Release_iOS-16

Cyrus Daboo
2022-09-13 21:21:03 -04:00
parent 605e649598
commit 0340fd30e0
84 changed files with 2109 additions and 73 deletions

@@ -8,10 +8,9 @@ This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 15.4 |
| macOS | 12.3 |
| tvOS | 15.4 |
| watchOS | 8.5 |
| iOS | 16.0 |
| tvOS | 16.0 |
| watchOS | 9.0 |
## What's Available
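
Review bot: The OS version table no longer has a macOS row, yet the schema files in this same commit add `macOS: introduced: '13.0'` throughout. State under the table how the macOS 13.0 entries relate to this release, or keep a macOS row, so a reader does not have to guess whether those entries apply to the OS versions listed here.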

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: StandardConfigurations
type: <array>

@@ -6,6 +6,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: Reference
type: <dictionary>

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: UserName
type: <string>

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: FullName
title: Full Name

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName

@@ -6,6 +6,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
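
Review bot: The `content:` line still reads `This payload configures an Exchange ActiveSync account on an iOS device.` although this hunk adds `macOS: introduced: '13.0'`. Reword it to be platform-neutral, in line with the sibling account configurations, for example "An Exchange configuration defines an Exchange ActiveSync account for a user."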

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: n/a
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName

@@ -5,6 +5,16 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: n/a
tvOS:
introduced: n/a
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:

@@ -6,14 +6,26 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
The URL of the profile to download and install. This must be an 'https://' URL.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
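
Review bot: In the `ProfileURL` `content:` text, the rewritten first line drops "The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead." If the client still ignores those payloads, keep the sentence: the drop is silent, so this documentation is the only place a server author learns that such payloads never take effect. If the behaviour changed in 16.0, say so with the version.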

@@ -5,11 +5,25 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
The URL of the profile to download and install. This must be an 'https://' URL.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
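
Review bot: The `ProfileURL` text describes two different failure modes for a user enrollment, `silently ignores` on macOS and `rejects the entire profile` on iOS and tvOS, without saying how the server observes either one. Add a sentence on what the declaration's status reports in each case, and replace `MDM 1 payloads` with a defined term, since it is not explained anywhere in this key.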

@@ -6,6 +6,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
payloadkeys:
- key: StatusItems
title: Status Items

@@ -5,6 +5,20 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
payloadkeys:
- key: Echo
title: Status Echo

@@ -5,6 +5,16 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
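
Review bot: The `macOS` block here lists `introduced` and `userenrollment` but no `devicechannel`/`userchannel` keys, unlike the `macOS` blocks added to the account and profile configurations in this commit. If the omission is meant to carry a default, write the keys out so the scope of the passcode configuration is explicit in the schema.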

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: Type
type: <string>

@@ -6,6 +6,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: Name
title: Organization Name

@@ -0,0 +1,17 @@
title: Management:Properties
description: Use this declaration to set properties on the device.
payload:
declarationtype: com.apple.management.properties
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: ANY
title: Property
type: <any>
presence: optional
content: Each entry represents a property key/value.
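
Review bot: `key: ANY` with `type: <any>` leaves the payload of `com.apple.management.properties` unconstrained, and the description `set properties on the device` does not say what a property is or what the client does with it. Document the permitted value types and how an unrecognised key is handled, so servers and validators built from this schema have something to check against.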

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: Version
title: Protocol Version

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: Declarations
title: Manifest Declaration Items

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: StatusItems
title: Status Items

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: SyncTokens
title: Synchronization Tokens

@@ -0,0 +1,70 @@
title: Status Account List CalDAV
description: The client's CalDAV accounts.
payload:
statusitemtype: account.list.caldav
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.caldav
title: Status item value.
type: <array>
presence: required
content: The status value of the account.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier for the account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name for the account.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: If 'true', the Calendar app is displaying calendars and events for
the account.
- key: are-reminders-enabled
title: Are reminders enabled
type: <boolean>
presence: optional
content: If 'true', the Reminders app is displaying reminders for the account.
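
Review bot: The `supportedOS` block of `account.list.caldav` gives `devicechannel`/`userchannel` but no `userenrollment` mode, while the CalDAV configuration in this commit declares `userenrollment: mode: allowed`. Since the item reports `hostname` and `username`, state explicitly whether it is available under user enrollment. The `identifier` text also lacks the "primary key" sentence that the other `account.list.*` items carry; align the wording.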

@@ -0,0 +1,60 @@
title: Status Account List CardDAV
description: The client's CardDAV accounts.
payload:
statusitemtype: account.list.carddav
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.carddav
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.

@@ -0,0 +1,86 @@
title: Status Account List Exchange
description: The client's exchange accounts.
payload:
statusitemtype: account.list.exchange
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.exchange
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
- key: are-reminders-enabled
title: Are reminders enabled
type: <boolean>
presence: optional
content: Indicates if reminders for the account are being displayed in Reminders.app.
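
Review bot: `description: The client's exchange accounts.` should capitalise Exchange, and `is-mail-enabled` reads `Indicates if mail for this account are being displayed`; use `is being displayed`. The boolean descriptions also alternate between `this account` and `the account`; pick one, and apply the same fix to the identical `is-mail-enabled` text in the Google and incoming-mail items.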

@@ -0,0 +1,71 @@
title: Status Account List Google
description: The client's Google accounts.
payload:
statusitemtype: account.list.google
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.google
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.

@@ -0,0 +1,65 @@
title: Status Account List LDAP
description: The client's LDAP accounts.
payload:
statusitemtype: account.list.ldap
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.ldap
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name for the account.
- key: is-enabled
title: Is account enabled
type: <boolean>
presence: optional
content: Indicates if the account is enabled for use with Contacts.app.

@@ -0,0 +1,70 @@
title: Status Account List Mail Incoming
description: The client's incoming mail accounts.
payload:
statusitemtype: account.list.mail.incoming
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.incoming
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.

@@ -0,0 +1,60 @@
title: Status Account List Mail Outgoing
description: The client's outgoing mail accounts.
payload:
statusitemtype: account.list.mail.outgoing
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.outgoing
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: hostname
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
- key: port
title: Server Port
type: <integer>
presence: optional
content: The server port for the account.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.

@@ -0,0 +1,58 @@
title: Status Account List Subscribed Calendar
description: The client's subscribed calendar accounts.
payload:
statusitemtype: account.list.subscribed-calendar
supportedOS:
iOS:
introduced: '16.0'
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
macOS:
introduced: n/a
tvOS:
introduced: n/a
payloadkeys:
- key: account.list.subscribed-calendar
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
- key: visible-name
title: Account name
type: <string>
presence: optional
content: The name of the account.
- key: calendar-url
title: Account calendar URL
type: <string>
presence: optional
content: The URL of the subscribed calendar.
- key: username
title: Account username
type: <string>
presence: optional
content: The user name of the account.
- key: is-enabled
title: Is the calendar enabled
type: <boolean>
presence: optional
content: Indicates if the calendar is being displayed in Calendar.app.
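
Review bot: `calendar-url` is described only as `The URL of the subscribed calendar.`, which leaves open whether the client reports the URL verbatim, including any query string or user-info part. Specify exactly what is reported, since the value is sent in the status report alongside `username`.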

@@ -0,0 +1,21 @@
title: Status Device Serial Number
description: The device's serial number.
payload:
statusitemtype: device.identifier.serial-number
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.identifier.serial-number
title: Status item value.
type: <string>
presence: required
content: Status value.
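
Review bot: The `content:` for `device.identifier.serial-number` is the placeholder `Status value.`, whereas `device.identifier.udid`, added in the same commit with the same `userenrollment: mode: forbidden`, spells out its channel availability. Describe the value and say whether the same device-channel and user-channel rule applies to the serial number.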

@@ -0,0 +1,23 @@
title: Status Device UDID
description: The device's UDID.
payload:
statusitemtype: device.identifier.udid
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.identifier.udid
title: Status item value.
type: <string>
presence: required
content: The device's UDID. This value is always available on the device channel.
This value is only available on user channels whose organization matches that
of the device channel.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.model.family
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.model.identifier
title: Status item value.

@@ -5,11 +5,14 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.model.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the device's marketing name, such as 'iPhone 12'.
This value may not always be available. Alternatively, use 'device.model.configuration-code'
to look up the marketing name through the web API.
This value may not always be available.
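
Review bot: The rewritten `content:` keeps `This value may not always be available.` but drops the pointer to `device.model.configuration-code` as the alternative. Either name the replacement fallback or say what the status report contains when the value is unavailable, so a server does not have to guess.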

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.operating-system.build-version
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.operating-system.family
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.operating-system.marketing-name
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: device.operating-system.version
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: management.client-capabilities
title: Status item value.

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: management.declarations
title: Status item value.

@@ -0,0 +1,78 @@
title: Status MDM App
description: The client's MDM installed apps.
payload:
statusitemtype: mdm.app
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
payloadkeys:
- key: mdm.app
title: Status item value.
type: <array>
presence: required
content: The list of apps.
subkeytype: App
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the app.
type: <string>
presence: required
content: The app's bundle id, which is unique.
- key: name
title: App name
type: <string>
presence: optional
content: The name of the app.
- key: external-version-id
title: External version id
type: <string>
presence: optional
content: The application's external version ID. Use Service Config to get the
'contentMetadataLookupUrl' endpoint. In the response from that URL, find a
key named 'externalId' at the path 'results.<adamId>.offers[0].version.externalId'.
If the current external version identifier of an app on the store doesn't
match the external version identifier reported by the device, there may be
an app update available for the device.
- key: version
title: Version
type: <string>
presence: optional
content: The version of the app.
- key: short-version
title: Short version
type: <string>
presence: optional
content: The short version of the app.
- key: state
title: Managed application list status
type: <string>
presence: optional
rangelist:
- queued
- needs-redemption
- redeeming
- prompting
- prompting-for-login
- validating-purchase
- prompting-for-update
- prompting-for-update-login
- prompting-for-management
- validating-update
- updating
- installing
- managed
- managed-but-uninstalled
- unknown
- user-installed-app
- user-rejected
- update-rejected
- management-rejected
- failed
content: The status of the app reported by ManagedApplicationListCommand.
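
Review bot: `state` is `presence: optional` and its `rangelist` includes `unknown`, but the `content:` only says the status is `reported by ManagedApplicationListCommand`, without saying what an absent `state` means compared with `unknown`. Define both cases so a server can tell "not reported" from "reported as unknown".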

@@ -0,0 +1,20 @@
title: Status Passcode Compliance
description: The state of passcode compliance.
payload:
statusitemtype: passcode.is-compliant
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
payloadkeys:
- key: passcode.is-compliant
title: Status item value.
type: <boolean>
presence: required
content: If 'true', the passcode is in compliance with all passcode policies set
on the device. If 'false', the passcode isn't in compliance with one or more passcode
policies set on the device. When there are no passcode policies on the device,
this value 'true'.
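
Review bot: The last sentence of `content:` is missing its verb: `this value 'true'` should read `this value is 'true'`. It would also help to say that a device with no passcode policies therefore reports compliant even without a passcode, and to point to `passcode.is-present` for that case.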

@@ -0,0 +1,21 @@
title: Status Passcode Is Present
description: Whether a passcode is present ot not.
payload:
statusitemtype: passcode.is-present
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
payloadkeys:
- key: passcode.is-present
title: Status item value.
type: <boolean>
presence: required
content: If 'true', a passcode is present on the device. If 'false', a passcode
isn't present on the device. When a passcode is present, the specific attributes
of the passcode (length, number of complex characters, etc), isn't reported. Instead,
use the 'passcode.is-compliant' status item to verify that the passcode complies
with all passcode policies set on the device.
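
Review bot: `description:` has a typo, `ot not` for `or not`, and in `content:` the subject and verb disagree: `the specific attributes of the passcode (...), isn't reported` should be `aren't reported`, without the comma before the verb.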

@@ -5,6 +5,10 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: code
title: Error Code

@@ -0,0 +1,32 @@
title: Status Test Array Value
description: A test status item array.
payload:
statusitemtype: test.array-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.array-value
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: Array
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: key1
title: First Key Value
type: <string>
presence: required
content: The value of the first sub-key.
- key: key2
title: Second Key Value
type: <string>
presence: optional
content: The value of the second sub-key.

@@ -0,0 +1,17 @@
title: Status Test Boolean Value
description: A test status item boolean.
payload:
statusitemtype: test.boolean-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.boolean-value
title: Status item value.
type: <boolean>
presence: required
content: Status value.

@@ -0,0 +1,29 @@
title: Status Test Dictionary Value
description: A test status item dictionary.
payload:
statusitemtype: test.dictionary-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.dictionary-value
title: Status item value.
type: <dictionary>
presence: required
content: Status value.
subkeytype: Dictionary
subkeys:
- key: key1
title: First Key Value
type: <string>
presence: required
content: The value of the first sub-key.
- key: key2
title: Second Key Value
type: <string>
presence: optional
content: The value of the second sub-key.

@@ -0,0 +1,17 @@
title: Status Test Error Value
description: A test status item for errors.
payload:
statusitemtype: test.error-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.error-value
title: Status item value.
type: <string>
presence: required
content: Status value.
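
Review bot: `test.error-value` is described as `A test status item for errors` but is typed `<string>` with the placeholder `Status value.`. Say what a client returns for it, a string or an error entry in the status report, since that is the only thing that would distinguish it from `test.string-value`.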

@@ -0,0 +1,17 @@
title: Status Test Integer Value
description: A test status item integer.
payload:
statusitemtype: test.integer-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.integer-value
title: Status item value.
type: <integer>
presence: required
content: Status value.

@@ -0,0 +1,17 @@
title: Status Test Real Value
description: A test status item real.
payload:
statusitemtype: test.real-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.real-value
title: Status item value.
type: <real>
presence: required
content: Status value.

@@ -0,0 +1,17 @@
title: Status Test String Value
description: A test status item string.
payload:
statusitemtype: test.string-value
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
tvOS:
introduced: '16.0'
payloadkeys:
- key: test.string-value
title: Status item value.
type: <string>
presence: required
content: Status value.

@@ -8,9 +8,23 @@ payload:
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: required
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
supervised: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
supervised: false
requiresdep: false
content: Check-in protocol declarative management request and response.
payloadkeys:
- key: MessageType

View File

@@ -1,6 +1,12 @@
title: Install Application Command
description: This command allows the server to install an application on a device.
If the app is already being managed, this command will update the app.
If the app is already being managed, this command will update the app. Prior to
iOS 16.0 and tvOS 16.0, this command would return NotNow when Setup Assistant was
running. Starting in iOS 16.0 and tvOS 16.0, the command may be sent to supervised
devices during Setup Assistant. However, you should only attempt to install device-based
VPP apps or enterprise apps while in the awaiting configuration state, as the device
will likely not yet have an App Store account configured, and thus commands that
depend on one will fail.
payload:
requesttype: InstallApplication
supportedOS:
@@ -118,6 +124,24 @@ payloadkeys:
presence: optional
content: A per-app VPN unique identifier for this app. This value is available
in iOS 7 and later, and tvOS 10.2 and later.
- key: ContentFilterUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: Content Filter UUID assigned to this app.
- key: DNSProxyUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: DNS Proxy UUID assigned to this app.
- key: AssociatedDomains
supportedOS:
iOS:
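Review bot: the new ContentFilterUUID and DNSProxyUUID keys are described only as "Content Filter UUID assigned to this app" and "DNS Proxy UUID assigned to this app", so the text doesn't say which configuration the UUID has to match or from which release the key is honoured. The per-app VPN key directly above them states its availability in the content ("This value is available in iOS 7 and later, and tvOS 10.2 and later"). Suggest doing the same here with "Available in iOS 16 and later" and naming the configuration the UUID refers to. Only iOS and tvOS appear under supportedOS, so add a macOS entry if the keys are unsupported there.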
@@ -139,7 +163,7 @@ payloadkeys:
introduced: n/a
type: <boolean>
presence: optional
default: true
default: false
content: If 'true', perform claimed site association verification directly at
the domain instead of on Apple's servers. Only set this to 'true' for domains
that can't access the internet. This value is available in iOS 14 and later.
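Review bot: the default for this key flips from "true" to "false" while its content stays the same, so a reader can't tell whether this corrects the documentation or records a behaviour change. Because 'true' means claimed site association verification happens directly at the domain instead of on Apple's servers, say which it is in the content or the release notes, so a server that omits the key knows whether it now has to set it explicitly. The same default change appears in two later hunks of this commit and needs the same statement there.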

View File

@@ -82,6 +82,7 @@ payloadkeys:
- HasUpdateAvailable
- Identifier
- Installing
- IsAppClip
- IsValidated
- Name
- ShortVersion
@@ -245,3 +246,15 @@ responsekeys:
presence: optional
default: false
content: If 'true', the user canceled the download.
- key: IsAppClip
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the app is an App Clip. Available in iOS 16 and later.

View File

@@ -10,9 +10,23 @@ payload:
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: required
mode: allowed
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
supervised: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
supervised: false
requiresdep: false
content: This command allows the server to turn on the Declarative Management engine
on the device (the first time it is used), or to trigger a Declarative Management
synchronization operation.

View File

@@ -100,6 +100,9 @@ payloadkeys:
If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
'Always':
The system doesn't attempt EACS. T2 and later devices always obliterate.
'Default':
If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
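Review bot: the 'Always' entry says "T2 and later devices always obliterate", but nothing in the hunk defines "obliterate" or says what a device older than T2 does under 'Always'. The neighbouring entries spell out the preflight-fails and EACS-fails cases and the status returned to the server. Suggest describing 'Always' in the same form, including the response status.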

View File

@@ -1,4 +1,4 @@
title: Disable MDM Lost Mode Location
title: Disable MDM Lost Mode Command
description: This command allows the server to take the device out of MDM lost mode.
payload:
requesttype: DisableLostMode

View File

@@ -1,4 +1,4 @@
title: Enable MDM Lost Mode Location
title: Enable MDM Lost Mode Command
description: This command allows the server to put the device in MDM lost mode, with
a message, phone number, and footnote text. A message or phone number must be provided.
payload:

View File

@@ -278,6 +278,7 @@ payloadkeys:
- key: IMEI
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
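Review bot: "deprecated: '16.0'" is added under iOS for IMEI here, and for MEID, ICCID, PhoneNumber, CurrentMCC, CurrentMNC and other keys in the hunks that follow, with no change to any key's content. The documentation therefore doesn't say what a server should query instead, or whether the key still returns a value on iOS 16. Suggest adding a sentence to each deprecated key's content that names its replacement and says what the device returns for the deprecated key.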
@@ -292,6 +293,7 @@ payloadkeys:
- key: MEID
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
@@ -383,11 +385,13 @@ payloadkeys:
supportedOS:
iOS:
introduced: '7.0'
deprecated: '16.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
macOS:
introduced: '10.15'
deprecated: '13.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
@@ -671,6 +675,32 @@ payloadkeys:
introduced: n/a
type: <string>
content: If 'true', the device only allows temporary sessions.
- key: ManagedAppleIDDefaultDomains
supportedOS:
iOS:
introduced: '16.0'
accessrights: AllowQueryDeviceInformation
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
content: |-
The list of domains that the device suggests on the Shared iPad login screen.
Available in iOS 16 and later.
- key: OnlineAuthenticationGracePeriod
supportedOS:
iOS:
introduced: '16.0'
accessrights: AllowQueryDeviceInformation
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
content: |-
The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login.
Available in iOS 16 and later.
- key: PushToken
supportedOS:
iOS:
@@ -734,6 +764,7 @@ payloadkeys:
- key: ICCID
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -791,6 +822,7 @@ payloadkeys:
- key: CurrentCarrierNetwork
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -820,6 +852,7 @@ payloadkeys:
supportedOS:
iOS:
introduced: '5.0'
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -833,6 +866,7 @@ payloadkeys:
- key: CarrierSettingsVersion
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -846,6 +880,7 @@ payloadkeys:
- key: PhoneNumber
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -876,6 +911,7 @@ payloadkeys:
supportedOS:
iOS:
introduced: '5.0'
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -933,6 +969,7 @@ payloadkeys:
supportedOS:
iOS:
introduced: 4.2.6
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -947,6 +984,7 @@ payloadkeys:
supportedOS:
iOS:
introduced: 4.2.6
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -960,6 +998,7 @@ payloadkeys:
- key: CurrentMCC
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -973,6 +1012,7 @@ payloadkeys:
- key: CurrentMNC
supportedOS:
iOS:
deprecated: '16.0'
accessrights: AllowQueryNetworkInformation
userenrollment:
mode: forbidden
@@ -1051,8 +1091,60 @@ payloadkeys:
introduced: n/a
type: <string>
content: The key that represents the device identifier you use to look up available
OS updates via <https://gdmf.apple.com/v2/pmv>. Available in iOS 14.5 and
later.
OS updates through <https://gdmf.apple.com/v2/pmv>. Available in iOS 15 and
later, and macOS 12 and later.
- key: AccessibilitySettings
supportedOS:
iOS:
introduced: '16.0'
supervised: true
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
content: |-
The key to get the current state of settable accessibility settings.
Available in iOS 16 and later.
- key: DevicePropertiesAttestation
supportedOS:
iOS:
introduced: '16.0'
supervised: false
userenrollment:
mode: allowed
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
type: <string>
content: |-
The key to get an attestation of the device's properties.
Available in iOS 16 and later and tvOS 16 and later.
- key: DeviceAttestationNonce
supportedOS:
iOS:
introduced: '16.0'
supervised: false
userenrollment:
mode: allowed
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
type: <data>
presence: optional
content: Up to 32 bytes of data. If this is specified, Queries must contain DevicePropertiesAttestation.
The nonce appears in the resulting attestation to ensure it was recently generated.
To request a new attestation, provide a new nonce. The most recently generated
attestation is cached on the device. Requests for new attestations are rate limited.
If it has been fewer than 7 days since an attestation was generated, the device
returns the cached attestation rather than generating a new one. If DeviceAttestationNonce
is omitted or if the value matches the cached attestation, the cached attestation
is returned. Otherwise a new attestation containing the new nonce is requested
and returned.
responsekeys:
- key: QueryResponses
type: <dictionary>
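Review bot: in the DeviceAttestationNonce content, "If it has been fewer than 7 days since an attestation was generated, the device returns the cached attestation rather than generating a new one" conflicts with the closing "Otherwise a new attestation containing the new nonce is requested and returned". It is unclear what a server receives when it sends a fresh nonce inside the 7-day window. Suggest stating the precedence explicitly and telling servers to compare the nonce in the returned attestation with the one they sent, since a cached attestation doesn't prove freshness. The key is a <data> value listed among the query names, so also say where in the request it belongs. Separately, the availability text for the OS update identifier becomes "iOS 15 and later, and macOS 12 and later" in this hunk, while the matching responsekeys text later in the file still reads "iOS 14.5 and later".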
@@ -1263,6 +1355,8 @@ responsekeys:
available in iOS 4 and later, and macOS 10.7 and later.
- key: IMEI
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1273,6 +1367,8 @@ responsekeys:
later.
- key: MEID
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1361,8 +1457,10 @@ responsekeys:
supportedOS:
iOS:
introduced: '7.0'
deprecated: '16.0'
macOS:
introduced: '10.9'
deprecated: '13.0'
tvOS:
introduced: n/a
type: <boolean>
@@ -1654,6 +1752,33 @@ responsekeys:
introduced: n/a
type: <boolean>
content: If 'true', the device only allows temporary sessions.
- key: ManagedAppleIDDefaultDomains
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <array>
content: |-
The list of domains that the device suggests on the Shared iPad login screen.
Available in iOS 16 and later.
subkeys:
- key: AppleID domain
type: <string>
- key: OnlineAuthenticationGracePeriod
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <real>
content: |-
The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login.
Available in iOS 16 and later.
- key: PushToken
supportedOS:
iOS:
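Review bot: OnlineAuthenticationGracePeriod is typed <real> in this response although its content gives the period "in days", and the Settings command added elsewhere in this commit types the same value as <integer>. Suggest using <integer> here too, or documenting that fractional days can be returned. The ManagedAppleIDDefaultDomains subkey is named "AppleID domain", which reads as a description of the array element rather than a key name.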
@@ -1703,6 +1828,8 @@ responsekeys:
in iOS 14 and later, and tvOS 14 and later.
- key: ICCID
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1730,6 +1857,8 @@ responsekeys:
access right, and is available in macOS 10.7 and later.
- key: CurrentCarrierNetwork
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1751,6 +1880,7 @@ responsekeys:
supportedOS:
iOS:
introduced: '5.0'
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1760,6 +1890,8 @@ responsekeys:
Information access right, and is available in iOS 5 and later.
- key: CarrierSettingsVersion
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1769,6 +1901,8 @@ responsekeys:
Information access right, and is available in iOS 4 and later.
- key: PhoneNumber
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1792,6 +1926,7 @@ responsekeys:
supportedOS:
iOS:
introduced: '5.0'
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1827,6 +1962,7 @@ responsekeys:
supportedOS:
iOS:
introduced: '4.2'
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1858,6 +1994,7 @@ responsekeys:
supportedOS:
iOS:
introduced: 4.2.6
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1869,6 +2006,7 @@ responsekeys:
supportedOS:
iOS:
introduced: 4.2.6
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1878,6 +2016,8 @@ responsekeys:
the Network Information access right, and is available in iOS 4.2.6 and later.
- key: CurrentMCC
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1887,6 +2027,8 @@ responsekeys:
Information access right, and is available in iOS 4 and later.
- key: CurrentMNC
supportedOS:
iOS:
deprecated: '16.0'
macOS:
introduced: n/a
tvOS:
@@ -1976,6 +2118,17 @@ responsekeys:
type: <string>
content: The description of the slot that contains the SIM representing this
subscription. This value is available in iOS 12 and later.
- key: SubscriberCarrierNetwork
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
content: The name of the home carrier network. This value is available in
iOS 16 and later.
- key: PINRequiredForEraseDevice
supportedOS:
iOS:
@@ -2025,3 +2178,76 @@ responsekeys:
content: The key representing the device identifier to be used when looking up
available OS updates via <https://gdmf.apple.com/v2/pmv>. Available in iOS 14.5
and later.
- key: AccessibilitySettings
supportedOS:
iOS:
introduced: '16.0'
supervised: true
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <dictionary>
content: |-
The the current state of settable accessibility settings.
Available in iOS 16 and later.
subkeys:
- key: BoldTextEnabled
type: <boolean>
content: If 'true', device has enabled bold text.
- key: IncreaseContrastEnabled
type: <boolean>
content: If 'true', device has enabled increase contrast.
- key: ReduceMotionEnabled
type: <boolean>
content: If 'true', device has enabled reduced motion.
- key: ReduceTransparencyEnabled
type: <boolean>
content: If 'true', device has enabled reduced transparency.
- key: TextSize
type: <integer>
rangelist:
- -1
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
content: The accessibility text size apps that support dynamic text use. 0 is
the smallest value, and 11 is the largest available.
- key: TouchAccommodationsEnabled
type: <boolean>
content: If 'true', device has enabled touch accommodations.
- key: VoiceOverEnabled
type: <boolean>
content: If 'true', device has enabled voiceover.
- key: ZoomEnabled
type: <boolean>
content: If 'true', device has enabled zoom.
- key: DevicePropertiesAttestation
supportedOS:
iOS:
introduced: '16.0'
supervised: false
userenrollment:
mode: allowed
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
type: <array>
content: |-
The key to get an attestation of the device's properties.
Available in iOS 16 and later and tvOS 16 and later.
subkeys:
- key: AttestationCertificate
type: <data>
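Review bot: the response-side TextSize lists -1 in its rangelist, but its content only says "0 is the smallest value, and 11 is the largest available", so the meaning of -1 is undocumented. Suggest saying what -1 reports. In the same hunk, "The the current state" has a doubled word, and the DevicePropertiesAttestation response content still reads "The key to get an attestation of the device's properties", which describes the query rather than the returned array. AttestationCertificate has no content at all, so the order and encoding of the array elements are left unstated.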

View File

@@ -38,7 +38,8 @@ payloadkeys:
- key: DeviceDNSName
type: <string>
presence: required
content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName.
content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName
or an equivalent in a PKCS12 identity.
- key: PrimaryIPv6AddressList
type: <array>
presence: required

View File

@@ -51,6 +51,28 @@ responsekeys:
type: <string>
presence: optional
content: A per-app VPN unique identifier for this app.
- key: ContentFilterUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: |-
The content Filter UUID assigned to this app.
Available in iOS 16 and later.
- key: DNSProxyUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: |-
The DNS Proxy UUID assigned to this app.
Available in iOS 16 and later.
- key: AssociatedDomains
supportedOS:
iOS:
@@ -72,7 +94,7 @@ responsekeys:
introduced: n/a
type: <boolean>
presence: optional
default: true
default: false
content: If 'true', perform claimed site association verification directly
at the domain instead of on Apple's servers. Only set this to 'true' for
domains that can't access the internet. This value is available in iOS 14

View File

@@ -11,7 +11,7 @@ payload:
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userchannel: true
userenrollment:
mode: allowed
macOS:
@@ -40,6 +40,10 @@ payloadkeys:
iOS:
introduced: '8.0'
supervised: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -76,6 +80,10 @@ payloadkeys:
- key: DataRoaming
supportedOS:
iOS:
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -102,6 +110,11 @@ payloadkeys:
- key: VoiceRoaming
supportedOS:
iOS:
deprecated: '16.0'
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -130,6 +143,10 @@ payloadkeys:
supportedOS:
iOS:
accessrights: AllowQueryNetworkInformation
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -157,6 +174,10 @@ payloadkeys:
iOS:
introduced: '11.3'
supervised: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -188,6 +209,10 @@ payloadkeys:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
macOS:
introduced: '10.15'
accessrights: AllowAppInstallation
@@ -227,6 +252,10 @@ payloadkeys:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
macOS:
introduced: n/a
tvOS:
@@ -260,6 +289,24 @@ payloadkeys:
presence: optional
content: A per-app VPN unique identifier for this app. This value is available
in iOS 7 and later, and tvOS 10.2 and later.
- key: ContentFilterUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: Content Filter UUID assigned to this app.
- key: DNSProxyUUID
supportedOS:
iOS:
introduced: '16.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: DNS Proxy UUID assigned to this app.
- key: AssociatedDomains
supportedOS:
iOS:
@@ -281,7 +328,7 @@ payloadkeys:
introduced: n/a
type: <boolean>
presence: optional
default: true
default: false
content: If 'true', perform claimed site association verification directly
at the domain, instead of on Apple's servers. Only set this to 'true' for
domains that can't access the internet. This value is available in iOS 14
@@ -301,6 +348,10 @@ payloadkeys:
supportedOS:
iOS:
supervised: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -350,6 +401,11 @@ payloadkeys:
content: The hostname for the device.
- key: OrganizationInfo
supportedOS:
iOS:
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
macOS:
introduced: '10.9'
type: <dictionary>
@@ -411,6 +467,10 @@ payloadkeys:
supportedOS:
iOS:
introduced: '7.0'
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
macOS:
introduced: '10.15'
userenrollment:
@@ -554,7 +614,7 @@ payloadkeys:
type: <integer>
presence: optional
content: |-
The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout.
The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout.
Available in iOS 14.5 and later.
- key: TemporarySessionTimeout
supportedOS:
@@ -576,6 +636,28 @@ payloadkeys:
If 'true', the user only sees the Guest Welcome pane and can only log in as a guest user.
If 'false', the user can sign in with a managed Apple ID (the existing behavior).
Available in iOS 14.5 and later.
- key: ManagedAppleIDDefaultDomains
supportedOS:
iOS:
introduced: '16.0'
type: <array>
presence: optional
content: |-
A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple ID.
If this list contains more than 3 domains, the system picks 3 at random for display.Available in iOS 16 and later.
subkeys:
- key: AppleID domain
type: <string>
- key: OnlineAuthenticationGracePeriod
supportedOS:
iOS:
introduced: '16.0'
type: <integer>
presence: optional
content: |-
A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting.
Setting this value to 0 enforces online authentication every time.
Available in iOS 16 and later.
- key: DiagnosticSubmission
supportedOS:
iOS:
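Review bot: OnlineAuthenticationGracePeriod is optional but declares no default and no allowed range. The content therefore doesn't say how long local-only passcode verification continues when the key is never set, or whether an upper bound exists. Suggest documenting both. In ManagedAppleIDDefaultDomains, "for display.Available in iOS 16 and later." is missing the line break that the other content blocks put before the availability sentence.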
@@ -675,6 +757,10 @@ payloadkeys:
iOS:
introduced: '14.0'
supervised: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -705,6 +791,10 @@ payloadkeys:
iOS:
introduced: '14.5'
supervised: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
@@ -737,6 +827,85 @@ payloadkeys:
* '2': Presents only the highest numbered (most recent) release available for the device.
This value has no effect when there's only one available update; the system shows the single available update to the user regardless of the value of this setting.
Available in iOS 14.5 and later.
- key: AccessibilitySettings
supportedOS:
iOS:
introduced: '16.0'
supervised: true
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
subkeys:
- key: Item
type: <string>
presence: required
rangelist:
- AccessibilitySettings
content: Sets various accessibility settings. The system allows only keys with
explicitly provided values.
- key: BoldTextEnabled
type: <boolean>
presence: optional
default: false
content: If 'true', enables bold text.
- key: IncreaseContrastEnabled
type: <boolean>
presence: optional
default: false
content: If 'true', enables increase contrast.
- key: ReduceMotionEnabled
type: <boolean>
presence: optional
default: false
content: If 'true', enables reduced motion.
- key: ReduceTransparencyEnabled
type: <boolean>
presence: optional
default: false
content: If 'true', enables reduced transparency.
- key: TextSize
type: <integer>
presence: optional
rangelist:
- 0
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
default: 4
content: The accessibility text size apps that support dynamic text use. 0 is
the smallest value, and 11 is the largest available.
- key: TouchAccommodationsEnabled
type: <boolean>
presence: optional
default: false
content: If true, enables touch accommodations.
- key: VoiceOverEnabled
type: <boolean>
presence: optional
default: false
content: If true, enables voiceover.
- key: ZoomEnabled
type: <boolean>
presence: optional
default: false
content: If true, enables zoom.
responsekeys:
- key: Settings
type: <dictionary>
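Review bot: the Item content says "The system allows only keys with explicitly provided values", yet every boolean subkey declares "default: false" and TextSize declares "default: 4". This leaves it unclear whether an omitted key is left untouched on the device or reset to that default. Suggest rewording the sentence to say what happens to omitted keys, and dropping the defaults if omitted keys are not applied. The last three descriptions also write "If true" without the quotes the other subkeys use.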

View File

@@ -116,9 +116,10 @@ payloadkeys:
presence: optional
default: false
content: |-
If present and set to 'true', the user cannot delete the profile (unless the profile has a removal password and the user provides it).
On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, admin auth will be required to remove the profile.
On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, MDM profiles can never be removed by a user, not even the admin.
If present and set to 'true', the user can't delete the profile (unless the profile has a removal password and the user provides it).
On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth.
On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, users can never remove MDM profiles, not even the admin.
Requires a supervised device.
- key: PayloadScope
supportedOS:
macOS:
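Review bot: the added final line, "Requires a supervised device.", carries no platform or version, and it follows two sentences that are specifically about macOS 10.15 and manually installed profiles. It isn't clear whether supervision is required on every platform or only outside macOS. Suggest scoping the sentence to the platforms and releases it applies to.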

View File

@@ -119,14 +119,14 @@ payloadkeys:
- key: Camera
type: <array>
presence: optional
content: A system camera. Access to the camera cannot be given in a profile; it
content: A system camera. Access to the camera can't be given in a profile; it
can only be denied.
subkeytype: Identity
subkeys: *id001
- key: Microphone
type: <array>
presence: optional
content: A system microphone. Access to the microphone cannot be given in a profile;
content: A system microphone. Access to the microphone can't be given in a profile;
it can only be denied.
subkeytype: Identity
subkeys: *id001
@@ -191,7 +191,7 @@ payloadkeys:
presence: optional
content: Allows the application to use CoreGraphics and HID APIs to listen to
(receive) CGEvents and HID events from all processes. Access to these events
cannot be given in a profile; it can only be denied.
can't be given in a profile; it can only be denied.
subkeytype: Identity
subkeys: *id001
- key: ScreenCapture
@@ -201,7 +201,7 @@ payloadkeys:
type: <array>
presence: optional
content: Allows the application to capture (read) the contents of the system display.
Access to the contents cannot be given in a profile; it can only be denied.
Access to the contents can't be given in a profile; it can only be denied.
subkeytype: Identity
subkeys: *id001
- key: SpeechRecognition
@@ -259,3 +259,13 @@ payloadkeys:
content: Allows the application to access files on removable volumes.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyAppBundles
supportedOS:
macOS:
introduced: '13.0'
type: <array>
presence: optional
content: Allows the application to update or delete other apps. Available in macOS
13 and later.
subkeytype: Identity
subkeys: *id001

View File

@@ -43,7 +43,8 @@ payloadkeys:
- key: appID
type: <data>
presence: required
content: The identifier of the app.
content: The identifier of the app. Obtain this value from the Security framework
using SecCodeCopyDesignatedRequirement.
- key: detachedSignature
type: <data>
presence: optional
@@ -52,7 +53,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', this app is not added to the allow list.
content: If 'true', this app isn't added to the allow list.
- key: subApps
type: <array>
presence: optional

View File

@@ -114,7 +114,7 @@ payloadkeys:
presence: optional
default: true
content: If 'false', disables incoming AirPlay requests. Requires a supervised device.
Available in tvOS 10.2 and later.
Available in macOS 12.3 and later, and tvOS 10.2 and later.
- key: allowAirPrint
title: Allow AirPrint
supportedOS:
@@ -435,7 +435,7 @@ payloadkeys:
default: true
content: If 'false', disables the camera, and its icon is removed from the Home
screen. Users are unable to take photographs. This restriction is deprecated on
unsupervised devices and will be supervised only in a future release. Available
unsupervised devices and will be supervised only in a future release. Available
in iOS 4 and later, and macOS 10.11 and later.
- key: allowCellularPlanModification
supportedOS:
@@ -501,8 +501,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', disables backing up the device to iCloud. This restriction
is deprecated on unsupervised devices and will be supervised only in a future
content: If 'false', disables backing up the device to iCloud. This restriction
is deprecated on unsupervised devices and will be supervised only in a future
release. Available in iOS 5 and later.
- key: allowCloudBookmarks
supportedOS:
@@ -555,6 +555,8 @@ payloadkeys:
iOS:
introduced: '5.0'
supervised: true
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
@@ -566,7 +568,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', disables document and key-value syncing to iCloud. As of iOS
content: If 'false', disables document and key-value syncing to iCloud. As of iOS
13, this restriction requires a supervised device. Available in iOS 5 and later,
and macOS 10.11 and later.
- key: allowCloudKeychainSync
@@ -586,7 +588,7 @@ payloadkeys:
presence: optional
default: true
content: If 'false', disables iCloud keychain synchronization. This restriction
is deprecated on unsupervised devices and will be supervised only in a future
is deprecated on unsupervised devices and will be supervised only in a future
release. Available in iOS 7 and later and macOS 10.12 and later.
- key: allowCloudMail
supportedOS:
@@ -677,6 +679,7 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
@@ -823,8 +826,8 @@ payloadkeys:
presence: optional
default: true
content: |-
If 'false', disables the 'Enable Restrictions' option in the Restrictions UI in Settings.
In iOS 12 or later, if 'false', disables the 'Enable ScreenTime' option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later.
If 'false', disables the Enable Restrictions option in the Restrictions UI in Settings.
In iOS 12 or later, if 'false', disables the Enable ScreenTime option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later.
- key: allowEnterpriseAppTrust
title: Allow Trusting Enterprise Apps
supportedOS:
@@ -928,7 +931,7 @@ payloadkeys:
default: true
content: If 'false', hides explicit music or video content purchased from the iTunes
Store. Explicit content is marked as such by content providers, such as record
labels, when sold through the iTunes Store. As of iOS 13, requires a supervised
labels, when sold through the iTunes Store. As of iOS 13, requires a supervised
device. Available in iOS 4 and later, and tvOS 11.3 and later.
- key: allowFilesNetworkDriveAccess
supportedOS:
@@ -1486,7 +1489,7 @@ payloadkeys:
content: |-
If 'false', disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps.
This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users.
It does not prevent AutoFill for contact info and credit cards in Safari.
It doesn't prevent AutoFill for contact info and credit cards in Safari.
Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later.
- key: allowPasswordProximityRequests
supportedOS:
@@ -1625,6 +1628,42 @@ payloadkeys:
default: true
content: If 'false', disables Apple Music Radio. Requires a supervised device. Available
in iOS 9.3 and later.
- key: allowRapidSecurityResponseInstallation
title: Allow Rapid Security Response Installation
supportedOS:
iOS:
introduced: '16.0'
supervised: true
userenrollment:
mode: forbidden
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If set to false, rapid security responses can't be installed.
- key: allowRapidSecurityResponseRemoval
title: Allow Rapid Security Response Removal
supportedOS:
iOS:
introduced: '16.0'
supervised: true
userenrollment:
mode: forbidden
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If set to false, rapid security responses can't be removed.
- key: allowRemoteAppPairing
title: Allow pairing with Remote app
supportedOS:
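Review bot: the two new restrictions say only "If set to false, rapid security responses can't be installed" and "... can't be removed", omitting the "Requires a supervised device" and "Available in ..." sentences that neighbouring restrictions carry. This is despite iOS being marked "supervised: true" and the keys being introduced in iOS 16.0 and macOS 13.0. The macOS block has no "supervised" entry, so state whether supervision is needed there. The wording should also use the quoted 'false' form found in the rest of the file.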
@@ -1705,7 +1744,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', temporary sessions are not available on Shared iPad. Available
content: If 'false', temporary sessions aren't available on Shared iPad. Available
in iOS 13.4 and later.
- key: allowSharedStream
title: Allow Shared Stream
@@ -1800,7 +1839,9 @@ payloadkeys:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
@@ -1808,7 +1849,22 @@ payloadkeys:
default: true
content: If 'false', prohibits the user from installing configuration profiles and
certificates interactively. Requires a supervised device. Available in iOS 6 and
later.
later and macOS 13 and later.
- key: allowUniversalControl
title: Allow Universal Control
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'false', disables Universal Control. Available in macOS 13 and later.
- key: allowUnmanagedToReadManagedContacts
title: Allow unmanaged apps to read managed contacts accounts
supportedOS:
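Review bot: In the updated description for interactive profile installation, "Requires a supervised device." now precedes "Available in iOS 6 and later and macOS 13 and later", so it reads as a macOS requirement too, yet the macOS entry added in the preceding hunk carries only 'introduced' and 'userenrollment'. If supervision applies to iOS only, scope it the way the software update delay key further down does ("Requires a supervised device in iOS and tvOS.").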
@@ -1866,14 +1922,18 @@ payloadkeys:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
introduced: '13.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'false', allows the device to always connect to USB accessories while
locked. Requires a supervised device. Available in iOS 11.4.1 and later.
content: |-
If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization.
This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later.
- key: allowVideoConferencing
title: Allow Video Conferencing
supportedOS:
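Review bot: The rewritten 'content' documents only the 'false' case, and the new macOS sentence ("allows new USB accessories to connect without authorization") leaves the behaviour of the default 'true' on macOS to be inferred. Suggest stating what 'true' enforces on each platform, and scoping "Requires a supervised device" to iOS if the macOS entry, which has no 'supervised' flag, does not need it.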
@@ -2043,7 +2103,7 @@ payloadkeys:
max: 90
default: 30
content: |-
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'.
Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'.
Requires a supervised device in iOS and tvOS.
Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later.
- key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay
@@ -2399,7 +2459,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', limits ad tracking. Available in iOS 7 and later.
content: |-
If 'true', limits ad tracking. Additionally, it disables app tracking and the Allow Apps To Request To Track setting.
Available in iOS 7 and later.
- key: forceOnDeviceOnlyDictation
supportedOS:
iOS:
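Review bot: The added sentence says the key also disables app tracking and the Allow Apps To Request To Track setting, but the availability line still reads only "Available in iOS 7 and later", so a reader cannot tell from which release the extra behaviour applies. Suggest naming the version for that behaviour, or confirming that it holds for every release the key supports.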

View File

@@ -37,7 +37,7 @@ payloadkeys:
presence: required
content: |-
The domains to be associated with the app. Each string is in the form of ''service:domain''. Domains should be fully qualified hostnames, like 'www.example.com'.
See Supporting Associated Domains for more information.
See Supporting associated domains for more information.
subkeys:
- key: AssociatedDomain
type: <string>

View File

@@ -181,3 +181,15 @@ payloadkeys:
* '2': IPv6
* '3': Both
Available in iOS 10.3 and later.
- key: EnableXLAT464
title: Enable XLAT464
supportedOS:
iOS:
introduced: '16.0'
watchOS:
introduced: '9.0'
type: <boolean>
presence: optional
default: false
content: If 'true', enables XLAT464. Available in iOS 16 and later and watchOS
9 and later.
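Review bot: The 'content' for 'EnableXLAT464' only restates the key name ("If 'true', enables XLAT464") and does not say what the device does differently when it is set. Suggest one sentence describing the effect and how it interacts with the protocol mask values listed just above ('2': IPv6, '3': Both).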

View File

@@ -12,7 +12,7 @@ payload:
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
mode: allowed
macOS:
introduced: '10.15'
devicechannel: true
@@ -22,8 +22,9 @@ payload:
allowmanualinstall: true
userenrollment:
mode: forbidden
content: As of iOS 15.0 this payload can now be installed on unsupervised devices
via MDM and can now only be installed via MDM.
content: As of iOS 15.0 this payload can be installed on unsupervised devices via
MDM and can only be installed via MDM. As of iOS 16.0, this can be installed on
User Enrollments via MDM if DNSProxyUUID is specified.
payloadkeys:
- key: AppBundleIdentifier
title: App Bundle Identifier
@@ -47,3 +48,15 @@ payloadkeys:
type: <any>
presence: optional
content: Key/value pairs.
- key: DNSProxyUUID
title: DNS Proxy UUID
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
type: <string>
presence: optional
content: A globally-unique identifier for this DNS proxy configuration. Managed
apps with the same 'DNSProxyUUID' in their app attributes have their DNS lookups
traffic processed by the proxy.
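Review bot: 'DNSProxyUUID' is declared "presence: optional", yet the payload description in the previous hunk makes it the condition for installing on User Enrollments, and the iOS 'userenrollment' mode is now 'allowed' without qualification. Suggest stating in this key's 'content' that it is required on User Enrollments and what happens when it is absent there. "DNS lookups traffic" also has one word too many.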

View File

@@ -29,8 +29,8 @@ payloadkeys:
type: <array>
presence: optional
content: |-
An array of domains. Email addresses that lack a suffix matching any of these strings are considered out of domain and marked in Mail.
This is the only field supported on macOS.
An array of domains. The system considers email addresses that lack a suffix matching any of these strings out of domain and marked in Mail.
Available in iOS 8 and later and macOS 10.10 and later.
subkeys:
- key: EmailDomainsItem
type: <string>
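Review bot: The reworded sentence no longer parses: "The system considers email addresses ... out of domain and marked in Mail" leaves "marked" without a verb form that fits. Suggest "The system considers email addresses that lack a suffix matching any of these strings out of domain and marks them in Mail." The hunk also drops "This is the only field supported on macOS." and the replacement availability line does not say which other fields macOS ignores.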
@@ -43,8 +43,9 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: An array of domains. URLs matching the patterns listed here are considered
managed.
content: |-
An array of domains. The system considers URLs matching the patterns listed in this property managed.
Available in iOS 9.3 and later.
subkeys:
- key: WebDomainsItem
type: <string>

View File

@@ -42,14 +42,14 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices.
The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices. This property supports PKCS12 certificates.
This key is required to configure Classroom. It does not impact the configuration of the Shared iPad login screen.
- key: LeaderPayloadCertificateAnchorUUID
type: <array>
presence: optional
content: |-
The array of UUIDs referring to certificate payloads within the same profile that are used to authorize leader peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Leader certificates must have the common name prefix leader (case insensitive).
Note: Identity payloads aren't supported.
Note: This property doesn't support identity payloads or PKCS12 certificates.
This key is required when configuring a student device for Classroom, and is ignored when configuring an instructor device. It does not impact the configuration of the Shared iPad login screen.
subkeys:
- key: LeaderPayloadCertificateAnchorUUIDItem
@@ -61,7 +61,7 @@ payloadkeys:
presence: optional
content: |-
The array of UUIDs referring to certificate payloads within the same profile that are used to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive).
Note: Identity payloads aren't supported.
Note: This property doesn't support identity payloads or PKCS12 certificates.
This key is required when configuring an instructor device for Classroom, and is ignored when configuring a student device. It does not impact the configuration of the Shared iPad login screen.
subkeys:
- key: MemberPayloadCertificateAnchorUUIDItem

View File

@@ -342,6 +342,42 @@ payloadkeys:
type: <string>
presence: required
content: A host or domain name in the format of [protocol/]hostname[:port][/path]
- key: usePlatformSSOTGT
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: false
content: |-
If 'true', requires this configuration uses a TGT from Platform SSO instead of requesting a new one.
Available in macOS 13 and later.
- key: allowPlatformSSOAuthFallback
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: true
content: |-
If 'true' and 'usePlatformSSOTGT' is 'true', allows the user to manually sign in.
Available in macOS 13 and later.
- key: performKerberosOnly
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory.
Available in macOS 13 and later.
- key: Hosts
type: <array>
presence: optional
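Review bot: 'performKerberosOnly' declares iOS "introduced: '16.0'", but its 'content' ends with "Available in macOS 13 and later." and never mentions iOS, so one of the two is wrong. In 'usePlatformSSOTGT', "requires this configuration uses a TGT" should read "requires that this configuration use a TGT", and 'allowPlatformSSOAuthFallback' does not say what happens when it is 'false' and no Platform SSO TGT is available.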

View File

@@ -117,3 +117,28 @@ payloadkeys:
type: <string>
presence: required
content: The bundle identifier of the app.
- key: AuthenticationMethod
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.0'
type: <string>
presence: optional
rangelist:
- Password
- UserSecureEnclaveKey
content: |-
The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method.
Available in macOS 13 and later.
- key: RegistrationToken
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.0'
type: <string>
presence: optional
content: |-
The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'AuthenticationMethod' isn't empty.
Available in macOS 13 and later.
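Review bot: 'RegistrationToken' requires that 'AuthenticationMethod' isn't empty, but 'AuthenticationMethod' is "presence: optional" with no 'default', so the schema does not say what the extension does when the method is omitted or when a token is supplied without one. Suggest documenting the omitted case on 'AuthenticationMethod' and stating on 'RegistrationToken' whether the profile is rejected or the token ignored.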

View File

@@ -21,7 +21,10 @@ payloadkeys:
type: <string>
presence: optional
content: The UUID certificate for the device. This key indicates the device can
receive 'PowerON', 'PowerOFF', and 'Reset' requests from a LOM controller.
receive 'PowerON', 'PowerOFF', and 'Reset' requests from a LOM controller. This
certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment
and Data Encipherment. As well as the Extended Key Usage attributes of Server
Authentication and Client Authentication.
- key: ControllerCertificateUUID
title: Controller Certificate payload UUID
type: <string>
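Review bot: The added certificate requirement ends in a sentence fragment ("As well as the Extended Key Usage attributes of Server Authentication and Client Authentication."). Suggest folding it into one sentence: "This certificate must contain the Key Usage attributes Digital Signature, Key Encipherment, and Data Encipherment, and the Extended Key Usage attributes Server Authentication and Client Authentication."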
@@ -42,8 +45,9 @@ payloadkeys:
title: CA certificate payload UUIDs
type: <array>
presence: optional
content: Array of payload UUIDs containing CA certificates that devices use to evaluate
trust of controller certificates.
content: |-
Array of payload UUIDs containing CA certificates that devices use to evaluate trust of controller certificates.
This key configures the device to accept the LOMDeviceRequestCommand from MDM and then send it to the target device. This certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment and Data Encipherment. As well as the Extended Key Usage attributes of Server Authentication and Client Authentication.
subkeys:
- key: ControllerCACertificateUUIDsItem
type: <string>
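Review bot: The text added to the CA certificate array repeats the requirement from the device certificate key word for word, and "This certificate" has no clear referent in a key that holds an array of CA certificate payload UUIDs. Please confirm whether the Key Usage and Extended Key Usage attributes are meant for the CA certificates or for the controller certificate they validate, and name that certificate explicitly.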

View File

@@ -30,9 +30,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', allows a simple passcode. A simple passcode contains repeated
characters, or increasing or decreasing characters (such as '123' or 'CBA'). Setting
this value to false has the same result as setting 'minComplexChars' to '1'.
content: If 'false', prevents use of a simple passcode. A simple passcode contains
repeated characters, or increasing or decreasing characters (such as '123' or
'CBA').
- key: forcePIN
title: Require Passcode on Device
supportedOS:

View File

@@ -0,0 +1,150 @@
title: ACME Certificate
description: Use this section to define settings to have an ACME server issue a client
certificate.
payload:
payloadtype: com.apple.security.acme
supportedOS:
iOS:
introduced: '16.0'
supervised: false
allowmanualinstall: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
tvOS:
introduced: '16.0'
supervised: false
allowmanualinstall: true
content: Use this payload to specify settings that allow the device to request a
client certificate from an ACME server. The device generates an asymmetric key
pair based upon the KeyType, KeySize, and HardwareBound fields. If attest is true
it requests an attestation of the key and device properties. Then it communicates
with the ACME server to authenticate the device, provide the attestation, and
request a matching certificate based upon the ClientIdentifier, Subject, SubjectAltName,
KeyUsage, and ExtendedKeyUsage fields. The ACME server issues a certificate and
the device installs it in the keychain. Other payloads can reference the resulting
client identity by the payload's PayloadUUID.
payloadkeys:
- key: DirectoryURL
title: ACME directory URL
type: <string>
presence: required
content: The directory URL of the ACME server. The URL must use the https scheme.
- key: ClientIdentifier
title: Client identifier
type: <string>
presence: required
content: A unique string identifying a specific device. The server may use this
as a nonce to prevent issuing multiple certificates. This identifier also indicates
to the ACME server that the device has access to a valid client identifier issued
by the enterprise infrastructure. This can help the ACME server determine whether
to trust the device. Though this is a relatively weak indication because of the
risk that an attacker can intercept the client identifier.
- key: KeySize
title: Key Size
type: <integer>
presence: required
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
See those keys for specific requirements.
- key: KeyType
title: Key Type
type: <string>
presence: required
rangelist:
- RSA
- ECSECPrimeRandom
content: |-
The type of key pair to generate.
* 'RSA': Specifies an RSA key pair. RSA key pairs must have a KeySize in the range [1024..4096] inclusive and a multiple of 8, and 'HardwareBound' must be false.
* 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4. KeySize defines the particular curve, which must be 192, 256, 384 or 521. Hardware bound keys only support values of 256 and 384. Note that the key size is 521, not 512, even though the other key sizes are multiples of 64.
- key: HardwareBound
title: Hardware Bound
type: <boolean>
presence: required
content: |-
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key.
If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to:
[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]
Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
type: <array>
subkeys:
- key: SCEPSubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: SCEPSubjectArrayPairItem
title: SCEP Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: The Subject Alt Name that the device requests for the certificate that
the ACME server issues. The ACME server may override or ignore this field in the
certificate it issues.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 (email address) string.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The Uniform Resource Identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
- key: UsageFlags
title: Key Usage
type: <integer>
presence: optional
content: |-
This value is a bit field.
* Bit '0x01' indicates digital signature.
* Bit '0x10' indicates key agreement.
The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
- key: ExtendedKeyUsage
title: Extended Key Usage
type: <array>
presence: optional
content: |-
The value is an array of strings. Each string is an OID in dotted notation. For instance, [”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”] indicates client authentication and email protection.
The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
subkeys:
- key: OID
type: <string>
presence: optional
- key: Attest
title: Attest
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
When 'Attest' is 'true', 'HardwareBound' must also be 'true'.
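Review bot: The payload 'content' refers to fields under names the schema does not use: it says "If attest is true" and "KeyUsage, and ExtendedKeyUsage fields", while the keys are 'Attest' and 'UsageFlags'. The 'Subject' subkeys are still called 'SCEPSubjectArrayInnerArray', 'SCEPSubjectArrayPair' and 'SCEPSubjectArrayPairItem' with SCEP titles, and the examples in 'Subject' and 'ExtendedKeyUsage' use typographic quotes (”C”, “US”) that will not paste as valid strings. Since 'KeyType' 'RSA' accepts a 'KeySize' from 1024, a line of guidance on the minimum size for new deployments would help.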

View File

@@ -0,0 +1,52 @@
title: Service Management - Managed Login Items
description: Control the user experience for ServiceManagement login items (including
launchd agents and daemons) in Login Items Settings.
payload:
payloadtype: com.apple.servicemanagement
supportedOS:
macOS:
introduced: '13.0'
devicechannel: true
userchannel: false
requiresdep: false
userapprovedmdm: true
allowmanualinstall: false
userenrollment:
mode: forbidden
content: This payload defines rules for tagging login items as managed, which will
auto-enable and auto-allow matched items.
payloadkeys:
- key: Rules
title: Rules
type: <array>
presence: required
content: An array of rule dictionaries.
subkeys:
- key: Rule
title: Rule
type: <dictionary>
presence: required
content: A specification for matching one or more login items.
subkeys:
- key: RuleType
title: Rule Type
type: <string>
presence: required
rangelist:
- BundleIdentifier
- BundleIdentifierPrefix
- Label
- LabelPrefix
- TeamIdentifier
content: The type of comparision to make.
- key: RuleValue
title: Rule Value
type: <string>
presence: required
content: The value to compare with each login item's value, to determine a match
to this rule.
- key: Comment
title: Comment
type: <string>
presence: optional
content: An optional description of the rule.
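Review bot: 'RuleType' and 'RuleValue' do not say which attribute of a login item each type is compared against or how the two prefix types match, which matters because the payload description says matched items are auto-enabled and auto-allowed. Suggest one line per 'rangelist' value, and fix the spelling "comparision" in the 'RuleType' description.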

View File

@@ -4,6 +4,7 @@ payload:
supportedOS:
macOS:
introduced: '10.7'
deprecated: '13.0'
devicechannel: true
userchannel: true
requiresdep: false
@@ -12,13 +13,15 @@ payload:
userenrollment:
mode: forbidden
content: |-
Hide and show individual System Preference panes.
Hide and show individual System Preferences panes.
The following preference pane items are no longer supported on macOS 10.14:
• com.apple.preferences.appstore
The following preference pane items are no longer supported on macOS 10.15:
• com.apple.preference.ink
• com.apple.preferences.icloud
• com.apple.preferences.parentalcontrols
This payload is deprecated as of macOS 13. When new restrictions become available to control functionality exposed through System Settings, those restrictions should be used instead of disabling the entire preference pane. This allows for user transparency even when the user's control has been disabled by a restriction.
macOS 13 introduces a new DisabledSystemSettings key for controlling macOS 13 and newer System Settings extensions. However, note that System Settings extensions within the Privacy & Security section cannot be disabled. If DisabledSystemSettings is not provided, the system will attempt to honor the EnabledPreferencePanes and DisabledPreferencePanes by mapping the old preference pane value to one or more new settings extension values whose content was wholly contained in the old preference pane value.
payloadkeys:
- key: EnabledPreferencePanes
type: <array>
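Review bot: The new description marks the payload as deprecated as of macOS 13 and, in the next paragraph, introduces 'DisabledSystemSettings' as new in macOS 13 within the same payload, so it is unclear whether administrators should adopt the key or move away from the payload. Suggest saying explicitly which keys are deprecated, if only the legacy 'EnabledPreferencePanes' and 'DisabledPreferencePanes' are meant, and stating what happens when a legacy pane value has no mapping to a settings extension.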
@@ -76,3 +79,65 @@ payloadkeys:
presence: optional
content: The list of disabled System Preferences panes.
subkeys: *id001
- key: DisabledSystemSettings
supportedOS:
macOS:
introduced: '13.0'
type: <array>
presence: optional
content: System settings extension IDs for items that will be disabled. All other
items will be enabled. When DisabledSystemSettings is specified, DisabledPreferencePanes
and EnabledPreferencePanes are ignored. Note that a given System Settings extension
may supply more than one section in System Settings; disabling such an extension
will disable all sections it supplies.
devpubs-override: The list of disabled System Settings extensions.
subkeys:
- key: SettingsExtensions
type: <string>
presence: optional
rangelist:
- com.apple.Accessibility-Settings.extension
- com.apple.AirDrop-Handoff-Settings.extension
- com.apple.Battery-Settings.extension
- com.apple.BluetoothSettings
- com.apple.CD-DVD-Settings.extension
- com.apple.ClassKit-Settings.extension
- com.apple.Classroom-Settings.extension
- com.apple.ControlCenter-Settings.extension
- com.apple.Date-Time-Settings.extension
- com.apple.Desktop-Settings.extension
- com.apple.Displays-Settings.extension
- com.apple.ExtensionsPreferences
- com.apple.Family-Settings.extension
- com.apple.Focus-Settings.extension
- com.apple.Game-Center-Settings.extension
- com.apple.Game-Controller-Settings.extension
- com.apple.HeadphoneSettings
- com.apple.Internet-Accounts-Settings.extension
- com.apple.Keyboard-Settings.extension
- com.apple.Localization-Settings.extension
- com.apple.Lock-Screen-Settings.extension
- com.apple.LoginItems-Settings.extension
- com.apple.Mouse-Settings.extension
- com.apple.Network-Settings.extension
- com.apple.NetworkExtensionSettingsUI.NESettingsUIExtension
- com.apple.Notifications-Settings.extension
- com.apple.Passwords-Settings.extension
- com.apple.Print-Scan-Settings.extension
- com.apple.Screen-Time-Settings.extension
- com.apple.ScreenSaver-Settings.extension
- com.apple.Sharing-Settings.extension
- com.apple.Siri-Settings.extension
- com.apple.Software-Update-Settings.extension
- com.apple.Sound-Settings.extension
- com.apple.Startup-Disk-Settings.extension
- com.apple.Time-Machine-Settings.extension
- com.apple.Touch-ID-Settings.extension
- com.apple.Trackpad-Settings.extension
- com.apple.Transfer-Reset-Settings.extension
- com.apple.Users-Groups-Settings.extension
- com.apple.WalletSettingsExtension
- com.apple.Wallpaper-Settings.extension
- com.apple.settings.Storage
- com.apple.systempreferences.AppleIDSettings
- com.apple.wifi-settings-extension

View File

@@ -5,6 +5,7 @@ payload:
supportedOS:
macOS:
introduced: '10.7'
deprecated: '11.0'
devicechannel: true
userchannel: true
requiresdep: false

View File

@@ -99,7 +99,7 @@ payloadkeys:
type: <array>
presence: optional
content: |-
An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the 'apple-app-site-association' file, as described in Supporting Associated Domains.
An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the 'apple-app-site-association' file, as described in Supporting associated domains.
Available in iOS 14 and later, and macOS 11 and later.
subkeys:
- key: AssociatedDomainsItem

View File

@@ -5,14 +5,14 @@ payload:
supportedOS:
iOS:
introduced: '7.0'
supervised: true
supervised: false
allowmanualinstall: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
mode: allowed
macOS:
introduced: '10.15'
devicechannel: true
@@ -22,6 +22,9 @@ payload:
allowmanualinstall: true
userenrollment:
mode: forbidden
content: As of iOS 16.0, this can be installed on Device Enrollments and User Enrollments
if ContentFilterUUID is specified. Previously it could only be installed on supervised
devices.
payloadkeys:
- key: FilterType
title: FilterType
@@ -281,3 +284,15 @@ payloadkeys:
content: |-
This value is for deriving the relative order of content filters. Filters with a grade of 'firewall' see network traffic before filters with a grade of 'inspector'. The system doesn't define the order of filters within a grade.
Available in macOS 10.15 and later.
- key: ContentFilterUUID
title: Content Filter UUID
supportedOS:
iOS:
introduced: '16.0'
macOS:
introduced: n/a
type: <string>
presence: optional
content: A globally-unique identifier for this content filter configuration. Managed
apps with the same 'ContentFilterUUID' in their app attributes have their network
traffic processed by the content filter.
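Review bot: 'ContentFilterUUID' is "presence: optional", while the payload description added earlier in this file makes it the condition for installing on Device Enrollments and User Enrollments, and the iOS metadata now reads "supervised: false" and 'userenrollment' "mode: allowed" without qualification. Suggest stating on this key that it is required on unsupervised and user-enrolled devices, and whether a filter without it still applies device-wide on supervised devices.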