diff --git a/README.md b/README.md index 0704638..1958eda 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,10 @@ This release corresponds to the following OS versions | OS | Version | |---------|---------| -| iOS | 17.1 | -| macOS | 14.1 | -| tvOS | 17.1 | -| watchOS | 10.1 | +| iOS | 17.2 | +| macOS | 14.2 | +| tvOS | 17.2 | +| watchOS | 10.2 | ## What's Available diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 6bdf25b..0313a55 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -156,8 +156,8 @@ payloadkeys: - com.apple.asset.credential.identity - com.apple.asset.credential.scep presence: optional - content: Specifies the identifier of a credential asset declaration that contains - the identity that this account requires to authenticate with the Exchange server. + content: The identifier of a credential asset declaration that contains the identity + that this account requires to authenticate with the Exchange server. - key: SMIME title: S/MIME Settings supportedOS: @@ -254,7 +254,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', activates the mail service for this account. + content: If 'true', the system activates the mail service for this account. - key: LockMailService supportedOS: macOS: @@ -262,8 +262,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from changing the status of the mail service - for this account. + content: If 'true', the system prevents the user from changing the status of the + mail service for this account. - key: ContactsServiceActive supportedOS: macOS: 
@@ -279,8 +279,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from changing the status of the address book - service for this account. + content: If 'true', the system prevents the user from changing the status of the + address book service for this account. - key: CalendarServiceActive supportedOS: macOS: @@ -296,8 +296,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from changing the status of the calendar service - for this account. + content: If 'true', the system prevents the user from changing the status of the + calendar service for this account. - key: RemindersServiceActive supportedOS: macOS: @@ -305,7 +305,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', activates the reminders service for this account. + content: If 'true', the system activates the reminders service for this account. - key: LockRemindersService supportedOS: macOS: @@ -313,8 +313,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from changing the status of the reminders - service for this account. + content: If 'true', the system prevents the user from changing the status of the + reminders service for this account. - key: NotesServiceActive supportedOS: macOS: @@ -322,7 +322,7 @@ payloadkeys: type: presence: optional default: true - content: If 'true', activates the notes service for this account. + content: If 'true', the system activates the notes service for this account. - key: LockNotesService supportedOS: macOS: @@ -330,5 +330,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents the user from changing the status of the notes service - for this account. + content: If 'true', the system prevents the user from changing the status of the + notes service for this account. 
diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml new file mode 100644 index 0000000..a9819f8 --- /dev/null +++ b/declarative/declarations/configurations/app.managed.yaml 
@@ -0,0 +1,148 @@ +title: App:Managed +description: Use this configuration to define settings for a managed app. +payload: + declarationtype: com.apple.configuration.app.managed + supportedOS: + iOS: + introduced: '17.2' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + beta: true +payloadkeys: +- key: AppStoreID + title: App Store ID + type: + presence: optional + content: Specifies the App Store ID of the managed app. One and only one of `AppStoreID`, + `BundleID`, or `ManifestURL` must be present. +- key: BundleID + title: Bundle ID + type: + presence: optional + content: Specifies the Bundle ID of the managed app. One and only one of `AppStoreID`, + `BundleID`, or `ManifestURL` must be present. +- key: ManifestURL + title: Manifest URL + type: + presence: optional + content: Specifies the URL of the manifest for the managed app. One and only one + of `AppStoreID`, `BundleID`, or `ManifestURL` must be present. +- key: InstallBehavior + title: Install Behavior + type: + presence: optional + content: Describes how and when the app will be installed. + subkeys: + - key: Install + title: Install + type: + presence: optional + rangelist: + - Optional + - Required + default: Optional + content: |- + Describes whether the app must remain on the device at all times, or if the user can freely install and remove it: + * Optional - the user can install and remove the app after the configuration is activated. + * Required - the app is installed when the configuration is activated. The user may not remove the app. + On supervised devices apps are installed automatically. Otherwise the device prompts the user to approve the install of the app. + - key: License + title: License + type: + presence: optional + content: Describes how the app is licensed. 
