: S/MIME Signing Enabled supportedOS: @@ -191,7 +204,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables S/MIME signing for this account. + content: If 'true', the system enables S/MIME signing for this account. - key: SMIMESigningCertificateUUID title: S/MIME Signing Certificate supportedOS: @@ -214,7 +227,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables S/MIME encryption for this account. + content: If 'true', the system enables S/MIME encryption for this account. - key: SMIMEEncryptionCertificateUUID title: S/MIME Encryption Certificate supportedOS: 
@@ -226,9 +239,9 @@ payloadkeys: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ content: The UUID of the identity certificate used to decrypt messages sent to this - account. The public certificate is attached to outgoing mail to allow encrypted - mail to be sent to this user. When the user sends encrypted mail, the public certificate - is used to encrypt the copy of the mail in their Sent mailbox. + account. The system attaches the public certificate to outgoing mail to allow + the user to receive encrypted mail. When the user sends encrypted mail, the system + uses the public certificate to encrypt the copy of the mail in their Sent mailbox. - key: SMIMEEnablePerMessageSwitch title: S/MIME Enable Per-Message Switch supportedOS: @@ -237,13 +250,14 @@ payloadkeys: deprecated: '10.0' macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false - content: |- - If 'true', displays the per-message encryption switch in the Mail Compose UI. - - As of iOS 12.0, this key is deprecated. Use 'SMIMEEnableEncryptionPerMessageSwitch' instead. + content: If 'true', the system displays the per-message encryption switch in the + Mail Compose UI. Deprecated in iOS 12.0. Use 'SMIMEEnableEncryptionPerMessageSwitch' + instead. - key: disableMailRecentsSyncing title: Disable Mail Recents Syncing supportedOS: @@ -252,7 +266,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', excludes this account from Recent Addresses syncing. + content: If 'true', the system excludes this account from Recent Addresses syncing. - key: allowMailDrop title: Allow Mail Drop supportedOS: @@ -263,7 +277,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables this account to use Mail Drop. + content: If 'true', the system enables this account to use Mail Drop. - key: IncomingMailServerIMAPPathPrefix title: Path Prefix type: 
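Review bot: In the `@@ -237,13 +250,14 @@` hunk, the rewritten SMIMEEnablePerMessageSwitch description keeps `Deprecated in iOS 12.0.`, but the first context line of the same hunk is `deprecated: '10.0'`. The OS key that owns that field sits above the hunk, so this is inferred, but it appears to be the iOS entry. In that case the machine-readable field and the prose give different versions, and tooling that reads `supportedOS` will disagree with what an administrator reads. Since the sentence is being rewritten anyway, one of the two values should be corrected so they match.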
@@ -298,7 +312,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables S/MIME encryption by default. + content: If 'true', the system enables S/MIME encryption by default. - key: SMIMEEncryptByDefaultUserOverrideable supportedOS: iOS: @@ -330,8 +344,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', displays the per-message encryption switch in the Mail Compose - UI. + content: If 'true', the system displays the per-message encryption switch in the + Mail Compose UI. - key: VPNUUID title: VPNUUID supportedOS: @@ -341,6 +355,5 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.mcxMenuExtras.yaml b/mdm/profiles/com.apple.mcxMenuExtras.yaml index 50c571c..bf263ac 100644 --- a/mdm/profiles/com.apple.mcxMenuExtras.yaml +++ b/mdm/profiles/com.apple.mcxMenuExtras.yaml @@ -2,6 +2,8 @@ title: Managed Menu Extras payload: payloadtype: com.apple.mcxMenuExtras supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Specified menu extras will be added or removed from the menu bar after user login. Standard menu extra may be specified by file diff --git a/mdm/profiles/com.apple.mcxloginscripts.yaml b/mdm/profiles/com.apple.mcxloginscripts.yaml index e93470b..b7882b8 100644 --- a/mdm/profiles/com.apple.mcxloginscripts.yaml +++ b/mdm/profiles/com.apple.mcxloginscripts.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.mcxloginscripts supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Login and logout managed script handling payloadkeys: - key: loginscripts @@ -42,9 +50,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', doesn't execute the login scripts during login. + content: If 'true', the system doesn't execute the login scripts during login. - key: skipLogoutHook type: presence: optional default: false - content: If 'true', doesn't execute the logout scripts during logout. + content: If 'true', the system doesn't execute the logout scripts during logout. diff --git a/mdm/profiles/com.apple.mcxprinting.yaml b/mdm/profiles/com.apple.mcxprinting.yaml index e21029e..ded8ed8 100644 --- a/mdm/profiles/com.apple.mcxprinting.yaml +++ b/mdm/profiles/com.apple.mcxprinting.yaml @@ -2,6 +2,8 @@ title: Printing payload: payloadtype: com.apple.mcxprinting supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: RequireAdminToAddPrinters type: diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml index f23eea9..b3ff5c8 100644 --- a/mdm/profiles/com.apple.mdm.yaml +++ b/mdm/profiles/com.apple.mdm.yaml @@ -29,6 +29,13 @@ payload: multiple: false supervised: false allowmanualinstall: true + visionOS: + introduced: '1.1' + multiple: false + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '10.0' multiple: false 
@@ -64,7 +71,7 @@ payloadkeys: format: ^https://.*$ content: The URL that the device should use to check in during installation. The URL must begin with the 'https://' URL scheme and may contain a port number (':1234', - for example). If this URL isn't given, 'ServerURL' is used for both purposes. + for example). If not set, the system uses 'ServerURL'. - key: SignMessage title: Sign Message type: 
@@ -81,25 +88,29 @@ payloadkeys: macOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional content: |- Logical OR of the following bit flags: - '1': Allow inspection of installed configuration profiles. - '2': Allow installation and removal of configuration profiles. - '4': Allow device lock and passcode removal. - '8': Allow device erase. - '16': Allow query of device information (device capacity, serial number). - '32': Allow query of network information (phone/SIM numbers, MAC addresses). - '64': Allow inspection of installed provisioning profiles. - '128': Allow installation and removal of provisioning profiles. - '256': Allow inspection of installed applications. - '512': Allow restriction-related queries. - '1024': Allow security-related queries. - '2048': Allow manipulation of settings. - '4096': Allow app management. - The value can't be '0'. If '2' is specified, '1' must also be specified. If '128' is specified, '64' must also be specified. - If the 'ManagedAppleID' is included, then 'AccessRights' are ignored. + + * '1': Allow inspection of installed configuration profiles. + * '2': Allow installation and removal of configuration profiles. + * '4': Allow device lock and passcode removal. + * '8': Allow device erase. + * '16': Allow query of device information (device capacity, serial number). + * '32': Allow query of network information (phone/SIM numbers, MAC addresses). + * '64': Allow inspection of installed provisioning profiles. + * '128': Allow installation and removal of provisioning profiles. + * '256': Allow inspection of installed applications. + * '512': Allow restriction-related queries. + * '1024': Allow security-related queries. + * '2048': Allow manipulation of settings. + * '4096': Allow app management. + + Don't set to '0'. Specify '1' if you specify '2'. Specify '64' if you specify '128'. Ignored if you set a value for 'ManagedAppleID'. 
- key: UseDevelopmentAPNS title: Use Development APNS type: @@ -107,7 +118,7 @@ payloadkeys: default: false content: |- If 'true', the device uses the development APNS servers. Otherwise, the device uses the production servers. - Note that this property must be set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment. + Set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment. - key: ManagedAppleID title: Managed Apple ID supportedOS: @@ -123,15 +134,16 @@ payloadkeys: mode: required tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional - content: The Managed Apple ID of the user. Available in iOS 13.1 and later, and - macOS 10.15 and later. This is only used with the profile-driven BYOD enrollment - flow, and must not be present in the BYOD and ADDE account-driven enrollment flows. - As of iOS 17 and macOS 14, profile-driven user enrollments are deprecated and - will be removed in a future release. + content: The Managed Apple ID of the user. Required for profile-driven user enrollment. + Don't set for account-driven enrollment. Available in iOS 13.1 and later, and + macOS 10.15 and later. As of iOS 17 and macOS 14, profile-driven user enrollment + is deprecated and will be removed in a future release. - key: AssignedManagedAppleID title: Assigned Managed Apple ID supportedOS: 
@@ -145,9 +157,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: The Managed Apple ID pre-assigned to the authenticated user. This is required - for the BYOD and ADDE account-driven enrollment flows, and must not be present - in other enrollment flows. Available in iOS 15 and macOS 14, and later. + content: The Managed Apple ID pre-assigned to the authenticated user. The system + only uses this value with account-driven enrollment. Don't set this value for + profile-driven user enrollment. Available in iOS 15 and later. - key: EnrollmentMode title: Enrollment Mode supportedOS: @@ -164,10 +176,9 @@ payloadkeys: rangelist: - BYOD - ADDE - content: The enrollment mode the server indicates must be used when enrolling. This - key must be present for BYOD and ADDE account-driven enrollments, and must not - be present in the profile-driven user enrollment flow. Available in iOS 15 and - macOS 14, and later. + content: The enrollment mode the server indicates to use when enrolling. Required + for account-driven enrollment. Don't set for profile-driven user enrollment. Available + in iOS 15 and macOS 14, and later. - key: ServerURLPinningCertificateUUIDs supportedOS: iOS: @@ -178,8 +189,8 @@ payloadkeys: introduced: '13.4' type: presence: optional - content: An array of strings, each containing the UUID of a certificate to be used - when evaluating trust to the '.../connect/' URLs of MDM servers. + content: An array of strings, each containing the UUID of a certificate to use when + evaluating trust to the '.../connect/' URLs of MDM servers. subkeys: - key: ServerURLPinningCertificateUUIDsItem type: @@ -196,7 +207,7 @@ payloadkeys: type: presence: optional content: An array of strings, each containing the payload UUID of a certificate - to be used when evaluating trust to the '.../checkin/' URLs of MDM servers. + to use when evaluating trust to the '.../checkin/' URLs of MDM servers. subkeys: - key: CheckInURLPinningCertificateUUIDsItem type: 
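Review bot: The new `AssignedManagedAppleID` description (`@@ -145,9 +157,9 @@`) ends with `Available in iOS 15 and later.`, dropping the macOS 14 availability that the removed text stated and that the `EnrollmentMode` description in the next hunk still carries (`Available in iOS 15 and macOS 14, and later.`). It also no longer says the key is required for account-driven enrollment, while `EnrollmentMode` keeps `Required for account-driven enrollment.` If neither change is intended, the text could read `Required for account-driven enrollment. Don't set this value for profile-driven user enrollment. Available in iOS 15 and macOS 14, and later.` Most of the key's `supportedOS` block lies outside the hunk, so the macOS value there can't be checked from here.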
@@ -214,14 +225,14 @@ payloadkeys: presence: optional default: false content: |- - If 'true', fails the connection attempt unless a verified positive response is obtained during certificate revocation checks. - If 'false', revocation checks are done on a best-attempt basis, where failure to reach the server isn't considered fatal. + If 'true', the system fails the connection attempt unless it obtains a verified positive response during certificate revocation checks. + If 'false', the system performs revocation checks on a best-attempt basis, where failure to reach the server isn't considered fatal. - key: ServerCapabilities type: presence: optional content: |- A unique array of strings indicating server capabilities. If the server manages macOS devices or a Shared iPad, this field is mandatory and must contain the value 'com.apple.mdm.per-user-connections', which indicates that the server supports both device and user connections. - Starting with macOS 11, it is also recommended that macOS device enrollment profiles contain the value 'com.apple.mdm.bootstraptoken' to ensure the Bootstrap Token is created and escrowed with the MDM server at enrollment time. + Starting with macOS 11, it's also recommended that macOS device enrollment profiles contain the value 'com.apple.mdm.bootstraptoken' to ensure the Bootstrap Token is created and escrowed with the MDM server at enrollment time. If the server supports the "GetToken" CheckIn message type, then this key must be present and must include "com.apple.mdm.token" as one of its values. subkeys: - key: ServerCapabilitiesItems 
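Review bot: The description rewritten in `@@ -214,14 +225,14 @@` explains the mechanics of both values but not the consequence of the `default: false` shown in the context lines: with best-attempt checking, a revoked certificate is still accepted whenever the revocation server can't be reached. Someone choosing the value needs that stated, for example by appending `With this setting, the connection proceeds even when the revocation status is unknown.` to the 'false' sentence. The key name is above the hunk, so this refers to the entry whose description begins `If 'true', the system fails the connection attempt`.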
@@ -249,8 +260,8 @@ payloadkeys: type: presence: optional content: |- - This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM. - Only account-driven user enrollments support this property and other enrollment types ignore it. + This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollment that normally requires user approval for app installs through MDM. + Only account-driven enrollment supports this property and other enrollment types ignore it. Available in iOS 15.1 and later. - key: PromptUserToAllowBootstrapTokenForAuthentication supportedOS: 
@@ -260,13 +271,15 @@ payloadkeys: introduced: '11.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false content: |- - If 'true', warns the user that they need to reboot into RecoveryOS and allow the MDM to use the Bootstrap Token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user won't be notified. + If 'true', the system warns the user that they need to reboot into RecoveryOS and allow the MDM to use the Bootstrap Token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user isn't notified. The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value. This setting only applies to devices that have 'BootstrapTokenRequiredForSoftwareUpdate' or 'BootstrapTokenRequiredForKernelExtensionApproval' set to 'true' in their SecurityInfoResponse.SecurityInfo. DEP-enrolled devices are automatically allowed to use the Bootstrap Token for authentication. diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index 30bdf4f..2093af4 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -22,6 +22,10 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: '10.0' multiple: true diff --git a/mdm/profiles/com.apple.networkusagerules.yaml b/mdm/profiles/com.apple.networkusagerules.yaml index c36e045..329148c 100644 --- a/mdm/profiles/com.apple.networkusagerules.yaml 
+++ b/mdm/profiles/com.apple.networkusagerules.yaml @@ -14,6 +14,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Network Usage Rules allow enterprises to specify how devices use networks, such as cellular data networks. iOS 9-12 support only ApplicationRules. In iOS 13, ApplicationRules, SIMRules, or both must be present. @@ -78,6 +86,9 @@ payloadkeys: - 2 - 3 content: |- - The Wi-Fi Assist policy to apply to the SIM cards specified in the ICCIDs. See About Wi-Fi Assist to learn more. + The Wi-Fi Assist policy to apply to the SIM cards specified in the ICCIDs. Allowed values: + * '2': Use the default system policy for the specified SIM card(s). * '3': Make Wi-Fi Assist switch more aggressively from a poor Wi-Fi connection to cellular data for the specified SIM card(s). This setting may increase cellular data use and may impact battery life. + + For more information, see About Wi-Fi Assist . diff --git a/mdm/profiles/com.apple.notificationsettings.yaml b/mdm/profiles/com.apple.notificationsettings.yaml index 38355d1..817e43a 100644 --- a/mdm/profiles/com.apple.notificationsettings.yaml +++ b/mdm/profiles/com.apple.notificationsettings.yaml @@ -23,6 +23,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: A notification settings payload specifies the restriction enforced notification settings for apps using their bundle identifier. The profile specifies notification settings by bundle identifier (even for apps that aren’t installed on the device diff --git a/mdm/profiles/com.apple.osxserver.account.yaml b/mdm/profiles/com.apple.osxserver.account.yaml index aedf6ca..420c5bc 100644 --- a/mdm/profiles/com.apple.osxserver.account.yaml +++ b/mdm/profiles/com.apple.osxserver.account.yaml 
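Review bot: The added line `For more information, see About Wi-Fi Assist .` in hunk `@@ -78,6 +86,9 @@` names an article but carries no address, and the stray space before the period suggests the link markup was stripped when the text was generated. The same gap is in the `com.apple.security.certificaterevocation.yaml` hunk `@@ -23,7 +36,7 @@`, where the touched line still reads `See for the available trusted root certificates`, leaving the reader without the pointer to the trusted-root list that the sentence relies on. Both lines should carry the target explicitly, for example `see About Wi-Fi Assist (<URL>)`, with the real address taken from the upstream documentation.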
@@ -14,6 +14,14 @@ payload: mode: forbidden userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: HostName title: Account Hostname diff --git a/mdm/profiles/com.apple.preference.security.yaml b/mdm/profiles/com.apple.preference.security.yaml index 4b81426..4b777a4 100644 --- a/mdm/profiles/com.apple.preference.security.yaml +++ b/mdm/profiles/com.apple.preference.security.yaml @@ -2,6 +2,8 @@ title: Security Preferences payload: payloadtype: com.apple.preference.security supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.10' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: dontAllowPasswordResetUI type: diff --git a/mdm/profiles/com.apple.preferences.users.yaml b/mdm/profiles/com.apple.preferences.users.yaml index cab2f3f..0615e68 100644 --- a/mdm/profiles/com.apple.preferences.users.yaml +++ b/mdm/profiles/com.apple.preferences.users.yaml @@ -2,6 +2,8 @@ title: User Preferences payload: payloadtype: com.apple.preference.users supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.12' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: DisableUsingiCloudPassword type: diff --git a/mdm/profiles/com.apple.profileRemovalPassword.yaml b/mdm/profiles/com.apple.profileRemovalPassword.yaml index c4509b7..5398666 100644 --- a/mdm/profiles/com.apple.profileRemovalPassword.yaml +++ b/mdm/profiles/com.apple.profileRemovalPassword.yaml 
@@ -27,9 +27,13 @@ payload: multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: RemovalPassword title: Removal Password type: presence: optional - content: The password for allowing the profile to be removed. + content: The password to allow removing the profile. diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml index b9b498a..38aad22 100644 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ b/mdm/profiles/com.apple.proxy.http.global.yaml @@ -29,6 +29,10 @@ payload: multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: PEM-encoded cer payloadkeys: - key: ProxyType diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml index 3bfc078..f23a9b3 100644 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ b/mdm/profiles/com.apple.relay.managed.yaml @@ -24,6 +24,17 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: forbidden + watchOS: + introduced: n/a payloadkeys: - key: Relays title: Relays diff --git a/mdm/profiles/com.apple.screensaver.user.yaml b/mdm/profiles/com.apple.screensaver.user.yaml index ee1f2fd..0d07e22 100644 --- a/mdm/profiles/com.apple.screensaver.user.yaml +++ b/mdm/profiles/com.apple.screensaver.user.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.screensaver.user supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' multiple: false 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Specifies *user* screensaver settings. (Settings for loginwindow screensaver use a different payload) payloadkeys: diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml index e1b22cd..f237193 100644 --- a/mdm/profiles/com.apple.screensaver.yaml +++ b/mdm/profiles/com.apple.screensaver.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.screensaver supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Specifies grace period for screensaver locking payloadkeys: - key: askForPassword diff --git a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml index 5b3f80b..07cacec 100644 --- a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.secondactiveethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. 
diff --git a/mdm/profiles/com.apple.secondethernet.managed.yaml b/mdm/profiles/com.apple.secondethernet.managed.yaml index 784310b..da06a38 100644 --- a/mdm/profiles/com.apple.secondethernet.managed.yaml +++ b/mdm/profiles/com.apple.secondethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.secondethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml index 7c72416..15faa48 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.FDERecoveryKeyEscrow supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.13' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- If FileVault is enabled after this payload is installed on the system, the FileVault PRK will be encrypted with the specified certificate, wrapped with a CMS envelope and stored at: /var/db/FileVaultPRK.dat 
@@ -27,18 +35,17 @@ payloadkeys: - key: Location type: presence: required - content: The description of the location where the recovery key will be escrowed. - This text will be inserted into the message the user sees when enabling FileVault. + content: The description of the location where the system escrows the recovery key. + The system inserts this text into the message the user sees when it enables FileVault. - key: EncryptCertPayloadUUID type: presence: required content: The UUID of a payload within the same profile that contains the certificate - that will be used to encrypt the recovery key. The referenced payload must be - of type 'com.apple.security.pkcs1'. + that the system uses to encrypt the recovery key. The referenced payload must + be of type 'com.apple.security.pkcs1'. - key: DeviceKey type: presence: optional content: |- The string that's included in help text if the user appears to have forgotten the password. Site admins can use this key to look up the escrowed key for the particular computer. - - This key replaces the 'RecordNumber' key used in the previous escrow mechanism. If the key is missing, the device serial number is used instead. + This key replaces the 'RecordNumber' key used in the previous escrow mechanism. If the key is missing, the system uses the device serial number instead. diff --git a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml index cd80dc6..e1cd116 100644 --- a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml +++ b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.FDERecoveryRedirect supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' deprecated: '10.13' 
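Review bot: In the `Location` description (`@@ -27,18 +35,17 @@`), `the message the user sees when it enables FileVault` makes "it" refer to the system, whereas the removed wording (`the user sees when enabling FileVault`) left the user as the one enabling it. The payload-level description only says "If FileVault is enabled after this payload is installed", so the new sentence asserts an actor that nothing else in the file establishes. Since this text tells the user where their recovery key is escrowed, keeping the neutral form is safer: `The system inserts this text into the message the user sees when enabling FileVault.`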
@@ -14,6 +16,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- *** This payload will be ignored on macOS 10.13 and later. See "com.apple.security.FDERecoveryKeyEscrow" payload. *** Old notes: diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index b544a5c..5cff7de 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -30,6 +30,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '9.0' multiple: true 
@@ -77,9 +84,11 @@ payloadkeys: - RSA - ECSECPrimeRandom content: |- - The type of key pair to generate. - * 'RSA': Specifies an RSA key pair. RSA key pairs must have a KeySize in the range [1024..4096] inclusive and a multiple of 8, and 'HardwareBound' must be false. - * 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4. KeySize defines the particular curve, which must be 192, 256, 384 or 521. Hardware bound keys only support values of 256 and 384. Note that the key size is 521, not 512, even though the other key sizes are multiples of 64. + The type of key pair to generate. Allowed values: + + * 'RSA': Specifies an RSA key pair. RSA key pairs need to have a 'KeySize' that's a multiple of 8 in the range of 1024 through 4096 (inclusive), and 'HardwareBound' needs to be 'false'. + * 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384, or P-521 curves as defined in FIPS Pub 186-4. 'KeySize' defines the particular curve, which needs to be '192', '256', '384', or '521'. Hardware bound keys only support values of '256' and '384'. + Note that the key size is '521', not '512', even though the other key sizes are multiples of 64. - key: HardwareBound title: Hardware Bound type: 
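Review bot: The rewritten `KeyType` description (`@@ -77,9 +84,11 @@`) still presents a 1024-bit RSA key and the P-192 curve as valid choices with no caveat, although both fall below the 112-bit security strength that current NIST guidance treats as the minimum. A profile author who copies the low end of the documented range ends up with a weak device identity key, and nothing in the hunk suggests the schema rejects it. Consider adding a sentence such as `For new deployments, use an RSA 'KeySize' of at least 2048, or the P-256 or larger curves.` Separately, the `Note that the key size is '521'` sentence now sits on its own line after the list, detached from the 'ECSECPrimeRandom' item it qualifies. The `KeySize` key itself is outside the hunk.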
@@ -88,7 +97,7 @@ payloadkeys: If 'false', the private key isn't bound to the device. If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key. If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384. - This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of false. + Setting this key to 'true' is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'. - key: Subject title: Subject type: 
@@ -170,8 +179,8 @@ payloadkeys: presence: optional default: false content: |- - If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. - When 'Attest' is 'true', 'HardwareBound' must also be 'true'. + If 'true', the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. + When 'Attest' is 'true', 'HardwareBound' also needs to be 'true'. This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. If this key is specified for older macOS versions or other Mac devices, it must have a value of 'false'. - key: KeyIsExtractable supportedOS: @@ -179,6 +188,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -193,6 +204,8 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/profiles/com.apple.security.certificatepreference.yaml b/mdm/profiles/com.apple.security.certificatepreference.yaml index 2dbb030..a741354 100644 --- a/mdm/profiles/com.apple.security.certificatepreference.yaml +++ b/mdm/profiles/com.apple.security.certificatepreference.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.certificatepreference supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.12' multiple: true 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Defines a Certificate Preference item in the user's keychain that references a certificate payload included in the same profile. Can only appear in a user profile (not a device profile). See also "com.apple.security.identitypreference" diff --git a/mdm/profiles/com.apple.security.certificaterevocation.yaml b/mdm/profiles/com.apple.security.certificaterevocation.yaml index 6aaffd0..fad9feb 100644 --- a/mdm/profiles/com.apple.security.certificaterevocation.yaml +++ b/mdm/profiles/com.apple.security.certificaterevocation.yaml @@ -14,6 +14,19 @@ payload: userchannel: false userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a content: Policies that affect system-wide certificate revocation checking. payloadkeys: - key: EnabledForCerts @@ -23,7 +36,7 @@ payloadkeys: content: |- An array of certificates that the system checks for revocation. Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. - It is not necessary to specify trusted root certificates because they are implicitly specified. See for the available trusted root certificates for Apple operating systems. + It's not necessary to specify trusted root certificates because they're implicitly specified. See for the available trusted root certificates for Apple operating systems. subkeys: - key: SubjectPublicKeyInfoHashDict type: diff --git a/mdm/profiles/com.apple.security.certificatetransparency.yaml b/mdm/profiles/com.apple.security.certificatetransparency.yaml index f3991b0..535c996 100644 --- a/mdm/profiles/com.apple.security.certificatetransparency.yaml 
+++ b/mdm/profiles/com.apple.security.certificatetransparency.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: 5.1.1 multiple: true 
@@ -41,10 +48,10 @@ payloadkeys: type: presence: optional content: |- - An array of certificates for which certificate transparency is disabled. For Certificate Transparency enforcement to be disabled when this policy is set, one of the following conditions must be met: + An array of certificates for which certificate transparency is disabled. One of the following conditions needs to be met to disable certificate transparency enforcement when this policy is set: * The hash is of the server certificate's 'subjectPublicKeyInfo'. - * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 'nameConstraints' extension; one or more 'directoryName' 'nameConstraints' are present in the 'permittedSubtrees;' and the 'directoryName' contains an 'organizationName' attribute. - * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain; the CA certificate has one or more 'organizationName' attributes in the certificate 'Subject;' and the server's certificate contains the same number of 'organizationName' attributes, in the same order, and with byte-for-byte identical values. + * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 'nameConstraints' extension. One or more 'directoryName' 'nameConstraints' are present in the 'permittedSubtrees', and the 'directoryName' contains an 'organizationName' attribute. + * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain. The CA certificate has one or more 'organizationName' attributes in the certificate 'Subject', and the server's certificate contains the same number of 'organizationName' attributes, in the same order, and with byte-for-byte identical values. subkeys: - key: SubjectPublicKeyInfoHashDict type: 
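Review bot: In the rewritten second and third bullets of this description, the sub-conditions that all have to hold are now spread over separate sentences, so a reader can take the first sentence alone as sufficient to disable certificate transparency enforcement. The two bullets are also punctuated differently: the second keeps a semicolon after "certificate chain" and then starts a new sentence, while the third uses a period there. Because this key switches off a security control, I would make the conjunction explicit in both bullets, for example opening each with `* All of the following are true:` and keeping the clauses in a single sentence joined by commas and "and".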
@@ -65,9 +72,10 @@ payloadkeys: title: Disabled domains type: presence: optional - content: |- - An array of strings representing the domains to be excluded from certificate transparency enforcement. A leading period (.) is supported to signify subdomains. - Wildcard domains are not supported. If a leading period (.) is specified, the domain cannot be a top-level domain (for example, '.com' and '.co.uk' are disallowed). + content: An array of strings that represent the domains to exclude from certificate + transparency enforcement. The system supports using a leading period ('.') to + signify subdomains. However, the system doesn't support wildcards. If you include + a leading period, the domain can't be a top-level domain, such as '.com' and '.co.uk'. subkeys: - key: domain type: diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index 1b524f8..57101d5 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.firewall supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.12' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Manages the Application Firewall settings (e.g. Security pref pane -> Firewall). Notes: diff --git a/mdm/profiles/com.apple.security.identitypreference.yaml b/mdm/profiles/com.apple.security.identitypreference.yaml index 59337ea..3483529 100644 --- a/mdm/profiles/com.apple.security.identitypreference.yaml +++ b/mdm/profiles/com.apple.security.identitypreference.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.identitypreference supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.12' multiple: true 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Defines an Identity Preference item in the user's keychain that references a identity payload included in the same profile. Can only appear in a user profile (not a device profile). See also "com.apple.security.certificatepreference" for diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml index 913f692..7e1610f 100644 --- a/mdm/profiles/com.apple.security.pem.yaml +++ b/mdm/profiles/com.apple.security.pem.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.0' multiple: true diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml index 7f4e64f..51d8eed 100644 --- a/mdm/profiles/com.apple.security.pkcs1.yaml +++ b/mdm/profiles/com.apple.security.pkcs1.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.0' multiple: true diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index f1035e0..053fcce 100644 --- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.0' multiple: true 
@@ -59,13 +66,15 @@ payloadkeys: introduced: '10.10' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: false - content: If 'true', allows apps access to the private key. Available in macOS 10.10 - and later. + content: If 'true', the system allows apps access to the private key. Available + in macOS 10.10 and later. - key: KeyIsExtractable supportedOS: iOS: @@ -74,9 +83,12 @@ payloadkeys: introduced: '10.15' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: presence: optional default: true - content: If 'false', doesn't tag the private key data as extractable in the keychain. + content: If 'false', the system doesn't tag the private key data as extractable + in the keychain. diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml index e979518..4ad4136 100644 --- a/mdm/profiles/com.apple.security.root.yaml +++ b/mdm/profiles/com.apple.security.root.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.0' multiple: true diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml index f33739c..2db4c6a 100644 --- a/mdm/profiles/com.apple.security.scep.yaml +++ b/mdm/profiles/com.apple.security.scep.yaml @@ -30,6 +30,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.0' multiple: true 
@@ -66,7 +73,6 @@ payloadkeys: content: |- The representation of an X.500 name as an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' translates to '[ [ [“C”, “US”] ], [ [“O”, “Apple Inc.'] ], …, [ [ “1.2.5.3”, “bar” ] ] ]'. - OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: SCEPSubjectArrayInnerArray @@ -113,9 +119,11 @@ payloadkeys: presence: optional default: 0 content: |- - A bitmask indicating the use of the key. + A bitmask indicating the use of the key. Possible values: + * 1: Signing * 4: Encryption + Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. - key: CAFingerprint title: Fingerprint @@ -180,7 +188,7 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables exporting the private key from the keychain. + content: If 'false', the system disables exporting the private key from the keychain. - key: AllowAllAppsAccess title: Allow All Apps Access supportedOS: diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml index 493b4ad..066a7b3 100644 --- a/mdm/profiles/com.apple.security.smartcard.yaml +++ b/mdm/profiles/com.apple.security.smartcard.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.security.smartcard supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.12.4 multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Restrictions and settings for SmartCard pairing on macOS payloadkeys: - key: UserPairing 
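Review bot: The `Possible values:` list added to the key-usage description (the `@@ -113,9 +119,11 @@` hunk) names only `1` and `4`, although the field is described as a bitmask, carries `default: 0`, and the closing sentence implies that signing and encryption can be requested together. As written, an administrator cannot tell what the default `0` produces or whether the combined value is accepted. I would either change the lead-in to `Bit values (combine by adding):` or add explicit entries for `0` and the combined value, once their behaviour is confirmed against the client.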
@@ -25,9 +33,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the SmartCard for logins, authorizations, and screen - saver unlocking. It is still allowed for other functions, such as signing emails - and accessing the web. A restart is required for a setting change to take effect. + content: If 'false', the system disables the SmartCard for logins, authorizations, + and screen saver unlocking. It is still allowed for other functions, such as signing + emails and accessing the web. A restart is required for a setting change to take + effect. - key: checkCertificateTrust type: presence: optional 
@@ -38,11 +47,12 @@ payloadkeys: - 3 default: 0 content: |- - Valid values are 0 to 3: - '0': Turns off certificate trust check. - '1': Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. - '2': Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. - '3': Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says 'This certificate is OK,' it's considered invalid. This option is the most secure. + Configures the certificate trust check and has one of the following possible values: + + * '0': Turns off certificate trust check. + * '1': Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. + * '2': Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. + * '3': Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says “This certificate is OK,” it's considered invalid. This option is the most secure. - key: oneCardPerUser type: presence: optional @@ -59,8 +69,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If '1', enables the screen saver when the SmartCard is removed. Available - in macOS 10.13.4 and later. + content: If '1', the system enables the screen saver when the SmartCard is removed. + Available in macOS 10.13.4 and later. - key: enforceSmartCard supportedOS: macOS: diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml index f4a4195..49e0c5d 100644 
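Review bot: The rewritten value list for the certificate trust check (first hunk on this line) says that '3' is the most secure option but never tells the reader that the schema default, `default: 0`, is the setting that turns the check off. Someone reading only the description could assume a trust check is on unless disabled; I would extend the first bullet to `* '0': Turns off certificate trust check. This is the default.`. The '2' bullet could also state plainly that it fails open when CRL/OCSP is unreachable, which is what its last sentence describes. As a style point, the new '3' bullet uses curly double quotes around “This certificate is OK,” while every other quoted token in the block uses straight single quotes.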
--- a/mdm/profiles/com.apple.servicemanagement.yaml +++ b/mdm/profiles/com.apple.servicemanagement.yaml @@ -4,6 +4,8 @@ description: Control the user experience for ServiceManagement login items (incl payload: payloadtype: com.apple.servicemanagement supportedOS: + iOS: + introduced: n/a macOS: introduced: '13.0' multiple: true @@ -14,6 +16,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload defines rules for tagging login items as managed, which will auto-enable and auto-allow matched items. payloadkeys: diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml index 2187e76..291afe5 100644 --- a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml +++ b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml @@ -15,6 +15,14 @@ payload: userchannel: false userenrollment: mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Allows admins to specify optional text displayed on the login window and lock screen (i.e. a footnote and Asset Tag Information). payloadkeys: diff --git a/mdm/profiles/com.apple.sso.yaml b/mdm/profiles/com.apple.sso.yaml index 5311e94..4c658b8 100644 --- a/mdm/profiles/com.apple.sso.yaml +++ b/mdm/profiles/com.apple.sso.yaml @@ -12,6 +12,14 @@ payload: mode: forbidden userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Name type: 
@@ -25,29 +33,29 @@ payloadkeys: - key: PrincipalName type: presence: optional - content: The principal name. If not provided, the user will be prompted for one - during profile installation. This field is required for MDM installation. + content: The principal name. If not provided, the system prompts the user for + one during profile installation. Required for MDM installation. - key: PayloadCertificateUUID supportedOS: iOS: introduced: '8.0' type: presence: optional - content: The 'PayloadUUID' of an identity certificate payload that can be used - to renew the Kerberos credential without user interaction. The certificate payload - must have either the 'com.apple.security.pkcs12' or 'com.apple.security.scep' - payload type. Both the Single Sign On payload and the identity certificate payload - must be included in the same configuration profile. + content: The 'PayloadUUID' of an identity certificate payload that the system + can use to renew the Kerberos credential without user interaction. Set the payload + type to either 'com.apple.security.pkcs12' or 'com.apple.security.scep' in the + certificate payload. The configuration file needs to contain both the SSO payload + and the identity certificate payload. - key: Realm type: presence: required - content: The realm name. This value should be properly capitalized. + content: The properly capitalized realm name. - key: URLPrefixMatches type: presence: optional content: |- - The list of URL prefixes that must be matched in order to use this account for Kerberos authentication over HTTP. If this key is missing, the account will be eligible to match all 'http://' and 'https://' URLs. - The URL matching patterns must begin with either 'http://' or 'https://'. A simple string match is performed, so the URL prefix 'http://www.apple.com/' will not match 'http://www.apple.com:80/'. However, if a matching pattern does not end in '/', a '/' will be appended to it. 
+ The list of URL prefixes to match in order to use this account for Kerberos authentication over HTTP. If this key is missing, the system makes the account eligible to match all 'http://' and 'https://' URLs. + Begin the URL matching patterns with either 'http://' or 'https://'. The system performs a simple string match, so the URL prefix 'http://www.apple.com/' doesn't match 'http://www.apple.com:80/'. However, if a matching pattern doesn't end in '/', the system automatically append a '/' to it. subkeys: - key: URLPrefixMatchesItem type: @@ -57,9 +65,8 @@ payloadkeys: type: presence: optional content: |- - The list of app identifiers that are allowed to use this login. If this field missing, this login will match all app identifiers. - This array may not be empty. - This array must contain strings that match App Bundle IDs. These strings may be exact matches, e.g. 'com.mycompany.myapp' or may specify a prefix match on the Bundle ID by using the '*' wildcard character. The wildcard character must appear after a period character ('.'), and may only appear once, at the end of the string, e.g. 'com.mycompany.*'. When a wildcard is given, any app whose Bundle ID begins with the prefix will be granted access to the account. + The list of app identifiers that the system allows to use this login. If this field missing, the system matches all app identifiers with this login. + Don't set an empty array. The array needs to contain strings that match App Bundle IDs. These strings can be exact matches such as 'com.mycompany.myapp', or they may specify a prefix match on the Bundle ID by using the '*' wildcard character. The wildcard character needs to appear after a period ('.'), and may only appear once, at the end of the string, for example, 'com.mycompany.*'. When you provide a wildcard, the system grants access to the account to any app with a Bundle ID that begins with the prefix. subkeys: - key: AppIdentifierMatchesItem type: 
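Review bot: Two of the rewritten descriptions in this file contain grammar slips that change how the matching rules read: `the system automatically append a '/' to it` in the URL prefix text should be `the system automatically appends a '/' to it`, and `If this field missing` in the app identifier text (next hunk, `@@ -57,9 +65,8 @@`) should be `If this field is missing`. Both sentences describe the fallback that widens which URLs or apps may use the Kerberos account, so they are worth getting exact. The certificate payload description also now says `The configuration file needs to contain both the SSO payload and the identity certificate payload`; the line it replaces said "configuration profile", and unless the term was changed on purpose I would keep `configuration profile`.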
diff --git a/mdm/profiles/com.apple.subscribedcalendar.account.yaml b/mdm/profiles/com.apple.subscribedcalendar.account.yaml index 463fe9f..15a6dae 100644 --- a/mdm/profiles/com.apple.subscribedcalendar.account.yaml +++ b/mdm/profiles/com.apple.subscribedcalendar.account.yaml @@ -14,6 +14,19 @@ payload: userchannel: true userenrollment: mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a payloadkeys: - key: SubCalAccountDescription title: Description @@ -40,7 +53,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables SSL. + content: If 'true', the system enables SSL. - key: VPNUUID title: VPNUUID supportedOS: @@ -48,6 +61,5 @@ payloadkeys: introduced: '14.0' type: presence: optional - content: |- - The VPNUUID of the per-app VPN the account uses for network communication. + content: The VPNUUID of the per-app VPN the account uses for network communication. Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml index e4cb3e4..10abaeb 100644 --- a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml +++ b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.syspolicy.kernel-extension-policy supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.13.2 multiple: true 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Provides a way of enabling a set of team identifiers or specific kernel extensions for loading without user approval. Also provides a way to block users from approving additional kernel extensions. Payload must be user-approved only. diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml index 8632829..5edb5b3 100644 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ b/mdm/profiles/com.apple.system-extension-policy.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.system-extension-policy supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.15' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: false userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Provides a way of enabling a set of team identifiers or specific system extensions for loading without user approval. Also provides a way to block users from approving additional system extensions. Payload must be user-approved only. diff --git a/mdm/profiles/com.apple.system.logging.yaml b/mdm/profiles/com.apple.system.logging.yaml index c1e235c..ab821e0 100644 --- a/mdm/profiles/com.apple.system.logging.yaml +++ b/mdm/profiles/com.apple.system.logging.yaml @@ -17,6 +17,8 @@ payload: mode: forbidden tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: diff --git a/mdm/profiles/com.apple.systemmigration.yaml b/mdm/profiles/com.apple.systemmigration.yaml index ee1aa6e..433deb6 100644 --- a/mdm/profiles/com.apple.systemmigration.yaml +++ b/mdm/profiles/com.apple.systemmigration.yaml 
@@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.systemmigration supportedOS: + iOS: + introduced: n/a macOS: introduced: 10.12.4 multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Provides a way of customizing items migrated during System Migration. payloadkeys: - key: CustomBehavior diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml index f046ccb..0a30e65 100644 --- a/mdm/profiles/com.apple.systempolicy.control.yaml +++ b/mdm/profiles/com.apple.systempolicy.control.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.systempolicy.control supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.8' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Provides a way of enabling System Policy assessment processing. This corresponds to the Gatekeeper UI in the Security pref pane. payloadkeys: diff --git a/mdm/profiles/com.apple.systempolicy.managed.yaml b/mdm/profiles/com.apple.systempolicy.managed.yaml index 5d8b51c..6f5a6cd 100644 --- a/mdm/profiles/com.apple.systempolicy.managed.yaml +++ b/mdm/profiles/com.apple.systempolicy.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.systempolicy.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.8' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Provides a way of disabling the Finder's contextual menu that allows bypass of System Policy restrictions. payloadkeys: 
diff --git a/mdm/profiles/com.apple.systempolicy.rule.yaml b/mdm/profiles/com.apple.systempolicy.rule.yaml index 0afa13a..218a8c2 100644 --- a/mdm/profiles/com.apple.systempolicy.rule.yaml +++ b/mdm/profiles/com.apple.systempolicy.rule.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.systempolicy.rule supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.8' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload allows control over Gatekeeper's system policy rules. The keys and functionality are tightly related to the spctl command line tool. For more information, see the manual page for spctl. diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml index f3174fc..16bd13c 100644 --- a/mdm/profiles/com.apple.systempreferences.yaml +++ b/mdm/profiles/com.apple.systempreferences.yaml @@ -2,6 +2,8 @@ title: System Preferences payload: payloadtype: com.apple.systempreferences supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' deprecated: '13.0' @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: |- Hide and show individual System Preferences panes. The following preference pane items are no longer supported on macOS 10.14: diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml index 1d1251e..8949b42 100644 --- a/mdm/profiles/com.apple.systemuiserver.yaml +++ b/mdm/profiles/com.apple.systemuiserver.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.systemuiserver supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' deprecated: '11.0' 
@@ -14,6 +16,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: logout-eject type: diff --git a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml index 8df0f77..d97992d 100644 --- a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.thirdactiveethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.thirdethernet.managed.yaml b/mdm/profiles/com.apple.thirdethernet.managed.yaml index b5d64c9..33a07f6 100644 --- a/mdm/profiles/com.apple.thirdethernet.managed.yaml +++ b/mdm/profiles/com.apple.thirdethernet.managed.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.thirdethernet.managed supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false 
@@ -13,10 +15,16 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: ANY type: presence: optional - content: Keys relevant to 802.1x configuration. User enrollment payloads do not + content: Keys relevant to 802.1x configuration. User enrollment payloads do not support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.tvremote.yaml b/mdm/profiles/com.apple.tvremote.yaml index 7785de4..981710d 100644 --- a/mdm/profiles/com.apple.tvremote.yaml +++ b/mdm/profiles/com.apple.tvremote.yaml @@ -14,11 +14,17 @@ payload: userchannel: true userenrollment: mode: forbidden + macOS: + introduced: n/a tvOS: introduced: '11.3' multiple: false supervised: true allowmanualinstall: true + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: AllowedRemotes supportedOS: @@ -35,7 +41,7 @@ payloadkeys: type: presence: required content: The MAC address of a permitted iOS device that can control this Apple - TV. Use the format xx:xx:xx:xx:xx:xx. The field isn't case sensitive. + TV. Use the format 'xx:xx:xx:xx:xx:xx', which isn't case-sensitive. - key: AllowedTVs supportedOS: tvOS: 
@@ -50,13 +56,13 @@ payloadkeys: - key: TVDeviceID type: presence: required - content: The MAC address of an Apple TV device that this iOS device is permitted - to control. Use the format 'xx:xx:xx:xx:xx:xx'. The field isn't case sensitive. + content: The MAC address of an Apple TV device that the system permits this + iOS device to control. Use the format 'xx:xx:xx:xx:xx:xx', which isn't case-sensitive. - key: TVDeviceName supportedOS: iOS: introduced: '15.0' type: presence: optional - content: The name of an Apple TV device that this iOS device is permitted to - control. + content: The name of an Apple TV device that the system permits this iOS device + to control. diff --git a/mdm/profiles/com.apple.universalaccess.yaml b/mdm/profiles/com.apple.universalaccess.yaml index 96aa209..28b74db 100644 --- a/mdm/profiles/com.apple.universalaccess.yaml +++ b/mdm/profiles/com.apple.universalaccess.yaml @@ -2,6 +2,8 @@ title: Accessibility payload: payloadtype: com.apple.universalaccess supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: false @@ -12,6 +14,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: closeViewFarPoint type: diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index 9701bbb..489b0dc 100644 --- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -26,6 +26,13 @@ payload: mode: allowed tvOS: introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '10.0' multiple: true @@ -58,6 +65,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -77,6 +86,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -96,6 +107,8 @@ payloadkeys: deprecated: '13.4' macOS: introduced: '10.15' + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml index 3356508..649e14f 100644 --- a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml +++ b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.vpn.managed.appmapping supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.9' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload is only valid on macOS. payloadkeys: - key: AppLayerVPNMapping diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index 5742d83..d7d1234 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -29,6 +29,15 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: forbidden + watchOS: + introduced: n/a payloadkeys: - key: VPNType title: Type 
@@ -49,13 +58,6 @@ payloadkeys: title: VPN Subtype type: presence: optional - rangelist: - - com.cisco.anyconnect - - net.pulsesecure.PulseSecure.vpnplugin - - com.f5.F5-Edge-Client.vpnplugin - - com.sonicwall.SonicWALL-SSLVPN.vpnplugin - - com.arubanetworks.aruba-via.vpnplugin - - com.checkpoint.CheckPoint-VPN.vpnplugin content: |- An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'. If 'VPNType' is 'VPN', the system requires this field. If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier. @@ -79,7 +81,7 @@ payloadkeys: type: presence: optional content: The Kerberos realm name, which needs to be properly capitalized. Valid - only for Juniper SSL/Pulse Secure. Not available in watchOS. + only for Juniper SSL and Pulse Secure. Not available in watchOS. - key: Role title: Role type: @@ -102,8 +104,7 @@ payloadkeys: title: VPN type: presence: optional - content: The dictionary to use to specify a VPN when 'VPNType' is 'VPN', 'IPSec', - or 'IKEv2'. + content: The VPN dictionary is used when VPNType is VPN. subkeys: - key: AuthenticationMethod title: Authentication Method @@ -138,6 +139,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional content: If the VPN provider is implemented as a system extension, this field 
@@ -183,7 +186,7 @@ payloadkeys: - 1 default: 0 content: |- - If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS. + If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, ExcludeAPNs and ExcludeDeviceCommunication properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS. * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. * Traffic necessary for connecting to captive networks. @@ -261,6 +264,25 @@ payloadkeys: content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes the network traffic for the Apple Push Notification service (APNs) from the tunnel. Not available in watchOS. + - key: ExcludeDeviceCommunication + title: Exclude Device Communication + supportedOS: + iOS: + introduced: '17.4' + macOS: + introduced: '14.4' + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then network traffic used for communicating + with devices connected via USB or Wi-Fi is excluded from the tunnel. - key: OnDemandEnabled title: Enable VPN On Demand type: 
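Review bot: The `ExcludeDeviceCommunication` key added in the `@@ -261,6 +264,25 @@` hunk has `default: 1`, so a profile that sets 'IncludeAllNetworks' to '1' and omits the new key leaves traffic to USB- and Wi-Fi-connected devices outside the tunnel, and the description never states that default outcome. I would append a sentence such as `By default this traffic bypasses the tunnel; set the key to '0' to change that.` (the effect of '0' is inferred from the wording, not shown in the hunk). This copy also has no `watchOS: introduced: n/a` entry, which the otherwise identical key added at `@@ -1112,6 +1227,27 @@` does carry. Both copies write `1` and `IncludeAllNetworks` unquoted where the neighbouring keys use `'1'` and `'IncludeAllNetworks'`.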
@@ -287,11 +309,15 @@ payloadkeys: configuration. Available in iOS 14 and later. Not available in watchOS. - key: OnDemandMatchDomainsAlways title: On Demand Match Domains Always + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional - content: A list of domain names. The system treats associated domain names as - though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior - can be overridden by 'OnDemandRules'. Not available in watchOS. + content: |- + A list of domain names. The system treats associated domain names as though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden by 'OnDemandRules'. + In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries. + Not available in watchOS. subkeytype: MatchDomainAlwaysElement subkeys: &id001 - key: MatchDomainAlwaysElement @@ -299,6 +325,9 @@ payloadkeys: type: - key: OnDemandMatchDomainsNever title: On Demand Match Domains Never + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional content: |- @@ -312,6 +341,9 @@ payloadkeys: type: - key: OnDemandMatchDomainsOnRetry title: On Demand Match Domains On Retry + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional content: |- 
@@ -354,52 +386,61 @@ payloadkeys: Only the 'Disconnect' action is available on watchOS 10 and later. - key: ActionParameters title: Action Parameters - type: + type: presence: optional - content: A dictionary that provides rules similar to the 'OnDemandRules' dictionary, - but evaluated on each connection instead of when the network changes. This - value is only for use with dictionaries in which the 'Action' value is 'EvaluateConnection'. - The system evaluates these dictionaries in order and the first dictionary - that matches determines the behavior. Not available in watchOS. + content: An array of dictionaries that provides rules similar to the 'OnDemandRules' + dictionary, but evaluated on each connection instead of when the network + changes. This value is only for use with dictionaries in which the 'Action' + value is 'EvaluateConnection'. The system evaluates these dictionaries in + order and the first dictionary that matches determines the behavior. Not + available in watchOS. subkeys: - - key: Domains - title: Domains - type: - presence: required - content: The domains to apply this evaluation. - subkeys: - - key: DomainsElement - title: Domains Element - type: - - key: DomainAction - title: Domain Action - type: - presence: required - rangelist: - - ConnectIfNeeded - - NeverConnect - content: |- - Defines the VPN behavior for the specified domains. Allowed values are: - * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). - * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. 
- - key: RequiredDNSServers - title: Required DNS Servers - type: + - key: ActionParameter + title: Action Parameter + type: presence: optional content: |- - An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. - This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value. subkeys: - - key: RequiredDNSServersElement - title: Required DNS Servers Element + - key: Domains + title: Domains + type: + presence: required + content: The domains to apply this evaluation. + subkeys: + - key: DomainsElement + title: Domains Element + type: + - key: DomainAction + title: Domain Action type: - - key: RequiredURLStringProbe - title: Required URL String Probe - type: - presence: optional - content: |- - An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. - This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. 
Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS Servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS Servers Element + type: + - key: RequiredURLStringProbe + title: Required URL String Probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response. + This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. - key: DNSDomainMatch title: DNS Domain Match type: @@ -467,7 +508,8 @@ payloadkeys: - 0 - 1 default: 0 - content: If '1', the system sends all network traffic over VPN. + content: If '1', the system sends all network traffic over VPN. Only applies to + Cisco IPsec and L2TP VPN types. - key: PPP title: PPP supportedOS: 
@@ -686,6 +728,9 @@ payloadkeys: content: If '1', enables bringing the VPN connection up on demand. - key: OnDemandMatchDomainsAlways title: On Demand Match Domains Always + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional content: Deprecated. A list of domain names. In iOS 7 and later, if this key is @@ -696,6 +741,9 @@ payloadkeys: subkeys: *id001 - key: OnDemandMatchDomainsNever title: On Demand Match Domains Never + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated @@ -705,6 +753,9 @@ payloadkeys: subkeys: *id002 - key: OnDemandMatchDomainsOnRetry title: On Demand Match Domains On Retry + supportedOS: + iOS: + deprecated: '7.0' type: presence: optional content: Deprecated. A list of domain names. In iOS 7 and later, this field is 
@@ -776,6 +827,35 @@ payloadkeys: the system sends this certificate out for IKEv2 machine authentication. If extended authentication (EAP) is used, the system sends this certificate out for EAP-TLS authentication. + - key: Password + title: Account Password + type: + presence: optional + content: The password to use for the account credentials. Only used if 'AuthenticationMethod' + is 'Password'. + - key: ProviderBundleIdentifier + title: Provider Bundle Identifier + type: + presence: optional + content: If the VPNSubType field contains the bundle identifier of an app that + contains multiple VPN providers of the same type (app-proxy or packet-tunnel), + then the system uses this field to choose which provider to use for this configuration. + If the VPN provider is implemented as a System Extension, then this field is + required. + - key: ProviderDesignatedRequirement + title: Provider Designated Requirement + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + visionOS: + introduced: n/a + type: + presence: optional + content: If the VPN provider is implemented as a System Extension, then this field + is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS + 10 and later. - key: SharedSecret title: SharedSecret type: 
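Review bot: The `ProviderDesignatedRequirement` description added here says `Available in macOS 10.15 and later, tvOS 17 and later, and watchOS 10 and later`, but its `supportedOS` block lists only macOS '10.15', marks iOS and visionOS as n/a, and has no tvOS or watchOS entry. A consumer that trusts `supportedOS` will disagree with one that reads the text, so the two should be aligned, for example by trimming the sentence to `Available in macOS 10.15 and later.` if the block is the source of truth. The new `Password` description could also state that the value is carried inside the profile, so the profile has to be protected like the credential itself.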
@@ -935,6 +1015,21 @@ payloadkeys: default: 0 content: If '1', the system disables IKEv2 redirect. If not set, the system redirects an IKEv2 connection when it receives a redirect request from the server. + - key: DisconnectOnIdle + title: Enable Disconnect on Idle + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If '1', the VPN disconnects automatically after a period defined by 'DisconnectOnIdleTimer'. + - key: DisconnectOnIdleTimer + title: Disconnect on Idle time + type: + presence: optional + content: Only used if 'DisconnectOnIdle' is '1'. The number of seconds before + the VPN disconnects. On watchOS, maximum allowed value is 15 seconds - key: NATKeepAliveOffloadEnable title: NAT Keep Alive Offload Enable supportedOS: @@ -1022,6 +1117,16 @@ payloadkeys: content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that the system sends over the IKEv2 VPN interface. Available in iOS 14 and later, and macOS 11 and later. + - key: ProviderType + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: If the value of this key is 'app-proxy', the VPN service tunnels traffic + at the application layer. If the value of this key is 'packet-tunnel', the VPN + service tunnels traffic at the IP layer. - key: IncludeAllNetworks title: Include All Networks supportedOS: @@ -1031,6 +1136,8 @@ payloadkeys: introduced: '10.15' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: 
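Review bot: `DisconnectOnIdleTimer` states its limit only in prose (`On watchOS, maximum allowed value is 15 seconds`, which also lacks a closing period) and declares no `range`, so a schema-driven validator cannot reject an out-of-range timer. If the schema format can express a per-key bound, a `range` entry would make the limit checkable; otherwise the description should say what the system does with a larger value. The `ProviderType` key added in the `@@ -1022,6 +1117,16 @@` hunk has no `title`, unlike the other keys added around it.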
@@ -1038,7 +1145,7 @@ payloadkeys: - 1 default: 0 content: |- - If '1', then the system routes all network traffic through the VPN, with some controllable exclusions, such as 'ExcludeLocalNetworks', 'ExcludeCellularServices', and 'ExcludeAPNs' properties. The system always excludes the following traffic from the tunnel: + If '1', then the system routes all network traffic through the VPN, with some controllable exclusions, such as 'ExcludeLocalNetworks', 'ExcludeCellularServices', 'ExcludeAPNs', and 'ExcludeDeviceCommunication' properties. The system always excludes the following traffic from the tunnel: * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. * Traffic necessary for connecting to captive networks. * Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the 'ExcludeCellularServices' field for more information. @@ -1050,6 +1157,8 @@ payloadkeys: introduced: '14.2' macOS: introduced: '11.0' + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -1067,6 +1176,8 @@ payloadkeys: introduced: '10.15' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -1084,6 +1195,8 @@ payloadkeys: introduced: '13.3' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: @@ -1104,6 +1217,8 @@ payloadkeys: introduced: '13.3' tvOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional rangelist: 
@@ -1112,6 +1227,27 @@ payloadkeys: default: 1 content: If '1' and 'IncludeAllNetworks' is '1', the system excludes network traffic for the Apple Push Notification service (APNs) from the tunnel. + - key: ExcludeDeviceCommunication + title: Exclude Device Communication + supportedOS: + iOS: + introduced: '17.4' + macOS: + introduced: '14.4' + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + watchOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then network traffic used for communicating + with devices connected via USB or Wi-Fi is excluded from the tunnel. - key: IKESecurityAssociationParameters title: IKESecurityAssociationParameters type: @@ -1479,9 +1615,12 @@ payloadkeys: - VoiceMail - AirPrint - CellularServices + - DeviceCommunication content: The name of a service that's exempt from Always On VPN. 'CellularServices' is available in iOS 11.3 and later; it exempts 'VoLTE', 'IMS' and 'MMS'. - WiFiCalling is exempted in iOS 13.4 and later. + WiFiCalling is exempted in iOS 13.4 and later. DeviceCommunication is available + in iOS 17.4 and later; it exempts network traffic used for communicating + with devices connected via USB or Wi-Fi. - key: Action title: Action type: 
@@ -1566,20 +1705,116 @@ payloadkeys: introduced: '14.0' tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional - content: The dictionary to use when 'VPNType' is 'TransparentProxy'. The keys in - this dictionary are the same as the keys in the 'VPN' dictionary with the addition - of the fields shown in the VPN.TransparentProxy dictionary. Available in macOS - 14 and later. Not available in watchOS. + content: The dictionary to use when 'VPNType' is 'TransparentProxy'. Available in + macOS 14 and later. subkeys: - - key: Order - title: Order - supportedOS: - iOS: - introduced: n/a - macOS: - introduced: '14.0' + - key: AuthenticationMethod + title: Authentication Method + type: + presence: optional + rangelist: + - Password + - Certificate + - Password+Certificate + default: Password + content: |- + The type of authentication method to use: 'Password', 'Certificate', or 'Password+Certificate'. + Available in macOS 14 and later. + - key: DisconnectOnIdle + title: Enable Disconnect on Idle type: presence: optional - content: A positive integer. + rangelist: + - 0 + - 1 + default: 0 + content: |- + If '1', the VPN disconnects automatically disconnect after a period defined by 'DisconnectOnIdleTimer'. + Available in macOS 14 and later. + - key: DisconnectOnIdleTimer + title: Disconnect on Idle time + type: + presence: optional + content: |- + The number of seconds before the VPN disconnects. This value is only used if 'DisconnectOnIdle' is '1'. + Available in macOS 14 and later. + - key: EnforceRoutes + title: Enforce Routes + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If '1', then all the VPN's non-default routes take precedence over any locally-defined routes. If 'IncludeAllNetworks' is '1', the system ignores the value of 'EnforceRoutes'. + Available in macOS 14 and later. 
+ - key: OnDemandEnabled + title: Enable VPN On Demand + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If '1', the system brings up the VPN on demand. + Available in macOS 14 and later. + - key: OnDemandRules + title: On Demand Rules + type: + presence: optional + content: |- + Determines when and how the system uses an OnDemand VPN. + Available in macOS 14 and later. + subkeytype: OnDemandRulesElement + subkeys: *id004 + - key: PayloadCertificateUUID + title: PayloadCertificateUUID + type: + presence: optional + content: |- + The UUID of the identity certificate as the account credential. If 'AuthenticationMethod' is 'Certificate', and extended authentication (EAP) isn't used, this certificate is sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS. + Available in macOS 14 and later. + - key: Password + title: Account Password + type: + presence: optional + content: |- + The password to use for the account credentials. Only used if 'AuthenticationMethod' is 'Password'. + Available in macOS 14 and later. + - key: ProviderBundleIdentifier + title: Provider Bundle Identifier + type: + presence: optional + content: |- + If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required. + Available in macOS 14 and later. + - key: ProviderDesignatedRequirement + title: Provider Designated Requirement + type: + presence: optional + content: |- + If the VPN provider is implemented as a System Extension, then this field is required. + Available in macOS 14 and later. 
+ - key: ProviderType + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: |- + If the value of this key is 'app-proxy', the VPN service tunnels traffic at the application layer. If the value of this key is 'packet-tunnel', the VPN service tunnels traffic at the IP layer. + Available in macOS 14 and later. + - key: Order + title: Order + type: + presence: optional + content: |- + A positive integer. + Available in macOS 14 and later. diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml index 6736440..a17e3e2 100644 --- a/mdm/profiles/com.apple.webClip.managed.yaml +++ b/mdm/profiles/com.apple.webClip.managed.yaml @@ -24,6 +24,12 @@ payload: allowmanualinstall: true userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: Precomposed title: Precomposed Icon diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index 834d349..1bee61a 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml @@ -24,9 +24,20 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden - content: As of iOS 16.0, this can be installed on unsupervised devices and user - enrollments if ContentFilterUUID is specified. Previously it could only be installed - on supervised devices. + tvOS: + introduced: n/a + visionOS: + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed + watchOS: + introduced: n/a + content: As of iOS 16.0 and visionOS 1.1, this can be installed on unsupervised + devices and user enrollments if ContentFilterUUID is specified. Previously it + could only be installed on supervised devices. payloadkeys: - key: FilterType title: FilterType 
@@ -72,6 +83,8 @@ payloadkeys: deprecated: '14.5' macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: Use 'DenyListURLs' instead. @@ -101,6 +114,8 @@ payloadkeys: deprecated: '14.5' macOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: Use 'AllowListBookmarks' instead. @@ -224,6 +239,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional content: The designated requirement string that the system embeds in the code signature @@ -236,6 +253,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional content: The bundle identifier string of the filter data provider system extension. @@ -248,6 +267,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional default: false @@ -261,6 +282,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional content: The designated requirement string that the system embeds in the code signature @@ -274,6 +297,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional content: The bundle identifier string of the filter packet provider system extension. @@ -286,6 +311,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + visionOS: + introduced: n/a type: presence: optional rangelist: diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index 6035493..f92467c 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml @@ -29,6 +29,13 @@ payload: multiple: true supervised: false allowmanualinstall: true + visionOS: + introduced: '1.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '3.2' multiple: true 
@@ -67,6 +74,9 @@ payloadkeys: iOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional rangelist: @@ -124,14 +134,15 @@ payloadkeys: type: presence: required content: |- - The system accepts the following EAP types: - 13 = TLS - 17 = LEAP - 18 = EAP-SIM - 21 = TTLS - 23 = EAP-AKA - 25 = PEAP - 43 = EAP-FAST + The EAP types that the system accepts. Allowed values: + + * 13: TLS + * 17: LEAP + * 18: EAP-SIM + * 21: TTLS + * 23: EAP-AKA + * 25: PEAP + * 43: EAP-FAST For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network. subkeys: @@ -201,6 +212,8 @@ payloadkeys: supportedOS: iOS: removed: '8.0' + visionOS: + introduced: n/a type: presence: optional default: true @@ -486,6 +499,8 @@ payloadkeys: deprecated: '14.5' macOS: deprecated: '14.0' + visionOS: + introduced: n/a type: presence: optional content: Use 'QoSMarkingAllowListAppIdentifiers' instead. @@ -515,6 +530,8 @@ payloadkeys: introduced: '10.7' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -549,6 +566,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional content: The proxy server's network address. @@ -561,6 +581,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional range: @@ -576,6 +599,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional content: The user name used to authenticate to the proxy server. 
@@ -585,6 +611,9 @@ payloadkeys: iOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional content: The password used to authenticate to the proxy server. @@ -597,6 +626,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional content: The URL of the PAC file that defines the proxy configuration. @@ -609,6 +641,9 @@ payloadkeys: macOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: optional default: false @@ -625,6 +660,9 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + userenrollment: + mode: forbidden watchOS: introduced: '7.0' type: diff --git a/mdm/profiles/com.apple.xsan.preferences.yaml b/mdm/profiles/com.apple.xsan.preferences.yaml index 8ce3b63..897f83e 100644 --- a/mdm/profiles/com.apple.xsan.preferences.yaml +++ b/mdm/profiles/com.apple.xsan.preferences.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.xsan.preferences supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' multiple: true @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: The Xsan preferences payload can be used to configure which volumes automatically mount at startup. For StorNext volumes this payload also determines whether the mount uses Fibre Channel or Distributed LAN Client (DLC). diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml index 065a8db..8e47fee 100644 --- a/mdm/profiles/com.apple.xsan.yaml +++ b/mdm/profiles/com.apple.xsan.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: com.apple.xsan supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.10' multiple: false 
@@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: Sets up Xsan clients and controls certain Xsan volume mount behaviors. payloadkeys: - key: sanName diff --git a/mdm/profiles/loginwindow.yaml b/mdm/profiles/loginwindow.yaml index 27fb1e0..8c5ba21 100644 --- a/mdm/profiles/loginwindow.yaml +++ b/mdm/profiles/loginwindow.yaml @@ -3,6 +3,8 @@ description: '' payload: payloadtype: loginwindow supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.7' multiple: false @@ -13,6 +15,12 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a content: This payload handles login items management. payloadkeys: - key: DisableLoginItemsSuppression @@ -22,5 +30,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from disabling login item launches by using - the Shift key. + content: If 'true', the system prevents the user from disabling login item launches + by using the Shift key. diff --git a/other/esso.yaml b/other/esso.yaml index 6980a34..9a788f3 100644 --- a/other/esso.yaml +++ b/other/esso.yaml @@ -5,6 +5,14 @@ payload: supportedOS: iOS: introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: iTunesStoreID title: iTunes Store ID diff --git a/other/machineinfo.yaml b/other/machineinfo.yaml index 8eeccda..9ef7801 100644 --- a/other/machineinfo.yaml +++ b/other/machineinfo.yaml @@ -10,6 +10,8 @@ payload: introduced: '10.9' tvOS: introduced: '10.2' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: @@ -25,6 +27,9 @@ payloadkeys: tvOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's UDID. 
@@ -40,6 +45,9 @@ payloadkeys: tvOS: userenrollment: mode: forbidden + visionOS: + userenrollment: + mode: forbidden type: presence: required content: The device's serial number. @@ -96,11 +104,11 @@ payloadkeys: userenrollment: mode: forbidden macOS: - userenrollment: - mode: forbidden + introduced: n/a tvOS: - userenrollment: - mode: forbidden + introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The device's IMEI (if available). @@ -111,11 +119,11 @@ payloadkeys: userenrollment: mode: forbidden macOS: - userenrollment: - mode: forbidden + introduced: n/a tvOS: - userenrollment: - mode: forbidden + introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The device's MEID (if available). @@ -133,6 +141,8 @@ payloadkeys: introduced: '14.0' tvOS: introduced: n/a + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -149,6 +159,21 @@ payloadkeys: introduced: n/a tvOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The pairing token to validate when a watch is enrolling. +- key: SOFTWARE_UPDATE_DEVICE_ID + title: Software Update Device ID + supportedOS: + iOS: + introduced: '17.4' + macOS: + introduced: '14.4' + tvOS: + introduced: n/a + type: + presence: optional + content: The device model identifier used to lookup available OS updates through + https://gdmf.apple.com/v2/pmv. diff --git a/other/manifesturl.yaml b/other/manifesturl.yaml index 26560aa..748ed25 100644 --- a/other/manifesturl.yaml +++ b/other/manifesturl.yaml @@ -16,6 +16,8 @@ payload: mode: allowed tvOS: introduced: '10.2' + visionOS: + introduced: '1.1' watchOS: introduced: '10.0' payloadkeys: @@ -93,6 +95,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + visionOS: + removed: '0' watchOS: introduced: n/a type: @@ -134,6 +138,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + visionOS: + removed: '0' watchOS: introduced: n/a type: 
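Review bot: The `SOFTWARE_UPDATE_DEVICE_ID` key added in the `@@ -149,6 +159,21 @@` hunk lists iOS, macOS and tvOS but has no visionOS or watchOS entry, although this same commit adds `visionOS: introduced: '1.1'` to the payload and an explicit `visionOS: introduced: n/a` to the key just above it. Without its own entries the key presumably inherits the payload-level availability, which may not be intended, so explicit `visionOS:` and `watchOS:` entries with the correct `introduced` values would remove the ambiguity. The key also carries no `userenrollment` restriction while UDID and serial number are marked `mode: forbidden`; if a model identifier is meant to be reported on user enrollments that is fine, but it deserves a deliberate decision. In the description, `lookup` should be `look up`.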
@@ -158,6 +164,8 @@ payloadkeys: removed: '0' tvOS: removed: '0' + visionOS: + removed: '0' watchOS: introduced: n/a type: diff --git a/other/passwordhash.yaml b/other/passwordhash.yaml index b316b18..e84cb58 100644 --- a/other/passwordhash.yaml +++ b/other/passwordhash.yaml @@ -4,10 +4,18 @@ description: The passwordHash object used in the AccountConfiguration and SetAut payload: payloadtype: passwordHash supportedOS: + iOS: + introduced: n/a macOS: introduced: '10.11' userenrollment: mode: allowed + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a payloadkeys: - key: SALTED-SHA512-PBKDF2 title: SALTED-SHA512-PBKDF2 diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 771d14e..96db4bf 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -12,6 +12,8 @@ payload: tvOS: introduced: '10.2' always-skippable: true + visionOS: + introduced: n/a watchOS: introduced: n/a payloadkeys: @@ -29,6 +31,19 @@ payloadkeys: presence: optional content: The key to skip the Accessibility pane, when creating additional users. This key is not available in macOS. +- key: ActionButton + title: Skip Action Button setup pane + supportedOS: + iOS: + introduced: '17.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: The key to skip the Action Button configuration pane. This key is available + in iOS 17 and later. - key: Android title: Prevents migration from Android device supportedOS: @@ -465,8 +480,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: If the key is included in the SkipSetup array the Wallpaper pane will be - skipped. + content: |- + The key to skip Wallpaper setup. + This key is available in macOS 14.1 and later, - key: WatchMigration title: Skip watch migration supportedOS: