From 0340fd30e0bf820ded4797aa658a3ba8b6ab6c6e Mon Sep 17 00:00:00 2001 
From: Cyrus Daboo
Date: Tue, 13 Sep 2022 21:21:03 -0400
Subject: [PATCH] Release_iOS-16
---
README.md | 7 +-
.../declarations/activations/simple.yaml | 4 +
.../assets/credential.userpassword.yaml | 4 +
.../credentials/usernameandpassword.yaml | 4 +
.../declarations/assets/useridentity.yaml | 4 +
.../configurations/account.caldav.yaml | 14 ++
.../configurations/account.carddav.yaml | 14 ++
.../configurations/account.exchange.yaml | 14 ++
.../configurations/account.google.yaml | 14 ++
.../configurations/account.ldap.yaml | 14 ++
.../configurations/account.mail.yaml | 14 ++
.../account.subscribed-calendar.yaml | 10 +
.../configurations/legacy.interactive.yaml | 16 +-
.../declarations/configurations/legacy.yaml | 18 +-
.../management.status-subscriptions.yaml | 14 ++
.../configurations/management.test.yaml | 14 ++
.../configurations/passcode.settings.yaml | 10 +
declarative/declarations/declarationbase.yaml | 4 +
.../management/organization-info.yaml | 4 +
.../declarations/management/properties.yaml | 17 ++
.../management/server-capabilities.yaml | 4 +
.../protocol/declarationitemsresponse.yaml | 4 +
declarative/protocol/statusreport.yaml | 4 +
declarative/protocol/tokensresponse.yaml | 4 +
declarative/status/account.list.caldav.yaml | 70 ++++++
declarative/status/account.list.carddav.yaml | 60 +++++
declarative/status/account.list.exchange.yaml | 86 +++++++
declarative/status/account.list.google.yaml | 71 ++++++
declarative/status/account.list.ldap.yaml | 65 +++++
.../status/account.list.mail.incoming.yaml | 70 ++++++
.../status/account.list.mail.outgoing.yaml | 60 +++++
.../account.list.subscribed-calendar.yaml | 58 +++++
.../device.identifier.serial-number.yaml | 21 ++
.../status/device.identifier.udid.yaml | 23 ++
declarative/status/device.model.family.yaml | 4 +
.../status/device.model.identifier.yaml | 4 +
.../status/device.model.marketing-name.yaml | 7 +-
...device.operating-system.build-version.yaml | 4 +
.../device.operating-system.family.yaml | 4 +
...evice.operating-system.marketing-name.yaml | 4 +
.../device.operating-system.version.yaml | 4 +
.../management.client-capabilities.yaml | 4 +
.../status/management.declarations.yaml | 4 +
declarative/status/mdm.app.yaml | 78 ++++++
declarative/status/passcode.is-compliant.yaml | 20 ++
declarative/status/passcode.is-present.yaml | 21 ++
declarative/status/statusreason.yaml | 4 +
declarative/status/test.array-value.yaml | 32 +++
declarative/status/test.boolean-value.yaml | 17 ++
declarative/status/test.dictionary-value.yaml | 29 +++
declarative/status/test.error-value.yaml | 17 ++
declarative/status/test.integer-value.yaml | 17 ++
declarative/status/test.real-value.yaml | 17 ++
declarative/status/test.string-value.yaml | 17 ++
mdm/checkin/declarativemanagement.yaml | 18 +-
mdm/commands/application.install.yaml | 28 ++-
mdm/commands/application.installed.list.yaml | 13 +
mdm/commands/declarativemanagement.yaml | 18 +-
mdm/commands/device.erase.yaml | 3 +
mdm/commands/device.lostmode.disable.yaml | 2 +-
mdm/commands/device.lostmode.enable.yaml | 2 +-
mdm/commands/information.device.yaml | 230 +++++++++++++++++-
mdm/commands/lom.devicerequest.yaml | 3 +-
.../managed.application.attributes.yaml | 24 +-
mdm/commands/settings.yaml | 175 ++++++++++++-
mdm/profiles/TopLevel.yaml | 7 +-
...pple.TCC.configuration-profile-policy.yaml | 18 +-
.../com.apple.applicationaccess.new.yaml | 5 +-
mdm/profiles/com.apple.applicationaccess.yaml | 98 ++++++--
.../com.apple.associated-domains.yaml | 2 +-
mdm/profiles/com.apple.cellular.yaml | 12 +
mdm/profiles/com.apple.dnsProxy.managed.yaml | 19 +-
mdm/profiles/com.apple.domains.yaml | 9 +-
mdm/profiles/com.apple.education.yaml | 6 +-
.../com.apple.extensiblesso(kerberos).yaml | 36 +++
mdm/profiles/com.apple.extensiblesso.yaml | 25 ++
mdm/profiles/com.apple.lom.yaml | 10 +-
...com.apple.mobiledevice.passwordpolicy.yaml | 6 +-
mdm/profiles/com.apple.security.acme.yaml | 150 ++++++++++++
mdm/profiles/com.apple.servicemanagement.yaml | 52
++++
mdm/profiles/com.apple.systempreferences.yaml | 67 ++++-
mdm/profiles/com.apple.systemuiserver.yaml | 1 +
.../com.apple.vpn.managed.applayer.yaml | 2 +-
mdm/profiles/com.apple.webcontent-filter.yaml | 19 +-
84 files changed, 2109 insertions(+), 73 deletions(-)
create mode 100644 declarative/declarations/management/properties.yaml
create mode 100644 declarative/status/account.list.caldav.yaml
create mode 100644 declarative/status/account.list.carddav.yaml
create mode 100644 declarative/status/account.list.exchange.yaml
create mode 100644 declarative/status/account.list.google.yaml
create mode 100644 declarative/status/account.list.ldap.yaml
create mode 100644 declarative/status/account.list.mail.incoming.yaml
create mode 100644 declarative/status/account.list.mail.outgoing.yaml
create mode 100644 declarative/status/account.list.subscribed-calendar.yaml
create mode 100644 declarative/status/device.identifier.serial-number.yaml
create mode 100644 declarative/status/device.identifier.udid.yaml
create mode 100644 declarative/status/mdm.app.yaml
create mode 100644 declarative/status/passcode.is-compliant.yaml
create mode 100644 declarative/status/passcode.is-present.yaml
create mode 100644 declarative/status/test.array-value.yaml
create mode 100644 declarative/status/test.boolean-value.yaml
create mode 100644 declarative/status/test.dictionary-value.yaml
create mode 100644 declarative/status/test.error-value.yaml
create mode 100644 declarative/status/test.integer-value.yaml
create mode 100644 declarative/status/test.real-value.yaml
create mode 100644 declarative/status/test.string-value.yaml
create mode 100644 mdm/profiles/com.apple.security.acme.yaml
create mode 100644 mdm/profiles/com.apple.servicemanagement.yaml
diff --git a/README.md b/README.md
index 963bb38..4e08a09 100644
--- a/README.md
+++ b/README.md
@@ -8,10 +8,9 @@ This release corresponds to the following OS versions
 | OS | Version |
 |---------|---------|
-| iOS | 15.4 |
-| macOS | 12.3 |
-| tvOS | 15.4 |
-| watchOS | 8.5 |
+| iOS | 16.0 |
+| tvOS | 16.0 |
+| watchOS | 9.0 |
 ## What's Available
diff --git a/declarative/declarations/activations/simple.yaml b/declarative/declarations/activations/simple.yaml
index 417250e..b07b98d 100644
--- a/declarative/declarations/activations/simple.yaml
+++ b/declarative/declarations/activations/simple.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: StandardConfigurations
 type:
diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml
index e4d5a00..45a9e0b 100644
--- a/declarative/declarations/assets/credential.userpassword.yaml
+++ b/declarative/declarations/assets/credential.userpassword.yaml
@@ -6,6 +6,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Reference
 type:
diff --git a/declarative/declarations/assets/credentials/usernameandpassword.yaml b/declarative/declarations/assets/credentials/usernameandpassword.yaml
index 4ae0d05..d2b3c99 100644
--- a/declarative/declarations/assets/credentials/usernameandpassword.yaml
+++ b/declarative/declarations/assets/credentials/usernameandpassword.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: UserName
 type:
diff --git a/declarative/declarations/assets/useridentity.yaml b/declarative/declarations/assets/useridentity.yaml
index 0510ce5..dad12ef 100644
--- a/declarative/declarations/assets/useridentity.yaml
+++ b/declarative/declarations/assets/useridentity.yaml
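Review bot: The `macOS: introduced: '13.0'` entry added under supportedOS in the simple.yaml hunk (and repeated in the credential.userpassword and usernameandpassword hunks on this line, and in every declaration and status hunk later in the patch) is not reflected in the release table, which this same patch changes to list only iOS 16.0, tvOS 16.0 and watchOS 9.0 after removing the macOS 12.3 row. A reader of the README will conclude macOS is out of scope for this release while the schema files say macOS 13.0 is supported. Either the README table should carry a `| macOS | 13.0 |` row, or the macOS entries should be marked as forward-looking so the two sources agree.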
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: FullName
 title: Full Name
diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml
index 96c6a92..0d0f01f 100644
--- a/declarative/declarations/configurations/account.caldav.yaml
+++ b/declarative/declarations/configurations/account.caldav.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: A CalDAV configuration defines a CalDAV calendar and reminders account for a user.
 payloadkeys:
diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml
index c0e13ea..777e00a 100644
--- a/declarative/declarations/configurations/account.carddav.yaml
+++ b/declarative/declarations/configurations/account.carddav.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: A CardDAV configuration defines a CardDAV contacts account for a user.
 payloadkeys:
 - key: VisibleName
diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml
index bb24270..7e1329d 100644
--- a/declarative/declarations/configurations/account.exchange.yaml
+++ b/declarative/declarations/configurations/account.exchange.yaml
@@ -6,6 +6,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: This payload configures an Exchange ActiveSync account on an iOS device.
 payloadkeys:
 - key: VisibleName
diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml
index 7c619e0..3ed2386 100644
--- a/declarative/declarations/configurations/account.google.yaml
+++ b/declarative/declarations/configurations/account.google.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: A Google configuration defines a Google account for a user. The user will be prompted to enter their credentials shortly after the configuration successfully installs.
diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml
index 32bea36..8c51bc8 100644
--- a/declarative/declarations/configurations/account.ldap.yaml
+++ b/declarative/declarations/configurations/account.ldap.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: An LDAP configuration defines an LDAP directory account for a user.
 payloadkeys:
 - key: VisibleName
diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml
index e8eeb76..2a9d9b4 100644
--- a/declarative/declarations/configurations/account.mail.yaml
+++ b/declarative/declarations/configurations/account.mail.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: n/a
 content: An email configuration defines an email account for a user.
 payloadkeys:
 - key: VisibleName
diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml
index 769c0d4..09a2332 100644
--- a/declarative/declarations/configurations/account.subscribed-calendar.yaml
+++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml
@@ -5,6 +5,16 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
 content: A subscribed calendar configuration defines a subscribed calendar for a user.
 payloadkeys:
diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml
index f055b03..96051a0 100644
--- a/declarative/declarations/configurations/legacy.interactive.yaml
+++ b/declarative/declarations/configurations/legacy.interactive.yaml
@@ -6,14 +6,26 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: forbidden
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: ProfileURL
 title: Profile's URL.
 type:
 presence: required
 content: |-
- The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
- If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
+ The URL of the profile to download and install. This must be an 'https://' URL.
+ If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
 - key: VisibleName
 title: Configuration Visible Name
 type:
diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml
index 06e0ce8..222df33 100644
--- a/declarative/declarations/configurations/legacy.yaml
+++ b/declarative/declarations/configurations/legacy.yaml
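Review bot: The rewritten `content` block for `ProfileURL` drops the sentence that said account and passcode payloads inside the downloaded profile are silently ignored, and the new text no longer says what happens to them; since this key is what points a device at an externally hosted `https://` profile, readers of the schema need that contract spelled out rather than left implicit. If the previous behavior still holds, keep a sentence such as `The system ignores any account or passcode payloads in the profile; use their declarative configurations instead.`; if the behavior changed, state the new handling in its place. The legacy.yaml hunk that follows makes the same edit to the same text and needs the same clarification.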
@@ -5,11 +5,25 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: ProfileURL
 title: Profile's URL.
 type:
 presence: required
 content: |-
- The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
- If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
+ The URL of the profile to download and install. This must be an 'https://' URL.
+ If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml
index b4668a9..501617b 100644
--- a/declarative/declarations/configurations/management.status-subscriptions.yaml
+++ b/declarative/declarations/configurations/management.status-subscriptions.yaml
@@ -6,6 +6,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: StatusItems
 title: Status Items
diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml
index 2801190..212b69f 100644
--- a/declarative/declarations/configurations/management.test.yaml
+++ b/declarative/declarations/configurations/management.test.yaml
@@ -5,6 +5,20 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Echo
 title: Status Echo
diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml
index ba262f8..08565df 100644
--- a/declarative/declarations/configurations/passcode.settings.yaml
+++ b/declarative/declarations/configurations/passcode.settings.yaml
@@ -5,6 +5,16 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ sharedipad:
+ mode: forbidden
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '13.0'
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: n/a
 payloadkeys:
 - key: RequirePasscode
 title: Require Passcode on Device
diff --git a/declarative/declarations/declarationbase.yaml b/declarative/declarations/declarationbase.yaml
index 0c8745d..9849230 100644
--- a/declarative/declarations/declarationbase.yaml
+++ b/declarative/declarations/declarationbase.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Type
 type:
diff --git a/declarative/declarations/management/organization-info.yaml b/declarative/declarations/management/organization-info.yaml
index cdde995..728e99f 100644
--- a/declarative/declarations/management/organization-info.yaml
+++ b/declarative/declarations/management/organization-info.yaml
@@ -6,6 +6,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Name
 title: Organization Name
diff --git a/declarative/declarations/management/properties.yaml b/declarative/declarations/management/properties.yaml
new file mode 100644
index 0000000..94621d4
--- /dev/null
+++ b/declarative/declarations/management/properties.yaml
@@ -0,0 +1,17 @@
+title: Management:Properties
+description: Use this declaration to set properties on the device.
+payload:
+ declarationtype: com.apple.management.properties
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
+payloadkeys:
+- key: ANY
+ title: Property
+ type:
+ presence: optional
+ content: Each entry represents a property key/value.
diff --git a/declarative/declarations/management/server-capabilities.yaml b/declarative/declarations/management/server-capabilities.yaml
index 2c38bbc..7f8f94d 100644
--- a/declarative/declarations/management/server-capabilities.yaml
+++ b/declarative/declarations/management/server-capabilities.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Version
 title: Protocol Version
diff --git a/declarative/protocol/declarationitemsresponse.yaml b/declarative/protocol/declarationitemsresponse.yaml
index 6933094..94d1ece 100644
--- a/declarative/protocol/declarationitemsresponse.yaml
+++ b/declarative/protocol/declarationitemsresponse.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: Declarations
 title: Manifest Declaration Items
diff --git a/declarative/protocol/statusreport.yaml b/declarative/protocol/statusreport.yaml
index 0bbd634..46245ab 100644
--- a/declarative/protocol/statusreport.yaml
+++ b/declarative/protocol/statusreport.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: StatusItems
 title: Status Items
diff --git a/declarative/protocol/tokensresponse.yaml b/declarative/protocol/tokensresponse.yaml
index ad2a370..3aa8e6e 100644
--- a/declarative/protocol/tokensresponse.yaml
+++ b/declarative/protocol/tokensresponse.yaml
@@ -5,6 +5,10 @@ payload:
 supportedOS:
 iOS:
 introduced: '15.0'
+ macOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: '16.0'
 payloadkeys:
 - key: SyncTokens
 title: Synchronization Tokens
diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml
new file mode 100644
index 0000000..798821f
--- /dev/null
+++ b/declarative/status/account.list.caldav.yaml
@@ -0,0 +1,70 @@
+title: Status Account List CalDAV
+description: The client's CalDAV accounts.
+payload:
+ statusitemtype: account.list.caldav
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.caldav
+ title: Status item value.
+ type:
+ presence: required
+ content: The status value of the account.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier for the account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if a declaration installed the account.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name for the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name for the account.
+ - key: are-calendars-enabled
+ title: Are calendars enabled
+ type:
+ presence: optional
+ content: If 'true', the Calendar app is displaying calendars and events for
+ the account.
+ - key: are-reminders-enabled
+ title: Are reminders enabled
+ type:
+ presence: optional
+ content: If 'true', the Reminders app is displaying reminders for the account.
diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml
new file mode 100644
index 0000000..fd53e13
--- /dev/null
+++ b/declarative/status/account.list.carddav.yaml
@@ -0,0 +1,60 @@
+title: Status Account List CardDAV
+description: The client's CardDAV accounts.
+payload:
+ statusitemtype: account.list.carddav
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.carddav
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name of the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name of the account.
diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml
new file mode 100644
index 0000000..c75397f
--- /dev/null
+++ b/declarative/status/account.list.exchange.yaml
@@ -0,0 +1,86 @@
+title: Status Account List Exchange
+description: The client's exchange accounts.
+payload:
+ statusitemtype: account.list.exchange
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.exchange
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name of the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name of the account.
+ - key: is-mail-enabled
+ title: Is mail enabled
+ type:
+ presence: optional
+ content: Indicates if mail for this account are being displayed in Mail.app.
+ - key: are-calendars-enabled
+ title: Are calendars enabled
+ type:
+ presence: optional
+ content: Indicates if calendars and events for the account are being displayed
+ in Calendar.app.
+ - key: are-contacts-enabled
+ title: Are contacts enabled
+ type:
+ presence: optional
+ content: Indicates if contacts for the account are being displayed in Contacts.app.
+ - key: are-notes-enabled
+ title: Are notes enabled
+ type:
+ presence: optional
+ content: Indicates if notes for this account are being displayed in Notes.app.
+ - key: are-reminders-enabled
+ title: Are reminders enabled
+ type:
+ presence: optional
+ content: Indicates if reminders for the account are being displayed in Reminders.app.
diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml
new file mode 100644
index 0000000..81d8da5
--- /dev/null
+++ b/declarative/status/account.list.google.yaml
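Review bot: The `content` for `is-mail-enabled` in this exchange status item reads `Indicates if mail for this account are being displayed in Mail.app.`, which should be `is being displayed`; the identical string appears in the google and mail.incoming hunks that follow. The boolean subkeys across the new status files also alternate between two phrasings, `Indicates if ...` here and `If 'true', ...` in the caldav hunk, for values with the same meaning; settling on one form (the `If 'true', ...` wording makes the boolean semantics explicit) would keep the generated documentation consistent. The `identifier` subkey's content, `This can be used as a "primary key" to access a specific account.`, is also present in every new status file except caldav, which should carry it too.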
@@ -0,0 +1,71 @@
+title: Status Account List Google
+description: The client's Google accounts.
+payload:
+ statusitemtype: account.list.google
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.google
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name of the account.
+ - key: is-mail-enabled
+ title: Is mail enabled
+ type:
+ presence: optional
+ content: Indicates if mail for this account are being displayed in Mail.app.
+ - key: are-calendars-enabled
+ title: Are calendars enabled
+ type:
+ presence: optional
+ content: Indicates if calendars and events for the account are being displayed
+ in Calendar.app.
+ - key: are-contacts-enabled
+ title: Are contacts enabled
+ type:
+ presence: optional
+ content: Indicates if contacts for the account are being displayed in Contacts.app.
+ - key: are-notes-enabled
+ title: Are notes enabled
+ type:
+ presence: optional
+ content: Indicates if notes for this account are being displayed in Notes.app.
diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml
new file mode 100644
index 0000000..93ff64f
--- /dev/null
+++ b/declarative/status/account.list.ldap.yaml
@@ -0,0 +1,65 @@
+title: Status Account List LDAP
+description: The client's LDAP accounts.
+payload:
+ statusitemtype: account.list.ldap
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.ldap
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name for the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name for the account.
+ - key: is-enabled
+ title: Is account enabled
+ type:
+ presence: optional
+ content: Indicates if the account is enabled for use with Contacts.app.
diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml
new file mode 100644
index 0000000..d4d7bdb
--- /dev/null
+++ b/declarative/status/account.list.mail.incoming.yaml
@@ -0,0 +1,70 @@
+title: Status Account List Mail Incoming
+description: The client's incoming mail accounts.
+payload:
+ statusitemtype: account.list.mail.incoming
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.mail.incoming
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name of the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name of the account.
+ - key: is-mail-enabled
+ title: Is mail enabled
+ type:
+ presence: optional
+ content: Indicates if mail for this account are being displayed in Mail.app.
+ - key: are-notes-enabled
+ title: Are notes enabled
+ type:
+ presence: optional
+ content: Indicates if notes for this account are being displayed in Notes.app.
diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml
new file mode 100644
index 0000000..61af9d6
--- /dev/null
+++ b/declarative/status/account.list.mail.outgoing.yaml
@@ -0,0 +1,60 @@
+title: Status Account List Mail Outgoing
+description: The client's outgoing mail accounts.
+payload:
+ statusitemtype: account.list.mail.outgoing
+ supportedOS:
+ iOS:
+ introduced: '16.0'
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ macOS:
+ introduced: '13.0'
+ devicechannel: false
+ userchannel: true
+ tvOS:
+ introduced: n/a
+payloadkeys:
+- key: account.list.mail.outgoing
+ title: Status item value.
+ type:
+ presence: required
+ content: Status value.
+ subkeytype: Account
+ subkeys:
+ - key: status_value
+ type:
+ subkeys:
+ - key: identifier
+ title: Unique identifier of the account.
+ type:
+ presence: required
+ content: The unique identifier of the account. This can be used as a "primary
+ key" to access a specific account.
+ - key: declaration-identifier
+ title: Identifier of the declaration that installed the account.
+ type:
+ presence: optional
+ content: The identifier of the declaration that installed the account. Only
+ present if the account was installed by a declaration.
+ - key: visible-name
+ title: Account name
+ type:
+ presence: optional
+ content: The name of the account.
+ - key: hostname
+ title: Account hostname
+ type:
+ presence: optional
+ content: The server host name of the account.
+ - key: port
+ title: Server Port
+ type:
+ presence: optional
+ content: The server port for the account.
+ - key: username
+ title: Account username
+ type:
+ presence: optional
+ content: The user name of the account.
diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml
new file mode 100644
index 0000000..f7bf21a
--- /dev/null
+++ b/declarative/status/account.list.subscribed-calendar.yaml
@@ -0,0 +1,58 @@ +title: Status Account List Subscribed Calendar +description: The client's subscribed calendar accounts. +payload: + statusitemtype: account.list.subscribed-calendar + supportedOS: + iOS: + introduced: '16.0' + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + macOS: + introduced: n/a + tvOS: + introduced: n/a +payloadkeys: +- key: account.list.subscribed-calendar + title: Status item value. + type: + presence: required + content: Status value. + subkeytype: Account + subkeys: + - key: status_value + type: + subkeys: + - key: identifier + title: Unique identifier of the account. + type: + presence: required + content: The unique identifier of the account. This can be used as a "primary + key" to access a specific account. + - key: declaration-identifier + title: Identifier of the declaration that installed the account. + type: + presence: optional + content: The identifier of the declaration that installed the account. Only + present if the account was installed by a declaration. + - key: visible-name + title: Account name + type: + presence: optional + content: The name of the account. + - key: calendar-url + title: Account calendar URL + type: + presence: optional + content: The URL of the subscribed calendar. + - key: username + title: Account username + type: + presence: optional + content: The user name of the account. + - key: is-enabled + title: Is the calendar enabled + type: + presence: optional + content: Indicates if the calendar is being displayed in Calendar.app. diff --git a/declarative/status/device.identifier.serial-number.yaml b/declarative/status/device.identifier.serial-number.yaml new file mode 100644 index 0000000..3d41630 --- /dev/null +++ b/declarative/status/device.identifier.serial-number.yaml 
@@ -0,0 +1,21 @@ +title: Status Device Serial Number +description: The device's serial number. +payload: + statusitemtype: device.identifier.serial-number + supportedOS: + iOS: + introduced: '16.0' + userenrollment: + mode: forbidden + macOS: + introduced: '13.0' + userenrollment: + mode: forbidden + tvOS: + introduced: '16.0' +payloadkeys: +- key: device.identifier.serial-number + title: Status item value. + type: + presence: required + content: Status value. diff --git a/declarative/status/device.identifier.udid.yaml b/declarative/status/device.identifier.udid.yaml new file mode 100644 index 0000000..65f8b67 --- /dev/null +++ b/declarative/status/device.identifier.udid.yaml @@ -0,0 +1,23 @@ +title: Status Device UDID +description: The device's UDID. +payload: + statusitemtype: device.identifier.udid + supportedOS: + iOS: + introduced: '16.0' + userenrollment: + mode: forbidden + macOS: + introduced: '13.0' + userenrollment: + mode: forbidden + tvOS: + introduced: '16.0' +payloadkeys: +- key: device.identifier.udid + title: Status item value. + type: + presence: required + content: The device's UDID. This value is always available on the device channel. + This value is only available on user channels whose organization matches that + of the device channel. diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml index 0607552..074495c 100644 --- a/declarative/status/device.model.family.yaml +++ b/declarative/status/device.model.family.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.model.family title: Status item value. diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml index 7bb92d0..37e7d10 100644 --- a/declarative/status/device.model.identifier.yaml +++ b/declarative/status/device.model.identifier.yaml 
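Review bot: `device.identifier.serial-number` documents its value only as `content: Status value.`, whereas the sibling `device.identifier.udid` added on the same line states that the value is always available on the device channel and on user channels only when the organization matches the device channel's. Both items carry `userenrollment: mode: forbidden` on iOS and macOS, so presumably the serial number is subject to the same user-channel restriction; if so, its content should say so, for example `content: The device's serial number. This value is always available on the device channel, and on user channels only when their organization matches that of the device channel.`, and if not, it should state how the two differ. Either way a server should not have to infer from the UDID entry how the serial number behaves.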
@@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.model.identifier title: Status item value. diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml index 7a29f6a..5162d88 100644 --- a/declarative/status/device.model.marketing-name.yaml +++ b/declarative/status/device.model.marketing-name.yaml @@ -5,11 +5,14 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.model.marketing-name title: Status item value. type: presence: required content: A string that identifies the device's marketing name, such as 'iPhone 12'. - This value may not always be available. Alternatively, use 'device.model.configuration-code' - to look up the marketing name through the web API. + This value may not always be available. diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml index 88b7468..f4ac429 100644 --- a/declarative/status/device.operating-system.build-version.yaml +++ b/declarative/status/device.operating-system.build-version.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.operating-system.build-version title: Status item value. diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml index 4acaa3c..1007afd 100644 --- a/declarative/status/device.operating-system.family.yaml +++ b/declarative/status/device.operating-system.family.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.operating-system.family title: Status item value. 
diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml index 9ef8346..e081fcf 100644 --- a/declarative/status/device.operating-system.marketing-name.yaml +++ b/declarative/status/device.operating-system.marketing-name.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.operating-system.marketing-name title: Status item value. diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml index 291294b..6abb9e8 100644 --- a/declarative/status/device.operating-system.version.yaml +++ b/declarative/status/device.operating-system.version.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: device.operating-system.version title: Status item value. diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml index adcd11d..adb3a97 100644 --- a/declarative/status/management.client-capabilities.yaml +++ b/declarative/status/management.client-capabilities.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: management.client-capabilities title: Status item value. diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml index 9d50590..63840fd 100644 --- a/declarative/status/management.declarations.yaml +++ b/declarative/status/management.declarations.yaml @@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: management.declarations title: Status item value. 
diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml new file mode 100644 index 0000000..97f4c77 --- /dev/null +++ b/declarative/status/mdm.app.yaml 
@@ -0,0 +1,78 @@ +title: Status MDM App +description: The client's MDM installed apps. +payload: + statusitemtype: mdm.app + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: '16.0' +payloadkeys: +- key: mdm.app + title: Status item value. + type: + presence: required + content: The list of apps. + subkeytype: App + subkeys: + - key: status_value + type: + subkeys: + - key: identifier + title: Unique identifier of the app. + type: + presence: required + content: The app's bundle id, which is unique. + - key: name + title: App name + type: + presence: optional + content: The name of the app. + - key: external-version-id + title: External version id + type: + presence: optional + content: The application's external version ID. Use Service Config to get the + 'contentMetadataLookupUrl' endpoint. In the response from that URL, find a + key named 'externalId' at the path 'results..offers[0].version.externalId'. + If the current external version identifier of an app on the store doesn't + match the external version identifier reported by the device, there may be + an app update available for the device. + - key: version + title: Version + type: + presence: optional + content: The version of the app. + - key: short-version + title: Short version + type: + presence: optional + content: The short version of the app. + - key: state + title: Managed application list status + type: + presence: optional + rangelist: + - queued + - needs-redemption + - redeeming + - prompting + - prompting-for-login + - validating-purchase + - prompting-for-update + - prompting-for-update-login + - prompting-for-management + - validating-update + - updating + - installing + - managed + - managed-but-uninstalled + - unknown + - user-installed-app + - user-rejected + - update-rejected + - management-rejected + - failed + content: The status of the app reported by ManagedApplicationListCommand. 
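Review bot: The `version` and `short-version` entries describe their values only as `The version of the app.` and `The short version of the app.`, which restate the key names; saying which bundle value each corresponds to (presumably `CFBundleVersion` and `CFBundleShortVersionString`) would remove the ambiguity for servers comparing them against store data. The `external-version-id` content embeds a multi-step lookup procedure, including the path `results..offers[0].version.externalId`, in a single folded scalar; a `|-` block scalar, as used elsewhere in this commit, would keep the path and the steps readable. The `state` rangelist ends in several rejection and failure values (`user-rejected`, `update-rejected`, `management-rejected`, `failed`) whose distinction is not explained; a sentence per terminal state, or a pointer to where ManagedApplicationListCommand documents them, would help.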
diff --git a/declarative/status/passcode.is-compliant.yaml b/declarative/status/passcode.is-compliant.yaml new file mode 100644 index 0000000..03a5b66 --- /dev/null +++ b/declarative/status/passcode.is-compliant.yaml @@ -0,0 +1,20 @@ +title: Status Passcode Compliance +description: The state of passcode compliance. +payload: + statusitemtype: passcode.is-compliant + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a +payloadkeys: +- key: passcode.is-compliant + title: Status item value. + type: + presence: required + content: If 'true', the passcode is in compliance with all passcode policies set + on the device. If 'false', the passcode isn't in compliance with one or more passcode + policies set on the device. When there are no passcode policies on the device, + this value 'true'. diff --git a/declarative/status/passcode.is-present.yaml b/declarative/status/passcode.is-present.yaml new file mode 100644 index 0000000..2b9056e --- /dev/null +++ b/declarative/status/passcode.is-present.yaml @@ -0,0 +1,21 @@ +title: Status Passcode Is Present +description: Whether a passcode is present ot not. +payload: + statusitemtype: passcode.is-present + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a +payloadkeys: +- key: passcode.is-present + title: Status item value. + type: + presence: required + content: If 'true', a passcode is present on the device. If 'false', a passcode + isn't present on the device. When a passcode is present, the specific attributes + of the passcode (length, number of complex characters, etc), isn't reported. Instead, + use the 'passcode.is-compliant' status item to verify that the passcode complies + with all passcode policies set on the device. diff --git a/declarative/status/statusreason.yaml b/declarative/status/statusreason.yaml index bb55842..a35dde8 100644 --- a/declarative/status/statusreason.yaml +++ b/declarative/status/statusreason.yaml 
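Review bot: The `passcode.is-compliant` content is missing a verb in its last sentence — `this value 'true'.` should read `this value is 'true'.` — and the `passcode.is-present` description has a typo, `Whether a passcode is present ot not.` for `Whether a passcode is present or not.` In the same `passcode.is-present` content, `the specific attributes of the passcode (length, number of complex characters, etc), isn't reported` should be `(length, number of complex characters, etc.) aren't reported`, without the comma. The compliance item states what is reported when no passcode policies exist, but not what it reports when no passcode is present at all; if that case is defined, stating it would spare servers from inferring it from is-present.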
@@ -5,6 +5,10 @@ payload: supportedOS: iOS: introduced: '15.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' payloadkeys: - key: code title: Error Code diff --git a/declarative/status/test.array-value.yaml b/declarative/status/test.array-value.yaml new file mode 100644 index 0000000..3672c79 --- /dev/null +++ b/declarative/status/test.array-value.yaml @@ -0,0 +1,32 @@ +title: Status Test Array Value +description: A test status item array. +payload: + statusitemtype: test.array-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.array-value + title: Status item value. + type: + presence: required + content: Status value. + subkeytype: Array + subkeys: + - key: status_value + type: + subkeys: + - key: key1 + title: First Key Value + type: + presence: required + content: The value of the first sub-key. + - key: key2 + title: Second Key Value + type: + presence: optional + content: The value of the second sub-key. diff --git a/declarative/status/test.boolean-value.yaml b/declarative/status/test.boolean-value.yaml new file mode 100644 index 0000000..954f1ed --- /dev/null +++ b/declarative/status/test.boolean-value.yaml @@ -0,0 +1,17 @@ +title: Status Test Boolean Value +description: A test status item boolean. +payload: + statusitemtype: test.boolean-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.boolean-value + title: Status item value. + type: + presence: required + content: Status value. diff --git a/declarative/status/test.dictionary-value.yaml b/declarative/status/test.dictionary-value.yaml new file mode 100644 index 0000000..087fe50 --- /dev/null +++ b/declarative/status/test.dictionary-value.yaml 
@@ -0,0 +1,29 @@ +title: Status Test Dictionary Value +description: A test status item dictionary. +payload: + statusitemtype: test.dictionary-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.dictionary-value + title: Status item value. + type: + presence: required + content: Status value. + subkeytype: Dictionary + subkeys: + - key: key1 + title: First Key Value + type: + presence: required + content: The value of the first sub-key. + - key: key2 + title: Second Key Value + type: + presence: optional + content: The value of the second sub-key. diff --git a/declarative/status/test.error-value.yaml b/declarative/status/test.error-value.yaml new file mode 100644 index 0000000..da0ccbc --- /dev/null +++ b/declarative/status/test.error-value.yaml @@ -0,0 +1,17 @@ +title: Status Test Error Value +description: A test status item for errors. +payload: + statusitemtype: test.error-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.error-value + title: Status item value. + type: + presence: required + content: Status value. diff --git a/declarative/status/test.integer-value.yaml b/declarative/status/test.integer-value.yaml new file mode 100644 index 0000000..85bd379 --- /dev/null +++ b/declarative/status/test.integer-value.yaml @@ -0,0 +1,17 @@ +title: Status Test Integer Value +description: A test status item integer. +payload: + statusitemtype: test.integer-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.integer-value + title: Status item value. + type: + presence: required + content: Status value. diff --git a/declarative/status/test.real-value.yaml b/declarative/status/test.real-value.yaml new file mode 100644 index 0000000..740d4d5 --- /dev/null +++ b/declarative/status/test.real-value.yaml 
@@ -0,0 +1,17 @@ +title: Status Test Real Value +description: A test status item real. +payload: + statusitemtype: test.real-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.real-value + title: Status item value. + type: + presence: required + content: Status value. diff --git a/declarative/status/test.string-value.yaml b/declarative/status/test.string-value.yaml new file mode 100644 index 0000000..c330ace --- /dev/null +++ b/declarative/status/test.string-value.yaml @@ -0,0 +1,17 @@ +title: Status Test String Value +description: A test status item string. +payload: + statusitemtype: test.string-value + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + tvOS: + introduced: '16.0' +payloadkeys: +- key: test.string-value + title: Status item value. + type: + presence: required + content: Status value. diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index 6dc47ef..14169e0 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -8,9 +8,23 @@ payload: supervised: false requiresdep: false sharedipad: - mode: forbidden + mode: allowed + devicechannel: true + userchannel: true userenrollment: - mode: required + mode: allowed + macOS: + introduced: '13.0' + devicechannel: true + userchannel: true + supervised: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '16.0' + supervised: false + requiresdep: false content: Check-in protocol declarative management request and response. payloadkeys: - key: MessageType diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index e7cd4d6..7523343 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml 
@@ -1,6 +1,12 @@ title: Install Application Command description: This command allows the server to install an application on a device. - If the app is already being managed, this command will update the app. + If the app is already being managed, this command will update the app. Prior to + iOS 16.0 and tvOS 16.0, this command would return NotNow when Setup Assistant was + running. Starting in iOS 16.0 and tvOS 16.0, the command may be sent to supervised + devices during Setup Assistant. However, you should only attempt to install device-based + VPP apps or enterprise apps while in the awaiting configuration state, as the device + will likely not yet have an App Store account configured, and thus commands that + depend on one will fail. payload: requesttype: InstallApplication supportedOS: @@ -118,6 +124,24 @@ payloadkeys: presence: optional content: A per-app VPN unique identifier for this app. This value is available in iOS 7 and later, and tvOS 10.2 and later. + - key: ContentFilterUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: Content Filter UUID assigned to this app. + - key: DNSProxyUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: DNS Proxy UUID assigned to this app. - key: AssociatedDomains supportedOS: iOS: @@ -139,7 +163,7 @@ payloadkeys: introduced: n/a type: presence: optional - default: true + default: false content: If 'true', perform claimed site association verification directly at the domain instead of on Apple's servers. Only set this to 'true' for domains that can't access the internet. This value is available in iOS 14 and later. diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index 3a9c2c5..66bc873 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml 
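Review bot: The new `ContentFilterUUID` and `DNSProxyUUID` entries in the second hunk carry only `content: Content Filter UUID assigned to this app.` and `content: DNS Proxy UUID assigned to this app.`, whereas the same keys added to managed.application.attributes.yaml in this commit end with `Available in iOS 16 and later.`, matching the sibling `VPNUUID` convention; the copies added to settings.yaml have the same gap. Adding that sentence keeps the three definitions identical. It would also help to state what the UUID must refer to — presumably the PayloadUUID of an installed content-filter or DNS-proxy payload — and what the command does when no matching payload is installed, if that is defined. The enclosing payloadkeys list continues outside the hunk.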
@@ -82,6 +82,7 @@ payloadkeys: - HasUpdateAvailable - Identifier - Installing + - IsAppClip - IsValidated - Name - ShortVersion @@ -245,3 +246,15 @@ responsekeys: presence: optional default: false content: If 'true', the user canceled the download. + - key: IsAppClip + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the app is an App Clip. Available in iOS 16 and later. diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml index 959d8be..82cfb54 100644 --- a/mdm/commands/declarativemanagement.yaml +++ b/mdm/commands/declarativemanagement.yaml @@ -10,9 +10,23 @@ payload: supervised: false requiresdep: false sharedipad: - mode: forbidden + mode: allowed + devicechannel: true + userchannel: true userenrollment: - mode: required + mode: allowed + macOS: + introduced: '13.0' + devicechannel: true + userchannel: true + supervised: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '16.0' + supervised: false + requiresdep: false content: This command allows the server to turn on the Declarative Management engine on the device (the first time it is used), or to trigger a Declarative Management synchronization operation. diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index 85b8246..4f40b44 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml 
@@ -100,6 +100,9 @@ payloadkeys: If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. + 'Always': + The system doesn't attempt EACS. T2 and later devices always obliterate. + 'Default': If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml index b48b173..4fe0289 100644 --- a/mdm/commands/device.lostmode.disable.yaml +++ b/mdm/commands/device.lostmode.disable.yaml @@ -1,4 +1,4 @@ -title: Disable MDM Lost Mode Location +title: Disable MDM Lost Mode Command description: This command allows the server to take the device out of MDM lost mode. payload: requesttype: DisableLostMode diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml index 1bca8d9..d2f1f86 100644 --- a/mdm/commands/device.lostmode.enable.yaml +++ b/mdm/commands/device.lostmode.enable.yaml @@ -1,4 +1,4 @@ -title: Enable MDM Lost Mode Location +title: Enable MDM Lost Mode Command description: This command allows the server to put the device in MDM lost mode, with a message, phone number, and footnote text. A message or phone number must be provided. payload: diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 727019b..d38facc 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -278,6 +278,7 @@ payloadkeys: - key: IMEI supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden @@ -292,6 +293,7 @@ payloadkeys: - key: MEID supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden 
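Review bot: The new `'Always':` paragraph in device.erase.yaml says only `The system doesn't attempt EACS. T2 and later devices always obliterate.`; since obliteration is the irreversible outcome, the paragraph should also say what happens on devices that have no T2 or later chip when this value is chosen, and `T2 and later` should be made precise if Apple silicon is meant as well. The `deprecated: '16.0'` markers added to `IMEI` and `MEID` here, and to the further network-information keys on the following lines, are not accompanied by any change to those keys' `content`, which lies outside the hunks; the file's convention is to state availability in the content, so a sentence such as `Deprecated in iOS 16.` would keep the deprecation visible to readers of the text. The enclosing definitions for the erase option and for each deprecated key start outside their hunks.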
@@ -383,11 +385,13 @@ payloadkeys: supportedOS: iOS: introduced: '7.0' + deprecated: '16.0' accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden macOS: introduced: '10.15' + deprecated: '13.0' accessrights: AllowQueryDeviceInformation userenrollment: mode: forbidden @@ -671,6 +675,32 @@ payloadkeys: introduced: n/a type: content: If 'true', the device only allows temporary sessions. + - key: ManagedAppleIDDefaultDomains + supportedOS: + iOS: + introduced: '16.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The list of domains that the device suggests on the Shared iPad login screen. + Available in iOS 16 and later. + - key: OnlineAuthenticationGracePeriod + supportedOS: + iOS: + introduced: '16.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. + Available in iOS 16 and later. - key: PushToken supportedOS: iOS: @@ -734,6 +764,7 @@ payloadkeys: - key: ICCID supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -791,6 +822,7 @@ payloadkeys: - key: CurrentCarrierNetwork supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -820,6 +852,7 @@ payloadkeys: supportedOS: iOS: introduced: '5.0' + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -833,6 +866,7 @@ payloadkeys: - key: CarrierSettingsVersion supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -846,6 +880,7 @@ payloadkeys: - key: PhoneNumber supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden 
@@ -876,6 +911,7 @@ payloadkeys: supportedOS: iOS: introduced: '5.0' + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -933,6 +969,7 @@ payloadkeys: supportedOS: iOS: introduced: 4.2.6 + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -947,6 +984,7 @@ payloadkeys: supportedOS: iOS: introduced: 4.2.6 + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -960,6 +998,7 @@ payloadkeys: - key: CurrentMCC supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden @@ -973,6 +1012,7 @@ payloadkeys: - key: CurrentMNC supportedOS: iOS: + deprecated: '16.0' accessrights: AllowQueryNetworkInformation userenrollment: mode: forbidden 
@@ -1051,8 +1091,60 @@ payloadkeys: introduced: n/a type: content: The key that represents the device identifier you use to look up available - OS updates via . Available in iOS 14.5 and - later. + OS updates through . Available in iOS 15 and + later, and macOS 12 and later. + - key: AccessibilitySettings + supportedOS: + iOS: + introduced: '16.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The key to get the current state of settable accessibility settings. + Available in iOS 16 and later. + - key: DevicePropertiesAttestation + supportedOS: + iOS: + introduced: '16.0' + supervised: false + userenrollment: + mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: '16.0' + type: + content: |- + The key to get an attestation of the device's properties. + Available in iOS 16 and later and tvOS 16 and later. +- key: DeviceAttestationNonce + supportedOS: + iOS: + introduced: '16.0' + supervised: false + userenrollment: + mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: '16.0' + type: + presence: optional + content: Up to 32 bytes of data. If this is specified, Queries must contain DevicePropertiesAttestation. + The nonce appears in the resulting attestation to ensure it was recently generated. + To request a new attestation, provide a new nonce. The most recently generated + attestation is cached on the device. Requests for new attestations are rate limited. + If it has been fewer than 7 days since an attestation was generated, the device + returns the cached attestation rather than generating a new one. If DeviceAttestationNonce + is omitted or if the value matches the cached attestation, the cached attestation + is returned. Otherwise a new attestation containing the new nonce is requested + and returned. responsekeys: - key: QueryResponses type: 
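Review bot: The `DeviceAttestationNonce` content is internally inconsistent about freshness: it says that within 7 days the device `returns the cached attestation rather than generating a new one`, and then that when the nonce differs `a new attestation containing the new nonce is requested and returned`. A server that uses the nonce for replay protection needs to know which rule wins inside the rate-limit window, and the text should state it explicitly — for example that a request with a fresh nonce still receives the cached attestation carrying the earlier nonce, if that is the behavior — so that servers treat a returned nonce that differs from the one they sent as stale rather than as fresh evidence. The content also gives only a maximum (`Up to 32 bytes of data.`) and no encoding; stating the minimum length and the plist data type would make the field verifiable. The enclosing payloadkeys list starts outside the hunk.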
@@ -1263,6 +1355,8 @@ responsekeys: available in iOS 4 and later, and macOS 10.7 and later. - key: IMEI supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1273,6 +1367,8 @@ responsekeys: later. - key: MEID supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1361,8 +1457,10 @@ responsekeys: supportedOS: iOS: introduced: '7.0' + deprecated: '16.0' macOS: introduced: '10.9' + deprecated: '13.0' tvOS: introduced: n/a type: @@ -1654,6 +1752,33 @@ responsekeys: introduced: n/a type: content: If 'true', the device only allows temporary sessions. + - key: ManagedAppleIDDefaultDomains + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The list of domains that the device suggests on the Shared iPad login screen. + Available in iOS 16 and later. + subkeys: + - key: AppleID domain + type: + - key: OnlineAuthenticationGracePeriod + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. + Available in iOS 16 and later. - key: PushToken supportedOS: iOS: @@ -1703,6 +1828,8 @@ responsekeys: in iOS 14 and later, and tvOS 14 and later. - key: ICCID supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1730,6 +1857,8 @@ responsekeys: access right, and is available in macOS 10.7 and later. - key: CurrentCarrierNetwork supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1751,6 +1880,7 @@ responsekeys: supportedOS: iOS: introduced: '5.0' + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1760,6 +1890,8 @@ responsekeys: Information access right, and is available in iOS 5 and later. - key: CarrierSettingsVersion supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: 
@@ -1769,6 +1901,8 @@ responsekeys: Information access right, and is available in iOS 4 and later. - key: PhoneNumber supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1792,6 +1926,7 @@ responsekeys: supportedOS: iOS: introduced: '5.0' + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1827,6 +1962,7 @@ responsekeys: supportedOS: iOS: introduced: '4.2' + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1858,6 +1994,7 @@ responsekeys: supportedOS: iOS: introduced: 4.2.6 + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1869,6 +2006,7 @@ responsekeys: supportedOS: iOS: introduced: 4.2.6 + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1878,6 +2016,8 @@ responsekeys: the Network Information access right, and is available in iOS 4.2.6 and later. - key: CurrentMCC supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1887,6 +2027,8 @@ responsekeys: Information access right, and is available in iOS 4 and later. - key: CurrentMNC supportedOS: + iOS: + deprecated: '16.0' macOS: introduced: n/a tvOS: @@ -1976,6 +2118,17 @@ responsekeys: type: content: The description of the slot that contains the SIM representing this subscription. This value is available in iOS 12 and later. + - key: SubscriberCarrierNetwork + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The name of the home carrier network. This value is available in + iOS 16 and later. - key: PINRequiredForEraseDevice supportedOS: iOS: 
@@ -2025,3 +2178,76 @@ responsekeys: content: The key representing the device identifier to be used when looking up available OS updates via . Available in iOS 14.5 and later. + - key: AccessibilitySettings + supportedOS: + iOS: + introduced: '16.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: |- + The the current state of settable accessibility settings. + Available in iOS 16 and later. + subkeys: + - key: BoldTextEnabled + type: + content: If 'true', device has enabled bold text. + - key: IncreaseContrastEnabled + type: + content: If 'true', device has enabled increase contrast. + - key: ReduceMotionEnabled + type: + content: If 'true', device has enabled reduced motion. + - key: ReduceTransparencyEnabled + type: + content: If 'true', device has enabled reduced transparency. + - key: TextSize + type: + rangelist: + - -1 + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + - 8 + - 9 + - 10 + - 11 + content: The accessibility text size apps that support dynamic text use. 0 is + the smallest value, and 11 is the largest available. + - key: TouchAccommodationsEnabled + type: + content: If 'true', device has enabled touch accommodations. + - key: VoiceOverEnabled + type: + content: If 'true', device has enabled voiceover. + - key: ZoomEnabled + type: + content: If 'true', device has enabled zoom. + - key: DevicePropertiesAttestation + supportedOS: + iOS: + introduced: '16.0' + supervised: false + userenrollment: + mode: allowed + macOS: + introduced: n/a + tvOS: + introduced: '16.0' + type: + content: |- + The key to get an attestation of the device's properties. + Available in iOS 16 and later and tvOS 16 and later. + subkeys: + - key: AttestationCertificate + type: diff --git a/mdm/commands/lom.devicerequest.yaml b/mdm/commands/lom.devicerequest.yaml index 33ef38e..4684dd0 100644 --- a/mdm/commands/lom.devicerequest.yaml +++ b/mdm/commands/lom.devicerequest.yaml 
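Review bot: The `AccessibilitySettings` response content begins `The the current state of settable accessibility settings.` — drop the duplicated word — and the `TextSize` rangelist includes `-1` while its content says `0 is the smallest value, and 11 is the largest available`, so the meaning of -1 needs to be stated or the value removed from the rangelist. The `VoiceOverEnabled` content should use the product name: `If 'true', device has enabled VoiceOver.` The `AttestationCertificate` subkey of `DevicePropertiesAttestation` has a bare `type:` and no content; a server that verifies the attestation needs to know what the value holds (a single certificate or a chain, the ordering, and where the requested nonce and the attested device properties appear) in order to validate the chain and check the nonce, so that should be documented. The enclosing responsekeys list starts outside the hunk.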
@@ -38,7 +38,8 @@ payloadkeys: - key: DeviceDNSName type: presence: required - content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName. + content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName + or an equivalent in a PKCS12 identity. - key: PrimaryIPv6AddressList type: presence: required diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index 7f74664..d0cc1c7 100644 --- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -51,6 +51,28 @@ responsekeys: type: presence: optional content: A per-app VPN unique identifier for this app. + - key: ContentFilterUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: |- + The content Filter UUID assigned to this app. + Available in iOS 16 and later. + - key: DNSProxyUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: |- + The DNS Proxy UUID assigned to this app. + Available in iOS 16 and later. - key: AssociatedDomains supportedOS: iOS: @@ -72,7 +94,7 @@ responsekeys: introduced: n/a type: presence: optional - default: true + default: false content: If 'true', perform claimed site association verification directly at the domain instead of on Apple's servers. Only set this to 'true' for domains that can't access the internet. This value is available in iOS 14 diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 58c2bfa..1a4dcb1 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -11,7 +11,7 @@ payload: sharedipad: mode: allowed devicechannel: true - userchannel: false + userchannel: true userenrollment: mode: allowed macOS: 
@@ -40,6 +40,10 @@ payloadkeys: iOS: introduced: '8.0' supervised: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -76,6 +80,10 @@ payloadkeys: - key: DataRoaming supportedOS: iOS: + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -102,6 +110,11 @@ payloadkeys: - key: VoiceRoaming supportedOS: iOS: + deprecated: '16.0' + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -130,6 +143,10 @@ payloadkeys: supportedOS: iOS: accessrights: AllowQueryNetworkInformation + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -157,6 +174,10 @@ payloadkeys: iOS: introduced: '11.3' supervised: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -188,6 +209,10 @@ payloadkeys: iOS: introduced: '7.0' accessrights: AllowAppInstallation + sharedipad: + mode: allowed + devicechannel: true + userchannel: false macOS: introduced: '10.15' accessrights: AllowAppInstallation @@ -227,6 +252,10 @@ payloadkeys: iOS: introduced: '7.0' accessrights: AllowAppInstallation + sharedipad: + mode: allowed + devicechannel: true + userchannel: false macOS: introduced: n/a tvOS: @@ -260,6 +289,24 @@ payloadkeys: presence: optional content: A per-app VPN unique identifier for this app. This value is available in iOS 7 and later, and tvOS 10.2 and later. + - key: ContentFilterUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: Content Filter UUID assigned to this app. + - key: DNSProxyUUID + supportedOS: + iOS: + introduced: '16.0' + tvOS: + introduced: n/a + type: + presence: optional + content: DNS Proxy UUID assigned to this app. - key: AssociatedDomains supportedOS: iOS: 
@@ -281,7 +328,7 @@ payloadkeys: introduced: n/a type: presence: optional - default: true + default: false content: If 'true', perform claimed site association verification directly at the domain, instead of on Apple's servers. Only set this to 'true' for domains that can't access the internet. This value is available in iOS 14 @@ -301,6 +348,10 @@ payloadkeys: supportedOS: iOS: supervised: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -350,6 +401,11 @@ payloadkeys: content: The hostname for the device. - key: OrganizationInfo supportedOS: + iOS: + sharedipad: + mode: allowed + devicechannel: true + userchannel: false macOS: introduced: '10.9' type: @@ -411,6 +467,10 @@ payloadkeys: supportedOS: iOS: introduced: '7.0' + sharedipad: + mode: allowed + devicechannel: true + userchannel: false macOS: introduced: '10.15' userenrollment: @@ -554,7 +614,7 @@ payloadkeys: type: presence: optional content: |- - The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout. + The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout. Available in iOS 14.5 and later. - key: TemporarySessionTimeout supportedOS: 
@@ -576,6 +636,28 @@ payloadkeys: If 'true', the user only sees the Guest Welcome pane and can only log in as a guest user. If 'false', the user can sign in with a managed Apple ID (the existing behavior). Available in iOS 14.5 and later. + - key: ManagedAppleIDDefaultDomains + supportedOS: + iOS: + introduced: '16.0' + type: + presence: optional + content: |- + A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple ID. + If this list contains more than 3 domains, the system picks 3 at random for display.Available in iOS 16 and later. + subkeys: + - key: AppleID domain + type: + - key: OnlineAuthenticationGracePeriod + supportedOS: + iOS: + introduced: '16.0' + type: + presence: optional + content: |- + A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user's passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple's identity server) after the number of days specified by this setting. + Setting this value to 0 enforces online authentication every time. + Available in iOS 16 and later. - key: DiagnosticSubmission supportedOS: iOS: @@ -675,6 +757,10 @@ payloadkeys: iOS: introduced: '14.0' supervised: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: @@ -705,6 +791,10 @@ payloadkeys: iOS: introduced: '14.5' supervised: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false userenrollment: mode: forbidden macOS: 
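Review bot: OnlineAuthenticationGracePeriod in the second added block has no `default:` and no range, so an administrator can't tell from this entry what a Shared iPad does when the key is absent or how large the period may be, even though the key decides how long a purely local passcode check stands in for verification against Apple's identity server. The text also says `0` forces online authentication every time but not what happens when the device has no connectivity after the period has elapsed; if login is refused in that case, say so, e.g. `If the device can't reach Apple's identity server after the grace period has elapsed, the user can't log in until connectivity is restored.` (to be confirmed against the implementation). Minor: `display.Available` in ManagedAppleIDDefaultDomains is missing a space, and its subkey key `AppleID domain` contains a space unlike every other subkey name in this file.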
@@ -737,6 +827,85 @@ payloadkeys: * '2': Presents only the highest numbered (most recent) release available for the device. This value has no effect when there's only one available update; the system shows the single available update to the user regardless of the value of this setting. Available in iOS 14.5 and later. + - key: AccessibilitySettings + supportedOS: + iOS: + introduced: '16.0' + supervised: true + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + subkeys: + - key: Item + type: + presence: required + rangelist: + - AccessibilitySettings + content: Sets various accessibility settings. The system allows only keys with + explicitly provided values. + - key: BoldTextEnabled + type: + presence: optional + default: false + content: If 'true', enables bold text. + - key: IncreaseContrastEnabled + type: + presence: optional + default: false + content: If 'true', enables increase contrast. + - key: ReduceMotionEnabled + type: + presence: optional + default: false + content: If 'true', enables reduced motion. + - key: ReduceTransparencyEnabled + type: + presence: optional + default: false + content: If 'true', enables reduced transparency. + - key: TextSize + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + - 8 + - 9 + - 10 + - 11 + default: 4 + content: The accessibility text size apps that support dynamic text use. 0 is + the smallest value, and 11 is the largest available. + - key: TouchAccommodationsEnabled + type: + presence: optional + default: false + content: If true, enables touch accommodations. + - key: VoiceOverEnabled + type: + presence: optional + default: false + content: If true, enables voiceover. + - key: ZoomEnabled + type: + presence: optional + default: false + content: If true, enables zoom. responsekeys: - key: Settings type: 
diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index f6b9807..3164c8b 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -116,9 +116,10 @@ payloadkeys: presence: optional default: false content: |- - If present and set to 'true', the user cannot delete the profile (unless the profile has a removal password and the user provides it). - On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, admin auth will be required to remove the profile. - On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, MDM profiles can never be removed by a user, not even the admin. + If present and set to 'true', the user can't delete the profile (unless the profile has a removal password and the user provides it). + On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth. + On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, users can never remove MDM profiles, not even the admin. + Requires a supervised device. - key: PayloadScope supportedOS: macOS: diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml index a94eb90..10444d9 100644 --- a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml +++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml 
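Review bot: The added `Requires a supervised device.` at the end of the PayloadRemovalDisallowed content follows two sentences about macOS, where the key is documented as affecting manually installed profiles, so as written it reads as if that macOS behavior also needs supervision. If the requirement is platform-specific, qualify it: `On iOS and tvOS, this key requires a supervised device.` The supportedOS block for this key is outside the hunk, so the intended platforms should be checked against it before the sentence is finalized.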
@@ -119,14 +119,14 @@ payloadkeys: - key: Camera type: presence: optional - content: A system camera. Access to the camera cannot be given in a profile; it + content: A system camera. Access to the camera can't be given in a profile; it can only be denied. subkeytype: Identity subkeys: *id001 - key: Microphone type: presence: optional - content: A system microphone. Access to the microphone cannot be given in a profile; + content: A system microphone. Access to the microphone can't be given in a profile; it can only be denied. subkeytype: Identity subkeys: *id001 @@ -191,7 +191,7 @@ payloadkeys: presence: optional content: Allows the application to use CoreGraphics and HID APIs to listen to (receive) CGEvents and HID events from all processes. Access to these events - cannot be given in a profile; it can only be denied. + can't be given in a profile; it can only be denied. subkeytype: Identity subkeys: *id001 - key: ScreenCapture @@ -201,7 +201,7 @@ payloadkeys: type: presence: optional content: Allows the application to capture (read) the contents of the system display. - Access to the contents cannot be given in a profile; it can only be denied. + Access to the contents can't be given in a profile; it can only be denied. subkeytype: Identity subkeys: *id001 - key: SpeechRecognition @@ -259,3 +259,13 @@ payloadkeys: content: Allows the application to access files on removable volumes. subkeytype: Identity subkeys: *id001 + - key: SystemPolicyAppBundles + supportedOS: + macOS: + introduced: '13.0' + type: + presence: optional + content: Allows the application to update or delete other apps. Available in macOS + 13 and later. + subkeytype: Identity + subkeys: *id001 diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml index b967289..3177ecd 100644 --- a/mdm/profiles/com.apple.applicationaccess.new.yaml +++ b/mdm/profiles/com.apple.applicationaccess.new.yaml 
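Review bot: SystemPolicyAppBundles, added at the end of the hunk, doesn't say whether the service can be allowed or only denied, while the Camera, Microphone, ListenEvent and ScreenCapture entries in the same file state this explicitly. For a service that lets an app update or delete other apps the distinction matters: an allow here authorizes writes to other installed, signed applications, so the entry should also tell the reader to grant it only to tightly identified apps. Proposed content: `Allows the application to update or delete other apps. Grant this only to identities you trust to modify other installed apps. Available in macOS 13 and later.` plus one sentence on whether it can be allowed in a profile or only denied, once confirmed.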
@@ -43,7 +43,8 @@ payloadkeys: - key: appID type: presence: required - content: The identifier of the app. + content: The identifier of the app. Obtain this value from the Security framework + using SecCodeCopyDesignatedRequirement. - key: detachedSignature type: presence: optional @@ -52,7 +53,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', this app is not added to the allow list. + content: If 'true', this app isn't added to the allow list. - key: subApps type: presence: optional diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index ff30c3a..7e0d36e 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -114,7 +114,7 @@ payloadkeys: presence: optional default: true content: If 'false', disables incoming AirPlay requests. Requires a supervised device. - Available in tvOS 10.2 and later. + Available in macOS 12.3 and later, and tvOS 10.2 and later. - key: allowAirPrint title: Allow AirPrint supportedOS: @@ -435,7 +435,7 @@ payloadkeys: default: true content: If 'false', disables the camera, and its icon is removed from the Home screen. Users are unable to take photographs. This restriction is deprecated on - unsupervised devices and will be supervised only in a future release. Available + unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later, and macOS 10.11 and later. - key: allowCellularPlanModification supportedOS: 
@@ -501,8 +501,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables backing up the device to iCloud. This restriction - is deprecated on unsupervised devices and will be supervised only in a future + content: If 'false', disables backing up the device to iCloud. This restriction + is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 5 and later. - key: allowCloudBookmarks supportedOS: @@ -555,6 +555,8 @@ payloadkeys: iOS: introduced: '5.0' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -566,7 +568,7 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables document and key-value syncing to iCloud. As of iOS + content: If 'false', disables document and key-value syncing to iCloud. As of iOS 13, this restriction requires a supervised device. Available in iOS 5 and later, and macOS 10.11 and later. - key: allowCloudKeychainSync @@ -586,7 +588,7 @@ payloadkeys: presence: optional default: true content: If 'false', disables iCloud keychain synchronization. This restriction - is deprecated on unsupervised devices and will be supervised only in a future + is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later and macOS 10.12 and later. - key: allowCloudMail supportedOS: @@ -677,6 +679,7 @@ payloadkeys: introduced: n/a macOS: introduced: '10.13' + userchannel: false userenrollment: mode: forbidden tvOS: 
@@ -823,8 +826,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the 'Enable Restrictions' option in the Restrictions UI in Settings. - In iOS 12 or later, if 'false', disables the 'Enable ScreenTime' option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. + If 'false', disables the “Enable Restrictions” option in the Restrictions UI in Settings. + In iOS 12 or later, if 'false', disables the “Enable ScreenTime” option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. - key: allowEnterpriseAppTrust title: Allow Trusting Enterprise Apps supportedOS: @@ -928,7 +931,7 @@ payloadkeys: default: true content: If 'false', hides explicit music or video content purchased from the iTunes Store. Explicit content is marked as such by content providers, such as record - labels, when sold through the iTunes Store. As of iOS 13, requires a supervised + labels, when sold through the iTunes Store. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later. - key: allowFilesNetworkDriveAccess supportedOS: @@ -1486,7 +1489,7 @@ payloadkeys: content: |- If 'false', disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. - It does not prevent AutoFill for contact info and credit cards in Safari. + It doesn't prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later. - key: allowPasswordProximityRequests supportedOS: 
@@ -1625,6 +1628,42 @@ payloadkeys: default: true content: If 'false', disables Apple Music Radio. Requires a supervised device. Available in iOS 9.3 and later. +- key: allowRapidSecurityResponseInstallation + title: Allow Rapid Security Response Installation + supportedOS: + iOS: + introduced: '16.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '13.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If set to false, rapid security responses can't be installed. +- key: allowRapidSecurityResponseRemoval + title: Allow Rapid Security Response Removal + supportedOS: + iOS: + introduced: '16.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '13.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If set to false, rapid security responses can't be removed. - key: allowRemoteAppPairing title: Allow pairing with Remote app supportedOS: @@ -1705,7 +1744,7 @@ payloadkeys: type: presence: optional default: true - content: If 'false', temporary sessions are not available on Shared iPad. Available + content: If 'false', temporary sessions aren't available on Shared iPad. Available in iOS 13.4 and later. - key: allowSharedStream title: Allow Shared Stream @@ -1800,7 +1839,9 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '13.0' + userenrollment: + mode: forbidden tvOS: introduced: n/a type: 
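Review bot: allowRapidSecurityResponseInstallation and allowRapidSecurityResponseRemoval omit the closing `Available in ... and later.` sentence that every other entry in this file carries, and their supportedOS marks iOS as `supervised: true` without the `Requires a supervised device.` phrase the file uses elsewhere; they also write `false` unquoted where the file's convention is `'false'`. Setting the installation key to false leaves a device without security fixes between full OS updates, which the description should spell out so the key isn't toggled casually. Proposed content for the first key: `If 'false', prevents installation of Rapid Security Responses; the device then receives security fixes only through full OS updates. Requires a supervised device on iOS. Available in iOS 16 and later and macOS 13 and later.` and the matching form for the removal key.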
@@ -1808,7 +1849,22 @@ payloadkeys: default: true content: If 'false', prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Available in iOS 6 and - later. + later and macOS 13 and later. +- key: allowUniversalControl + title: Allow Universal Control + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Universal Control. Available in macOS 13 and later. - key: allowUnmanagedToReadManagedContacts title: Allow unmanaged apps to read managed contacts accounts supportedOS: @@ -1866,14 +1922,18 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '13.0' + userchannel: false + userenrollment: + mode: forbidden tvOS: introduced: n/a type: presence: optional default: true - content: If 'false', allows the device to always connect to USB accessories while - locked. Requires a supervised device. Available in iOS 11.4.1 and later. + content: |- + If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. + This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: 
@@ -2043,7 +2103,7 @@ payloadkeys: max: 90 default: 30 content: |- - Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'. + Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'. Requires a supervised device in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later. - key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay @@ -2399,7 +2459,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', limits ad tracking. Available in iOS 7 and later. + content: |- + If 'true', limits ad tracking. Additionally, it disables app tracking and the Allow Apps To Request To Track setting. + Available in iOS 7 and later. - key: forceOnDeviceOnlyDictation supportedOS: iOS: diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml index ad3eb25..2460f98 100644 --- a/mdm/profiles/com.apple.associated-domains.yaml +++ b/mdm/profiles/com.apple.associated-domains.yaml @@ -37,7 +37,7 @@ payloadkeys: presence: required content: |- The domains to be associated with the app. Each string is in the form of ''service:domain''. Domains should be fully qualified hostnames, like 'www.example.com'. - See Supporting Associated Domains for more information. + See Supporting associated domains for more information. subkeys: - key: AssociatedDomain type: diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index 52b484c..5790a5b 100644 
--- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -181,3 +181,15 @@ payloadkeys: * '2': IPv6 * '3': Both Available in iOS 10.3 and later. + - key: EnableXLAT464 + title: Enable XLAT464 + supportedOS: + iOS: + introduced: '16.0' + watchOS: + introduced: '9.0' + type: + presence: optional + default: false + content: If 'true', enables XLAT464. Available in iOS 16 and later and watchOS + 9 and later. diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml index 3338916..a5aac9b 100644 --- a/mdm/profiles/com.apple.dnsProxy.managed.yaml +++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml @@ -12,7 +12,7 @@ payload: devicechannel: true userchannel: false userenrollment: - mode: forbidden + mode: allowed macOS: introduced: '10.15' devicechannel: true @@ -22,8 +22,9 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden - content: As of iOS 15.0 this payload can now be installed on unsupervised devices - via MDM and can now only be installed via MDM. + content: As of iOS 15.0 this payload can be installed on unsupervised devices via + MDM and can only be installed via MDM. As of iOS 16.0, this can be installed on + User Enrollments via MDM if DNSProxyUUID is specified. payloadkeys: - key: AppBundleIdentifier title: App Bundle Identifier @@ -47,3 +48,15 @@ payloadkeys: type: presence: optional content: Key/value pairs. +- key: DNSProxyUUID + title: DNS Proxy UUID + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + type: + presence: optional + content: A globally-unique identifier for this DNS proxy configuration. Managed + apps with the same 'DNSProxyUUID' in their app attributes have their DNS lookups + traffic processed by the proxy. diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index 3495c67..7c16477 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml 
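Review bot: The payload-level content in the dnsProxy hunk says the payload can be installed on User Enrollments only if DNSProxyUUID is specified, but the new DNSProxyUUID key itself is `presence: optional` with no mention of that condition, so someone reading the key alone misses the requirement. Add to its content: `Required when the payload is installed on a User Enrollment.` Since the UUID now decides which managed apps' DNS traffic goes through the proxy, the text should also state what happens to apps without a matching UUID (presumably they are unaffected, but the hunk doesn't say). Minor: `DNS lookups traffic` should read `DNS traffic`.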
@@ -29,8 +29,8 @@ payloadkeys: type: presence: optional content: |- - An array of domains. Email addresses that lack a suffix matching any of these strings are considered out of domain and marked in Mail. - This is the only field supported on macOS. + An array of domains. The system considers email addresses that lack a suffix matching any of these strings out of domain and marked in Mail. + Available in iOS 8 and later and macOS 10.10 and later. subkeys: - key: EmailDomainsItem type: @@ -43,8 +43,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array of domains. URLs matching the patterns listed here are considered - managed. + content: |- + An array of domains. The system considers URLs matching the patterns listed in this property managed. + Available in iOS 9.3 and later. subkeys: - key: WebDomainsItem type: diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml index de541eb..3433883 100644 --- a/mdm/profiles/com.apple.education.yaml +++ b/mdm/profiles/com.apple.education.yaml 
@@ -42,14 +42,14 @@ payloadkeys: type: presence: optional content: |- - The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices. + The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices. This property supports PKCS12 certificates. This key is required to configure Classroom. It does not impact the configuration of the Shared iPad login screen. - key: LeaderPayloadCertificateAnchorUUID type: presence: optional content: |- The array of UUIDs referring to certificate payloads within the same profile that are used to authorize leader peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Leader certificates must have the common name prefix leader (case insensitive). - Note: Identity payloads aren't supported. + Note: This property doesn't support identity payloads or PKCS12 certificates. This key is required when configuring a student device for Classroom, and is ignored when configuring an instructor device. It does not impact the configuration of the Shared iPad login screen. subkeys: - key: LeaderPayloadCertificateAnchorUUIDItem 
@@ -61,7 +61,7 @@ payloadkeys: presence: optional content: |- The array of UUIDs referring to certificate payloads within the same profile that are used to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive). - Note: Identity payloads aren't supported. + Note: This property doesn't support identity payloads or PKCS12 certificates. This key is required when configuring an instructor device for Classroom, and is ignored when configuring a student device. It does not impact the configuration of the Shared iPad login screen. subkeys: - key: MemberPayloadCertificateAnchorUUIDItem diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index f6671db..cd081eb 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml 
@@ -342,6 +342,42 @@ payloadkeys: type: presence: required content: A host or domain name in the format of [protocol/]hostname[:port][/path] + - key: usePlatformSSOTGT + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.0' + type: + presence: optional + default: false + content: |- + If 'true', requires this configuration uses a TGT from Platform SSO instead of requesting a new one. + Available in macOS 13 and later. + - key: allowPlatformSSOAuthFallback + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.0' + type: + presence: optional + default: true + content: |- + If 'true' and 'usePlatformSSOTGT' is 'true', allows the user to manually sign in. + Available in macOS 13 and later. + - key: performKerberosOnly + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: '13.0' + type: + presence: optional + default: false + content: |- + If 'true', the Kerberos Extension handles Kerberos requests only. It doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. + Available in macOS 13 and later. - key: Hosts type: presence: optional diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index 6d64888..0e1e383 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml 
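Review bot: performKerberosOnly declares `iOS: introduced: '16.0'` but its content ends with `Available in macOS 13 and later.` only, so either the supportedOS block or the sentence is wrong; since the key turns off password-expiry checks and password sync, the per-platform statement should be accurate. If iOS support is intended: `Available in iOS 16 and later and macOS 13 and later.` Also `requires this configuration uses a TGT` in usePlatformSSOTGT is ungrammatical; suggest `If 'true', this configuration uses the TGT obtained by Platform SSO instead of requesting a new one.`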
@@ -117,3 +117,28 @@ payloadkeys: type: presence: required content: The bundle identifier of the app. +- key: AuthenticationMethod + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.0' + type: + presence: optional + rangelist: + - Password + - UserSecureEnclaveKey + content: |- + The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. + Available in macOS 13 and later. +- key: RegistrationToken + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.0' + type: + presence: optional + content: |- + The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that 'AuthenticationMethod' isn't empty. + Available in macOS 13 and later. diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml index 13cf09f..d8d5d9d 100644 --- a/mdm/profiles/com.apple.lom.yaml +++ b/mdm/profiles/com.apple.lom.yaml @@ -21,7 +21,10 @@ payloadkeys: type: presence: optional content: The UUID certificate for the device. This key indicates the device can - receive 'PowerON', 'PowerOFF', and 'Reset' requests from a LOM controller. + receive 'PowerON', 'PowerOFF', and 'Reset' requests from a LOM controller. This + certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment + and Data Encipherment. As well as the Extended Key Usage attributes of Server + Authentication and Client Authentication. - key: ControllerCertificateUUID title: Controller Certificate payload UUID type: 
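Review bot: RegistrationToken is described as a token the device uses for silent registration with the Identity Provider, but nothing says whether it is per-device, single-use or time-limited, and configuration profiles are typically pushed to many devices, so an administrator can't judge from this entry what a leaked profile would let an attacker register. Suggest adding a sentence describing the token's scope and lifetime once confirmed, along the lines of `Treat this value as a secret; its validity and reuse are determined by the Identity Provider.` The `Requires that 'AuthenticationMethod' isn't empty.` wording would also be clearer as `Requires 'AuthenticationMethod' to be set.`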
@@ -42,8 +45,9 @@ payloadkeys: title: CA certificate payload UUIDs type: presence: optional - content: Array of payload UUIDs containing CA certificates that devices use to evaluate - trust of controller certificates. + content: |- + Array of payload UUIDs containing CA certificates that devices use to evaluate trust of controller certificates. + This key configures the device to accept the LOMDeviceRequestCommand from MDM and then send it to the target device. This certificate must contain the Key Usage attributes of Digital Signature, Key Encipherment and Data Encipherment. As well as the Extended Key Usage attributes of Server Authentication and Client Authentication. subkeys: - key: ControllerCACertificateUUIDsItem type: diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index ea21ad9..6a931ec 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -30,9 +30,9 @@ payloadkeys: type: presence: optional default: true - content: If 'true', allows a simple passcode. A simple passcode contains repeated - characters, or increasing or decreasing characters (such as '123' or 'CBA'). Setting - this value to false has the same result as setting 'minComplexChars' to '1'. + content: If 'false', prevents use of a simple passcode. A simple passcode contains + repeated characters, or increasing or decreasing characters (such as '123' or + 'CBA'). - key: forcePIN title: Require Passcode on Device supportedOS: diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml new file mode 100644 index 0000000..b7c0d7f --- /dev/null +++ b/mdm/profiles/com.apple.security.acme.yaml 
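Review bot: The sentences added to ControllerCACertificateUUIDs describe accepting the LOMDeviceRequestCommand and the Key Usage / Extended Key Usage of a single certificate, yet the key is an array of CA certificate payload UUIDs used as trust anchors, so the text reads as though copied from the controller certificate entry. A CA anchor is typically expected to carry a certificate-signing Key Usage rather than Server and Client Authentication EKUs; if the requirements really apply to the controller's leaf certificate they belong on that key, and if the device does check them on the anchors the text should say so explicitly. Also `... and Data Encipherment. As well as the Extended Key Usage ...` is a sentence fragment here and in DeviceCertificateUUID; join it as `... and Data Encipherment, as well as the Extended Key Usage attributes of Server Authentication and Client Authentication.`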
@@ -0,0 +1,150 @@ +title: ACME Certificate +description: Use this section to define settings to have an ACME server issue a client + certificate. +payload: + payloadtype: com.apple.security.acme + supportedOS: + iOS: + introduced: '16.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + tvOS: + introduced: '16.0' + supervised: false + allowmanualinstall: true + content: Use this payload to specify settings that allow the device to request a + client certificate from an ACME server. The device generates an asymmetric key + pair based upon the KeyType, KeySize, and HardwareBound fields. If attest is true + it requests an attestation of the key and device properties. Then it communicates + with the ACME server to authenticate the device, provide the attestation, and + request a matching certificate based upon the ClientIdentifier, Subject, SubjectAltName, + KeyUsage, and ExtendedKeyUsage fields. The ACME server issues a certificate and + the device installs it in the keychain. Other payloads can reference the resulting + client identity by the payload's PayloadUUID. +payloadkeys: +- key: DirectoryURL + title: ACME directory URL + type: + presence: required + content: The directory URL of the ACME server. The URL must use the https scheme. +- key: ClientIdentifier + title: Client identifier + type: + presence: required + content: A unique string identifying a specific device. The server may use this + as a nonce to prevent issuing multiple certificates. This identifier also indicates + to the ACME server that the device has access to a valid client identifier issued + by the enterprise infrastructure. This can help the ACME server determine whether + to trust the device. Though this is a relatively weak indication because of the + risk that an attacker can intercept the client identifier. 
+- key: KeySize + title: Key Size + type: + presence: required + content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'. + See those keys for specific requirements. +- key: KeyType + title: Key Type + type: + presence: required + rangelist: + - RSA + - ECSECPrimeRandom + content: |- + The type of key pair to generate. + * 'RSA': Specifies an RSA key pair. RSA key pairs must have a KeySize in the range [1024..4096] inclusive and a multiple of 8, and 'HardwareBound' must be false. + * 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4. KeySize defines the particular curve, which must be 192, 256, 384 or 521. Hardware bound keys only support values of 256 and 384. Note that the key size is 521, not 512, even though the other key sizes are multiples of 64. +- key: HardwareBound + title: Hardware Bound + type: + presence: required + content: |- + If 'false', the private key isn't bound to the device. + If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key. + If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384. +- key: Subject + title: Subject + type: + presence: required + content: |- + The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. + The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to: + [ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] + Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). 
+ subkeys: + - key: SCEPSubjectArrayInnerArray + title: Array Inside SCEP Subject Array + type: + subkeys: + - key: SCEPSubjectArrayPair + title: Subject Array Pair + type: + subkeys: + - key: SCEPSubjectArrayPairItem + title: SCEP Subject Array Pair Item + type: + repetition: + min: 2 + max: 2 +- key: SubjectAltName + title: Subject Alt Name + type: + presence: optional + content: The Subject Alt Name that the device requests for the certificate that + the ACME server issues. The ACME server may override or ignore this field in the + certificate it issues. + subkeys: + - key: rfc822Name + title: RFC 822 Name + type: + presence: optional + content: The RFC 822 (email address) string. + - key: dNSName + title: DNS Name + type: + presence: optional + content: The DNS name. + - key: uniformResourceIdentifier + title: URI + type: + presence: optional + content: The Uniform Resource Identifier. + - key: ntPrincipalName + title: NT Principal Name + type: + presence: optional + content: The NT principal name. +- key: UsageFlags + title: Key Usage + type: + presence: optional + content: |- + This value is a bit field. + * Bit '0x01' indicates digital signature. + * Bit '0x10' indicates key agreement. + The device requests this key for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. +- key: ExtendedKeyUsage + title: Extended Key Usage + type: + presence: optional + content: |- + The value is an array of strings. Each string is an OID in dotted notation. For instance, [”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”] indicates client authentication and email protection. + The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. 
+ subkeys: + - key: OID + type: + presence: optional +- key: Attest + title: Attest + type: + presence: optional + default: false + content: |- + If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. + When 'Attest' is 'true', 'HardwareBound' must also be 'true'. diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml new file mode 100644 index 0000000..4970d66 --- /dev/null +++ b/mdm/profiles/com.apple.servicemanagement.yaml 
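Review bot: `KeyType` documents an RSA `KeySize` range of [1024..4096] and the P-192 curve for `ECSECPrimeRandom` without any caveat, although 1024-bit RSA and P-192 fall below the 112-bit security level generally required today; the schema can keep accepting them for compatibility, but the content should steer administrators, e.g. `RSA keys smaller than 2048 bits and the P-192 curve are weak and should not be used for new deployments.` Separately, the `Subject` and `ExtendedKeyUsage` examples use typographic quotes (`[”C”, “US”]`, `[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]`) that break when pasted into a plist; replace them with straight ASCII quotes and fix `OIDs , with` to `OIDs, with`. Since the `ClientIdentifier` text itself calls the identifier a weak device signal, the `Attest` description could also note that a server wanting device-binding evidence should require `Attest` (and therefore `HardwareBound`) rather than rely on `ClientIdentifier` alone.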
@@ -0,0 +1,52 @@ +title: Service Management - Managed Login Items +description: Control the user experience for ServiceManagement login items (including + launchd agents and daemons) in Login Items Settings. +payload: + payloadtype: com.apple.servicemanagement + supportedOS: + macOS: + introduced: '13.0' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: true + allowmanualinstall: false + userenrollment: + mode: forbidden + content: This payload defines rules for tagging login items as managed, which will + auto-enable and auto-allow matched items. +payloadkeys: +- key: Rules + title: Rules + type: + presence: required + content: An array of rule dictionaries. + subkeys: + - key: Rule + title: Rule + type: + presence: required + content: A specification for matching one or more login items. + subkeys: + - key: RuleType + title: Rule Type + type: + presence: required + rangelist: + - BundleIdentifier + - BundleIdentifierPrefix + - Label + - LabelPrefix + - TeamIdentifier + content: The type of comparision to make. + - key: RuleValue + title: Rule Value + type: + presence: required + content: The value to compare with each login item's value, to determine a match + to this rule. + - key: Comment + title: Comment + type: + presence: optional + content: An optional description of the rule. diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml index 7d68e15..d0bad09 100644 --- a/mdm/profiles/com.apple.systempreferences.yaml +++ b/mdm/profiles/com.apple.systempreferences.yaml @@ -4,6 +4,7 @@ payload: supportedOS: macOS: introduced: '10.7' + deprecated: '13.0' devicechannel: true userchannel: true requiresdep: false 
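Review bot: `RuleType` offers `BundleIdentifierPrefix`, `LabelPrefix` and `TeamIdentifier`, which according to the payload content auto-enable and auto-allow every matching login item, including items that do not exist yet under the same prefix or team, but nothing in the content warns about that reach. I would append to the `Rules` content `Prefix and TeamIdentifier rules match every current and future login item with that prefix or team; prefer exact BundleIdentifier or Label rules when the set of items is known.` Also `comparision` in the `RuleType` content should be `comparison`.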
@@ -12,13 +13,15 @@ payload: userenrollment: mode: forbidden content: |- - Hide and show individual System Preference panes. + Hide and show individual System Preferences panes. The following preference pane items are no longer supported on macOS 10.14: • com.apple.preferences.appstore The following preference pane items are no longer supported on macOS 10.15: • com.apple.preference.ink • com.apple.preferences.icloud • com.apple.preferences.parentalcontrols + This payload is deprecated as of macOS 13. When new restrictions become available to control functionality exposed through System Settings, those restrictions should be used instead of disabling the entire preference pane. This allows for user transparency even when the user's control has been disabled by a restriction. + macOS 13 introduces a new DisabledSystemSettings key for controlling macOS 13 and newer System Settings extensions. However, note that System Settings extensions within the Privacy & Security section cannot be disabled. If DisabledSystemSettings is not provided, the system will attempt to honor the EnabledPreferencePanes and DisabledPreferencePanes by mapping the old preference pane value to one or more new settings extension values whose content was wholly contained in the old preference pane value. payloadkeys: - key: EnabledPreferencePanes type: 
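Review bot: The fallback described in the last added sentence, which maps a legacy pane value only to extensions whose content was wholly contained in that pane, appears to leave any content that moved into a broader System Settings extension visible on macOS 13 even though the pane was disabled, and the text leaves that implicit. I would add `Content from a disabled pane that moved into an extension with additional functionality is not hidden by this mapping; verify the result on macOS 13 and migrate to DisabledSystemSettings.` The `content` block scalar this extends starts before the hunk.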
@@ -76,3 +79,65 @@ payloadkeys: presence: optional content: The list of disabled System Preferences panes. subkeys: *id001 +- key: DisabledSystemSettings + supportedOS: + macOS: + introduced: '13.0' + type: + presence: optional + content: System settings extension IDs for items that will be disabled. All other + items will be enabled. When DisabledSystemSettings is specified, DisabledPreferencePanes + and EnabledPreferencePanes are ignored. Note that a given System Settings extension + may supply more than one section in System Settings; disabling such an extension + will disable all sections it supplies. + devpubs-override: The list of disabled System Settings extensions. + subkeys: + - key: SettingsExtensions + type: + presence: optional + rangelist: + - com.apple.Accessibility-Settings.extension + - com.apple.AirDrop-Handoff-Settings.extension + - com.apple.Battery-Settings.extension + - com.apple.BluetoothSettings + - com.apple.CD-DVD-Settings.extension + - com.apple.ClassKit-Settings.extension + - com.apple.Classroom-Settings.extension + - com.apple.ControlCenter-Settings.extension + - com.apple.Date-Time-Settings.extension + - com.apple.Desktop-Settings.extension + - com.apple.Displays-Settings.extension + - com.apple.ExtensionsPreferences + - com.apple.Family-Settings.extension + - com.apple.Focus-Settings.extension + - com.apple.Game-Center-Settings.extension + - com.apple.Game-Controller-Settings.extension + - com.apple.HeadphoneSettings + - com.apple.Internet-Accounts-Settings.extension + - com.apple.Keyboard-Settings.extension + - com.apple.Localization-Settings.extension + - com.apple.Lock-Screen-Settings.extension + - com.apple.LoginItems-Settings.extension + - com.apple.Mouse-Settings.extension + - com.apple.Network-Settings.extension + - com.apple.NetworkExtensionSettingsUI.NESettingsUIExtension + - com.apple.Notifications-Settings.extension + - com.apple.Passwords-Settings.extension + - com.apple.Print-Scan-Settings.extension + - 
com.apple.Screen-Time-Settings.extension + - com.apple.ScreenSaver-Settings.extension + - com.apple.Sharing-Settings.extension + - com.apple.Siri-Settings.extension + - com.apple.Software-Update-Settings.extension + - com.apple.Sound-Settings.extension + - com.apple.Startup-Disk-Settings.extension + - com.apple.Time-Machine-Settings.extension + - com.apple.Touch-ID-Settings.extension + - com.apple.Trackpad-Settings.extension + - com.apple.Transfer-Reset-Settings.extension + - com.apple.Users-Groups-Settings.extension + - com.apple.WalletSettingsExtension + - com.apple.Wallpaper-Settings.extension + - com.apple.settings.Storage + - com.apple.systempreferences.AppleIDSettings + - com.apple.wifi-settings-extension diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml index b0b6c28..08443c1 100644 --- a/mdm/profiles/com.apple.systemuiserver.yaml +++ b/mdm/profiles/com.apple.systemuiserver.yaml @@ -5,6 +5,7 @@ payload: supportedOS: macOS: introduced: '10.7' + deprecated: '11.0' devicechannel: true userchannel: true requiresdep: false diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index c5c7f9c..f106b81 100644 --- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -99,7 +99,7 @@ payloadkeys: type: presence: optional content: |- - An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the 'apple-app-site-association' file, as described in Supporting Associated Domains. + An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the 'apple-app-site-association' file, as described in Supporting associated domains. Available in iOS 14 and later, and macOS 11 and later. subkeys: - key: AssociatedDomainsItem 
diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index acf4d98..65df872 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml @@ -5,14 +5,14 @@ payload: supportedOS: iOS: introduced: '7.0' - supervised: true + supervised: false allowmanualinstall: true sharedipad: mode: allowed devicechannel: true userchannel: false userenrollment: - mode: forbidden + mode: allowed macOS: introduced: '10.15' devicechannel: true @@ -22,6 +22,9 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden + content: As of iOS 16.0, this can be installed on Device Enrollments and User Enrollments + if ContentFilterUUID is specified. Previously it could only be installed on supervised + devices. payloadkeys: - key: FilterType title: FilterType @@ -281,3 +284,15 @@ payloadkeys: content: |- This value is for deriving the relative order of content filters. Filters with a grade of 'firewall' see network traffic before filters with a grade of 'inspector'. The system doesn't define the order of filters within a grade. Available in macOS 10.15 and later. +- key: ContentFilterUUID + title: Content Filter UUID + supportedOS: + iOS: + introduced: '16.0' + macOS: + introduced: n/a + type: + presence: optional + content: A globally-unique identifier for this content filter configuration. Managed + apps with the same 'ContentFilterUUID' in their app attributes have their network + traffic processed by the content filter.
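Review bot: The iOS `supervised` and `userenrollment` flags are flipped unconditionally, while the new payload content says unsupervised and User Enrollment installs are allowed only when `ContentFilterUUID` is specified; a consumer of this schema that reads the flags alone would conclude that the payload installs on any iOS 16 device. If the schema cannot express the condition, the `content` text should carry it explicitly, e.g. `Without ContentFilterUUID, the payload still requires a supervised device and cannot be installed on User Enrollments.`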
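Review bot: `ContentFilterUUID` says managed apps with the same value have their traffic processed, but does not say what is not filtered: on an unsupervised or User Enrollment device, traffic from apps that do not carry the attribute presumably bypasses this filter, which changes the guarantee an administrator expects from a content filter. I would add to its content `Only traffic from managed apps that carry this ContentFilterUUID in their app attributes is filtered; other apps' traffic is not affected.` (to be confirmed against the implementation), and state the expected format, e.g. `The value must be a UUID string.` if that is the case. The `payloadkeys` list this key extends starts outside the hunk.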