Release_iOS-17-0_macOS-14-0

Cyrus Daboo
2023-09-14 17:37:05 -04:00
parent 5a8fb0deb2
commit 72c2a0a69f
254 changed files with 6787 additions and 969 deletions

View File

@@ -8,10 +8,10 @@ This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 16.4 |
| macOS | 13.3 |
| tvOS | 16.4 |
| watchOS | 9.4 |
| iOS | 17.0 |
| macOS | 14.0 |
| tvOS | 17.0 |
| watchOS | 10.0 |
## What's Available
@@ -20,6 +20,7 @@ The following schema items are available:
* MDM commands - `mdm/commands`
* MDM check-in requests - `mdm/checkin`
* MDM profiles - `mdm/profiles`
* MDM errors - `mdm/errors`
* Declarative device management declarations - `declarative/declarations`
* Declarative device management status items - `declarative/status`

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: StandardConfigurations
type: <array>

View File

@@ -0,0 +1,68 @@
title: Asset:Credential ACME
description: A reference to an ACME identity.
payload:
declarationtype: com.apple.asset.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.acme' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
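Review bot: The 'Hash-SHA-256' content ("If 'Size' is '0', clients need to ignore this value or set it to an empty string") leaves the actor ambiguous: a client cannot "set" a value in a declaration the server authored, so the sentence should be split into a server rule and a client rule, e.g. "If 'Size' is '0', the server should omit 'Hash-SHA-256' or set it to an empty string; clients must ignore the hash in that case." It would also help to state what the client does when 'Size' and 'Hash-SHA-256' are both absent (both are 'optional'), because the "Use this value to verify that the returned data is the expected data" guidance only applies when a server supplies them. Separately, the description "A reference to an ACME identity." understates what is referenced: per the 'Reference' content it is a JSON document of the 'com.apple.credential.acme' type, i.e. the parameters from which the device generates the identity, so "A reference to the ACME parameters used to generate an identity on the device." would be more accurate.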

View File

@@ -0,0 +1,57 @@
title: Asset:Credential Certificate
description: 'A reference to a PKCS #1 or PEM encoded certificate.'
payload:
declarationtype: com.apple.asset.credential.certificate
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference. Ensure that the asset data uses a media type of
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
certificate. If the asset data includes a 'ContentType' sub-key, set it to the
corresponding media type.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
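Review bot: The description "A reference to a PKCS #1 or PEM encoded certificate." and the 'application/pkcs1' media type in the 'Reference' content look like the wrong standard: PKCS #1 (RFC 8017) defines RSA key and signature formats, not a certificate encoding. If a DER-encoded X.509 certificate is meant, say so and name the media type the client actually accepts, otherwise implementers have to guess. Also worth a sentence: this file has no 'Accessible' key, unlike the ACME, Identity and SCEP credential assets in the same commit; if that is deliberate because a bare certificate carries no private key, stating it avoids the question.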

View File

@@ -0,0 +1,68 @@
title: Asset:Credential Identity
description: 'A reference to a PKCS #12 password-protected identity.'
payload:
declarationtype: com.apple.asset.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.identity' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
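Review bot: The 'Authentication' subkey allows 'Type' 'None' ("a standard GET request is carried out"), yet the 'Reference' content says the data is a JSON document of the 'com.apple.credential.identity' type, which per the credential schema in this commit carries the PKCS #12 blob together with its 'Password' in the same document. The content should say that this asset is secret material (the sentence "Note that this should always be considered as security sensitive data." being removed from the user name and password asset in this same commit would fit here) and recommend 'MDM' authentication, so that the hosting server can tie each request to an enrolled device instead of serving the password-bearing document to any client that presents the URL.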

View File

@@ -0,0 +1,68 @@
title: Asset:Credential SCEP
description: A reference to a SCEP identity.
payload:
declarationtype: com.apple.asset.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.scep' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.

View File

@@ -1,6 +1,6 @@
title: Credential:User Name and Password
title: Asset:Credential User Name and Password
description: A reference to data describing a credential representing a user name
and password. Note that this should always be considered as security sensitive data.
and password.
payload:
declarationtype: com.apple.asset.credential.userpassword
supportedOS:
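Review bot: Dropping "Note that this should always be considered as security sensitive data." from the description loses guidance that still applies: the asset points at a JSON document holding a plaintext user name and password. If it was removed to keep descriptions uniform, consider moving the sentence to the 'Reference' key content, or to the 'Password' key of the corresponding credential schema, rather than deleting it.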
@@ -10,11 +10,16 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The reference to the credential.
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
@@ -22,17 +27,41 @@ payloadkeys:
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: required
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: required
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: required
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
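Review bot: Relaxing 'ContentType', 'Size' and 'Hash-SHA-256' from 'required' to 'optional' removes the integrity check on fetched credential data for any declaration that omits them, and nothing in the text says what the client does without a hash (accept whatever the server returns?). Either keep 'Hash-SHA-256' required for credential assets, or add a sentence stating the behaviour when it is absent, so server implementers know what they give up by leaving it out.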

View File

@@ -0,0 +1,138 @@
title: ACME Credential
description: An ACME identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: DirectoryURL
title: ACME directory URL
type: <string>
presence: required
content: Specifies the directory URL of the ACME server. Use the 'https' scheme
for the URL.
- key: ClientIdentifier
title: Client identifier
type: <string>
presence: required
content: The server can use this as a nonce to prevent issuing multiple certificates.
It also indicates to the ACME server that the device has access to a valid client
identifier that the enterprise infrastructure issued. This can help the ACME server
determine whether to trust the device, however this is a relatively weak indication
because of the risk that an attacker may intercept and duplicate the client identifier.
- key: KeySize
title: Key Size
type: <integer>
presence: required
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
See those keys for specific requirements.
- key: KeyType
title: Key Type
type: <string>
presence: required
rangelist:
- RSA
- ECSECPrimeRandom
content: |-
Specifies the type of key pair to generate.
'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'.
'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys.
The key size is '521', not '512', even though the other key sizes are multiples of '64'.
- key: HardwareBound
title: Hardware Bound
type: <boolean>
presence: required
content: |-
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'.
On macOS, this is a required key. Set the value to 'false'.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: ACMESubjectArrayInnerArray
title: Array Inside ACME Subject Array
type: <array>
subkeys:
- key: ACMESubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: ACMESubjectArrayPairItem
title: ACME Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: Specifies the subject's alternative name that the device requests for the
certificate that the ACME server issues. The ACME server may override or ignore
this field in the certificate it issues.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
- key: UsageFlags
title: Key Usage
type: <integer>
presence: optional
content: |-
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment.
- key: ExtendedKeyUsage
title: Extended Key Usage
type: <array>
presence: optional
content: |-
The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
subkeys:
- key: OID
type: <string>
presence: optional
- key: Attest
title: Attest
type: <boolean>
presence: optional
default: false
content: If 'true', the device provides attestations that describe the device and
the generated key to the ACME server. The server can use the attestations as strong
evidence that the key is bound to the device, and that the device has properties
listed in the attestation. The server can use that as part of a trust score to
decide whether to issue the requested certificate. When 'Attest' is 'true', set
'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'.
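Review bot: The 'KeyType' content allows RSA 'KeySize' down to '1024', which is below the 2048-bit minimum that NIST SP 800-131A has required for new RSA signature keys since the end of 2013; even if the device must accept it for legacy CAs, the text should say that 2048 is the practical floor and that '1024' is deprecated. Two smaller points in the same file: the JSON examples under 'Subject' ("'[ [ [”C”, “US”] ], ... ]'") and 'ExtendedKeyUsage' ("'[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]'") use curly quotation marks, so copying them yields invalid JSON; use plain ASCII double quotes. And 'HardwareBound' says "On macOS, this is a required key. Set the value to 'false'." while 'Attest' says "When 'Attest' is 'true', set 'HardwareBound' to 'true'.", leaving the macOS reader to infer that attestation is effectively unavailable there; one sentence saying so would be clearer.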

View File

@@ -0,0 +1,22 @@
title: Identity Credential
description: 'Data for a PKCS #12 password-protected identity.'
payload:
credentialtype: com.apple.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Password
type: <string>
presence: required
content: 'The password required to decrypt the PKCS #12 identity data.'
- key: Identity
type: <data>
presence: required
content: 'The PKCS #12 identity data.'
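Review bot: The 'Identity' key is typed '<data>', but the asset that references this credential ('com.apple.asset.credential.identity') says the document is JSON, and JSON has no raw-bytes type; the content should state the encoding of the PKCS #12 bytes (presumably base64) so that servers emit exactly what the device parses and a mismatch is not silently treated as corrupt identity data.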

View File

@@ -0,0 +1,125 @@
title: SCEP Credential
description: A SCEP identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: URL
title: URL
type: <string>
presence: required
content: The SCEP URL.
- key: Name
title: Name
type: <string>
presence: optional
content: Any string that the SCEP server recognizes. For example, it could be a
domain name such as 'example.org'. If a certificate authority has multiple CA
certificates, you can use this field to specify the required certificate.
- key: Subject
title: Subject
type: <array>
presence: optional
content: |-
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
type: <array>
subkeys:
- key: SCEPSubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: SCEPSubjectArrayPairItem
title: SCEP Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: Challenge
title: Challenge
type: <string>
presence: optional
content: A preshared secret.
- key: Keysize
title: Key Size
type: <integer>
presence: optional
rangelist:
- 1024
- 2048
- 4096
default: 1024
content: The key size in bits, either '1024', '2048', or '4096'.
- key: Key Type
title: Key Type
type: <string>
presence: optional
default: RSA
content: The key type, which always has the value 'RSA'.
- key: Key Usage
title: Key Usage
type: <integer>
presence: optional
default: 0
content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is
encryption, and ''5'' is both signing and encryption. Some certificate authorities,
such as Windows CA, support only encryption or signing, but not both at the same
time.'
- key: CAFingerprint
title: Fingerprint
type: <data>
presence: optional
content: The fingerprint of the Certificate Authority certificate.
- key: Retries
title: Retries
type: <integer>
presence: optional
default: 3
content: The number of times the device should retry if the server sends a 'PENDING'
response.
- key: RetryDelay
title: Retry Delay
type: <integer>
presence: optional
default: 10
content: The number of seconds to wait between subsequent retries. The system makes
the first retry without this delay.
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: The subject's alternative name for the certificate.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
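Review bot: 'CAFingerprint' says "The fingerprint of the Certificate Authority certificate." without naming the hash algorithm or what it is computed over, so a client cannot implement the check and a server cannot know what to emit; state the digest and its input (the DER-encoded CA certificate) explicitly. Also, 'Keysize' defaults to '1024', which is below the 2048-bit minimum for new RSA keys; consider defaulting to '2048' or at least flagging '1024' as deprecated, as the ACME credential's 'KeySize' text should as well. Style: 'Keysize', 'Key Type' and 'Key Usage' follow a different naming convention from 'KeySize', 'KeyType' and 'UsageFlags' in the ACME credential in this commit; if these are the literal key names inherited from the SCEP profile payload, a sentence saying so would stop readers from reporting the inconsistency as a typo.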

View File

@@ -1,4 +1,4 @@
title: User Name and Password Credentials
title: User Name and Password Credential
description: Data describing a credential representing a user name and password.
payload:
credentialtype: com.apple.credential.usernameandpassword
@@ -9,12 +9,14 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: UserName
type: <string>
presence: required
content: The user's user name for the credential.
content: The user name for this credential.
- key: Password
type: <string>
presence: optional
content: The user's password for the credential.
content: The password for this credential.
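Review bot: 'Password' is 'optional' while 'UserName' is 'required', but nothing says what happens when the password is absent (does the account prompt the user, or does installation fail?). The asset that references this credential describes it as a user name and password credential, so the 'Password' content should spell out the absent-password behaviour.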

View File

@@ -0,0 +1,54 @@
title: Asset:Data
description: A reference to arbitrary data with a specific media type.
payload:
declarationtype: com.apple.asset.data
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
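Review bot: The 'DataURL' content reads "The URL that hosts the credential data." but this asset is "A reference to arbitrary data with a specific media type.", so the word "credential" was carried over from the credential asset schemas; suggest "The URL that hosts the data." Since this asset can point at anything, the 'ContentType' content could also say whether the client rejects a response whose media type differs from the declared one.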

View File

@@ -1,4 +1,4 @@
title: User Identity
title: Asset:User Identity
description: User identity data.
payload:
declarationtype: com.apple.asset.useridentity
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: FullName
title: Full Name
@@ -19,4 +21,4 @@ payloadkeys:
title: Email Address
type: <string>
presence: optional
content: The user's email address.
content: The email address of the user.

View File

@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:
@@ -32,7 +39,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CalDAV server (or IP address).
content: The hostname or IP address of the CalDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -46,6 +53,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
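Review bot: The new wording "Set the corresponding asset type to 'CredentialUserNameAndPassword'" names a type that appears nowhere else in the schema: the machine-checked 'assettypes' entry just above it says 'com.apple.asset.credential.userpassword', and that asset's title in this commit is 'Asset:Credential User Name and Password'. Quote the declaration type identifier in the prose, or drop the sentence since 'assettypes' already constrains it, so the human-readable text and the schema agree; the same sentence recurs in the CardDAV and Exchange ActiveSync files in this commit.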

View File

@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName
@@ -31,7 +38,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CardDAV server (or IP address).
content: The hostname or IP address of the CardDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -45,6 +52,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.

View File

@@ -6,20 +6,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
@@ -48,9 +55,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. The corresponding asset must be of type 'UserIdentity'.
- key: HostName
title: Server Host Name
type: <string>
@@ -133,10 +142,111 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with an Exchange server. The corresponding asset
must be of type CredentialUserNameAndPassword.
this account to authenticate with an Exchange server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
- key: AuthenticationIdentityAssetReference
title: Authentication Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of a credential asset declaration that contains
the identity that this account requires to authenticate with the Exchange server.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME encryption by default on or off
in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
supportedOS:
macOS:
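Review bot: the `content` for `IdentityUserOverrideable` under `Encryption` ('If 'true', the user can select an S/MIME signing identity in Settings.') looks copied from the `Signing` block; the key is titled 'Encryption Identity User Overrideable', so it should read 'an S/MIME encryption identity'. The `UserOverrideable` wording here ('turn S/MIME encryption by default on or off') also differs from the same key in the mail configuration hunk later in this commit ('set the default value for S/MIME encryption to on or off'); use one wording in both files.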

View File

@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.
@@ -32,8 +39,10 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: required
content: The identifier of an asset declaration that contains the user identity
for this Google account. The corresponding asset must be of type UserIdentity.
The asset must contain an 'EmailAddress' key that specifies the full Google email
for this Google account. Set the corresponding asset type to 'UserIdentity' and
ensure that it contains an 'EmailAddress' key that specifies the full Google email
address for the account.
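Review bot: the prose says "Set the corresponding asset type to 'UserIdentity'" while the new machine-readable `assettypes` entry is 'com.apple.asset.useridentity'; the newly added declarations in this commit (screen sharing, watch enrollment) quote the full declaration type in prose, so align on 'com.apple.asset.useridentity' here to avoid two names for one type.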

View File

@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName
@@ -31,18 +38,20 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the LDAP server (or IP address).
content: The hostname or IP address of the LDAP server.
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number of the LDAP server (or IP address).
content: The port number or IP address of the LDAP server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
- key: SearchSettings
title: Search Settings
type: <array>
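Review bot: the rewritten `Port` description ('The port number or IP address of the LDAP server.') carries over a copy-paste error from the old line; `Port` is `type: <integer>` and cannot hold an IP address, so it should read 'The port number of the LDAP server.' (and ideally state the default when omitted, 389 or 636 depending on TLS). The `AuthenticationCredentialsAssetReference` text has the same naming mismatch as elsewhere: 'CredentialUserNameAndPassword' in prose versus 'com.apple.asset.credential.userpassword' in `assettypes`.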

View File

@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName
@@ -30,9 +37,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. Set the corresponding asset type to 'UserIdentity'.
- key: IncomingServer
title: Incoming Server Settings
type: <dictionary>
@@ -71,9 +80,11 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
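Review bot: "If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field." describes a conditional requirement, but the key is `presence: optional` with no way to express the dependency in the schema; 'blank' is also ambiguous (omitted key versus empty string), and an empty-string asset reference would not resolve to any asset. Suggest 'omit this key' and, if the schema supports it, a note that presence is conditional on 'AuthenticationMethod'.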
@@ -111,7 +122,98 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can set the default value for S/MIME encryption
to on or off in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
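Review bot: same copy-paste issue as in the other S/MIME block: `Encryption` > `IdentityUserOverrideable` says 'select an S/MIME signing identity' but the key governs the encryption identity. Also, `Signing.Enabled` is required while `Signing.IdentityAssetReference` is optional; the text should say what happens when signing is enabled with no identity reference (user must choose one in Settings, or mail goes out unsigned), since that determines whether the policy is actually enforced.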

View File

@@ -5,16 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: n/a
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:
@@ -28,11 +39,13 @@ payloadkeys:
title: Calendar URL
type: <string>
presence: required
content: The URL of the subscribed calendar. The URL must start with 'https://'.
content: The URL of the subscribed calendar, which needs to start with 'https://'.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with a calendar server. The corresponding asset must
be of type CredentialUserNameAndPassword.
this account to authenticate with a calendar server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
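Review bot: the rewording changes 'The URL must start with 'https://'' to 'which needs to start with 'https://''; 'must' is the normative form and this is the transport-security requirement for the calendar credentials, so keep 'must' (the same softening appears in the ProfileURL and EnrollmentProfileURL hunks). The asset-type naming mismatch ('CredentialUserNameAndPassword' versus 'com.apple.asset.credential.userpassword') applies here too.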

View File

@@ -6,26 +6,37 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
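Review bot: the replacement sentence 'In iOS, the system rejects the entire profile.' drops tvOS, yet this payload still lists tvOS introduced '16.0' and the sibling profile hunk in this commit keeps 'In iOS and tvOS'. If tvOS behavior is unchanged, keep 'iOS and tvOS'; if it changed, say what tvOS now does. The new 'must be hosted by the MDM server' constraint is a useful hardening; state whether it is enforced (profile rejected) or advisory, and note that 'silently ignores any account or passcode payloads' means a server gets no status signal that part of the profile was dropped.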

View File

@@ -5,25 +5,44 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
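Review bot: watchOS introduced '10.0' is added to `supportedOS`, but the ProfileURL text only describes macOS, iOS and tvOS ('In iOS and tvOS, the system rejects the entire profile'). Since watchOS only lists `device` and `local` enrollments, add a sentence saying that the user-enrollment behavior does not apply on watchOS, or describe what watchOS does with the ignored payloads.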

View File

@@ -6,20 +6,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: StatusItems
title: Status Items

View File

@@ -5,26 +5,60 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: Echo
title: Status Echo
type: <string>
presence: required
content: The string to echo back in a status response reason.
- key: EchoDataAssetReference
title: Status Echo from Asset
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
type: <string>
assettypes:
- com.apple.asset.data
presence: optional
content: The string to read from a data asset to echo back in status response reason
description.
- key: ReturnStatus
title: Status to Return
type: <string>
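Review bot: `EchoDataAssetReference` lists iOS '17.0', macOS '14.0' and tvOS '17.0' but omits watchOS, while the payload's `supportedOS` now includes watchOS '10.0'; if the key is unavailable there, add `watchOS: introduced: n/a` as other keys in this commit do, otherwise list '10.0'. Minor: 'echo back in status response reason description' reads awkwardly; 'echo back in the status response's reason description' is clearer.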

View File

@@ -5,16 +5,31 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
@@ -31,18 +46,20 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, the passcode must consist of at least one alphabetic characters
("abcd"), and at least one number.
content: If 'true', the passcode needs to consist of at least one alphabetic character
and at least one number.
- key: RequireComplexPasscode
title: Require Complex Passcode
type: <boolean>
presence: optional
default: false
content: If 'true', requires a complex passcode. A complex passcode is one that
doesn't contain repeated characters or increasing/decreasing characters (such
doesn't contain repeated characters or increasing or decreasing characters (such
as 123 or CBA).
- key: MinimumLength
title: Minimum Passcode Length
@@ -60,14 +77,17 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 0
max: 4
default: 1
content: Specifies the minimum number of complex characters that must be present.
Only used when RequireComplexPasscode is true.
default: 0
content: Specifies the minimum number of complex characters in the password. A complex
character is a character other than a number or a letter, such as '&', '%', '$',
and '#'.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
type: <integer>
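Review bot: `default` changes from 1 to 0 and the sentence 'Only used when RequireComplexPasscode is true.' is removed, with no explanation in the hunk. A default change alters the policy enforced for existing declarations that omit the key, so confirm it is intentional; and if the dependency on 'RequireComplexPasscode' still exists, keep that sentence, since dropping it makes the key look independently enforced.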
@@ -86,11 +106,13 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
content: The number of minutes before the login will be reset after the maximum
number of failed attempts has been reached. The MaximumFailedAttempts key must
be set for this to take effect.
content: The number of minutes before the login is reset after the maximum number
of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take
effect.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
type: <integer>
@@ -120,9 +142,9 @@ payloadkeys:
range:
min: 0
max: 730
content: Specifies the maximum number of days for which the passcode can remain
unchanged. After this number of days, the user is forced to change the passcode
before the device is unlocked.
content: Specifies the maximum number of days that the passcode can remain unchanged.
After this number of days, the system forces the user to change the passcode before
it unlocks the device.
- key: PasscodeReuseLimit
title: Passcode Reuse Limit
type: <integer>
@@ -141,10 +163,46 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, forces a password reset to occur the next time the user
tries to authenticate. If this key is set in a configuration in the system scope
(device channel), the setting takes effect for all users, and admin authentications
may fail until the admin user password is also reset.
content: If 'true', the system forces a password reset the next time the user tries
to authenticate. If you set this key in a configuration in the system scope (device
channel), the setting takes effect for all users, and admin authentication may
fail until the admin user password is also reset.
- key: CustomRegex
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
watchOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies a regular expression, and its description, to enforce password
compliance. Use the simpler passcode settings whenever possible, and rely on regular
expression matching only when necessary. Mistakes in regular expressions can lead
to frustrating user experiences, such as unsatisfiable passcode policies, or policy
descriptions that don't match the enforced policy.
subkeys:
- key: Regex
type: <string>
presence: required
content: A regular expression string to match against the password to determine
whether it complies with a policy. The regular expression uses the ICU syntax.
The string can't exceed 2048 characters in length.
- key: Description
type: <dictionary>
presence: optional
content: A dictionary with supported OS language IDs for the keys (such as 'en-US'),
and values that represent a localized description of the policy that the regular
expression enforces. Use the special 'default' key for languages that the dictionary
doesn't contain.
subkeys:
- key: ANY
type: <string>
presence: optional
content: A localized description.
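Review bot: `CustomRegex` does not say how `Regex` combines with the other passcode keys (`MinimumLength`, `RequireComplexPasscode`, and so on), that is, whether all constraints must be satisfied together, nor what happens when `Regex` exceeds 2048 characters (declaration rejected, or key ignored). Given the warning about unsatisfiable policies, one sentence on each would help. For `Description`, also state what the user sees when neither their language nor the 'default' key is present.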

View File

@@ -0,0 +1,42 @@
title: Screen Sharing:Connection Group
description: Use this configuration to define a group of Screen Sharing connections.
payload:
declarationtype: com.apple.configuration.screensharing.connection.group
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionGroupUUID
title: Unique Identifier
type: <string>
presence: required
content: A string which uniquely identifies this connection group.
- key: GroupName
title: Group Name
type: <string>
presence: required
content: The name of the Connection Group.
- key: Members
title: Group Members
type: <array>
presence: required
content: |-
Array of ConnectionUUIDs (matching a connection declared in a
com.apple.configuration.screensharing.connection configuration) of the Connections
that should be members of this group.
subkeys:
- key: ConnectionUUID
type: <string>
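Review bot: the `ConnectionUUID` subkey under `Members` has no `presence` or `content`, unlike other array item subkeys in this commit (for example `AnchorCertificateAssetReferenceItem`). Add `presence: required` and a one-line description, and say what happens when a UUID matches no declared connection (item ignored versus the whole group failing to activate).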

View File

@@ -0,0 +1,66 @@
title: Screen Sharing:Connection
description: Use this configuration to define a connection to a Screen Sharing host.
payload:
declarationtype: com.apple.configuration.screensharing.connection
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionUUID
title: Unique Identifier
type: <string>
presence: required
content: A unique identifier for this connection when it's in a connection group.
- key: DisplayName
title: The name of the connection.
type: <string>
presence: required
content: The name of the connection.
- key: HostName
title: Host Name
type: <string>
presence: required
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
- key: Port
title: TCP Port
type: <integer>
presence: optional
content: Specifies the TCP port number on the host to initiate the connection.
- key: DisplayConfiguration
title: Display Configuration
type: <dictionary>
presence: required
content: The display configuration for this connection.
subkeys:
- key: DisplayType
type: <string>
presence: required
rangelist:
- Virtual1
- Virtual2
content: |-
The type of display for the connection, which has these allowed values:
* 'Virtual1': Create one virtual display.
* 'Virtual2': Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: Specifies the identifier of an asset declaration that contains the required
credentials for this connection to authenticate with the screen-sharing server.
Set the corresponding asset type to 'com.apple.asset.credential.userpassword'.
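Review bot: `Port` is optional with no stated default, yet the host-settings declaration in this commit says the initial connection 'is always TCP port 5900'; if that is the behavior, add `default: 5900` so an omitted port is unambiguous. `AuthenticationCredentialsAssetReference` is optional too: say whether the user is prompted for credentials when it is absent. Minor: the `title` of `DisplayName` is a sentence ('The name of the connection.') while other titles are short noun phrases such as 'Host Name'.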

View File

@@ -0,0 +1,58 @@
title: Screen Sharing:Host Settings
description: Use this configuration to define Screen Sharing host settings and restrictions.
payload:
declarationtype: com.apple.configuration.screensharing.host.settings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: MaximumVirtualDisplays
title: Maximum number of Virtual Displays
type: <integer>
presence: optional
range:
min: 0
max: 2
content: Sets the maximum number of Virtual Displays to make available to clients.
- key: PortBase
title: UDP Port base
type: <integer>
presence: optional
range:
min: 1024
max: 65535
content: |-
Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections
so additional connections will increment this base port number by 1 for each needed connection. This does not
change the port number used to initially establish a connection with a host, which is always TCP port 5900.
- key: PreventCopyFilesFromHost
title: Prevent copying files from host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files from the Screen Sharing
host.
- key: PreventCopyFilesToHost
title: Prevent copying files to host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files to the Screen Sharing host.
- key: PreventHighPerformanceConnections
title: Prevent High Performance connections
type: <boolean>
presence: optional
default: false
content: Set to true to prevent clients from establishing High Performance connections
to the host.
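Review bot: `PortBase` says each additional connection increments the base by 1, but the range allows `max: 65535`, so a base near the top of the range has no room; document how many ports a session needs (or what happens when the increment would exceed 65535) so administrators can size firewall rules correctly. `MaximumVirtualDisplays` allows `min: 0`: state whether 0 disables virtual displays. Style: these `content` lines use 'Set to true to prevent ...' while the rest of the schema uses 'If 'true', ...'.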

View File

@@ -0,0 +1,49 @@
title: Security:Certificate
description: Use this configuration to add a certificate to the device.
payload:
declarationtype: com.apple.configuration.security.certificate
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration that contains the certificate
to install.
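Review bot: the description does not say what trust the installed certificate receives (added as a trust anchor, or only installed so that other declarations can reference it); that is the security-relevant outcome of this declaration, so add a sentence. Also, `sharedipad` here uses `allowed-scopes` alone, while the account configurations modified in this commit keep `sharedipad: mode: allowed` alongside the new keys; confirm both forms are valid in the new schema or pick one.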

View File

@@ -0,0 +1,73 @@
title: Security:Identity
description: Use this configuration to install an identity on the device.
payload:
declarationtype: com.apple.configuration.security.identity
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install.
- key: AllowAllAppsAccess
title: Allow all apps access
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', apps can access the private key.
- key: KeyIsExtractable
title: Key is extractable
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key is extractable in the keychain.
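Review bot: `AllowAllAppsAccess` and `KeyIsExtractable` list iOS and tvOS as n/a but not watchOS, which (with watchOS '10.0' in the payload's `supportedOS`) implies they apply there; if not, add `watchOS: introduced: n/a`. `KeyIsExtractable` defaults to true, meaning a pushed private key is exportable from the keychain unless the server opts out; the description should say so plainly, so that administrators installing authentication identities set it to false deliberately.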

View File

@@ -0,0 +1,54 @@
title: Security:Passkey:Attestation
description: Configures the device to allow WebAuthn enterprise attestation for certain
passkeys.
payload:
declarationtype: com.apple.configuration.security.passkey.attestation
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: AttestationIdentityAssetReference
title: Attestation identity asset reference.
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install and use for passkey attestation.
- key: AttestationIdentityKeyIsExtractable
title: Attestation identity key is extractable
supportedOS:
iOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key for the attestation identity is extractable
in the keychain.
- key: RelyingParties
title: Relying parties
type: <array>
presence: required
content: Relying parties to allow enterprise attestation.
subkeys:
- key: RelyingParty
title: Relying party
type: <string>
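Review bot: the `RelyingParty` subkey has no `presence` or `content`; say what the string is (the WebAuthn RP ID, a domain, or a full origin) and whether matching is exact or includes subdomains, since this list decides which sites may request enterprise attestation. Also, the macOS entry allows `device` enrollment with `allowed-scopes: user` only, which is unusual next to iOS's `system`; confirm that is intended.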

View File

@@ -0,0 +1,45 @@
title: Services Configuration Files
description: Specifies managed configuration files for services
payload:
declarationtype: com.apple.configuration.services.configuration-files
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ServiceType
title: Service Type
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services.
The available built-in services are:
* 'com.apple.sshd' configures sshd
* 'com.apple.sudo' configures sudo
* 'com.apple.pam' configures PAM
* 'com.apple.cups' configures CUPS
* 'com.apple.apache.httpd' configures Apache httpd
* 'com.apple.bash' configures bash
* 'com.apple.zsh' configures zsh
- key: DataAssetReference
title: Data Asset Reference
type: <string>
assettypes:
- com.apple.asset.data
presence: required
content: |-
Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
* Is of type 'com.apple.asset.data'
* Is a zip archive of an entire directory
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.
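Review bot: the asset requirements say `Reference` must include `ContentType` but not which value is accepted for the zip archive; state the expected media type. 'A well-known location for the service' is also unspecified per service, and the text does not say what happens for a non-'com.apple.' identifier. Requiring 'Hash-SHA-256' is the right call given these files configure sshd, sudo and PAM; say explicitly that a hash mismatch rejects the asset rather than installing it.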

View File

@@ -0,0 +1,55 @@
title: Software Update:Enforcement:Specific
description: A software update enforcement policy for a specific OS release
payload:
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: TargetOSVersion
title: Target OS Version
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, '16.1'. It may also include a supplemental
version identifier, for example, '16.1.1'.
- key: TargetBuildVersion
title: Target Build Version
type: <string>
presence: optional
content: The target build version to update the device to by the appropriate time,
for example, '20A242'. The system uses the build version for testing during seeding
periods. The build version can include a supplemental version identifier, for
example, '20A242a'. If the build version isn't consistent with the target OS version
specified in the 'TargetOSVersion' key, the target OS version takes precedence.
- key: TargetLocalDateTime
title: Target Local Date Time
type: <string>
presence: required
content: The local date time value that specifies when to force install the software
update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but
doesn't include a time zone offset. If the user doesn't trigger the software update
before this time, the device force installs it.
- key: DetailsURL
title: Details URL
type: <string>
presence: optional
content: The URL of a web page that shows details that the organization provides
about the enforced update.
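Review bot: `DetailsURL` carries no 'https://' requirement, unlike ProfileURL and the calendar URL elsewhere in this commit; if the device opens this URL for the user, require https. `TargetLocalDateTime` has no zone offset by design; document which clock applies when the device's time zone changes between delivery and the deadline. The `TargetOSVersion` examples ('16.1', '16.1.1') predate the 17.0/14.0 release this commit targets; consider updating them.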

View File

@@ -0,0 +1,43 @@
title: Watch:Enrollment
description: Specifies an MDMv1 Apple Watch enrollment profile
payload:
declarationtype: com.apple.configuration.watch.enrollment
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: EnrollmentProfileURL
title: Watch Enrollment Profile's URL.
type: <string>
presence: required
content: The URL of the profile that the Apple Watch downloads and installs if the
user opts in to management during the pairing process, which needs to start with
'https://'. Successful enrollment requires that the pairing iPhone is supervised
and the profile contains an MDM payload. Apple Watch attempts to install each
payload that the profile contains.
- key: AnchorCertificateAssetReferences
title: Anchor Certificate Asset References.
type: <array>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: Specifies an array of identifiers of asset declarations that contain anchor
certificates to use to evaluate the trust of the enrollment profile server. Set
the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>
content: Specifies the identifier of an asset declaration containing the anchor
certificate to be used.
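Review bot: `AnchorCertificateAssetReferenceItem` lacks `presence`. More importantly, the text does not say what trust evaluation applies when `AnchorCertificateAssetReferences` is omitted (system trust store?) or whether supplied anchors replace or supplement it; since this decides which server may deliver an MDM enrollment profile to the watch, state it explicitly.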

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Type
type: <string>
@@ -27,3 +29,212 @@ payloadkeys:
type: <dictionary>
presence: required
content: The payload describing this declaration.
reasons:
- value: Error.ActivationFailed
description: A configuration or asset cannot be activated due to an activation that
failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.AssetCannotBeDeserialized
description: The asset data does not conform to the expected data type.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeDownloaded
description: The asset data cannot be downloaded.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeVerified
description: The downloaded asset data cannot be verified.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeApplied
description: The configuration cannot be applied to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeDeserialized
description: The configuration is not valid.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationFailed
description: An asset cannot be activated due to a configuration that failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.ConfigurationIsInvalid
description: The configuration is not valid for applying to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationNotSupported
description: The configuration is not supported for this platform, scope, or enrollment
type.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Error.InvalidPayload
description: A declaration is not fully loaded.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.MissingAssets
description: A configuration being activated references assets that are not present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- key: AssetIdentifiers
type: <array>
description: Array of strings containing each missing asset `Identifier` value.
- value: Error.MissingConfigurations
description: An activation being activated references configurations that are not
present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation.
- key: ConfigurationIdentifiers
type: <array>
description: Array of strings containing each missing configuration `Identifier`
value.
- value: Error.MissingState
description: A declaration is missing internal state information.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.PredicateFailed
description: A predicate evaluation failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed.
- key: Domain
type: <string>
description: Underlying NSError's domain.
- key: Code
type: <string>
description: Underlying NSError's code.
- value: Error.UnableToEvaluatePredicate
description: A predicate cannot be evaluated.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to evaluate.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to evaluate.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to evaluate.
- value: Error.UnableToParsePredicate
description: A predicate expression cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.UnableToParsePredicateWithCustomOperator
description: A predicate expression with a custom operator cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.Unknown
description: An unrecognized NSError was generated.
details:
- key: Domain
type: <string>
description: NSError's domain.
- key: Code
type: <string>
description: NSError's code.
- value: Error.UnknownPayloadKeys
description: A declaration contains unknown payloads keys.
details:
- key: UnknownPayloadKeys
type: <array>
description: Array of strings containing each unknown key-path.
- value: Info.NotReferencedByActivation
description: A configuration is not referenced in any activation.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Info.NotReferencedByConfiguration
description: An asset is not referenced in any configuration.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the asset.
- key: ServerToken
type: <string>
description: The `ServerToken` of the asset.
- value: Info.Predicate
description: A predicate evaluated to false.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate is false.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate is false.
- key: Predicate
type: <string>
description: The predicate description of the predicate that is false.
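Review bot: `Code` is typed `<string>` in both `Error.PredicateFailed` and `Error.Unknown`, but an NSError code is an integer; either change the type to `<integer>` or state in the description that the code is serialized as a decimal string, otherwise server-side parsers have to guess. The description for `Error.UnknownPayloadKeys` has a typo ('unknown payloads keys' should read 'unknown payload keys'). The descriptions of `Error.ActivationFailed` ('A configuration or asset cannot be activated due to an activation that failed') and `Error.ConfigurationFailed` ('An asset cannot be activated due to a configuration that failed') read as circular; spell out that the failure lies in a referencing declaration, and say whether the `Identifier` and `ServerToken` details name that referencing declaration or the configuration or asset that could not be activated.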

View File

@@ -10,6 +10,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Name
title: Organization Name

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: ANY
title: Property

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Version
title: Protocol Version

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Declarations
title: Manifest Declaration Items

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: StatusItems
title: Status Items
@@ -59,3 +61,21 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
- key: FullReport
title: Full Report
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
type: <boolean>
presence: optional
default: false
content: When set to "true", this indicates that the status report contains the
full set of current status, and is not an incremental report. This will include
the full set of items in any status array item (not just the changes). Servers
can use this to replace their entire set of status for the device, rather than
do incremental update processing. Devices will set this to "true" when sending
a "safety sync" status report, which is typically sent every 24 hours or so.
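Review bot: the `supportedOS` block for `FullReport` lists iOS 17.0, macOS 14.0 and tvOS 17.0 but not watchOS, even though this file's top-level `supportedOS` gains `watchOS: introduced: '10.0'` in the hunk above; if watchOS devices also send full reports, add `watchOS: introduced: '10.0'` here, otherwise state that the key is absent on watchOS. The content should also tell servers how items previously reported as removed appear in a full report (absent from the array, or still listed with their removal flag), since a server replacing its entire state needs to know which. 'Typically sent every 24 hours or so' is too vague for something a server might use to notice a device that has stopped reporting; if the interval is not guaranteed, say that servers must not depend on it.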

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: SyncTokens
title: Synchronization Tokens

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.caldav
title: Status item value.
type: <array>
presence: required
content: The status value of the account.
content: A list of status values for the CalDAV accounts.
subkeytype: Account
subkeys:
- key: status_value
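Review bot: the new `allowed-scopes` values differ by platform: `system` for iOS but `user` for macOS and for Shared iPad. If that asymmetry is deliberate (account status on iOS is reported on the device channel), a content note would help, because a server expecting user-channel status on iOS will otherwise wait for an item that never arrives. Since `allowed-enrollments` includes `user` on both platforms and `declaration-identifier` in the next hunk is only present when a declaration installed the account, this list also covers accounts the user set up themselves; the content text should state whether such personal accounts are reported under User Enrollment, as that determines what a server is permitted to see.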
@@ -36,9 +47,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.carddav
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the CardDAV accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,4 +74,4 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.exchange
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the exchange accounts.
subkeytype: Account
subkeys:
- key: status_value
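Review bot: 'exchange accounts' in the new content line should be capitalized as 'Exchange accounts', matching 'CalDAV', 'CardDAV' and 'Google' in the sibling status item files.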
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,30 +74,34 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays calendars
and events for this account.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
content: A Boolean value that indicates whether the Contacts app displays contacts
for this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
- key: are-reminders-enabled
title: Are reminders enabled
type: <boolean>
presence: optional
content: Indicates if reminders for the account are being displayed in Reminders.app.
content: A Boolean value that indicates whether the Reminders app displays reminders
for this account.

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.google
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the Google accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,25 +64,28 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays calendars
and events for this account.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
content: A Boolean value that indicates whether the Contacts app displays contacts
for this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.ldap
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the LDAP accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -70,4 +79,5 @@ payloadkeys:
title: Is account enabled
type: <boolean>
presence: optional
content: Indicates if the account is enabled for use with Contacts.app.
content: A Boolean value that indicates whether the account is enabled for use
with the Contacts app.

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.incoming
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the incoming mail accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,14 +74,16 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.

View File

@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.outgoing
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the outgoing mail accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,4 +74,4 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.

View File

@@ -5,20 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: n/a
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.subscribed-calendar
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the calendar accounts.
subkeytype: Account
subkeys:
- key: status_value
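Review bot: the new content line 'A list of status values for the calendar accounts.' is ambiguous next to the `account.list.caldav` status item; name the item type, for example 'A list of status values for the subscribed calendar accounts.' With macOS moving from `introduced: n/a` to `introduced: '14.0'` in this hunk, also check that the `is-enabled` content in the next hunk describes the macOS Calendar app behaviour correctly, not only iOS.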
@@ -28,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -58,9 +69,10 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-enabled
title: Is the calendar enabled
type: <boolean>
presence: optional
content: Indicates if the calendar is being displayed in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays this
calendar.

View File

@@ -5,17 +5,40 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.identifier.serial-number
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The device's serial number.

View File

@@ -5,14 +5,37 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.identifier.udid
title: Status item value.

View File

@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.family
title: Status item value.
type: <string>
presence: required
content: A string that describes the hardware family of the device, such as 'Mac',
'iPhone', or 'iPad'.
content: The hardware family of the device, such as 'Mac', 'iPhone', or 'iPad'.

View File

@@ -5,17 +5,46 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.identifier
title: Status item value.
type: <string>
presence: required
content: A two-part string that uniquely identifies the device's model. The first
part describes device's model family, and the second part describes the model's
version. The model's version is a comma-separated number where the first part
of the number is the version, and the second part is a variant, such as 'MacBookPro15,1'
or 'iPhone13,2'.
content: A two-part string that specifies the device's model. The first part specifies
device's model family, and the second part specifies the model's version. The
model's version is a comma-separated number where the first part of the number
is the version, and the second part is a variant, such as 'MacBookPro15,1' or
'iPhone13,2'.

View File

@@ -5,14 +5,44 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the device's marketing name, such as 'iPhone 12'.
This value may not always be available.
content: The device's marketing name, such as 'iPhone 12'. This value may not always
be available. Alternatively, use 'device.model.configuration-code' to look up
the marketing name through the web API.
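Review bot: the new content points readers to 'device.model.configuration-code' and 'the web API' without saying which API is meant or where that status item is defined; name the endpoint or cross-reference the configuration-code status item so a server implementer knows where to look, and note that the lookup depends on an external service, so servers should fall back gracefully when this value is absent and the lookup is unavailable.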

View File

@@ -0,0 +1,46 @@
title: Status Device Model Number
description: The device's hardware number.
payload:
statusitemtype: device.model.number
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.number
title: Status item value.
type: <string>
presence: required
content: The device's model number.
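Review bot: `description: The device's hardware number.` does not match `content: The device's model number.` or the title 'Status Device Model Number'; change the description to 'The device's model number.' A sample value in the content, the way `device.model.identifier` shows 'MacBookPro15,1', would also help, since model number and model identifier are easily confused by server implementers.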

View File

@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.build-version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's build version on the device,
such as '18F132'.
content: The operating system's build version on the device, such as '18F132'.

View File

@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.family
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system family in use on the device,
such as 'macOS' or 'iOS'.
content: The operating system family in use on the device, such as 'macOS' or 'iOS'.

View File

@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's marketing name in use on
the device, such as 'Catalina'.
content: The operating system's marketing name in use on the device, such as 'Catalina'.

View File

@@ -5,14 +5,43 @@ payload:
supportedOS:
iOS:
introduced: '16.1'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.1'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.supplemental.build-version
title: Status item value.
type: <string>
presence: required
content: Identifies the operating system's build and rapid security response versions
in use on the device (for example, '20A123a', or '20B27c').
content: The operating system's build and rapid security response versions in use
on the device, for example, '20A123a' or '20B27c'.

View File

@@ -5,14 +5,43 @@ payload:
supportedOS:
iOS:
introduced: '16.1'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.1'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.supplemental.extra-version
title: Status item value.
type: <string>
presence: required
content: Identifies the operating system's rapid security response version in use
on the device (for example, 'a').
content: The operating system's rapid security response version in use on the device,
for example, 'a'.

View File

@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's version in use on the device,
such as '15.0'.
content: The operating system's version in use on the device, such as '15.0'.

View File

@@ -0,0 +1,40 @@
title: Status Device Battery Health
description: The health of the battery.
payload:
statusitemtype: device.power.battery-health
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: device.power.battery-health
title: Status item value.
type: <string>
presence: required
rangelist:
- non-genuine
- normal
- service-recommended
- unknown
- unsupported
content: |-
The battery health status:
* non-genuine - the battery is not a genuine Apple battery
* normal - the battery is operating normally
* service-recommended - battery service is recommended
* unknown - battery health information could not be determined
* unsupported - battery health reporting is not supported on the device
Only supported on iPhones. iPads will return "unsupported".
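Review bot: the closing sentence of the `content` block quotes "unsupported" with double quotes while the rest of the schema in this change quotes values with single quotes (compare `'identifier'` in the other items); also, `allowed-enrollments` for iOS lists only `device` and `local`, whereas the other `device.*` status items in this change also list `user`, so confirm that omission is deliberate rather than a copy error.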

View File

@@ -0,0 +1,24 @@
title: Status Disk Management File Vault Enabled
description: The enabled status of the File Vault.
payload:
statusitemtype: diskmanagement.filevault.enabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: diskmanagement.filevault.enabled
title: Status item value.
type: <boolean>
presence: required
content: A Boolean value that specifies the File Vault enabled status on the device.
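Review bot: "File Vault" in the title, description and content should be written "FileVault", the product's single-word name, so generated docs and searches match the rest of Apple's documentation.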

View File

@@ -5,10 +5,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: management.client-capabilities
title: Status item value.

View File

@@ -5,10 +5,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: management.declarations
title: Status item value.

View File

@@ -5,10 +5,29 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: mdm.app
title: Status item value.
@@ -30,9 +49,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the app is removed and the status item object only contains
this key and the 'identifier' key.
- key: name
title: App name
type: <string>

View File

@@ -5,10 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: passcode.is-compliant
title: Status item value.

View File

@@ -5,10 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: passcode.is-present
title: Status item value.
@@ -16,6 +33,6 @@ payloadkeys:
presence: required
content: If 'true', a passcode is present on the device. If 'false', a passcode
isn't present on the device. When a passcode is present, the specific attributes
of the passcode (length, number of complex characters, etc), isn't reported. Instead,
use the 'passcode.is-compliant' status item to verify that the passcode complies
with all passcode policies set on the device.
of the passcode, such as length or number of complex characters, aren't reported.
Instead, use the 'passcode.is-compliant' status item to verify that the passcode
complies with all passcode policies set on the device.

View File

@@ -0,0 +1,85 @@
title: Status Security Certificate List
description: The client's managed certificates.
payload:
statusitemtype: security.certificate.list
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: security.certificate.list
title: Status item value.
type: <array>
presence: required
content: A list of the device's managed certificates.
subkeytype: Certificate
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the certificate.
type: <string>
presence: required
content: The unique identifier of the certificate which the system uses as the
primary key.
- key: _removed
title: Indicates removal of the certificate.
type: <boolean>
presence: optional
default: false
content: If 'true', the certificate is removed and the status item object only
contains this key and the 'identifier' key.
- key: declaration-identifier
title: Asset declaration identifier.
type: <string>
presence: optional
content: The identifier of the asset declaration that installed the certificate,
which is only present if a declaration installed the certificate.
- key: subject-summary
title: Subject summary
type: <string>
presence: required
content: The summary of the certificate's subject.
- key: is-identity
title: Is Identity
type: <boolean>
presence: required
content: If 'true', the certificate is an identity certificate.
- key: data
title: Certificate Data
type: <data>
presence: required
content: The certificate data in DER-encoded X.509 format.
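Review bot: `subject-summary`, `is-identity` and `data` are marked `presence: required`, but `_removed` states that a removed entry carries only `identifier` and `_removed`; document that `required` applies only to entries that are not removed, since a strict validator would otherwise reject removal reports. For `is-identity`, it is also worth stating explicitly that `data` carries only the DER-encoded certificate and never the private key, so nobody reading the schema expects key material in a status report.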

View File

@@ -0,0 +1,110 @@
title: Status Services Background Task
description: The client's background task details.
payload:
statusitemtype: services.background-task
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: services.background-task
title: Status item value.
type: <array>
presence: required
content: The background task.
subkeytype: Background Task
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Identifier
type: <string>
presence: required
content: The background task UUID which the system uses as the primary key.
- key: _removed
title: Indicates removal of a background task.
type: <boolean>
presence: optional
default: false
content: If 'true', the background task is removed and the status item object
only contains this key and the 'identifier' key.
- key: code-signature
title: Code signature
type: <string>
presence: optional
content: For types other than 'agent' or 'daemon', this is the code signature
designated requirement of the item, if available.
- key: uid
title: Numeric user identifier
type: <integer>
presence: required
content: The numeric user identifier of the owner of the background task.
- key: path
title: Path
type: <string>
presence: required
content: For an 'agent' or 'daemon', the path to the 'launchd' 'plist' file.
For other types, the path to the app or the document.
- key: state
title: Background task state
type: <string>
presence: required
rangelist:
- not-registered
- enabled
- requires-approval
- not-found
content: The SMAppServiceStatus enumeration.
- key: type
title: Background task type
type: <string>
presence: required
rangelist:
- daemon
- agent
- login-item
- app
- user-item
content: The daemon, agent, or SFL login item type.
- key: launchd
title: Launchd background task
type: <dictionary>
presence: optional
content: Details about a 'launchd'-based background task, which is only present
when the type is 'daemon' or 'agent'.
subkeys:
- key: label
title: Label
type: <string>
presence: required
content: The label of the 'launchd'-based background task.
- key: program
title: Program
type: <string>
presence: required
content: The program that the 'launchd' 'plist' file specifies.
- key: program-arguments
title: Program arguments
type: <array>
presence: optional
content: The program arguments that the 'launchd' 'plist' file specifies.
subkeys:
- key: program-arguments-item
title: Program argument
type: <string>
- key: checksum
title: The hash value of the launchd plist.
type: <string>
presence: required
content: The hash value of the 'launchd' 'plist' file.
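Review bot: `checksum` is described only as "The hash value of the 'launchd' 'plist' file" with no hash algorithm or encoding; a server comparing it against its own copy of the plist needs both, so name them in `content` (and give `title` a short name rather than a repeat of the content). The `state` content, "The SMAppServiceStatus enumeration", should also map each `rangelist` value to its meaning, since the kebab-case values here are not the enumeration's own case names.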

View File

@@ -0,0 +1,51 @@
title: Status Software Update Failure Reason
description: The software update failure reason state.
payload:
statusitemtype: softwareupdate.failure-reason
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.failure-reason
title: The software update failure reason state.
type: <dictionary>
presence: required
content: Details about a software update failure.
subkeytype: Dictionary
subkeys:
- key: count
title: The software update failure count.
type: <integer>
presence: required
content: The number of times the current software update failed. If there are
no failures, or no pending software update, this is '0'.
- key: reason
title: The reason for the software update failure.
type: <string>
presence: optional
content: If present, this describes the reason for last software update failure.
This key isn't present if there are no failures or no pending software update.
- key: timestamp
title: The timestamp of the software update failure.
type: <string>
presence: optional
content: If present, this is the RFC 3339 timestamp of the last software update
failure. This key isn't present if there are no failures or no pending software
update.
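Review bot: `reason` is a free-form `<string>` with no `rangelist`; if the failure reasons are a fixed set, list them so servers can match on them, otherwise state that the text is descriptive and not a stable identifier. Minor: "the reason for last software update failure" should read "for the last software update failure".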

View File

@@ -0,0 +1,69 @@
title: Status Software Update Install Reason
description: The software update install reason state.
payload:
statusitemtype: softwareupdate.install-reason
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.install-reason
title: The software update install reason state.
type: <dictionary>
presence: required
content: Details about the reason for a pending software update.
subkeytype: Dictionary
subkeys:
- key: reason
title: The software update install reason state.
type: <array>
presence: required
content: A list of reasons for the pending software update. An empty list indicates
that no software update is pending.
subkeys:
- key: softwareupdate-reason
title: The software update install reason.
type: <string>
presence: required
rangelist:
- system-settings
- install-tonight
- auto-update
- notification
- setup-assistant
- command-line
- mdm
- declaration
content: |-
The software update install reason state:
* system-settings - software update was triggered via Settings.app
* install-tonight - software update was triggered via install tonight action
* auto-update - software update was triggered via an automatic update
* notification - software update was triggered via user notification action
* setup-assistant - software update was triggered via Setup Assistant
* command-line - software update was triggered via `softwareupdate` command line tool
* mdm - software update was triggered via an MDM command
* declaration - software update was triggered via a declarative device management configuration
- key: declaration-id
title: The identifier of the declaration causing the software update to occur.
type: <string>
presence: optional
content: The identifier of the declaration that caused the software update to
occur. This key is present only if the 'reason' array contains the 'declaration'
value.

View File

@@ -0,0 +1,43 @@
title: Status Software Update Install State
description: The software update install state.
payload:
statusitemtype: softwareupdate.install-state
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.install-state
title: The software update install state.
type: <string>
presence: required
rangelist:
- none
- downloading
- prepared
- installing
- failed
content: |-
The software update install status:
* 'none': There's no software update pending, and any previous software update succeeded.
* 'waiting': A software update is waiting to start.
* 'downloading': The system is downloading data for a software update.
* 'prepared': The system prepared the software update and it's ready for installation.
* 'installing': The system is installing the software update.
* 'failed': The software update failed.
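Review bot: the `content` block documents a `'waiting'` state ("A software update is waiting to start") that is missing from `rangelist`, which lists only `none`, `downloading`, `prepared`, `installing` and `failed`; either add `waiting` to the rangelist or drop the bullet, otherwise a validator built from the rangelist rejects a value the device can report.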

View File

@@ -0,0 +1,45 @@
title: Status Software Update Pending Version
description: The pending software update version.
payload:
statusitemtype: softwareupdate.pending-version
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.pending-version
title: Pending software update version.
type: <dictionary>
presence: required
content: A dictionary that contains the build and OS versions of the software update
that's pending on the device.
subkeytype: Dictionary
subkeys:
- key: os-version
title: The OS version
type: <string>
presence: required
content: The OS version of the pending software update, including any rapid security
response version. This string is empty if no update is pending.
- key: build-version
title: The build version
type: <string>
presence: required
content: The build version of the pending software update, including any rapid
security response version. This string is empty if no update is pending.

View File

@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: code
title: Error Code

View File

@@ -5,16 +5,45 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.array-value
title: Status item value.
type: <array>
presence: required
content: Status value.
content: The test status item array value.
subkeytype: Array
subkeys:
- key: status_value

View File

@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.boolean-value
title: Status item value.
type: <boolean>
presence: required
content: Status value.
content: The test status Boolean value.

View File

@@ -5,16 +5,45 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.dictionary-value
title: Status item value.
type: <dictionary>
presence: required
content: Status value.
content: The test status dictionary value.
subkeytype: Dictionary
subkeys:
- key: key1

View File

@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.error-value
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The test status error value.

View File

@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.integer-value
title: Status item value.
type: <integer>
presence: required
content: Status value.
content: The test status integer value.

View File

@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.real-value
title: Status item value.
type: <real>
presence: required
content: Status value.
content: The test status real value.

View File

@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.string-value
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The test status string value.

docs/errata.md (new file, 33 lines)
View File

@@ -0,0 +1,33 @@
# Schema Errata
This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.
## iOS 17 / macOS 14
### profiles/com.apple.vpn.managed.yaml
The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed.
The `PPTP` VPNType has not been supported since iOS 10 and macOS 10.12, see https://support.apple.com/en-us/HT206844. The `PPTP` VPNType has been removed.
### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml
The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep.
### profiles/com.apple.vpn.managed.applayer.yaml
The `OnDemandMatchAppEnabled` key in the `com.apple.vpn.managed.applayer` profile payload incorrectly listed its type as `integer`. The correct type is `boolean`.
### profiles/com.apple.wifi.managed.yaml
The EAPClientConfiguration dictionary listed both OneTimePassword and OneTimeUserPassword as valid keys. The erroneous OneTimePassword key has been removed.
### profiles/com.apple.security.scep.yaml
The documentation indicated that all the keys in the SubjectAltName value could be either string or array types. The ntPrincipalName cannot be an array and must be a
string. This has been clarified in the description. Note that the type field for the rfc822Name, dNSName, and uniformResourceIdentifier still indicates these are
strings. This has not been corrected as the schema does not support polymorphic types.
### profiles/com.apple.universalaccess.yaml
The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`.
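Review bot: the headings mix forms: `### profiles/com.apple.vpn.managed.yaml` is a single path, but `### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml` lists two file names after the directory separated by spaces; use one heading per file (or a comma-separated list) so links and searches resolve to real paths. In the intro, "a fix was made in later schema" should read "in a later schema".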

View File

@@ -13,6 +13,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the command request |
| responsekeys | array | A list of YAML objects representing the command response |
| reasons | array | A list of YAML objects representing declarative device management status reason codes |
### Payload Object
@@ -24,6 +25,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c
| statusitemtype | string | Type of the status payload |
| credentialtype | string | Type of the credential asset data |
| supportedOS | object | Identifies the range of supported OS versions that support the entire payload |
| apply | string | Indicates how multiple configurations of the same type are applied |
| content | string | Description of the payload |
### supportedOS Object
@@ -41,29 +43,33 @@ The `supportedOS` object is used in the `payload` object to indicate overall sup
### iOS, macOS, tvOS, watchOS Objects
| Name | Type | Description |
|--------------------|---------|-------------|
| introduced | string | OS version where feature was introduced |
| deprecated | string | OS version where feature was deprecated |
| removed | string | OS version where feature was removed |
| accessrights | string | The MDM protocol access rights required on the device to execute the command |
| devicechannel | boolean | Indicates whether the command is supported on the device channel |
| userchannel | boolean | indicates whether the command is supported on the user channel |
| supervised | boolean | Indicates whether the command can only be executed on supervised devices |
| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP |
| userapprovedmdm | boolean | If True, the command can only be executed on devices with user approved MDM enrollment |
| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device |
| sharedipad | object | Additional behavior specific to shared iPad devices |
| userenrollment | object | Additional behavior when user enrollment is in effect |
| always-skippable | boolean | If True, indicates that the skip key's corresponding Setup pane is always skipped. If False, indicates that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs. This is only used in skipkeys.yaml. |
| Name | Type | Description |
|---------------------|---------|-------------|
| introduced | string | OS version where feature was introduced |
| deprecated | string | OS version where feature was deprecated |
| removed | string | OS version where feature was removed |
| accessrights | string | The MDM protocol access rights required on the device to execute the command |
| multiple | boolean | Indicates whether multiple copies of the payload can be installed |
| devicechannel | boolean | Indicates whether the command or profile is supported on the device channel |
| userchannel | boolean | indicates whether the command or profile is supported on the user channel |
| supervised | boolean | Indicates whether the command or profile can only be executed on supervised devices |
| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP |
| userapprovedmdm | boolean | If True, the command can only be executed on devices with user-approved MDM enrollment |
| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device |
| sharedipad | object | Additional behavior specific to shared iPad devices |
| userenrollment | object | Additional behavior when user enrollment is in effect |
| always-skippable | boolean | If True, indicates that the skip key's corresponding Setup pane is always skipped. If False, indicates that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs. This is only used in skipkeys.yaml. |
| allowed-enrollments | string | Array of allowed enrollment types for declarative device management |
| allowed-scopes | string | Array of allowed enrollment scopes for declarative device management |
### Shared iPad Object
| Name | Type | Description |
|---------------|---------|-------------|
| mode | string | Indicates whether a payload or payload key can used with shared iPad |
| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel |
| userchannel | boolean | Defines if the payload can be installed on the user MDM channel |
| Name | Type | Description |
|----------------|---------|-------------|
| mode | string | Indicates whether a payload or payload key can used with shared iPad |
| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel |
| userchannel | boolean | Defines if the payload can be installed on the user MDM channel |
| allowed-scopes | string | Array of allowed enrollment scopes for declarative device management |
__Notes__
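Review bot: the new `allowed-enrollments` and `allowed-scopes` rows give `string` as the type but describe the value as an "Array of ..."; the YAML elsewhere in this change writes them as lists, so the type column should say `array`. Also in these tables: "can used" should be "can be used" in the Shared iPad `mode` row, and the `userchannel` description starts with lowercase "indicates" while every other row is capitalized.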
@@ -89,12 +95,14 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and
| supportedOS | object | Identifies the range of supported OS versions that support the key |
| type | string | The type of key |
| subtype | string | Indicates the expected format of the string value of the key |
| assettypes | string | Indicates the set of allowed asset types |
| presence | string | Whether the key is required or optional |
| rangelist | array | List of allowed values for this key |
| range | object | Bounds for the value of this key |
| default | scalar | The default value for the key |
| format | string | The format for the value expressed as a regular expression |
| repetition | object | Cardinality for this value |
| combinetype | string | Indicates how this key is combined with ones from other configurations |
| content | string | Description of the payload key |
| subkeytype | string | A name that uniquely represents the structured subkey object |
| subkeys | array | An array of payload keys |
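Review bot: `assettypes` is listed with type `string` here, while the schema hunk in this commit defines it as `type: array` with string items; the README row should say `array`. Also check that the payload-level table of the README (not in this hunk) gained rows for the new `apply` and `allowmanualinstall` keys, since only the payload-key table is updated here.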

@@ -52,24 +52,44 @@ properties:
accessrights:
type: string
description: The MDM protocol access rights required on the device to execute the command.
multiple:
type: boolean
description: Indicates whether multiple copies of the payload can be installed
devicechannel:
type: boolean
description: Indicates whether the command is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key.
description: Indicates whether the command or profile is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key.
userchannel:
type: boolean
description: indicates whether the command is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key.
description: indicates whether the command or profile is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key.
supervised:
type: boolean
description: Indicates whether the command can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key.
description: Indicates whether the command or profile can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key.
requiresdep:
type: boolean
description: If True, the command can only be executed on devices provisioned in DEP.
userapprovedmdm:
type: boolean
description: If True, the command can only be executed on devices with user approved MDM enrollment.
description: If True, the command can only be executed on devices with user-approved MDM enrollment.
allowmanualinstall:
type: boolean
description: If True, the profile can be installed manually by a user on the device.
allowed-enrollments:
type: array
description: Array of allowed enrollment types.
items:
type: string
enum:
- device
- user
- local
allowed-scopes:
type: array
description: Array of allowed scopes.
items:
type: string
enum:
- system
- user
sharedipad:
type: object
description: Additional behavior specific to shared iPad devices.
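Review bot: the rewritten `devicechannel`, `userchannel` and `supervised` descriptions still read "overrides the the `...` key"; drop the duplicated "the" while these lines are being touched. "the command or profile can only be executed on supervised devices" also doesn't fit profiles, which are installed rather than executed; "can only be used on supervised devices" covers both. `requiresdep` and `userapprovedmdm` were left as "the command can only be executed", so either generalize them the same way or note why they are command-only.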
@@ -94,6 +114,15 @@ properties:
userchannel:
type: boolean
description: Defines if the payload can be installed on the user MDM channel.
allowed-scopes:
type: array
description: Array of allowed scopes.
items:
type: string
enum:
- system
- user
- local
userenrollment:
type: object
description: Additional behavior when user enrollment is in effect.
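Review bot: this `allowed-scopes` enum (`system`, `user`, `local`) differs from the top-level `allowed-scopes` enum in the previous hunk (`system`, `user`). If Shared iPad legitimately has a `local` scope that other enrollments do not, say so in the description; otherwise share one enum via a YAML anchor so the two lists can't drift apart.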
@@ -124,6 +153,16 @@ properties:
macOS: *supportedOSItem
tvOS: *supportedOSItem
watchOS: *supportedOSItem
apply:
type: string
description: Indicates how multiple configurations of the same type are applied.
If set to 'single', then only one configuration will be applied.
If set to 'multiple', then each configuration is applied separately.
If set to 'combined', then all configurations are combined into a single effective configuration.
enum:
- single
- multiple
- combined
content:
type: string
description: Description of the payload.
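Review bot: the `apply` description is a plain multi-line scalar, so YAML folds the four lines into one space-joined string; the other multi-line descriptions in this file use `|-` to keep their line structure. Use `|-` here too, and state that `combinetype` on a payload key only has an effect when the payload's `apply` is `combined`.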
@@ -168,6 +207,11 @@ properties:
- <url>
- <hostname>
- <email>
assettypes:
type: array
description: Indicates the set of allowed asset types.
items:
type: string
presence:
type: string
description: Whether the key is required or optional.
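Review bot: the `assettypes` items are unconstrained strings. The set of asset declaration type identifiers is finite and known to this repository, so an `enum` on the items (or at least a description naming the expected identifiers) would let a misspelled asset type fail schema validation instead of being accepted silently.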
@@ -202,6 +246,7 @@ properties:
- string
- integer
- number
- boolean
description: The default value (if any) for the key.
format:
type: string
@@ -220,6 +265,31 @@ properties:
max:
type: integer
description: Upper bound.
combinetype:
type: string
description: |-
For a configuration that will be combined, indicates how this key is combined with ones from other configurations.
* boolean-or - multiple <boolean> values are combined using a logical OR operation
* boolean-and - multiple <boolean> values are combined using a logical AND operation
* number-min - multiple <integer> or <real> values are combined by using the smallest value
* number-max - multiple <integer> or <real> values are combined by using the largest value
* enum-lowest - multiple <string> values with a rangelist are combined by using the value whose position is lowest in the range list
* enum-highest - multiple <string> values with a rangelist are combined by using the value whose position is highest in the range list
* first - multiple values are combined by using the first value that is processed
* array-append - multiple <array> values are combined by concatenating the values in each array into a new array
* set-union - multiple <array> values are combined by returning the unique union of all values in each array
* set-intersection - multiple <array> values are combined by returning the unique intersection of all values in each array
enum:
- boolean-or
- boolean-and
- number-min
- number-max
- enum-lowest
- enum-highest
- first
- array-append
- set-union
- set-intersection
content:
type: string
description: Description of the payload key.
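Review bot: `first` is defined as "the first value that is processed", but nothing states the order in which configurations are processed, so the result is unspecified; either document the ordering or say explicitly that the choice is implementation-defined. `enum-lowest` and `enum-highest` depend on a `rangelist` being present, and `number-*`/`boolean-*` on a numeric/boolean `type`; a validation rule that rejects a `combinetype` incompatible with the key's `type` or missing `rangelist` would catch schema mistakes early.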
@@ -229,3 +299,45 @@ properties:
subkeys: *payloadKeys
responsekeys: *payloadKeys
reasons:
type: array
description: An array of Remote Management status reason codes.
items:
type: object
description: An Remote Management reason code.
additionalProperties: false
properties:
value:
type: string
description: The Remote Management reason code.
description:
type: string
description: Description of the Remote Management reason code.
details:
type: array
description: Keys defined in the Details dictionary
items:
type: object
description: Details dictionary keys
additionalProperties: false
properties:
key:
type: string
description: The name of the dictionary key.
description:
type: string
description: Description of the dictionary item.
type:
type: string
description: The type of the dictionary value.
enum:
- <string>
- <integer>
- <real>
- <boolean>
- <date>
- <data>
- <array>
- <dictionary>
- <any>
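Review bot: "An Remote Management reason code" should be "A Remote Management reason code". The `details` item's `type` enum allows `<any>`; check that this matches the payload-key `type` enum (not shown in this diff) or, if `<any>` is intended only for status detail dictionaries, say so in a comment. `description: Keys defined in the Details dictionary` and `Details dictionary keys` also lack the terminating period the neighbouring descriptions use.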

@@ -23,6 +23,9 @@ payload:
tvOS:
introduced: '10.2'
supervised: false
watchOS:
introduced: '10.0'
supervised: false
content: Check-in protocol authenticate request and response.
payloadkeys:
- key: DeviceName
@@ -31,6 +34,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The device's name.
@@ -40,6 +45,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The device's model name.
@@ -49,6 +56,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The device's model.
@@ -85,6 +94,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
@@ -94,6 +105,9 @@ payloadkeys:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's OS version.
@@ -102,6 +116,9 @@ payloadkeys:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's build version.
@@ -110,6 +127,9 @@ payloadkeys:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's product name ('iPhone3,1').
@@ -124,6 +144,9 @@ payloadkeys:
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's serial number.
@@ -138,6 +161,9 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's IMEI (International Mobile Station Equipment Identity).
@@ -152,6 +178,9 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's MEID (Mobile Equipment Identifier).

@@ -23,6 +23,9 @@ payload:
tvOS:
introduced: '10.2'
supervised: false
watchOS:
introduced: '10.0'
supervised: false
content: Check-in protocol check out request and response.
payloadkeys:
- key: MessageType
@@ -55,6 +58,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15

@@ -25,6 +25,10 @@ payload:
introduced: '16.0'
supervised: false
requiresdep: false
watchOS:
introduced: '10.0'
supervised: false
requiresdep: false
content: Check-in protocol declarative management request and response.
payloadkeys:
- key: MessageType
@@ -67,6 +71,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device.
@@ -80,6 +86,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: A per-enrollment identifier that identifies the user for user enrollments.
@@ -92,6 +100,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple ID of the user. When
@@ -106,6 +116,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: On macOS, this value always returns the ID of the user. On Shared iPad,
@@ -119,6 +131,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The full name of the user.

mdm/checkin/gettoken.yaml Normal file
@@ -0,0 +1,160 @@
title: Get Token
description: Check-in protocol get token data.
payload:
requesttype: GetToken
supportedOS:
iOS:
introduced: '17.0'
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '14.0'
devicechannel: true
userchannel: true
supervised: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: Check-in protocol get token data request and response.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- GetToken
content: A string that specifies this is a get-token request.
- key: TokenServiceType
type: <string>
presence: required
rangelist:
- com.apple.maid
- com.apple.watch.pairing
content: A string that specifies the service for the requested token.
- key: TokenParameters
type: <dictionary>
presence: optional
content: Parameters that the system uses to generate the token.
subkeys:
- key: SecurityToken
title: Security Token
supportedOS:
iOS:
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <string>
presence: optional
content: A security token to generate the server token. Required by the 'com.apple.watch.pairing'
service type.
- key: PhoneUDID
title: Phone Identifier
supportedOS:
iOS:
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <string>
presence: optional
content: The identifier of the phone paired to the watch. Required by the 'com.apple.watch.pairing'
service type.
- key: WatchUDID
title: Watch Identifier
supportedOS:
iOS:
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <string>
presence: optional
content: The identifier of the watch paired to the phone. Required by the 'com.apple.watch.pairing'
service type.
- key: UDID
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
userenrollment:
mode: forbidden
type: <string>
presence: required
content: The device's UDID.
- key: EnrollmentID
supportedOS:
iOS:
userenrollment:
mode: required
macOS:
userenrollment:
mode: required
type: <string>
presence: required
content: A per-enrollment identifier that identifies the device for user enrollments.
- key: EnrollmentUserID
supportedOS:
iOS:
introduced: n/a
macOS:
devicechannel: false
userenrollment:
mode: required
type: <string>
presence: required
content: A per-enrollment identifier that identifies the user for user enrollments.
- key: UserShortName
supportedOS:
iOS:
sharedipad:
mode: required
macOS:
devicechannel: false
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple ID of the user. When
present, it indicates that the token is for the user channel. In macOS, this value
returns the short name of the user.
- key: UserID
supportedOS:
iOS:
sharedipad:
mode: required
macOS:
devicechannel: false
type: <string>
presence: optional
content: In macOS, this value returns the ID of the user. On Shared iPad, this value
is 'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF' to indicate that no authentication occurs.
- key: UserLongName
supportedOS:
iOS:
introduced: n/a
macOS:
devicechannel: false
type: <string>
presence: required
content: The full name of the user.
responsekeys:
- key: TokenData
type: <data>
presence: required
content: The token represented as data. If the token is a string value, this will
be the UTF-8 encoded string data.
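Review bot: `SecurityToken`, `PhoneUDID` and `WatchUDID` are `presence: optional`, yet their content says they are required by the `com.apple.watch.pairing` service type, and nothing documents which parameters (if any) `com.apple.maid` takes; since the schema can't express per-service requiredness, the `TokenParameters` content should list the required subkeys for each `TokenServiceType` value. The `SecurityToken` content ("A security token to generate the server token") doesn't say where the device obtains it or what format it has, which a server implementer needs before it can validate the request. Style: `UserShortName` and `UserID` use "In macOS" where the sibling check-in files use "On macOS".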

@@ -23,6 +23,9 @@ payload:
tvOS:
introduced: '10.2'
supervised: false
watchOS:
introduced: '10.0'
supervised: false
content: Check-in protocol token update request and response.
payloadkeys:
- key: NotOnConsole
@@ -32,9 +35,11 @@ payloadkeys:
macOS:
introduced: '10.11'
devicechannel: false
watchOS:
introduced: n/a
type: <boolean>
presence: required
content: If true, the device is not on console.
content: If 'true', the device is not on console.
- key: MessageType
type: <string>
presence: required
@@ -68,6 +73,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
@@ -83,6 +90,8 @@ payloadkeys:
mode: required
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the user. Available in macOS 10.15 and
@@ -97,6 +106,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: |-
@@ -112,6 +123,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: |-
@@ -125,6 +138,8 @@ payloadkeys:
devicechannel: false
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: required
content: The full name of the user.
@@ -146,6 +161,8 @@ payloadkeys:
mode: forbidden
macOS:
introduced: n/a
watchOS:
accessrights: AllowPasscodeRemovalAndLock
type: <data>
presence: optional
content: The data that can be used to unlock the device. If provided, the server
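Review bot: the `watchOS` entry under `UnlockToken` sets only `accessrights` and no `introduced`, while the other per-key watchOS entries in this commit that add `accessrights` also set `introduced: '10.0'` explicitly. If the key inherits `introduced` from the payload-level `watchOS` block that is fine, but making it explicit keeps the pattern uniform and avoids a reader taking the missing value as "unsupported".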
@@ -157,8 +174,11 @@ payloadkeys:
macOS:
introduced: '10.11'
userchannel: false
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the device is awaiting a Release Device from Await Configuration
MDM command before proceeding through Setup Assistant.
content: |-
If 'true' from the device channel, the device is awaiting a Release Device from Await Configuration MDM command before proceeding through Setup Assistant.
If 'true' from the user channel (Shared iPad only), the device is awaiting a UserConfiguredCommand MDM command before proceeding through Setup Assistant.

@@ -91,20 +91,20 @@ payloadkeys:
title: fullName
type: <string>
presence: optional
content: The full name of the user. This defaults to shortName if not specified.
content: The full name of the user, which defaults to 'shortName' if not specified.
- key: passwordHash
title: passwordHash
type: <data>
presence: optional
content: Contains the pre-created salted PBKDF2 SHA512 password hash for the
account.
content: Data that contains the pre-created salted PBKDF2 SHA512 password hash
for the account.
- key: hidden
title: hidden
type: <boolean>
presence: optional
default: false
content: If true, this sets the account attribute to make the account hidden
to loginwindow and Users&Groups. OD attribute dsAttrTypeNative:IsHidden.
content: If 'true', this sets the account attribute to make the account hidden
in the login window and Users & Groups.
- key: ManagedLocalUserShortName
supportedOS:
macOS:
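Review bot: the rewrite of `hidden` drops the "OD attribute dsAttrTypeNative:IsHidden" reference; that pointer is what lets an admin verify the effect of the setting with directory tools, so keep it as a second sentence. The `passwordHash` description still doesn't state the expected structure of the data (salt, iteration count and how they are encoded), which is what a server needs to produce a value the device will accept.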

@@ -59,8 +59,8 @@ payloadkeys:
presence: optional
default: false
content: |-
If 'true', install the app as a managed app. For manifest-based installation, if this value is 'true', but the package doesn't meet the criteria for management, the installation fails. Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app.
To satisfy the criteria for management, the pkg must contain a single, signed application installed into '/Applications'.
If 'true', install the app as a managed app.
For manifest-based installs, if 'true' the system considers only the .app bundles installed into '/Applications' as managed (macOS 11 through 13 required the pkg to contain a single .app bundle). Reinstalling a managed app without this flag causes it to become unmanaged.
This value is available in macOS 11 and later.
- key: ManagementFlags
supportedOS:
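Review bot: the new text drops the statement that the installation fails when the package doesn't meet the management criteria; if that behaviour still holds for macOS 11 through 13 it should stay, and if it changed in macOS 14 the text should say what happens instead. The same `InstallAsManaged` text is rewritten differently in the other install-application file in this commit ("Reinstalling a managed app without this flag" here versus "Reinstall a managed app with this value set to 'false'" there); pick one wording and use it in both.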

@@ -33,6 +33,10 @@ payload:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
watchOS:
introduced: '10.0'
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to install an application on a device. If
the app is already being managed, this command will update the app. macOS change
- 10.9 user channel for VPP, 10.10 device channel, 10.11 both.
@@ -120,28 +124,46 @@ payloadkeys:
to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later.
subkeys:
- key: VPNUUID
supportedOS:
tvOS:
introduced: n/a
type: <string>
presence: optional
content: A per-app VPN unique identifier for this app. This value is available
in iOS 7 and later, and tvOS 10.2 and later.
content: A per-app VPN unique identifier for this app. Available in iOS 7 and
later.
- key: ContentFilterUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: Content Filter UUID assigned to this app.
content: The content filter UUID for this app. Available in iOS 16 and later.
- key: DNSProxyUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: DNS Proxy UUID assigned to this app.
content: The DNS proxy UUID for this app. Available in iOS 16 and later.
- key: RelayUUID
supportedOS:
iOS:
introduced: '17.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: The relay UUID for this app. Available in iOS 17 and later.
- key: AssociatedDomains
supportedOS:
iOS:
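Review bot: `ContentFilterUUID`, `DNSProxyUUID` and `RelayUUID` set `tvOS` and `watchOS` to `n/a` but say nothing about macOS, so macOS support is inherited from the parent, whereas `TapToPayScreenLock` later in this file sets `macOS: introduced: n/a` explicitly. If these per-app network UUIDs aren't honoured on macOS, add `macOS: introduced: n/a`; if they are, the content should say so rather than "Available in iOS 16 and later" only.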
@@ -150,8 +172,8 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: An array that contains the associated domains to add to this app. This
value is available in iOS 13 and later.
content: An array that contains the associated domains to add to this app. Available
in iOS 13 and later.
subkeys:
- key: AssociatedDomain
type: <string>
@@ -166,7 +188,7 @@ payloadkeys:
default: false
content: If 'true', perform claimed site association verification directly at
the domain instead of on Apple's servers. Only set this to 'true' for domains
that can't access the internet. This value is available in iOS 14 and later.
that can't access the internet. Available in iOS 14 and later.
- key: Removable
supportedOS:
iOS:
@@ -176,23 +198,35 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', this app isn't removable while it's a managed app. This value
is available in iOS 14 and later, and tvOS 14 and later.
content: If 'false', this app isn't removable while it's a managed app. Available
in iOS 14 and later, and tvOS 14 and later.
- key: TapToPayScreenLock
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: Enabling this setting will require Tap to Pay on iPhone users to use
Face ID or a passcode to unlock their device after every transaction that requires
a customers card PIN. Disabling this setting will allow users to configure
this setting on their device based on personal preference.
content: |-
If 'true', Tap to Pay on iPhone requires users to use Face ID or a passcode to unlock their device after every transaction that requires a customer's card PIN. If 'false', the user can configure this setting on their device.
Available in iOS 16.4 and later.
- key: CellularSliceUUID
supportedOS:
iOS:
introduced: '17.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <string>
presence: optional
content: |-
The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”.
Available in iOS 17 and later.
- key: ChangeManagementState
supportedOS:
iOS:
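Review bot: `CellularSliceUUID` is named as a UUID but the documented values are `DNN:name` and `AppCategory:category` strings; either note in the content that the name is historical or add a `format` regular expression matching those two shapes so malformed values are rejected at validation. The curly quotes around “Enterprise1” also break the file's single-quote convention, and "carrier provided" should be hyphenated in both places.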
@@ -210,7 +244,7 @@ payloadkeys:
content: |-
The change management state. The only supported state is:
* 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
This value doesn't work with the User Enrollment feature introduced in iOS 13.
This value doesn't work with Profile Based User Enrollment, Account Driven User Enrollment and Account Driven Device Enrollment.
Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later.
- key: InstallAsManaged
supportedOS:
@@ -222,14 +256,16 @@ payloadkeys:
mode: forbidden
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', install the app as a managed app. For manifest-based installation,
if this value is 'true', but the package doesn't meet the criteria for management,
the installation fails. Reinstall a managed app with this value set to 'false'
to change the app to an unmanaged app. This value is available in macOS 11 and
later.
content: |-
If 'true', install the app as a managed app.
For manifest-based installs, if this value is 'true', the system only considers the '.app' bundles installed into '/Applications 'as managed (macOS 11 through 13 required the 'pkg' to contain a single '.app' bundle).
Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app.
This value is available in macOS 11 and later.
- key: iOSApp
supportedOS:
iOS:
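Review bot: `'/Applications 'as managed` has the closing quote on the wrong side of the space; it should read `'/Applications' as managed`. As in the other install-application file in this commit, the rewrite drops the sentence that the install fails when the package doesn't meet the criteria; confirm that is intended for macOS 14 and, if so, say what the device does with such a package instead.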
@@ -238,6 +274,8 @@ payloadkeys:
introduced: '11.0'
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
@@ -251,6 +289,26 @@ responsekeys:
- key: State
type: <string>
presence: optional
rangelist:
- Queued
- NeedsRedemption
- Redeeming
- Prompting
- PromptingForLogin
- ValidatingPurchase
- Installing
- Managed
- ManagedButUninstalled
- UserInstalledApp
- UserRejectedFailed
- PromptingForUpdate
- PromptingForUpdateLogin
- ValidatingUpdate
- Updating
- UpdateRejected
- PromptingForManagement
- ManagementRejected
- Unknown
content: The app's installation state, if the user accepted the request. If this
value is 'NeedsRedemption', the server must send a redemption code to complete
the app installation.
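Review bot: the content says the state is reported "if the user accepted the request", but the new `rangelist` includes `UserRejectedFailed`, `UpdateRejected` and `ManagementRejected`, which are only reported when the user declined; reword to "The app's installation state." and keep the `NeedsRedemption` sentence. A one-line distinction between `Managed`, `ManagedButUninstalled` and `UserInstalledApp` would also help servers that branch on these values.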

@@ -26,6 +26,10 @@ payload:
introduced: '10.2'
accessrights: AllowQueryApplications
supervised: false
watchOS:
introduced: '10.0'
accessrights: AllowQueryApplications
supervised: false
content: This command allows the server to query for installed 3rd party applications.
payloadkeys:
- key: Identifiers
@@ -254,6 +258,8 @@ responsekeys:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false

@@ -25,7 +25,8 @@ payload:
content: This command allows a server to invite a user to join a program. This command
issues the invitation, but does not allow the server to monitor whether the user
has joined the program. This command is supported in the user channel. This command
will yield a NotNow status until the user exits Setup Assistant.
will yield a NotNow status until the user exits Setup Assistant. This command
does not work with Account Driven Device Enrollment.
payloadkeys:
- key: ProgramID
type: <string>

@@ -28,6 +28,10 @@ payload:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
watchOS:
introduced: '10.0'
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to query the status of managed apps. Certain
statuses are transient. Once they are reported to the server, the entries for
the apps are removed from the next query. macOS supports this command on the user
@@ -50,7 +54,7 @@ responsekeys:
content: A dictionary that contains status information about each managed app.
subkeytype: ManagedApplicationListItem
subkeys:
- key: <app identifier>
- key: ANY app identifier
type: <dictionary>
presence: required
content: The bundle identifier of the managed app.
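Review bot: changing the placeholder from `<app identifier>` to `ANY app identifier` introduces a new convention for dictionary keys that aren't fixed names; if `ANY ...` is now the standard placeholder, the schema's `key` definition should document it and the other files that use `<...>` placeholders need the same change, otherwise a consumer that treats `<...>` as a placeholder will read this as a literal key.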

@@ -25,6 +25,10 @@ payload:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
watchOS:
introduced: '10.0'
accessrights: AllowAppInstallation
supervised: false
content: This command allows a server to remove a managed app.
payloadkeys:
- key: Identifier

@@ -32,6 +32,10 @@ payload:
introduced: '6.0'
accessrights: AllowInspection
supervised: false
watchOS:
introduced: '10.0'
accessrights: AllowInspection
supervised: false
content: |-
This command allows the server to retrieve the list of installed certificates on the device. The command requires that the server has the Inspect Profile Manifest privilege.
For userenrollment, this request will limit to certificates pushed via MDM.

@@ -27,6 +27,9 @@ payload:
introduced: '16.0'
supervised: false
requiresdep: false
watchOS:
introduced: '10.0'
supervised: false
content: This command allows the server to turn on the Declarative Management engine
on the device (the first time it is used), or to trigger a Declarative Management
synchronization operation.

@@ -1,5 +1,5 @@
title: Activation Lock Bypass Code Command
description: Retrievies the Activation Lock bypass code from the device.
description: Retrieves the Activation Lock bypass code from the device.
payload:
requesttype: ActivationLockBypassCode
supportedOS:

Some files were not shown because too many files have changed in this diff.