+ subkeys: + - key: VPPType + title: VPP Type + type: + presence: optional + rangelist: + - Device + - User + content: |- + Indicates what type of VPP license is used for the app when installed via the App Store: + * Device - the app has a VPP device license. + * User - the app has a VPP user license. + This key must be present when an App Store app is being installed. +- key: IncludeInBackup + title: Include in Backup + type: + presence: optional + default: true + content: If `true`, backups will contain the app and its data. If `false`, backups + will not contain the app and its data. +- key: Attributes + title: App Attributes + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: A dictionary of values associated with the app. + subkeys: + - key: AssociatedDomains + title: Associated Domains + type: + presence: optional + content: An array of domain names to associate with the app. + subkeys: + - key: Domain + title: Domain + type: + presence: required + content: A domain to be associated with the app. + - key: AssociatedDomainsEnableDirectDownloads + title: Associated Domains Enable Direct Downloads + type: + presence: optional + default: false + content: If `true`, direct downloads will be enabled for associated domains. + - key: CellularSliceUUID + title: Cellular Slice UUID + type: + presence: optional + content: Either data network name (DNN) or traffic category can be set as the + enterprise slice identifier. For DNN, the value must be encoded as "DNN:name”, + where "name" is the carrier provided DNN name. For app category, the value must + be encoded as "AppCategory:category", where "category" is a carrier provided + string like "Enterprise1". + - key: ContentFilterUUID + title: Content Filter UUID + type: + presence: optional + content: The UUID of the content filter to associate with the app. 
+ - key: DNSProxyUUID + title: DNS Proxy UUID + type: + presence: optional + content: The UUID of the DNS proxy to associate with the app. + - key: RelayUUID + title: Relay UUID + type: + presence: optional + content: The UUID of the Relay to associated with the app. + - key: TapToPayScreenLock + title: Tap to Pay Screen Lock + type: + presence: optional + default: false + content: If `true`, the device will automatically lock after every transaction + that requires a customer's card PIN. If `false`, the user of the device may + choose the behavior they prefer. + - key: VPNUUID + title: VPN UUID + type: + presence: optional + content: The UUID of the VPN to associate with the app. diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index d5a3a2d..904db84 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -36,7 +36,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', requires the user to set a passcode without any requirements + content: If 'true', the system requires the user to set a passcode without any requirements about the length or quality of the passcode. The presence of any other keys implicitly requires a passcode, and overrides this key's value. - key: RequireAlphanumericPasscode @@ -58,9 +58,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', requires a complex passcode. A complex passcode is one that - doesn't contain repeated characters or increasing or decreasing characters (such - as 123 or CBA). + content: If 'true', the system requires a complex passcode. A complex passcode is + one that doesn't contain repeated characters or increasing or decreasing characters + (such as 123 or CBA). - key: MinimumLength title: Minimum Passcode Length type: 
@@ -117,9 +117,10 @@ payloadkeys: title: Maximum Grace Period type: presence: optional - content: |- - The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of '0' means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select any period. - macOS translates this to screensaver settings. + content: The maximum period that a user can select, during which the user can unlock + the device without a passcode. A value of '0' means no grace period, and the device + requires a passcode immediately. In the absence of this key, the user can select + any period. In macOS, the system translates this to screensaver settings. - key: MaximumInactivityInMinutes title: Automatic Device Lock type: @@ -127,9 +128,11 @@ payloadkeys: range: min: 0 max: 15 - content: |- - The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period. - macOS translates this to screensaver settings. + content: The maximum period that a user can select, during which the device can + be idle before the system automatically locks it. When the device reaches this + limit, the device locks and the user must enter the passcode to unlock it. In + the absence of this key, the user can select any period. In macOS, the system + translates this to screensaver settings. - key: MaximumPasscodeAgeInDays title: Maximum Passcode Age supportedOS: diff --git a/declarative/declarations/configurations/screensharing.connection.yaml b/declarative/declarations/configurations/screensharing.connection.yaml index 5f5671a..7d68759 100644 --- a/declarative/declarations/configurations/screensharing.connection.yaml +++ b/declarative/declarations/configurations/screensharing.connection.yaml 
@@ -38,7 +38,7 @@ payloadkeys: title: TCP Port type: presence: optional - content: Specifies the TCP port number on the host to initiate the connection. + content: The TCP port number on the host to initiate the connection. - key: DisplayConfiguration title: Display Configuration type: @@ -53,6 +53,7 @@ payloadkeys: - Virtual2 content: |- The type of display for the connection, which has these allowed values: + * 'Virtual1': Create one virtual display. * 'Virtual2': Create two virtual displays. - key: AuthenticationCredentialsAssetReference @@ -61,6 +62,6 @@ payloadkeys: assettypes: - com.apple.asset.credential.userpassword presence: optional - content: Specifies the identifier of an asset declaration that contains the required - credentials for this connection to authenticate with the screen-sharing server. - Set the corresponding asset type to 'com.apple.asset.credential.userpassword'. + content: The identifier of an asset declaration that contains the required credentials + for this connection to authenticate with the screen-sharing server. Set the corresponding + asset type to 'com.apple.asset.credential.userpassword'. diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml index 91b3f80..f5474a2 100644 --- a/declarative/declarations/configurations/security.certificate.yaml +++ b/declarative/declarations/configurations/security.certificate.yaml @@ -45,5 +45,5 @@ payloadkeys: assettypes: - com.apple.asset.credential.certificate presence: required - content: Specifies the identifier of an asset declaration that contains the certificate - to install. + content: The identifier of an asset declaration that contains the certificate to + install. diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml index d47218d..e4c4ba5 100644 
