Release_iOS-17-2_macOS-14-2

Cyrus Daboo
2023-12-12 10:45:03 -05:00
parent f44981aed0
commit 1cb86e0e35
51 changed files with 1577 additions and 1181 deletions

@@ -8,10 +8,10 @@ This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 17.1 |
| macOS | 14.1 |
| tvOS | 17.1 |
| watchOS | 10.1 |
| iOS | 17.2 |
| macOS | 14.2 |
| tvOS | 17.2 |
| watchOS | 10.2 |
## What's Available

@@ -156,8 +156,8 @@ payloadkeys:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of a credential asset declaration that contains
the identity that this account requires to authenticate with the Exchange server.
content: The identifier of a credential asset declaration that contains the identity
that this account requires to authenticate with the Exchange server.
- key: SMIME
title: S/MIME Settings
supportedOS:
@@ -254,7 +254,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', activates the mail service for this account.
content: If 'true', the system activates the mail service for this account.
- key: LockMailService
supportedOS:
macOS:
@@ -262,8 +262,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the mail service
for this account.
content: If 'true', the system prevents the user from changing the status of the
mail service for this account.
- key: ContactsServiceActive
supportedOS:
macOS:
@@ -279,8 +279,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the address book
service for this account.
content: If 'true', the system prevents the user from changing the status of the
address book service for this account.
- key: CalendarServiceActive
supportedOS:
macOS:
@@ -296,8 +296,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the calendar service
for this account.
content: If 'true', the system prevents the user from changing the status of the
calendar service for this account.
- key: RemindersServiceActive
supportedOS:
macOS:
@@ -305,7 +305,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', activates the reminders service for this account.
content: If 'true', the system activates the reminders service for this account.
- key: LockRemindersService
supportedOS:
macOS:
@@ -313,8 +313,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the reminders
service for this account.
content: If 'true', the system prevents the user from changing the status of the
reminders service for this account.
- key: NotesServiceActive
supportedOS:
macOS:
@@ -322,7 +322,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', activates the notes service for this account.
content: If 'true', the system activates the notes service for this account.
- key: LockNotesService
supportedOS:
macOS:
@@ -330,5 +330,5 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the notes service
for this account.
content: If 'true', the system prevents the user from changing the status of the
notes service for this account.

@@ -0,0 +1,148 @@
title: App:Managed
description: Use this configuration to define settings for a managed app.
payload:
declarationtype: com.apple.configuration.app.managed
supportedOS:
iOS:
introduced: '17.2'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
beta: true
payloadkeys:
- key: AppStoreID
title: App Store ID
type: <string>
presence: optional
content: Specifies the App Store ID of the managed app. One and only one of `AppStoreID`,
`BundleID`, or `ManifestURL` must be present.
- key: BundleID
title: Bundle ID
type: <string>
presence: optional
content: Specifies the Bundle ID of the managed app. One and only one of `AppStoreID`,
`BundleID`, or `ManifestURL` must be present.
- key: ManifestURL
title: Manifest URL
type: <string>
presence: optional
content: Specifies the URL of the manifest for the managed app. One and only one
of `AppStoreID`, `BundleID`, or `ManifestURL` must be present.
- key: InstallBehavior
title: Install Behavior
type: <dictionary>
presence: optional
content: Describes how and when the app will be installed.
subkeys:
- key: Install
title: Install
type: <string>
presence: optional
rangelist:
- Optional
- Required
default: Optional
content: |-
Describes whether the app must remain on the device at all times, or if the user can freely install and remove it:
* Optional - the user can install and remove the app after the configuration is activated.
* Required - the app is installed when the configuration is activated. The user may not remove the app.
On supervised devices apps are installed automatically. Otherwise the device prompts the user to approve the install of the app.
- key: License
title: License
type: <dictionary>
presence: optional
content: Describes how the app is licensed.
subkeys:
- key: VPPType
title: VPP Type
type: <string>
presence: optional
rangelist:
- Device
- User
content: |-
Indicates what type of VPP license is used for the app when installed via the App Store:
* Device - the app has a VPP device license.
* User - the app has a VPP user license.
This key must be present when an App Store app is being installed.
- key: IncludeInBackup
title: Include in Backup
type: <boolean>
presence: optional
default: true
content: If `true`, backups will contain the app and its data. If `false`, backups
will not contain the app and its data.
- key: Attributes
title: App Attributes
supportedOS:
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary of values associated with the app.
subkeys:
- key: AssociatedDomains
title: Associated Domains
type: <array>
presence: optional
content: An array of domain names to associate with the app.
subkeys:
- key: Domain
title: Domain
type: <string>
presence: required
content: A domain to be associated with the app.
- key: AssociatedDomainsEnableDirectDownloads
title: Associated Domains Enable Direct Downloads
type: <boolean>
presence: optional
default: false
content: If `true`, direct downloads will be enabled for associated domains.
- key: CellularSliceUUID
title: Cellular Slice UUID
type: <string>
presence: optional
content: Either data network name (DNN) or traffic category can be set as the
enterprise slice identifier. For DNN, the value must be encoded as "DNN:name”,
where "name" is the carrier provided DNN name. For app category, the value must
be encoded as "AppCategory:category", where "category" is a carrier provided
string like "Enterprise1".
- key: ContentFilterUUID
title: Content Filter UUID
type: <string>
presence: optional
content: The UUID of the content filter to associate with the app.
- key: DNSProxyUUID
title: DNS Proxy UUID
type: <string>
presence: optional
content: The UUID of the DNS proxy to associate with the app.
- key: RelayUUID
title: Relay UUID
type: <string>
presence: optional
content: The UUID of the Relay to associated with the app.
- key: TapToPayScreenLock
title: Tap to Pay Screen Lock
type: <boolean>
presence: optional
default: false
content: If `true`, the device will automatically lock after every transaction
that requires a customer's card PIN. If `false`, the user of the device may
choose the behavior they prefer.
- key: VPNUUID
title: VPN UUID
type: <string>
presence: optional
content: The UUID of the VPN to associate with the app.
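Review bot: in the `RelayUUID` entry near the end of `Attributes`, "The UUID of the Relay to associated with the app" should read "to associate with the app", matching the `VPNUUID`, `DNSProxyUUID` and `ContentFilterUUID` entries. In `CellularSliceUUID`, `"DNN:name”` opens with a straight quote and closes with a curly one. Separately, `AppStoreID`, `BundleID` and `ManifestURL` are each `presence: optional` while their text says exactly one must be present, and `VPPType` is optional while its text says it must be present for App Store installs. The `presence` field cannot express either rule, so the payload `description` should say what the device does with a declaration that breaks them.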

@@ -36,7 +36,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', requires the user to set a passcode without any requirements
content: If 'true', the system requires the user to set a passcode without any requirements
about the length or quality of the passcode. The presence of any other keys implicitly
requires a passcode, and overrides this key's value.
- key: RequireAlphanumericPasscode
@@ -58,9 +58,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', requires a complex passcode. A complex passcode is one that
doesn't contain repeated characters or increasing or decreasing characters (such
as 123 or CBA).
content: If 'true', the system requires a complex passcode. A complex passcode is
one that doesn't contain repeated characters or increasing or decreasing characters
(such as 123 or CBA).
- key: MinimumLength
title: Minimum Passcode Length
type: <integer>
@@ -117,9 +117,10 @@ payloadkeys:
title: Maximum Grace Period
type: <integer>
presence: optional
content: |-
The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of '0' means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select any period.
macOS translates this to screensaver settings.
content: The maximum period that a user can select, during which the user can unlock
the device without a passcode. A value of '0' means no grace period, and the device
requires a passcode immediately. In the absence of this key, the user can select
any period. In macOS, the system translates this to screensaver settings.
- key: MaximumInactivityInMinutes
title: Automatic Device Lock
type: <integer>
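Review bot: the reworded `content` for the Maximum Grace Period key still gives no unit for "the maximum period that a user can select". The next key carries its unit in the name (`MaximumInactivityInMinutes`); this one does not, so a server author cannot tell from this text whether '5' means seconds or minutes. State the unit in the first sentence while the paragraph is being rewritten.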
@@ -127,9 +128,11 @@ payloadkeys:
range:
min: 0
max: 15
content: |-
The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period.
macOS translates this to screensaver settings.
content: The maximum period that a user can select, during which the device can
be idle before the system automatically locks it. When the device reaches this
limit, the device locks and the user must enter the passcode to unlock it. In
the absence of this key, the user can select any period. In macOS, the system
translates this to screensaver settings.
- key: MaximumPasscodeAgeInDays
title: Maximum Passcode Age
supportedOS:

@@ -38,7 +38,7 @@ payloadkeys:
title: TCP Port
type: <integer>
presence: optional
content: Specifies the TCP port number on the host to initiate the connection.
content: The TCP port number on the host to initiate the connection.
- key: DisplayConfiguration
title: Display Configuration
type: <dictionary>
@@ -53,6 +53,7 @@ payloadkeys:
- Virtual2
content: |-
The type of display for the connection, which has these allowed values:
* 'Virtual1': Create one virtual display.
* 'Virtual2': Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
@@ -61,6 +62,6 @@ payloadkeys:
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: Specifies the identifier of an asset declaration that contains the required
credentials for this connection to authenticate with the screen-sharing server.
Set the corresponding asset type to 'com.apple.asset.credential.userpassword'.
content: The identifier of an asset declaration that contains the required credentials
for this connection to authenticate with the screen-sharing server. Set the corresponding
asset type to 'com.apple.asset.credential.userpassword'.

@@ -45,5 +45,5 @@ payloadkeys:
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration that contains the certificate
to install.
content: The identifier of an asset declaration that contains the certificate to
install.

@@ -47,8 +47,7 @@ payloadkeys:
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install.
content: The identifier of an asset declaration that contains the identity to install.
- key: AllowAllAppsAccess
title: Allow all apps access
supportedOS:

@@ -31,8 +31,8 @@ payloadkeys:
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install and use for passkey attestation.
content: The identifier of an asset declaration that contains the identity to install
and use for passkey attestation.
- key: AttestationIdentityKeyIsExtractable
title: Attestation identity key is extractable
supportedOS:
@@ -47,7 +47,7 @@ payloadkeys:
title: Relying parties
type: <array>
presence: required
content: Relying parties to allow enterprise attestation.
content: An array of the relying parties to allow enterprise attestation.
subkeys:
- key: RelyingParty
title: Relying party

@@ -21,9 +21,7 @@ payloadkeys:
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services.
The available built-in services are:
The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. The available built-in services are:
* 'com.apple.sshd' configures sshd
* 'com.apple.sudo' configures sudo
* 'com.apple.pam' configures PAM
@@ -38,8 +36,10 @@ payloadkeys:
- com.apple.asset.data
presence: required
content: |-
Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
The identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
* Is of type 'com.apple.asset.data'
* Is a zip archive of an entire directory
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.

@@ -28,8 +28,7 @@ payloadkeys:
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, '16.1'. It may also include a supplemental
version identifier, for example, '16.1.1'.
This is the OS version number, for example, '16.1'.
- key: TargetBuildVersion
title: Target Build Version
type: <string>
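Review bot: the shortened `content` ends at "for example, '16.1'" and drops the sentence about a supplemental version identifier such as '16.1.1', so the text no longer says whether a three-part version is accepted as a target. If such values are still valid, keep an example of one; if they are no longer accepted, say so explicitly, since a server that keeps sending '16.1.1' needs to know whether the declaration will be enforced or rejected.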

@@ -33,9 +33,9 @@ payloadkeys:
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: Specifies an array of identifiers of asset declarations that contain anchor
certificates to use to evaluate the trust of the enrollment profile server. Set
the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
content: An array of identifiers of asset declarations that contain anchor certificates
to use to evaluate the trust of the enrollment profile server. Set the type of
the corresponding assets to 'com.apple.asset.credential.certificate'.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>

@@ -0,0 +1,191 @@
title: Status App Managed List
description: The client's declarative managed apps.
payload:
statusitemtype: app.managed.list
supportedOS:
iOS:
introduced: '17.2'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
beta: true
payloadkeys:
- key: app.managed.list
title: Status item value.
type: <array>
presence: required
content: Status value.
subkeytype: App
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the app.
type: <string>
presence: required
content: The unique identifier of the app. This will be the app's bundle id.
- key: _removed
title: Indicates removal of the app.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object.
- key: declaration-identifier
title: Identifier of the declaration that controls the app.
type: <string>
presence: optional
content: The identifier of the declaration that controls the app.
- key: name
title: App name
type: <string>
presence: optional
content: The name of the app.
- key: external-version-id
title: External version id
type: <integer>
presence: optional
content: The application's external version ID. This can also be retrieved from
the store from the "contentMetadataLookupUrl" from the VPPServiceConfigSrv
endpoint. In the response from uclient-api.itunes.apple.com URL, there's a
key named "externalId" at the path results.<adamId>.offers[0].version.externalId.
If the current external version identifier of an app on the store does not
match the external version identifier reported by the device, there may be
an app update available for the device.
- key: version
title: Version
type: <string>
presence: optional
content: The version of the app.
- key: short-version
title: Short version
type: <string>
presence: optional
content: The short version of the app.
- key: state
title: Managed application list status
type: <string>
presence: optional
rangelist:
- optional
- queued
- prompting-for-consent
- prompting-for-login
- prompting-for-management
- downloading
- installing
- managed
- managed-but-uninstalled
- failed
content: |-
The status of the app.
* optional - the app is optional and the user has to trigger its installation
* queued - installation of the app has started
* prompting-for-consent - a prompt is being shown to the user to proceed with app installation
* prompting-for-login - a prompt to sign in to the App Store is being shown to the user to allow installation
* prompting-for-management - a prompt is being shown to the user to allow changing the installed app to a managed app
* downloading - an update is being downloaded
* installing - the app is being installed
* managed - the app is installed and managed
* managed-but-uninstalled - the app is managed, but has been removed by the user. If installed again, it will be managed
* failed - the app installation has failed
- key: update-state
title: Managed application update status
type: <string>
presence: optional
rangelist:
- available
- prompting-for-update
- prompting-for-update-login
- updating
- failed
content: |-
The update status of the app. This key is only present when the "state" key is set to "managed" and when there is an app update available.
* available - an update is available for the app
* prompting-for-update - a prompt is being shown to the user to proceed with app update
* prompting-for-update-login - a prompt to sign in to the App Store is being shown to the user to allow app update
* updating - the app is being updated
* failed - the app update has failed
- key: reasons
title: Status Reasons
type: <array>
presence: optional
content: Additional detail about app state, including errors.
subkeytype: StatusReason
subkeys:
- key: _reasons
title: Status Reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: code
title: Error Code
type: <string>
presence: required
content: The error code for this error.
- key: description
title: Error Description
type: <string>
presence: optional
content: The description of this error.
- key: details
title: Error Details
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Additional keys may be present.
reasons:
- value: Error.UnmanagedAppAlreadyInstalled
description: An unmanaged app is already installed and cannot be managed.
- value: Error.DuplicateConfiguredApp
description: The app is already being managed.
- value: Error.UserRejected
description: The user rejected management of the app.
- value: Error.AppStoreDisabled
description: The App Store is disabled.
- value: Error.LicenseNotFound
description: A license for the app was not available.
- value: Error.InvalidAppID
description: The app id could not be found.
- value: Error.NotAnApp
description: The downloaded data is not a valid app.
- value: Error.NotSupported
description: The app is not supported on this device.
- value: Error.DownloadFailed
description: The app download failed.
details:
- key: Timestamp
type: <string>
description: The RFC 3339 timestamp of the last download failure.
- value: Error.InstallFailed
description: The app install failed.
details:
- key: Timestamp
type: <string>
description: The RFC 3339 timestamp of the last install failure.
- value: Info.UpdateAvailable
description: An update is available for the app.
- value: Error.UpdateFailed
description: The app update failed.
details:
- key: Timestamp
type: <string>
description: The RFC 3339 timestamp of the last update failure.
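Review bot: in the `state` value list, `downloading` is described as "an update is being downloaded", but updates are reported through the separate `update-state` key (`updating`), so for an initial install this should describe the app itself being downloaded. In the same list, `queued` reads "installation of the app has started", which is hard to tell apart from `installing`; wording such as "installation is pending" would separate the two. In the `identifier` text, "bundle id" should be capitalised consistently with "Bundle ID" in the `com.apple.configuration.app.managed` declaration.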

@@ -33,7 +33,8 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: The list of apps.
content: The list of apps. The response will not include apps that are managed by
Declarative Device Management.
subkeytype: App
subkeys:
- key: status_value
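Review bot: the sentence added to `content` says that apps managed by Declarative Device Management are left out of this response, but not where a server should look for them. A server that builds its managed-app inventory from this list alone will under-report, so point the reader to the `app.managed.list` status item added in this commit.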

@@ -31,3 +31,7 @@ strings. This has not been corrected as the schema does not support polymorphic
### profiles/com.apple.universalaccess.yaml
The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`.
### profiles/com.apple.extensiblesso.yaml
The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated.
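Review bot: in the new `profiles/com.apple.extensiblesso.yaml` entry, "key values-pairs" should be "key-value pairs". The entry also does not say what was wrong or what the corrected form is, unlike the `contrast` entry above it, which names both the incorrect type and the correct one; add the before and after so consumers of the schema know whether their generated code needs to change.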

@@ -150,6 +150,9 @@ properties:
type: boolean
description: If true, indicates that the skip key's corresponding Setup pane is always skipped. If false, indicates
that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs.
beta:
type: boolean
description: Indicates that this payload should be considered a beta release for this OS. It may change in an incompatible way prior to final release.
macOS: *supportedOSItem
tvOS: *supportedOSItem
watchOS: *supportedOSItem
@@ -163,6 +166,9 @@ properties:
- single
- multiple
- combined
beta:
type: boolean
description: Indicates that this entire payload should be considered a beta release. It may change in an incompatible way prior to final release.
content:
type: string
description: Description of the payload.
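Review bot: the `beta` property added here, like the per-OS one in the previous hunk, has only `type` and `description`, so the meaning of an absent key is left to the reader. State that a missing `beta` means the payload is not beta. The two descriptions also differ in wording ("this payload should be considered a beta release for this OS" versus "this entire payload should be considered a beta release"); say which one takes precedence when both are present.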

@@ -71,7 +71,7 @@ payloadkeys:
default: false
content: |-
If 'true', and you provide values for 'PrimaryAccountFullName' or 'PrimaryAccountUserName', Setup Assistant disables editing for the corresponding fields. 'DontAutoPopulatePrimaryAccountInfo' must also be 0 (or missing).
If the user's password is also available from authentication via ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.
If the user's password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.
This value is available in macOS 10.15 and later.
- key: AutoSetupAdminAccounts
type: <array>

@@ -21,7 +21,7 @@ payloadkeys:
presence: optional
content: A dictionary that specifies where to download the app. This value is backward-compatible
with the manifest for the InstallApplicationCommand; however, it also allows you
to specify 'sha256s' and 'sha256'-size for SHA-256 hashes.
to specify 'sha256s' and 'sha256-size' for SHA-256 hashes.
subkeys:
- key: ANY
type: <any>
@@ -32,7 +32,7 @@ payloadkeys:
- key: ManifestURL
type: <string>
presence: optional
content: The URL of the app manifest, which must begin with 'https:'.
content: The URL of the app manifest, which needs to begin with 'https:'.
- key: ManifestURLPinningCerts
type: <array>
presence: optional
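Review bot: the `ManifestURL` line changes "must begin with 'https:'" to "needs to begin with 'https:'" without saying what happens when the URL uses another scheme. This is a transport-security requirement, so the text should state the outcome for a non-HTTPS URL rather than only soften the verb. The `ManifestURL` key in the new `com.apple.configuration.app.managed` declaration in this commit does not mention the scheme at all; the two should agree.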
@@ -59,9 +59,9 @@ payloadkeys:
presence: optional
default: false
content: |-
If 'true', install the app as a managed app.
For manifest-based installs, if 'true' the system considers only the .app bundles installed into '/Applications' as managed (macOS 11 through 13 required the pkg to contain a single .app bundle). Reinstalling a managed app without this flag causes it to become unmanaged.
This value is available in macOS 11 and later.
If 'true', install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to 'false', the app becomes unmanaged.
For manifest-based installs, if 'true', the system only considers apps installed in '/Applications' as managed. In macOS 11 through 13, the system requires that the 'pkg' only contains a single signed app.
Available in macOS 11 and later.
- key: ManagementFlags
supportedOS:
macOS:
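Review bot: typo in the first rewritten line of the `InstallAsManaged` content: "If you reinstall a manged app" should be "a managed app". The second rewritten line also narrows "a single .app bundle" to "a single signed app"; if signing is a new documented requirement for macOS 11 through 13 it deserves a line in the changes file, otherwise keep the original wording.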
@@ -73,9 +73,11 @@ payloadkeys:
rangelist:
- 1
content: |-
The management flags. The only supported flag is:
* '1': Remove the app upon removal of the MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'.
This value is available in macOS 11 and later.
The management flags. The possible values are:
* '1': If 'InstallAsManaged' is 'true', remove the app upon removal of the MDM profile.
Available in macOS 11 and later.
- key: Configuration
supportedOS:
macOS:
@@ -83,12 +85,12 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains the initial configuration of the app, if you
choose to provide it. This value is available in macOS 11 and later.
choose to provide it. Available in macOS 11 and later.
subkeys:
- key: ANY
type: <any>
presence: optional
content: An app configuration key.
content: An app configuration.
- key: ChangeManagementState
supportedOS:
macOS:
@@ -100,9 +102,11 @@ payloadkeys:
rangelist:
- Managed
content: |-
The change management state. The only supported state is:
* 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
This value is available in macOS 11 and later.
The change management state. This value doesn't work with the User Enrollment feature introduced in iOS 13. The only possible value is:
* 'Managed': Take management of the app if the user installed it already and 'InstallAsManaged' is 'true'.
Available in macOS 11 and later.
- key: iOSApp
supportedOS:
iOS:
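Review bot: the new first line of the `ChangeManagementState` content places "This value doesn't work with the User Enrollment feature introduced in iOS 13" between the summary and "The only possible value is:", which separates the lead-in from the list it introduces. The key is documented here as "Available in macOS 11 and later", so an iOS 13 reference needs either the macOS enrollment types it applies to or removal. Put the restriction on its own line after the value list.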

@@ -38,7 +38,8 @@ payload:
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to install an application on a device. If
the app is already being managed, this command will update the app. macOS change
the app is already being managed, this command will update the app. This command
will fail for apps that are managed by Declarative Device Management. macOS change
- 10.9 user channel for VPP, 10.10 device channel, 10.11 both.
payloadkeys:
- key: iTunesStoreID
@@ -80,7 +81,7 @@ payloadkeys:
introduced: '7.0'
type: <string>
presence: optional
content: The URL of the app manifest, which must begin with 'https:'.
content: The URL of the app manifest, which needs to begin with 'https:'.
- key: ManagementFlags
supportedOS:
macOS:
@@ -94,10 +95,13 @@ payloadkeys:
- 4
- 5
content: |-
The bitwise OR of the following management flags:
* '1': Remove app upon removal of MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'.
A bitwise OR of the management flags. The possible values are:
* '1': If 'InstallAsManaged' is 'true', remove the app upon removal of the MDM profile.
* '4': Prevent backup of app data.
This value is available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later.
* '5': Both '1' and '4'.
Available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later.
- key: Configuration
supportedOS:
iOS:
@@ -107,8 +111,8 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains the initial configuration of the app, if you
choose to provide it. This value is available in iOS 7 and later, macOS 11 and
later, and tvOS 10.2 and later.
choose to provide it. Available in iOS 7 and later, macOS 11 and later, and tvOS
10.2 and later.
subkeys:
- key: ANY
type: <any>
@@ -123,7 +127,7 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains the initial attributes of the app, if you choose
to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later.
to provide it. Available in iOS 7 and later, and tvOS 10.2 and later.
subkeys:
- key: VPNUUID
supportedOS:
@@ -227,7 +231,7 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”.
The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier-provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier-provided string like “Enterprise1”.
Available in iOS 17 and later.
- key: ChangeManagementState
supportedOS:
@@ -244,10 +248,11 @@ payloadkeys:
rangelist:
- Managed
content: |-
The change management state. The only supported state is:
The change management state. The only possible value is:
* 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
This value doesn't work with Profile Based User Enrollment, Account Driven User Enrollment and Account Driven Device Enrollment.
Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later.
This value doesn't work with the User Enrollment feature introduced in iOS 13. Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later.
- key: InstallAsManaged
supportedOS:
iOS:
@@ -264,10 +269,9 @@ payloadkeys:
presence: optional
default: false
content: |-
If 'true', install the app as a managed app.
For manifest-based installs, if this value is 'true', the system only considers the '.app' bundles installed into '/Applications 'as managed (macOS 11 through 13 required the 'pkg' to contain a single '.app' bundle).
Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app.
This value is available in macOS 11 and later.
If 'true', install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to 'false', the app becomes unmanaged.
For manifest-based installs, if 'true', the system only considers apps installed in '/Applications' as managed. In macOS 11 through 13, the system requires that the 'pkg' only contains a single signed app.
Available in macOS 11 and later.
- key: iOSApp
supportedOS:
iOS:
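Review bot: the rewritten `InstallAsManaged` content in this file carries the same typo as the enterprise-application command, "If you reinstall a manged app"; it should read "a managed app".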

@@ -40,9 +40,14 @@ payloadkeys:
introduced: '10.15'
type: <array>
presence: optional
content: |-
An array of app identifiers. Provide this value to limit the response to only include these apps. This value is available in iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later.
For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy).
content: An array of app identifiers. Provide this value to limit the response to
only include these apps. This value is available in iOS 7 and later, macOS 10.15
and later, and tvOS 10.2 and later. For a watchOS app, the identifier needs to
be the watch's bundle identifier, which differs from the main bundle identifier
for the iPhone to which the watch is paired. Obtain the watch's bundle identifier
for an app with a watch bundle, in the 'watchBundleId' key that's part of the
Content Metadata query. For more information on this query, see Getting App and
Book Information (Legacy).
subkeys:
- key: IdentifiersItem
type: <string>
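
Review bot: The Identifiers description goes from a 'content: |-' block with two paragraphs to a folded plain scalar, which merges the availability sentence and the watchOS bundle identifier guidance into one run of text. Other hunks in this commit move descriptions the other way (to '|-' with one paragraph per line), so keep the block form here and leave the watchOS paragraph on its own line.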
@@ -55,8 +60,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', only get a list of managed apps. This value is available in
iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later.
content: If 'true', only get a list of managed apps excluding ones that are managed
by Declarative Device Management. This value is available in iOS 7 and later,
macOS 10.15 and later, and tvOS 10.2 and later.
- key: Items
supportedOS:
iOS:
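
Review bot: The new ManagedAppsOnly wording, "only get a list of managed apps excluding ones that are managed by Declarative Device Management", needs a comma before "excluding" and does not tell the server how to find the excluded apps. Suggest "only get a list of managed apps, excluding apps that Declarative Device Management manages" plus a pointer to the 'Source' response key this commit adds, so an inventory built with this flag is not read as complete.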
@@ -67,11 +73,9 @@ payloadkeys:
introduced: '14.0'
type: <array>
presence: optional
content: An array of strings representing keys in the InstalledApplicationListItem
dictionary. If provided, the response will contain only the keys listed here.
The "Identifier" key is always included. If not present, the response will contain
all keys. Always request just the set of keys that will actually be used, as some
key values can take significant time and power to calculate on the device.
content: |-
An array of strings that represent keys in InstalledApplicationListResponse.InstalledApplicationListItem. If present, the response only contains the keys listed here, except 'Identifier' is always included. If not present, the response contains all keys.
Only request the keys that you need, because some key values can take significant time and power to calculate on the device.
subkeys:
- key: ItemsItem
type: <string>
@@ -265,3 +269,8 @@ responsekeys:
presence: optional
default: false
content: If 'true', the app is an App Clip. Available in iOS 16 and later.
- key: Source
type: <string>
presence: optional
content: Source of the application. This value will be set to "Declarative Device
Management" when the app is managed by Declarative Device Management.
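
Review bot: The new 'Source' response key has no 'supportedOS' block or availability sentence, while the 'IsAppClip' entry just above it states "Available in iOS 16 and later". The description also documents only the "Declarative Device Management" value; say whether the key is absent or carries another value for apps that MDM manages, and use present tense ("The value is ...") to match the rest of the file.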

View File

@@ -53,7 +53,8 @@ responsekeys:
- key: ManagedApplicationList
type: <dictionary>
presence: required
content: A dictionary that contains status information about each managed app.
content: A dictionary that contains status information about each managed app. The
response will not include apps that are managed by Declarative Device Management.
subkeytype: ManagedApplicationListItem
subkeys:
- key: ANY app identifier
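
Review bot: "The response will not include apps that are managed by Declarative Device Management" means a server that treats ManagedApplicationList as its managed-app inventory will silently undercount. Add a cross-reference to the command that does report those apps (the InstalledApplicationList 'Source' key added in this commit), and prefer "doesn't include" to match the contraction style used elsewhere in this change.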

View File

@@ -29,7 +29,8 @@ payload:
introduced: '10.0'
accessrights: AllowAppInstallation
supervised: false
content: This command allows a server to remove a managed app.
content: This command allows a server to remove a managed app. This command will
fail for apps that are managed by Declarative Device Management.
payloadkeys:
- key: Identifier
type: <string>
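
Review bot: "This command will fail for apps that are managed by Declarative Device Management" does not say how the failure is reported. Document the status or error the device returns in this case so a server can tell "app is DDM-managed" apart from other RemoveApplication failures and fall back to removing the declaration.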

View File

@@ -102,19 +102,12 @@ payloadkeys:
Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS. The 'status' of the EraseDeviceResponse is either 'Acknowledged' or 'Error'.
The following values define the device's fallback behavior:
'DoNotObliterate':
If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself.
* 'DoNotObliterate': If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself.
If EACS preflight succeeds but EACS fails, then the device doesn't attempt to erase itself.
'ObliterateWithWarning':
If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself.
* 'ObliterateWithWarning': If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
'Always':
The system doesn't attempt EACS. T2 and later devices always obliterate.
'Default':
If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself.
* 'Always': The system doesn't attempt EACS. T2 and later devices always obliterate.
* 'Default': If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
- key: ReturnToService
supportedOS:
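
Review bot: In the bulleted form of the fallback values, the second sentence for 'DoNotObliterate', 'ObliterateWithWarning' and 'Default' ("If EACS preflight succeeds but EACS fails, ...") stays on its own unbulleted line, so it is no longer visibly attached to the value it qualifies. For a command that erases the device, fold each continuation into its bullet so the behaviour per value cannot be misread.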

File diff suppressed because it is too large

View File

@@ -78,7 +78,7 @@ responsekeys:
introduced: n/a
type: <boolean>
content: If 'true', the user's passcode is compliant with requirements from profiles.
This key does not apply to User-Enrolled devices. This value is available in
This key doesn't apply to User-Enrolled devices. This value is available in
iOS 4 and later, and tvOS 6 and later.
- key: PasscodeLockGracePeriod
supportedOS:
@@ -121,7 +121,7 @@ responsekeys:
introduced: n/a
type: <integer>
content: The number of seconds before a device goes to sleep after being idle.
This value is only available for Shared iPad.
This value is only available on Shared iPad in iOS 17 and later.
- key: FDE_Enabled
supportedOS:
iOS:

View File

@@ -24,7 +24,8 @@ payload:
accessrights: AllowAppInstallation
supervised: false
content: Queries managed application attributes. Attributes can be set on managed
apps. These attributes can be changed over time.
apps. These attributes can be changed over time. The response will not include
apps that are managed by Declarative Device Management.
payloadkeys:
- key: Identifiers
type: <array>

View File

@@ -35,7 +35,8 @@ payload:
accessrights: AllowAppInstallation
supervised: false
content: This command queries the device for the current configuration of managed
applications. This command requires the App Management right.
applications. This command requires the App Management right. The response will
not include apps that are managed by Declarative Device Management.
payloadkeys:
- key: Identifiers
type: <array>

View File

@@ -27,7 +27,8 @@ payload:
accessrights: AllowAppInstallation
supervised: false
content: This command queries the device for application feedback information. This
command requires the App Management right.
command requires the App Management right. The response will not include apps
that are managed by Declarative Device Management.
payloadkeys:
- key: Identifiers
type: <array>
@@ -41,7 +42,7 @@ payloadkeys:
presence: optional
default: false
content: If 'true', delete the app's feedback dictionary after the server reads
it.
it. Apps that are managed by Declarative Device Management will be ignored.
responsekeys:
- key: ManagedApplicationFeedback
type: <array>
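
Review bot: "Apps that are managed by Declarative Device Management will be ignored" on DeleteFeedback leaves open whether the feedback dictionary is simply left in place or the command reports an error for those identifiers. State the observable result, and name the actor as the other rewritten lines do ("the system ignores apps that ...").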

View File

@@ -133,15 +133,15 @@ responsekeys:
- key: PayloadType
type: <string>
presence: required
content: The payload type, which each payload domains reference page specifies.
content: The type of payload, such as 'com.apple.wifi.managed'.
- key: PayloadVersion
type: <integer>
presence: required
content: The version of the configuration payload. The value should be '1'.
content: The version of the payload. The value should be '1'.
- key: PayloadIdentifier
type: <string>
presence: required
content: The reverse-DNS-style identifier of the payload; for example, 'com.example.myprofile.payload1'.
content: The reverse-DNS-style identifier of the payload, such as 'com.example.mypayload'.
- key: PayloadUUID
supportedOS:
iOS:
@@ -152,7 +152,7 @@ responsekeys:
introduced: '17.0'
type: <string>
presence: required
content: The unique identifier for the profile.
content: The unique identifier of the payload.
- key: PayloadDisplayName
type: <string>
presence: optional
@@ -160,7 +160,7 @@ responsekeys:
- key: PayloadDescription
type: <string>
presence: optional
content: The description of the payload.
content: A description of the payload.
- key: PayloadOrganization
type: <string>
presence: optional

View File

@@ -243,7 +243,8 @@ payloadkeys:
content: A dictionary that contains the configurations to apply to the app. Omit
this setting to remove existing configurations. This setting requires the App
Management access right, supports User Enrollment, and is available in iOS 7
and later, macOS 10.15 and later, and tvOS 10.2 and later.
and later, macOS 10.15 and later, and tvOS 10.2 and later. This setting will
fail for apps that are managed by Declarative Device Management.
subkeys:
- key: Item
type: <string>
@@ -287,7 +288,8 @@ payloadkeys:
presence: optional
content: A dictionary that contains the attributes to apply to the app. Omit this
setting to remove existing attributes. This setting supports User Enrollment,
is available in iOS 7 and later, and tvOS 10.2 and later.
is available in iOS 7 and later, and tvOS 10.2 and later. This setting will
fail for apps that are managed by Declarative Device Management.
subkeys:
- key: Item
type: <string>
@@ -410,7 +412,7 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”'.'
The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier-provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier-provided string like “Enterprise1”'.'
Available in iOS 17 and later.
- key: DeviceName
supportedOS:
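
Review bot: The rewritten DNN line fixes "carrier-provided" but keeps the stray quoted period at the end of the sentence: “Enterprise1”'.'. Since the line is being touched, drop the quotes around the period so it reads “Enterprise1”.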
@@ -760,15 +762,15 @@ payloadkeys:
type: <boolean>
presence: required
content: If 'true', the device stops at a Setup Assistant pane after user
login. The user won't be able to use the device until a UserConfiguredCommand
command is received.
login. The user won't be able to use the device until the device receives
a UserConfiguredCommand command.
- key: PasscodePolicy
supportedOS:
iOS:
introduced: '17.0'
type: <dictionary>
presence: optional
content: A dictionary that contains passcode related policies.
content: A dictionary that contains passcode policies.
subkeys:
- key: PasscodeLockGracePeriod
type: <integer>
@@ -780,28 +782,18 @@ payloadkeys:
- 900
- 3600
- 14400
content: Sets the user preference for the amount of time (in seconds) the
screen must be locked before unlock attempts will require the device passcode.
This should ideally be set when no passcode is set on device. If a passcode
is on device, only more restrictive values than the currently enforced passcode
lock grace period will take effect; any changes to a less restrictive value
will not take effect until the user logs out. This setting will not take
effect if TemporarySessionOnly is set to true (since there is no passcode
for the temporary session). This setting can only be applied on Shared iPads.
devpubs-override: The number of seconds before a locked screen requires the
user to enter the device passcode to unlock it. The minimum value is '0'
seconds and the maximum value is '14400' seconds. If a device has a passcode,
a change to a larger value doesn't take effect until the user logs out or
removes the passcode. For this reason, it's better to set this value before
the user sets a passcode. If the value set is less than one of the known
values the next lowest value will be used. For example a value of 299 will
content: |-
The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds.
If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode.
If the value set is less than one of the known
values, the next lowest value will be used. For example a value of 299 will
result in an effective setting of 60.
This setting won't take effect if 'TemporarySessionOnly' is 'true' because there's no passcode for a temporary session.
- key: AutoLockTime
type: <integer>
presence: optional
content: Sets the user preference for the amount of time (in seconds) before
a device goes to sleep after being idle. The minimum value for this setting
is 120 seconds. This setting can only be applied on Shared iPad.
content: The number of seconds before a device goes to sleep after being idle.
The minimum value for this setting is '120' seconds.
- key: DiagnosticSubmission
supportedOS:
iOS:
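
Review bot: Inside the new 'content: |-' block for PasscodeLockGracePeriod, the sentence beginning "If the value set is less than one of the known" is still hard-wrapped over three lines, and a literal scalar keeps those breaks mid-sentence. Join it onto one line like the other paragraphs in the block. The hunk also drops the "can only be applied on Shared iPad" sentence from both PasscodeLockGracePeriod and AutoLockTime; confirm that restriction is stated on the parent key.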
@@ -887,9 +879,9 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary that contains password lock grace period settings. This
setting doesn't support User Enrollment, and is only available for Shared iPad.
Available in iOS 9.3.2 and later.
content: |-
A dictionary that contains password lock grace period settings. This setting doesn't support User Enrollment, and is only available for Shared iPad. Available in iOS 9.3.2 and later.
This key is deprecated. Use 'PasscodeLockGracePeriod' in SettingsCommand.Command.Settings.SharedDeviceConfiguration.PasscodePolicy instead.
subkeys:
- key: Item
type: <string>
@@ -907,14 +899,13 @@ payloadkeys:
- 900
- 3600
- 14400
content: The number of seconds before a locked screen requires the user to enter
the device passcode to unlock it. The minimum value is '0' seconds and the
maximum value is '14400' seconds. If a device has a passcode, a change to
a larger value doesn't take effect until the user logs out or removes the
passcode. For this reason, it's better to set this value before the user sets
a passcode. If the value set is less than one of the known values the next
content: |-
The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds.
If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode.
If the value set is less than one of the known values, the next
lowest value will be used. For example a value of 299 will result in an effective
setting of 60.
This setting won't take effect if 'TemporarySessionOnly' is 'true' because there's no passcode for a temporary session.
- key: TimeZone
supportedOS:
iOS:

View File

@@ -35,10 +35,9 @@ responsekeys:
- key: AvailableOSUpdates
type: <array>
presence: required
content: An array of dictionaries that contains only the most recent available updates
in iOS and tvOS, and possibly multiple available updates in macOS. Follow the
instructions in the Managed Apps and Updates section of the Apple Software Lookup
Service to find a complete catalog of iOS and tvOS updates.
content: |-
An array of dictionaries that contains only the most recent available updates in iOS and tvOS, and possibly multiple available updates in macOS. Follow the instructions in the Managed Apps and Updates section of the Apple Software Lookup Service to find a complete catalog of iOS and tvOS updates.
In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options.
subkeys:
- key: AvailableOSUpdatesItem
type: <dictionary>

View File

@@ -56,10 +56,9 @@ payloadkeys:
introduced: '12.2'
type: <string>
presence: optional
content: The version of the update, which the system requires if 'ProductKey'
isn't present. Rapid Security Response updates are not able to be installed
using this command. This value is available in iOS 11.3 and later, macOS 12
and later, and tvOS 12.2 and later.
content: |-
The version of the update, which the system requires if 'ProductKey' isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later.
This value isn't available for use with Rapid Security Response (RSR) updates.
- key: InstallAction
type: <string>
presence: required
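
Review bot: The Rapid Security Response sentence changes meaning, not just wording. The old text said RSR updates "are not able to be installed using this command"; the new text says "This value isn't available for use with Rapid Security Response (RSR) updates", which reads as a limit on ProductVersion only and implies RSR could still be scheduled through 'ProductKey'. Please confirm which is true and word it so a patch-management server does not assume RSR coverage it does not have.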
@@ -72,12 +71,15 @@ payloadkeys:
- InstallForceRestart
content: |-
The install action, which is one of the following values:
* 'Default': Download or install the update, depending on the current state. You can check the 'UpdateResults' dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later.
* 'DownloadOnly': Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later.
* 'InstallASAP': In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later.
* 'NotifyOnly': Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later.
* 'InstallLater': Download the software update and install it at a later time. This value is available in macOS 10.11 and later.
* 'InstallForceRestart': Perform the 'Default' action, and then force a restart if the update requires it. This value is available in macOS 11 and later.
'InstallForceRestart' may result in data loss.
- key: MaxUserDeferrals
supportedOS:

View File

@@ -35,9 +35,7 @@ responsekeys:
type: <array>
presence: required
content: An array of dictionaries that describes the statuses of software updates.
The array is empty if there are no software updates currently in progress. If
an activated declaration of configuration.softwareupdate.enforcement.specific
is present on a Mac, OSUpdateStatus will only return non OS update statuses.
The array is empty if there are no software updates currently in progress.
subkeys:
- key: OSUpdateStatusItem
type: <dictionary>
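
Review bot: This hunk deletes the sentence explaining that, with an activated configuration.softwareupdate.enforcement.specific declaration on a Mac, OSUpdateStatus returns only non-OS update statuses, and nothing replaces it. If the behaviour is unchanged, keep the sentence (reworded if needed), because a server polling OSUpdateStatus would otherwise read an empty array as "no OS update in progress". If the behaviour changed in this release, say so.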

View File

@@ -38,8 +38,8 @@ payloadkeys:
type: <string>
presence: required
content: The reverse-DNS style identifier ('com.example.myprofile', for example)
that identifies the profile. This string is used to determine whether a new profile
should replace an existing one or should be added.
that identifies the profile. The system uses this string to determine whether
to replace an existing profile or add it as a new profile.
- key: PayloadUUID
type: <string>
presence: required
@@ -56,9 +56,9 @@ payloadkeys:
presence: required
rangelist:
- 1
content: The version number of the profile format. This number represents the version
of the configuration profile as a whole, not of the individual profiles within
it. The value should be 1.
content: The version number of the profile format, which needs to be '1'. This number
represents the version of the configuration profile as a whole, not of the individual
profiles within it.
- key: IsEncrypted
type: <boolean>
presence: optional
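
Review bot: The rewritten PayloadVersion description still says the number is "not of the individual profiles within it". A configuration profile contains payloads, and the per-payload 'PayloadVersion' is described elsewhere in this commit as "The version of the payload", so this should read "not of the individual payloads within it".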
@@ -85,22 +85,22 @@ payloadkeys:
type: <string>
presence: optional
content: The description of the profile, shown on the Detail screen for the profile.
This description should be detailed enough to help the user decide whether to
install the profile.
Make this description detailed enough to help the user decide whether to install
the profile.
- key: PayloadDisplayName
type: <string>
presence: optional
content: The human-readable name for the profile. This value is displayed on the
Detail screen. It doesn't have to be unique.
content: The human-readable name for the profile, which doesn't need to be unique.
The system displays this value on the Detail screen.
- key: HasRemovalPasscode
type: <boolean>
presence: optional
default: false
content: Set to 'true' if there is a removal passcode.
content: Set to 'true' if there's a removal passcode.
- key: PayloadOrganization
type: <string>
presence: optional
content: The human-readable string containing the name of the organization that
content: The human-readable string that contains the name of the organization that
provided the profile.
- key: PayloadRemovalDisallowed
supportedOS:
@@ -116,9 +116,9 @@ payloadkeys:
presence: optional
default: false
content: |-
If present and set to 'true', the user can't delete the profile (unless the profile has a removal password and the user provides it).
On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth.
On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, users can never remove MDM profiles, not even the admin.
If present and set to 'true', the user can't delete the profile unless the profile has a removal password and the user provides it.
On macOS 10.15 and later, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth.
On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin.
Requires a supervised device.
- key: PayloadScope
supportedOS:
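
Review bot: The first rewritten line says "removal password", while the key a few lines above is 'HasRemovalPasscode' and its description says "removal passcode". Use one term. The third line also mixes tenses ("this key prevents admins ... However, as of macOS 10.15, users can never remove"); consider stating the pre-10.15 behaviour in past tense so it is clear which rule applies today.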
@@ -129,27 +129,28 @@ payloadkeys:
rangelist:
- System
- User
content: A string that defines whether the profile should be installed for the system
or the user. In many cases, it determines the location of certificate items, such
as keychains. Though it isn't possible to declare different payload scopes, payloads,
like VPN, may automatically install their items in both scopes, if needed.
content: A string that defines whether to install the profile for the system or
the user. In many cases, it determines the location of certificate items, such
as keychains. Though it's not possible to declare different payload scopes, payloads
like VPN can automatically install their items in both scopes, if needed.
- key: RemovalDate
type: <date>
presence: optional
content: The date when the profile is automatically removed.
content: The date when the system automatically removes the profile.
- key: DurationUntilRemoval
type: <real>
presence: optional
content: The number of seconds until the profile is automatically removed. If the
'RemovalDate' key is present, whichever field yields the earliest date is used.
'RemovalDate' key is present, the system uses whichever field yields the earliest
date.
- key: PayloadExpirationDate
supportedOS:
watchOS:
introduced: n/a
type: <date>
presence: optional
content: The date when a profile is no longer valid and an update button is presented
to the user.
content: The date when a profile is no longer valid and the system presents an update
button to the user.
- key: TargetDeviceType
supportedOS:
iOS:
@@ -172,24 +173,26 @@ payloadkeys:
default: 0
content: |-
The type of platform of the target device. Specifying the platform type helps prevent unintended installations.
For interactive installations on iOS devices, specifying a target platform avoids the interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible.
0 = Any/unspecified
1 = iPhone/iPad/iPod Touch
2 = Apple Watch
3 = HomePod
4 = Apple TV
5 = Mac
For interactive installations on iOS devices, specifying a target platform avoids interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible.
Possible values include:
* '0': Any/unspecified
* '1': iPhone/iPad/iPod Touch
* '2': Apple Watch
* '3': HomePod
* '4': Apple TV
* '5': Mac
- key: ConsentText
type: <dictionary>
presence: optional
content: |-
A dictionary containing a key that consists of the IETF BCP 47 identifier for a language (for example, en or jp) and a value consisting of the agreement localized to that language. The agreement is displayed in a dialog, and the user must agree before installing the profile.
A dictionary that includes:
* A key that contains the IETF BCP 47 identifier for a language, such as en or jp
* A value that contains the agreement localized to language specified by the key
The dictionary can also contain an optional key, 'default', with its value consisting of the unlocalized (usually in en) agreement.
The system chooses a localized version in the order of preference specified by the user (macOS) or based on the user's current language setting (iOS). If no exact match is found, the default localization is used. If there is no default localization, the en localization is used. If there is no en localization, the first available localization is used.
Provide a default value, if possible. No warning is displayed if the user's locale doesn't match any localization in the 'ConsentText' dictionary.
The system always displays the agreement in a dialog, and the user needs to agree before the system can install the profile.
The system chooses a localized version in the order of preference that the user specifies in macOS, or based on the user's current language setting in iOS. If there's no exact match, the system uses the default localization. If there's no default localization, the system uses the en localization. If there's no en localization, the system uses the first available localization.
Provide a default value, if possible. The system won't display a warning if the user's locale doesn't match any localization in the 'ConsentText' dictionary.
subkeys:
- key: ConsentTextItem
type: <dictionary>

View File

@@ -13,12 +13,16 @@ payload:
allowmanualinstall: true
userenrollment:
mode: forbidden
content: Settings for time zone and server
content: Settings for time zone and server. If multiple profiles with this payload
are sent, the device's time server will be set to the value in the last payload
installed. Removing the payload will not change the settings back to the prior
settings.
payloadkeys:
- key: timeServer
type: <string>
presence: optional
content: The NTP server to connect to. Use commas to separate multiple time servers.
content: The NTP server to connect to. As of macOS 10.13 only one time server is
supported.
- key: timeZone
type: <string>
presence: optional

View File

@@ -34,7 +34,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Apple ID setup window.
content: If 'true', the system skips the Apple ID setup pane.
- key: SkipSiriSetup
supportedOS:
iOS:
@@ -42,7 +42,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Siri setup window.
content: If 'true', the system skips the Siri setup pane.
- key: SkipPrivacySetup
supportedOS:
iOS:
@@ -52,7 +52,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Privacy consent window.
content: If 'true', the system skips the Privacy consent pane.
- key: SkipiCloudStorageSetup
supportedOS:
iOS:
@@ -62,7 +62,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the iCloud Storage window.
content: If 'true', the system skips the iCloud Storage pane.
- key: SkipTrueTone
supportedOS:
iOS:
@@ -72,7 +72,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the True Tone Display window.
content: If 'true', the system skips the True Tone Display pane.
- key: SkipAppearance
supportedOS:
iOS:
@@ -82,7 +82,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Choose Your Look window.
content: If 'true', the system skips the Choose Your Look pane.
- key: SkipTouchIDSetup
supportedOS:
iOS:
@@ -92,7 +92,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Touch ID setup window.
content: If 'true', the system skips the Touch ID setup pane.
- key: SkipScreenTime
supportedOS:
iOS:
@@ -102,7 +102,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Screen Time window.
content: If 'true', the system skips the Screen Time pane.
- key: SkipAccessibility
supportedOS:
iOS:
@@ -112,7 +112,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Accessibility window.
content: If 'true', the system skips the Accessibility pane.
- key: SkipSetupItems
supportedOS:
iOS:
@@ -121,9 +121,8 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: |-
An array strings describing setup items to skip. SkipKeys provides a list of valid strings and their meanings.
Available in iOS 14 and later.
content: An array strings that describe the setup items to skip. SkipKeys provides
a list of valid strings and their meanings. Available in iOS 14 and later.
subkeys:
- key: SkipSetupItems
type: <string>
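
Review bot: The rewritten SkipSetupItems description reads "An array strings that describe the setup items to skip"; it is missing "of" ("An array of strings"). The error was in the old text too, but the line is being rewritten here, so fix it in this change.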
@@ -136,7 +135,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system skips the Unlock With Apple Watch window.
content: If 'true', the system skips the Unlock With Apple Watch pane.
- key: SkipWallpaper
supportedOS:
iOS:

View File

@@ -37,18 +37,18 @@ payloadkeys:
- key: apn
type: <string>
presence: required
content: This string specifies the Access Point Name.
content: The access point name.
- key: username
type: <string>
presence: optional
content: This string specifies the user name for this APN. If it is missing,
the device prompts for it during profile installation.
content: The user name. If missing, the device prompts for it during profile
installation.
- key: password
type: <data>
presence: optional
content: This data represents the password for the user for this APN. For
obfuscation purposes, the password is encoded. If it is missing from the
payload, the device prompts for the password during profile installation.
content: The password for the user. For obfuscation purposes, the system encodes
the password. If missing, the device prompts for the password during profile
installation.
- key: proxy
type: <string>
presence: optional

File diff suppressed because it is too large

View File

@@ -47,12 +47,12 @@ payloadkeys:
title: User name
type: <string>
presence: optional
content: The user name for the APN.
content: The user name.
- key: Password
title: Password
type: <string>
presence: optional
content: The password for the APN.
content: The password for the user.
- key: AllowedProtocolMask
title: Supported IP Versions
supportedOS:
@@ -65,15 +65,16 @@ payloadkeys:
- 2
- 3
content: |-
The supported Internet Protocol versions. Possible values are:
1 = IPv4
2 = IPv6
3 = Both
The Internet Protocol versions that the system supports. Possible values are:
* '1': IPv4
* '2': IPv6
* '3': Both
- key: APNs
title: APNs
type: <array>
presence: optional
content: An array of access point dictionaries.
content: An array of access point name (APN) dictionaries.
subkeys:
- key: APNsItem
type: <dictionary>
@@ -127,11 +128,11 @@ payloadkeys:
- 2
- 3
content: |-
Deprecated. The default Internet Protocol versions. Possible values are:
The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Possible values are:
* '1': IPv4
* '2': IPv6
* '3': Both
Available in iOS 10.3 but no longer used in iOS 11 and later.
- key: AllowedProtocolMask
title: Supported IP Versions
supportedOS:
@@ -144,11 +145,11 @@ payloadkeys:
- 2
- 3
content: |-
The supported Internet Protocol versions. Possible values are:
The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Possible values are:
* '1': IPv4
* '2': IPv6
* '3': Both
Available in iOS 10.3 and later.
- key: AllowedProtocolMaskInRoaming
title: Supported Roaming IP Versions
supportedOS:
@@ -161,11 +162,11 @@ payloadkeys:
- 2
- 3
content: |-
The supported Internet Protocol versions while roaming. Possible values are:
The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are:
* '1': IPv4
* '2': IPv6
* '3': Both
Available in iOS 10.3 and later.
- key: AllowedProtocolMaskInDomesticRoaming
title: Supported Roaming IP Versions
supportedOS:
@@ -178,11 +179,11 @@ payloadkeys:
- 2
- 3
content: |-
The supported Internet Protocol versions while roaming domestically. Possible values are:
The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are:
* '1': IPv4
* '2': IPv6
* '3': Both
Available in iOS 10.3 and later.
- key: EnableXLAT464
title: Enable XLAT464
supportedOS:
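
Review bot: The new text for 'AllowedProtocolMaskInDomesticRoaming' says "while roaming", which loses the "domestically" of the line it replaces and makes the description word-for-word identical to 'AllowedProtocolMaskInRoaming' in the previous hunk. Restore "while roaming domestically". The title "Supported Roaming IP Versions" is also the same for both keys and would be worth differentiating in the same pass.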
@@ -193,5 +194,5 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', enables XLAT464. Available in iOS 16 and later and watchOS
9 and later.
content: If 'true', the system enables XLAT464. Available in iOS 16 and later
and watchOS 9 and later.

View File

@@ -165,11 +165,14 @@ payloadkeys:
content: The Platform SSO authentication method to use with the extension. Requires
that the SSO Extension also support the method.
- key: UseSharedDeviceKeys
supportedOS:
macOS:
userchannel: false
type: <boolean>
presence: optional
default: false
content: If 'true', the system uses the same signing and encryption keys for all
users.
users. Only supported on the device channel.
- key: AccountDisplayName
type: <string>
presence: optional
@@ -260,11 +263,8 @@ payloadkeys:
content: The pairing of Authorization Rights to group names. The system updates
the Authorization Right to use the group when used.
subkeys:
- key: Authorization Right
- key: ANY
type: <string>
presence: required
content: The Authorization Right to update.
- key: Group
type: <string>
presence: required
content: The group to use for the Authorization Right.
presence: optional
content: The key is an access right value, the value is the group to be associated
with that access right.
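
Review bot: The description on the new 'ANY' subkey uses "access right" while the parent description two lines above the subkeys still says "Authorization Rights"; pick one term. The sentence is also a comma splice. Suggested wording: "The key is an Authorization Right, and the value is the group to associate with that right." Since the subkey changed from 'required' to 'optional', say whether an empty dictionary is accepted.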

View File

@@ -48,24 +48,24 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', external hard drives don't appear on the Desktop.
content: If 'false', the system doesn't show external hard drives on the Desktop.
- key: ShowHardDrivesOnDesktop
type: <boolean>
presence: optional
default: false
content: If 'false', internal hard drives don't appear on the Desktop.
content: If 'false', the system doesn't show internal hard drives on the Desktop.
- key: ShowMountedServersOnDesktop
type: <boolean>
presence: optional
default: false
content: If 'false', mounted file servers don't appear on the Desktop.
content: If 'false', the system doesn't show mounted file servers on the Desktop.
- key: ShowRemovableMediaOnDesktop
type: <boolean>
presence: optional
default: true
content: If 'false', removable media items don't appear on the Desktop.
content: If 'false', the system doesn't show removable media items on the Desktop.
- key: WarnOnEmptyTrash
type: <boolean>
presence: optional
default: true
content: If 'false', the user isn't warned before emptying the trash.
content: If 'false', the system doesn't warn the user before emptying the trash.

View File

@@ -216,7 +216,7 @@ payloadkeys:
- key: passwordContentRegex
type: <string>
presence: required
content: A regular expression string that they system matches against the password
content: A regular expression string that the system matches against the password
to determine whether it complies with a policy. The regular expression uses
the ICU syntax (<https://unicode-org.github.io/icu/userguide/strings/regexp.html>).
The string must not exceed 2048 characters in length.

View File

@@ -29,8 +29,8 @@ payloadkeys:
title: Relays
type: <array>
presence: required
content: An array of dictionaries that describes one or more relay servers that
can be chained together.
content: An array of dictionaries that describe one or more relay servers that the
system can chain together.
subkeys:
- key: Relay
title: Network Relay
@@ -40,26 +40,24 @@ payloadkeys:
title: HTTP/3 Relay URL
type: <string>
presence: optional
content: The URL or URI template (such as defined in RFC 9298) of a relay server
that is reachable using HTTP/3 and supports proxying TCP and UDP using the
CONNECT method. Each relay must have at least one URL, for either HTTP/3 or
HTTP/2, and may support both.
content: |-
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either 'HTTP2RelayURL' or 'HTTP3RelayURL', or it can include both.
- key: HTTP2RelayURL
title: HTTP/2 Relay URL
type: <string>
presence: optional
content: The URL or URI template (such as defined in RFC 9298) of a relay server
that is reachable using HTTP/2 and supports proxying TCP and UDP using the
CONNECT method. Each relay must have at least one URL, for either HTTP/3 or
HTTP/2, and may support both.
content: |-
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method.
Each relay needs to include either 'HTTP2RelayURL' or 'HTTP3RelayURL', or it can include both.
- key: AdditionalHTTPHeaderFields
title: Additional HTTP Header Fields
type: <dictionary>
presence: optional
content: A dictionary of custom HTTP header keys and values to add to each request
to the relay. The dictionary key name represents the HTTP header field name
to use, and the dictionary value is the string to use as the HTTP header field
value.
content: A dictionary that contains custom HTTP header keys and values to add
to each request. The dictionary key name represents the HTTP header field
name to use, and the dictionary value is the string to use as the HTTP header
field value.
subkeys:
- key: ANY
type: <string>
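
Review bot: In 'AdditionalHTTPHeaderFields' the new wording "to add to each request" drops "to the relay", so it no longer says which requests carry the custom headers. These headers often hold credentials or tokens, so the scope matters; keep "to each request to the relay". Separately, both relay URL keys remain 'presence: optional' while the text says each relay needs at least one of them, so the constraint exists only in prose.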
@@ -70,16 +68,15 @@ payloadkeys:
type: <string>
presence: optional
format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
content: UUID pointing to an identity certificate payload. This identity will
be used to authenticate the user to the relay server.
content: The UUID that points to an identity certificate payload, which the
system uses to authenticate the user to the relay server.
- key: RawPublicKeys
title: Raw Public Keys
type: <array>
presence: optional
content: An array of raw public keys used to authenticate the server during
a TLS handshake. The server must use one of the keys in the handshake in order
to authenticate. If no keys are specified, default TLS trust evaluation is
used.
content: |-
An array of raw public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate.
If this array is empty, the system uses the default TLS trust evaluation.
subkeys:
- key: RawPublicKeysElement
title: Raw Public Key Element
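
Review bot: "If this array is empty" in the new 'RawPublicKeys' text is narrower than the "If no keys are specified" it replaces. The key is 'presence: optional', so the omitted-key case is now undocumented, and this is the switch between pinned keys and default TLS trust evaluation. Suggest "If this key is missing or the array is empty, the system uses the default TLS trust evaluation."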
@@ -88,11 +85,10 @@ payloadkeys:
title: Match Domains
type: <array>
presence: optional
content: A list of domain strings used to determine which connection should be routed
through the servers contained in Relays. Any connection that matches the domain
exactly or is a subdomain of the listed domain will use the relay servers, unless
they match an excluded domain. If no domains are listed, traffic to all domains,
except those matching an excluded domain, will be routed to the relay servers.
content: |-
A list of domain strings that the system uses to determine which connection to route through the servers in 'Relays'.
Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in 'ExcludedDomains'.
If this list is empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain.
subkeys:
- key: MatchDomainsElement
title: Match Domains Element
@@ -101,9 +97,9 @@ payloadkeys:
title: Excluded Domains
type: <array>
presence: optional
content: A list of domain strings that should not be routed through the servers
contained in Relays. Any connection that matches the domain exactly or is a subdomain
of the listed domain will not use the relay server.
content: A list of domain strings to exclude from routing through the servers in
'Relays'. Any connection that matches a domain in the list exactly or is a subdomain
of the listed domain won't use the relay server.
subkeys:
- key: ExcludedDomainsElement
title: Excluded Domains Element
@@ -111,5 +107,5 @@ payloadkeys:
- key: RelayUUID
type: <string>
presence: optional
content: A globally-unique identifier for this relay configuration. This UUID is
used to route managed apps through the servers contained in Relays.
content: A globally-unique identifier for this relay configuration. The system uses
this UUID to route managed apps through the servers in 'Relays'.

View File

@@ -43,7 +43,10 @@ payload:
request a matching certificate based upon the ClientIdentifier, Subject, SubjectAltName,
UsageFlags, and ExtendedKeyUsage fields. The ACME server issues a certificate
and the device installs it in the keychain. Other payloads can reference the resulting
client identity by the payload's PayloadUUID.
client identity by the payload's PayloadUUID. For details on the content of the
attestation provided to the ACME server, see the documentation of the DevicePropertiesAttestation
key in the DeviceInformation response. In the attestation certificate the value
of the nonce OID matches the nonce specified by the ACME server via the ACME protocol.
payloadkeys:
- key: DirectoryURL
title: ACME directory URL
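
Review bot: The added attestation sentences name 'DevicePropertiesAttestation', 'DeviceInformation' and "the nonce OID" without quoting the key names or identifying the OID, unlike the quoted key references used elsewhere in this commit. A server implementer who wants to verify the nonce has to look the OID up elsewhere; either state it here or say explicitly that it is listed in the 'DevicePropertiesAttestation' documentation. A comma after "In the attestation certificate" would also help.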
@@ -85,15 +88,15 @@ payloadkeys:
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key.
If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384.
This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'.
This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of false.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to:
[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]
The representation of a X.500 name represented as an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]'
Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
subkeys:
- key: ACMESubjectArrayInnerArray
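
Review bot: The 'HardwareBound' line changes "a value of 'false'" to "a value of false", which goes against the rest of this commit where literal values gain quotes. In the 'Subject' example, the new single quotes wrap text that still contains typographic quotes (”C”, “US”), so the sample cannot be copied as written; use straight quotes inside the example. "OIDs ," on the following line also has a stray space before the comma.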
@@ -152,7 +155,7 @@ payloadkeys:
type: <array>
presence: optional
content: |-
The value is an array of strings. Each string is an OID in dotted notation. For instance, [”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”] indicates client authentication and email protection.
The value is an array of strings. Each string is an OID in dotted notation. For instance, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
subkeys:
- key: OID
@@ -181,8 +184,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If true, the private key of the identity obtained via SCEP should be tagged
as “non-extractable” in the keychain.
content: If 'true', the private key of the identity obtained through Simple Certificate
Enrollment Protocol (SCEP) needs to be tagged as “non-extractable” in the keychain.
- key: AllowAllAppsAccess
title: Allow All Apps Access
supportedOS:
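
Review bot: This description sits in the ACME payload file but still refers to "the identity obtained through Simple Certificate Enrollment Protocol (SCEP)"; the edit spells the acronym out instead of correcting the protocol. If the key applies to the ACME-issued identity, say ACME. "Needs to be tagged" also leaves the actor unclear; the pattern used elsewhere in this commit would be "the system tags the private key ... as non-extractable".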

View File

@@ -22,19 +22,19 @@ payloadkeys:
- key: EnableFirewall
type: <boolean>
presence: required
content: If 'true', enables the firewall.
content: If 'true', the system enables the firewall.
- key: BlockAllIncoming
type: <boolean>
presence: optional
content: If 'true', enables blocking of all incoming connections.
content: If 'true', the system enables blocking all incoming connections.
- key: EnableStealthMode
type: <boolean>
presence: optional
content: If 'true', enables stealth mode.
content: If 'true', the system enables stealth mode.
- key: Applications
type: <array>
presence: optional
content: The list of apps with connections controlled by the firewall.
content: The list of apps with connections that the firewall controls.
subkeys:
- key: ApplicationsItem
title: Applications
@@ -44,21 +44,19 @@ payloadkeys:
title: Application Identifier
type: <string>
presence: required
content: The bundle identifier for an app.
content: The bundle identifier for the app.
- key: Allowed
title: Allow connections
type: <boolean>
presence: required
content: If true, allows connections for the app.
content: If 'true', the system allows connections for the app.
- key: EnableLogging
supportedOS:
macOS:
introduced: '12.0'
type: <boolean>
presence: optional
content: |-
If 'true', enables logging.
Available in macOS 12 and later.
content: If 'true', the system enables logging. Available in macOS 12 and later.
- key: LoggingOption
supportedOS:
macOS:
@@ -69,9 +67,7 @@ payloadkeys:
- throttled
- brief
- detail
content: |-
This string specifies the type of logging.
Available in macOS 12 and later.
content: The type of logging. Available in macOS 12 and later.
- key: AllowSigned
supportedOS:
macOS:
@@ -80,8 +76,8 @@ payloadkeys:
presence: optional
default: true
content: |-
If 'true', allows built-in software to receive incoming connections.
Available in macOS 12.3 and later.
If 'true', the system allows built-in software to receive incoming connections. Available in macOS 12.3 and later.
The system ensures that 'AllowSigned' always has a value. If missing from the payload, the system sets it to 'true'.
- key: AllowSignedApp
supportedOS:
macOS:
@@ -90,5 +86,5 @@ payloadkeys:
presence: optional
default: true
content: |-
If 'true', allows downloaded signed software to receive incoming connections.
Available in macOS 12.3 and later.
If 'true', the system allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later.
The system ensures that 'AllowSignedApp' always has a value. If missing from the payload, the system sets it to 'true'.
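
Review bot: The sentence added to 'AllowSignedApp' (and to 'AllowSigned' in the previous hunk), "If missing from the payload, the system sets it to 'true'", restates 'default: true' but does not spell out the consequence: a profile that omits the key permits incoming connections to signed software. State that an administrator who wants these connections blocked has to set the key to 'false' explicitly, and say how the key interacts with 'BlockAllIncoming' from the first hunk of this file.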

View File

@@ -49,9 +49,7 @@ payloadkeys:
title: Password
type: <string>
presence: optional
content: |-
This is the password to the identity.
Security Caution: Because the password string is stored in the clear (unencrypted) in the profile, you should encrypt the entire profile.
content: The password to the identity.
- key: AllowAllAppsAccess
title: Allow All Apps Access
supportedOS:
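
Review bot: Reducing the 'Password' description to "The password to the identity." deletes the removed text's warning that the password is stored unencrypted in the profile and that the whole profile should be encrypted. That is the only security guidance on this key and nothing visible in the hunk replaces it. Keep a short form, for example "The profile stores this value unencrypted, so encrypt the profile."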
@@ -81,4 +79,4 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', does not tag the private key data as extractable in the keychain.
content: If 'false', doesn't tag the private key data as extractable in the keychain.
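
Review bot: "If 'false', doesn't tag the private key data as extractable" has no subject after the contraction change. Every other boolean description reworded in this commit reads "the system ..."; use "If 'false', the system doesn't tag the private key data as extractable in the keychain."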

View File

@@ -28,7 +28,8 @@ payloadkeys:
title: If Lost message
supportedOS:
iOS:
introduced: 9.3.1
introduced: '9.3'
deprecated: 9.3.1
type: <string>
presence: optional
content: Deprecated. Use 'LockScreenFootnote' instead.
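
Review bot: The two version values under 'iOS' are quoted differently: "introduced: '9.3'" is a quoted string while "deprecated: 9.3.1" is bare. Both load as strings, but quoting '9.3.1' as well keeps the field consistent with the other version strings in these files and avoids a later edit to "9.3" silently becoming a number.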

View File

@@ -49,6 +49,13 @@ payloadkeys:
title: VPN Subtype
type: <string>
presence: optional
rangelist:
- com.cisco.anyconnect
- net.pulsesecure.PulseSecure.vpnplugin
- com.f5.F5-Edge-Client.vpnplugin
- com.sonicwall.SonicWALL-SSLVPN.vpnplugin
- com.arubanetworks.aruba-via.vpnplugin
- com.checkpoint.CheckPoint-VPN.vpnplugin
content: |-
An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'.
If 'VPNType' is 'VPN', the system requires this field. If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
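
Review bot: The new 'rangelist' restricts 'VPNSubType' to six vendor identifiers, yet the unchanged description below it says the field contains "the bundle identifier of the app that contains the provider" for any network extension based solution. A validator that enforces the rangelist would reject those bundle identifiers. Either drop the rangelist or document these six as known values for legacy plug-ins, with other bundle identifiers still allowed.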
@@ -71,25 +78,26 @@ payloadkeys:
title: Realm
type: <string>
presence: optional
content: The Kerberos realm name. This value needs to be properly capitalized.
Not available in watchOS.
content: The Kerberos realm name, which needs to be properly capitalized. Valid
only for Juniper SSL/Pulse Secure. Not available in watchOS.
- key: Role
title: Role
type: <string>
presence: optional
content: The role to select when connecting to the server. This key is valid only
for Juniper SSL. Not available in watchOS.
content: The role to select when connecting to the server. Valid only for Juniper
SSL and Pulse Secure. Not available in watchOS.
- key: Group
title: Group
type: <string>
presence: optional
content: The group to connect to on the head end. This key is only valid for Cisco
AnyConnect. Not available in watchOS.
content: The group to connect to on the head end. Valid for Cisco AnyConnect and
Cisco Legacy AnyConnect. Not available in watchOS.
- key: LoginGroupOrDomain
title: Login Group or Domain
type: <string>
presence: optional
content: The login group or domain. Not available in watchOS.
content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not
available in watchOS.
- key: VPN
title: VPN
type: <dictionary>
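
Review bot: The vendor qualifiers added in this hunk are phrased three different ways: 'Realm' has "Valid only for Juniper SSL/Pulse Secure", 'Role' has "Valid only for Juniper SSL and Pulse Secure", and 'Group' has "Valid for ..." without "only". Use one form throughout, and where the new 'rangelist' in the previous hunk has a matching identifier, reference it so the reader can tell which 'VPNSubType' value each key belongs to.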
@@ -479,8 +487,8 @@ payloadkeys:
title: Account Password
type: <string>
presence: optional
content: If 'TokenCard' is '1', use this password for authentication. This keyis
for use with L2TP and PPTP networks.
content: If 'TokenCard' is '1', use this password for authentication. This key
is for use with L2TP and PPTP networks.
- key: TokenCard
title: Use Token Card
type: <integer>
@@ -1562,7 +1570,8 @@ payloadkeys:
presence: optional
content: The dictionary to use when 'VPNType' is 'TransparentProxy'. The keys in
this dictionary are the same as the keys in the 'VPN' dictionary with the addition
of the fields shown in the VPN.TransparentProxy dictionary. Not available in watchOS.
of the fields shown in the VPN.TransparentProxy dictionary. Available in macOS
14 and later. Not available in watchOS.
subkeys:
- key: Order
title: Order

View File

@@ -33,7 +33,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', prevents SpringBoard from adding 'shine' to the icon.
content: If 'true', the system prevents SpringBoard from adding shine to the icon.
- key: FullScreen
title: Full Screen
supportedOS:
@@ -42,21 +42,24 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', launches the web clip as a full-screen web app.
content: If 'true', the system launches the web clip as a full-screen web app.
- key: URL
title: URL
type: <string>
subtype: <url>
presence: required
content: The URL that the web clip should open when clicked.
content: The URL of the web clip.
- key: Icon
title: Icon
type: <data>
presence: optional
content: |-
The PNG icon to be shown on the Home screen.
For best results, provide a square image that's no larger than 400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically scaled and cropped to fit, if necessary, and converted to PNG format. Web clip icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114 pixels for iPhone devices. To prevent the device from adding a shine to the image, set 'Precomposed' to 'true'.
If this property isn't specified, a white square is shown.
content: The PNG icon to show on the Home screen. If not set, the system displays
a white square. For best results, provide a square image that's no larger than
400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically
scaled and cropped to fit, if necessary, and converted to PNG format. Web clip
icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114
pixels for iPhone devices. To prevent the device from adding a shine to the image,
set 'Precomposed' to 'true'.
- key: IsRemovable
title: Removable
supportedOS:
@@ -65,12 +68,12 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', enables removing the web clip.
content: If 'true', the system enables removing the web clip.
- key: Label
title: Label
type: <string>
presence: required
content: The name of the web clip as displayed on the Home screen.
content: The name of the web clip that the system displays on the Home screen.
- key: IgnoreManifestScope
title: Ignore Web Clip manifest scope
supportedOS:
@@ -81,10 +84,10 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL.
This key has no effect when 'FullScreen' is 'false'.
Available in iOS 14 and later.
content: If 'true', a full screen web clip can navigate to an external web site
without showing Safari UI. Otherwise, Safari UI appears when navigating away from
the web clip's URL. This key has no effect when 'FullScreen' is 'false'. Available
in iOS 14 and later.
- key: TargetApplicationBundleIdentifier
title: Target Application Bundle Identifier
supportedOS:
@@ -94,6 +97,6 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: |-
The application bundle identifier that specifies the application which opens the URL. To use this property, the profile must be installed through an MDM.
Available in iOS 14 and later.
content: The application bundle identifier of the application that opens the URL.
To use this property, install the profile through MDM. Available in iOS 14 and
later.

View File

@@ -39,8 +39,8 @@ payloadkeys:
- BuiltIn
- Plugin
default: BuiltIn
content: The type of filter, built-in or plug-in. In macOS, the system supports
only the plug-in value.
content: The type of filter, built-in or plug-in. In macOS, the system only supports
the plug-in value.
- key: AutoFilterEnabled
title: Web filter enabled
supportedOS:
@@ -49,10 +49,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', automatic filtering is in an enabled state. This function evaluates
each web page as it loads and attempts to identify and block content not suitable
for children. The search algorithm is complex and may vary from release to release,
but it's basically looking for adult language.
content: If 'true', the system enables automatic filtering. Use when 'FilterType'
is 'BuiltIn'.
- key: PermittedURLs
title: PermittedURLs
supportedOS:
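
Review bot: The new 'AutoFilterEnabled' text says only that "the system enables automatic filtering" and removes the removed lines' explanation that the filter evaluates each page as it loads and tries to block content unsuitable for children. Without it the description defines the key in terms of itself. Keep one sentence on what automatic filtering does.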
@@ -61,8 +59,8 @@ payloadkeys:
type: <array>
presence: optional
content: An array or URLs that are accessible whether or not the automatic filter
allows access. The system uses this array only when 'AutoFilterEnabled' is 'true'.
Otherwise, it ignores this field.
allows access. Use when 'FilterType' is 'BuiltIn'. Requires that 'AutoFilterEnabled'
is 'true'.
subkeys:
- key: PermittedURLItems
title: Permitted url items
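
Review bot: The first line of the 'PermittedURLs' description still reads "An array or URLs"; since the rest of the sentence is rewritten here, fix it to "An array of URLs" in the same change. "Requires that 'AutoFilterEnabled' is 'true'" also drops the removed statement that the system ignores the field otherwise, which is the behaviour an administrator needs to know.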
@@ -90,8 +88,8 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: An array of URLs that are inaccessible. Limit the number of these URLs
to about 500.
content: An array of URLs that are inaccessible. Use when 'FilterType' is 'BuiltIn'.
Limit the number of these URLs to about 500.
subkeys:
- key: DenyListURLItems
title: Denylisted url items
@@ -130,7 +128,8 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: An array of dictionaries defining the pages that the user can visit.
content: An array of dictionaries that define the pages that the user can bookmark
or visit. Use when 'FilterType' is 'BuiltIn'.
subkeys:
- key: AllowListBookmarksItem
title: Identifier
@@ -150,43 +149,50 @@ payloadkeys:
title: UserDefinedName
type: <string>
presence: optional
content: The display name for this filtering configuration.
content: The display name for this filtering configuration. Required when 'FilterType'
is 'Plugin'.
- key: PluginBundleID
title: PluginBundleID
type: <string>
presence: optional
content: The bundle ID of the plug-in that provides filtering service.
content: The bundle ID of the plug-in that provides filtering service. Required
when 'FilterType' is 'Plugin'. Otherwise, it ignores this value. Consult your
filtering solution vendor to determine what to specify for this value. Required
when 'FilterType' is 'Plugin'.
- key: ServerAddress
title: ServerAddress
type: <string>
presence: optional
content: The server address, which may be the IP address, hostname, or URL.
content: The server address, which may be the IP address, hostname, or URL. Use
when 'FilterType' is 'Plugin'.
- key: UserName
title: Username
type: <string>
presence: optional
content: The user name for the service.
content: The user name for the service. Use when 'FilterType' is 'Plugin'.
- key: Password
title: Password
type: <string>
presence: optional
content: The password for the service.
content: The password for the service. Use when 'FilterType' is 'Plugin'.
- key: PayloadCertificateUUID
title: Certificate UUID
type: <string>
presence: optional
format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
content: The UUID of the certificate payload within the same profile that the system
uses to authenticate the user.
uses to authenticate the user. Use when 'FilterType' is 'Plugin'.
- key: Organization
title: Organization
type: <string>
presence: optional
content: The organization string that passes to the third-party plug-in.
content: The organization string to pass to the third-party plug-in. Use when 'FilterType'
is 'Plugin'.
- key: VendorConfig
type: <dictionary>
presence: optional
content: The custom dictionary that the filtering service plug-in needs.
content: The custom dictionary that the filtering service plug-in needs. Use when
'FilterType' is 'Plugin'.
subkeys:
- key: ANY
type: <any>
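
Review bot: The new 'PluginBundleID' description repeats "Required when 'FilterType' is 'Plugin'." at both its start and its end, and "Otherwise, it ignores this value" has no antecedent for "it". Suggested text: "The bundle ID of the plug-in that provides filtering service. Required when 'FilterType' is 'Plugin'; otherwise the system ignores this value." 'UserDefinedName' and 'PluginBundleID' are also described as required while the schema keeps 'presence: optional', so the requirement is not machine-checkable.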
@@ -200,15 +206,17 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', enables the filtering of WebKit traffic. Either 'FilterBrowsers'
or 'FilterSockets' must be 'true'.
content: |-
If 'true', the system enables filtering WebKit traffic. Use when 'FilterType' is 'Plugin'.
At least one of 'FilterBrowsers' or 'FilterSockets' needs to be 'true'.
- key: FilterSockets
title: FilterSockets
type: <boolean>
presence: optional
default: false
content: If 'true', enables the filtering of socket traffic. Either 'FilterBrowsers'
or 'FilterSockets' must be 'true'.
content: |-
If 'true', enables the filtering of socket traffic. Use when 'FilterType' is 'Plugin'.
At least one of 'FilterBrowsers' or 'FilterSockets' needs to be 'true'.
- key: FilterDataProviderDesignatedRequirement
title: Filter Data Provider Designated Requirement
supportedOS:
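
Review bot: The two descriptions in this hunk were reworded differently. 'FilterBrowsers' reads "the system enables filtering WebKit traffic" while 'FilterSockets' keeps "enables the filtering of socket traffic" with no subject. Align 'FilterSockets' to "If 'true', the system enables filtering socket traffic."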
@@ -218,9 +226,9 @@ payloadkeys:
introduced: '10.15'
type: <string>
presence: optional
content: |-
The designated requirement string that the system embeds in the code signature of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'.
Available in macOS 10.15 and later.
content: The designated requirement string that the system embeds in the code signature
of the filter data provider system extension. This string identifies the filter
data provider when the filter starts running. Required if 'FilterSockets' is 'true'.
- key: FilterDataProviderBundleIdentifier
title: Filter Data Provider Bundle Identifier
supportedOS:
@@ -230,9 +238,9 @@ payloadkeys:
introduced: '10.15'
type: <string>
presence: optional
content: |-
The bundle identifier string of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'.
Available in macOS 10.15 and later.
content: The bundle identifier string of the filter data provider system extension.
This string identifies the filter data provider when the filter starts running.
Required if 'FilterSockets' is 'true'.
- key: FilterPackets
title: Filter Network Packets
supportedOS:
@@ -244,10 +252,8 @@ payloadkeys:
presence: optional
default: false
content: |-
If this value is 'true', the property enables the filtering of network packets.
Either 'FilterPackets' or 'FilterSockets' must be 'true'.
You can only use this when 'FilterType' is 'Plugin'.
Available in macOS 10.15 and later.
If 'true' and 'FilterType' is 'Plugin', the system enables filtering network packets. Use when 'FilterType' is 'Plugin'.
At least one of 'FilterPackets' or 'FilterSockets' needs to be 'true'.
- key: FilterPacketProviderDesignatedRequirement
title: Filter Packet Provider Designated Requirement
supportedOS:
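
Review bot: The new 'FilterPackets' sentence states the 'FilterType' condition twice: "If 'true' and 'FilterType' is 'Plugin', ... Use when 'FilterType' is 'Plugin'." Drop one of them, preferably keeping the trailing "Use when" form that the other keys in this file use.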
@@ -257,9 +263,10 @@ payloadkeys:
introduced: '10.15'
type: <string>
presence: optional
content: |-
The designated requirement string that the system embeds in the code signature of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'.
Available in macOS 10.15 and later.
content: The designated requirement string that the system embeds in the code signature
of the filter packet provider system extension. This string identifies the filter
packet provider when the filter starts running. Required if 'FilterPackets' is
'true'.
- key: FilterPacketProviderBundleIdentifier
title: Filter Packet Provider Bundle Identifier
supportedOS:
@@ -269,9 +276,9 @@ payloadkeys:
introduced: '10.15'
type: <string>
presence: optional
content: |-
The bundle identifier string of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'.
Available in macOS 10.15 and later.
content: The bundle identifier string of the filter packet provider system extension.
This string identifies the filter packet provider when the filter starts running.
Required if 'FilterPackets' is 'true'.
- key: FilterGrade
title: Filter Grade
supportedOS:
@@ -285,9 +292,10 @@ payloadkeys:
- firewall
- inspector
default: firewall
content: |-
This value is for deriving the relative order of content filters. Filters with a grade of 'firewall' see network traffic before filters with a grade of 'inspector'. The system doesn't define the order of filters within a grade.
Available in macOS 10.15 and later.
content: The system uses this value to derive the relative order of content filters.
Filters with a grade of 'firewall' see network traffic before filters with a grade
of 'inspector'. However, the system doesn't define the order of filters within
a grade.
- key: ContentFilterUUID
title: Content Filter UUID
supportedOS:
@@ -297,7 +305,7 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: A globally-unique identifier for this content filter configuration. Managed
apps with the same 'ContentFilterUUID' in their app attributes have their network
traffic processed by the content filter. This key must be present for unsupervised
devices and user enrollments.
content: A globally unique identifier for this content filter configuration. The
content filter processes network traffic for managed apps with the same 'ContentFilterUUID'
in their app attributes. Use when 'FilterType' is 'Plugin'. This key must be present
for unsupervised devices and user enrollments.

View File

@@ -53,8 +53,8 @@ payloadkeys:
introduced: '7.0'
type: <string>
presence: optional
content: The SSID of the Wi-Fi network to be used. In iOS 7.0 and later, the SSID
is optional if a 'DomainName' value is provided.
content: The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is
optional if a value exists for 'DomainName' value.
- key: HIDDEN_NETWORK
title: Hidden
type: <boolean>
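Review bot: the new SSID sentence ends "if a value exists for 'DomainName' value", which repeats "value"; the old wording "if a 'DomainName' value is provided" did not have this problem. Suggest "optional if 'DomainName' has a value".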
@@ -74,9 +74,11 @@ payloadkeys:
- Manual
- Auto
default: None
content: |-
The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port and optionally a user name and password into the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL.
Available in iOS 5.0 and later, and on all versions of macOS.
content: The proxy type, if any, to use. If you choose the manual proxy type, you
need the proxy server address, including its port and optionally a user name and
password into the proxy server. If you choose the auto proxy type, you can enter
a proxy autoconfiguration (PAC) URL. Available in iOS 5.0 and later, and on all
versions of macOS.
- key: EncryptionType
title: Encryption Type
type: <string>
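Review bot: the reflowed proxy description keeps "optionally a user name and password into the proxy server", which is not grammatical, and "you can enter a proxy autoconfiguration (PAC) URL" describes a user interface rather than the payload. Since the paragraph is being reworded anyway, suggest saying what the profile has to carry for each type, for example "If 'Manual', provide the proxy server address and port, and optionally a user name and password for the proxy server."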
@@ -96,7 +98,7 @@ payloadkeys:
* 'WPA' allows joining WPA or WPA2 networks
* 'WPA2' allows joining WPA2 or WPA3 networks
* 'WPA3' allows joining WPA3 networks only
* 'Any' allows joining WPA, WPA2, WPA3, and WEP networks.
* 'Any' allows joining WPA, WPA2, WPA3, and WEP networks
Prior to iOS 16, tvOS 16, and watchOS 9, specifying 'WPA', 'WPA2', and 'WPA3' were equivalent and would allow joining any WPA network.
Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly.
- key: Password
@@ -343,9 +345,9 @@ payloadkeys:
introduced: '10.9'
type: <string>
presence: optional
content: |-
The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: The operator name to display when connected to this network. Used only
with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later, and in macOS
10.9 and later.
- key: DomainName
title: Domain Name
supportedOS:
@@ -355,9 +357,8 @@ payloadkeys:
introduced: '10.9'
type: <string>
presence: optional
content: |-
The primary domain of the tunnel.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: The primary domain of the tunnel. Available in iOS 7.0 and later, and in
macOS 10.9 and later.
- key: RoamingConsortiumOIs
title: Roaming OIs
supportedOS:
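Review bot: 'DomainName' is still described as "The primary domain of the tunnel", but the SSID hunk earlier in this file says the SSID of the Wi-Fi network is optional when 'DomainName' has a value, which suggests the key helps identify the network to join rather than a tunnel. The reflow leaves "tunnel" unexplained; suggest either confirming the word is intended here or rewording to say what the domain is used for.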
@@ -367,9 +368,9 @@ payloadkeys:
introduced: '10.9'
type: <array>
presence: optional
content: |-
An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: An array of Roaming Consortium Organization Identifiers used for Wi-Fi
Hotspot 2.0 negotiation. Available in iOS 7.0 and later, and in macOS 10.9 and
later.
subkeys:
- key: RoamingConsortiumOI
type: <string>
@@ -384,9 +385,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', allows connection to roaming service providers.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: If 'true', allows connection to roaming service providers. Available in
iOS 7.0 and later, and in macOS 10.9 and later.
- key: IsHotspot
title: Is Hotspot
supportedOS:
@@ -397,9 +397,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', the device treats the network as a hotspot.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: If 'true', the device treats the network as a hotspot. Available in iOS
7.0 and later, and in macOS 10.9 and later.
- key: HESSID
supportedOS:
iOS:
@@ -416,9 +415,8 @@ payloadkeys:
introduced: '10.9'
type: <array>
presence: optional
content: |-
An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation.
Available in iOS 7.0 and later, and in macOS 10.9 and later.
content: An array of Network Access Identifier Realm names used for Wi-Fi Hotspot
2.0 negotiation. Available in iOS 7.0 and later, and in macOS 10.9 and later.
subkeys:
- key: NAIRealmName
type: <string>
@@ -431,9 +429,9 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: |-
An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits.
Available in iOS 7.0 and later. This feature is not supported in macOS.
content: An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used
for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits.
Available in iOS 7.0 and later. This feature isn't supported in macOS.
subkeys:
- key: MCCAndMNC
type: <string>
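Review bot: "Each string must contain exactly six digits" is a constraint that appears only in the prose; the 'MCCAndMNC' subkey visible at the end of the hunk is declared as a plain '<string>'. If the subkey definition below the hunk does not already carry a format or pattern restriction, suggest adding one so that tooling generated from this file rejects malformed values.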
@@ -448,9 +446,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', Captive Network detection will be bypassed when the device connects to the network.
Available in iOS 10.0 and later.
content: If 'true', the system bypasses Captive Network detection when the device
connects to the network. Available in iOS 10.0 and later.
- key: QoSMarkingPolicy
title: QoS Marking Policy
supportedOS:
@@ -460,9 +457,10 @@ payloadkeys:
introduced: '10.13'
type: <dictionary>
presence: optional
content: |-
A dictionary that contains the list of apps that are allowed to benefit from L2 and L3 marking. When this dictionary isn't present, all apps are allowed to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane.
Available in iOS 10.0 and later, and in macOS 10.13 and later.
content: A dictionary that contains the list of apps that the system allows to benefit
from L2 and L3 marking. When this dictionary isn't present, the system allows
all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast
lane. Available in iOS 10.0 and later, and in macOS 10.13 and later.
subkeys:
- key: QoSMarkingAllowListAppIdentifiers
title: Allowlisted App Identifiers
@@ -521,7 +519,7 @@ payloadkeys:
introduced: n/a
type: <array>
presence: optional
content: An array of strings that contain the type of connection mode to be attached.
content: An array of strings that contain the type of connection mode to attach.
subkeys:
- key: SetupModesItem
type: <string>
@@ -540,9 +538,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: |-
If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST.
If 'false', allows for zero-factor authentication for EAP-TLS.
content: If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or
EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS.
- key: ProxyServer
title: Proxy Server
supportedOS:
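Review bot: joining the two lines into one paragraph keeps "two-factor authentication" and "zero-factor authentication" without saying what the factors are, and "zero-factor authentication for EAP-TLS" can be read as no authentication at all. Both sentences also lack a subject, where other hunks in this commit add "the system". Suggest stating what the client must present in each state rather than counting factors.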
@@ -636,5 +633,4 @@ payloadkeys:
content: |-
If 'true,' disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections.
If 'false', then the system enables MAC address randomization.
This value is only locked when the profile is installed by MDM. If the profile is manually installed, the value is set but the user can change it.
Available in iOS 14 and later, and watchOS 7 and later.
This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. Available in iOS 14 and later, and watchOS 7 and later.
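Review bot: the context line above still reads "If 'true,' disables", with the comma inside the quotation marks, unlike "If 'false'," on the next line; this commit is a good place to fix it. In the new last line, the availability sentence is appended to the sentence about MDM locking inside a '|-' block, where line breaks are preserved, so two unrelated statements now render as one run. "If the profile is manually installed" also stays passive while the first half was made active. Suggest keeping "Available in iOS 14 and later, and watchOS 7 and later." on its own line.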

View File

@@ -28,7 +28,7 @@ payloadkeys:
type: <string>
presence: optional
content: The key to skip the Accessibility pane, when creating additional users.
This key is available in macOS 11 and later.
This key is not available in macOS.
- key: Android
title: Prevents migration from Android device
supportedOS:
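Review bot: this is a change of meaning, not of wording: "This key is available in macOS 11 and later." becomes "This key is not available in macOS.", unlike the mostly editorial rewrites around it. The 'supportedOS' entry for this key is outside the hunk, so please confirm its macOS entry was changed to match, and call out the reversal in the commit description. The new sentence also uses "is not", while the Wi-Fi hunk in this commit changes "is not supported" to "isn't supported".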