--- a/declarative/declarations/configurations/security.identity.yaml +++ b/declarative/declarations/configurations/security.identity.yaml @@ -47,8 +47,7 @@ payloadkeys: - com.apple.asset.credential.scep - com.apple.asset.credential.acme presence: required - content: Specifies the identifier of an asset declaration that contains the identity - to install. + content: The identifier of an asset declaration that contains the identity to install. - key: AllowAllAppsAccess title: Allow all apps access supportedOS: diff --git a/declarative/declarations/configurations/security.passkey.attestation.yaml b/declarative/declarations/configurations/security.passkey.attestation.yaml index 21e82a1..b8d62a8 100644 --- a/declarative/declarations/configurations/security.passkey.attestation.yaml +++ b/declarative/declarations/configurations/security.passkey.attestation.yaml @@ -31,8 +31,8 @@ payloadkeys: - com.apple.asset.credential.scep - com.apple.asset.credential.acme presence: required - content: Specifies the identifier of an asset declaration that contains the identity - to install and use for passkey attestation. + content: The identifier of an asset declaration that contains the identity to install + and use for passkey attestation. - key: AttestationIdentityKeyIsExtractable title: Attestation identity key is extractable supportedOS: @@ -47,7 +47,7 @@ payloadkeys: title: Relying parties type: presence: required - content: Relying parties to allow enterprise attestation. + content: An array of the relying parties to allow enterprise attestation. subkeys: - key: RelyingParty title: Relying party diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml index 5584f0b..7d9b0a4 100644 --- a/declarative/declarations/configurations/services.configuration-files.yaml +++ b/declarative/declarations/configurations/services.configuration-files.yaml 
@@ -21,9 +21,7 @@ payloadkeys: type: presence: required content: |- - The identifier of the system service with managed configuration files. - Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. - The available built-in services are: + The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. The available built-in services are: * 'com.apple.sshd' configures sshd * 'com.apple.sudo' configures sudo * 'com.apple.pam' configures PAM @@ -38,8 +36,10 @@ payloadkeys: - com.apple.asset.data presence: required content: |- - Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset: + The identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset: + * Is of type 'com.apple.asset.data' * Is a zip archive of an entire directory * Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires + The system expands the zip archive and stores the data in a well-known location for the service. diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml index 0f5b261..60b1823 100644 --- a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml 
@@ -28,8 +28,7 @@ payloadkeys: type: presence: required content: The target OS version to update the device to by the appropriate time. - This is the OS version number, for example, '16.1'. It may also include a supplemental - version identifier, for example, '16.1.1'. + This is the OS version number, for example, '16.1'. - key: TargetBuildVersion title: Target Build Version type: diff --git a/declarative/declarations/configurations/watch.enrollment.yaml b/declarative/declarations/configurations/watch.enrollment.yaml index be634e8..1ddd7bb 100644 --- a/declarative/declarations/configurations/watch.enrollment.yaml +++ b/declarative/declarations/configurations/watch.enrollment.yaml @@ -33,9 +33,9 @@ payloadkeys: assettypes: - com.apple.asset.credential.certificate presence: optional - content: Specifies an array of identifiers of asset declarations that contain anchor - certificates to use to evaluate the trust of the enrollment profile server. Set - the type of the corresponding assets to 'com.apple.asset.credential.certificate'. + content: An array of identifiers of asset declarations that contain anchor certificates + to use to evaluate the trust of the enrollment profile server. Set the type of + the corresponding assets to 'com.apple.asset.credential.certificate'. subkeys: - key: AnchorCertificateAssetReferenceItem type: diff --git a/declarative/status/app.managed.list.yaml b/declarative/status/app.managed.list.yaml new file mode 100644 index 0000000..0ff21ee --- /dev/null +++ b/declarative/status/app.managed.list.yaml 
@@ -0,0 +1,191 @@ +title: Status App Managed List +description: The client's declarative managed apps. +payload: + statusitemtype: app.managed.list + supportedOS: + iOS: + introduced: '17.2' + allowed-enrollments: + - device + - user + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + beta: true +payloadkeys: +- key: app.managed.list + title: Status item value. + type: + presence: required + content: Status value. + subkeytype: App + subkeys: + - key: status_value + type: + subkeys: + - key: identifier + title: Unique identifier of the app. + type: + presence: required + content: The unique identifier of the app. This will be the app's bundle id. + - key: _removed + title: Indicates removal of the app. + type: + presence: optional + default: false + content: To indicate removal of an app, this key's value is set to true, and + only this key and the "identifier" key will be present in the status item + object. + - key: declaration-identifier + title: Identifier of the declaration that controls the app. + type: + presence: optional + content: The identifier of the declaration that controls the app. + - key: name + title: App name + type: + presence: optional + content: The name of the app. + - key: external-version-id + title: External version id + type: + presence: optional + content: The application's external version ID. This can also be retrieved from + the store from the "contentMetadataLookupUrl" from the VPPServiceConfigSrv + endpoint. In the response from uclient-api.itunes.apple.com URL, there's a + key named "externalId" at the path results..offers[0].version.externalId. + If the current external version identifier of an app on the store does not + match the external version identifier reported by the device, there may be + an app update available for the device. 
+ - key: version + title: Version + type: + presence: optional + content: The version of the app. + - key: short-version + title: Short version + type: + presence: optional + content: The short version of the app. + - key: state + title: Managed application list status + type: + presence: optional + rangelist: + - optional + - queued + - prompting-for-consent + - prompting-for-login + - prompting-for-management + - downloading + - installing + - managed + - managed-but-uninstalled + - failed + content: |- + The status of the app. + * optional - the app is optional and the user has to trigger its installation + * queued - installation of the app has started + * prompting-for-consent - a prompt is being shown to the user to proceed with app installation + * prompting-for-login - a prompt to sign in to the App Store is being shown to the user to allow installation + * prompting-for-management - a prompt is being shown to the user to allow changing the installed app to a managed app + * downloading - an update is being downloaded + * installing - the app is being installed + * managed - the app is installed and managed + * managed-but-uninstalled - the app is managed, but has been removed by the user. If installed again, it will be managed + * failed - the app installation has failed + - key: update-state + title: Managed application update status + type: + presence: optional + rangelist: + - available + - prompting-for-update + - prompting-for-update-login + - updating + - failed + content: |- + The update status of the app. This key is only present when the "state" key is set to "managed" and when there is an app update available. 
+ * available - an update is available for the app + * prompting-for-update - a prompt is being shown to the user to proceed with app update + * prompting-for-update-login - a prompt to sign in to the App Store is being shown to the user to allow app update + * updating - the app is being updated + * failed - the app update has failed + - key: reasons + title: Status Reasons + type: + presence: optional + content: Additional detail about app state, including errors. + subkeytype: StatusReason + subkeys: + - key: _reasons + title: Status Reason + type: + content: Information about a status error. + subkeytype: StatusReason + subkeys: + - key: code + title: Error Code + type: + presence: required + content: The error code for this error. + - key: description + title: Error Description + type: + presence: optional + content: The description of this error. + - key: details + title: Error Details + type: + presence: optional + content: A dictionary that contains further details about this error. + subkeys: + - key: ANY + type: + presence: optional + content: Additional keys may be present. +reasons: +- value: Error.UnmanagedAppAlreadyInstalled + description: An unmanaged app is already installed and cannot be managed. +- value: Error.DuplicateConfiguredApp + description: The app is already being managed. +- value: Error.UserRejected + description: The user rejected management of the app. +- value: Error.AppStoreDisabled + description: The App Store is disabled. +- value: Error.LicenseNotFound + description: A license for the app was not available. +- value: Error.InvalidAppID + description: The app id could not be found. +- value: Error.NotAnApp + description: The downloaded data is not a valid app. +- value: Error.NotSupported + description: The app is not supported on this device. +- value: Error.DownloadFailed + description: The app download failed. + details: + - key: Timestamp + type: + description: The RFC 3339 timestamp of the last download failure. 
+- value: Error.InstallFailed + description: The app install failed. + details: + - key: Timestamp + type: + description: The RFC 3339 timestamp of the last install failure. +- value: Info.UpdateAvailable + description: An update is available for the app. +- value: Error.UpdateFailed + description: The app update failed. + details: + - key: Timestamp + type: + description: The RFC 3339 timestamp of the last update failure. diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index a188855..1166a35 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -33,7 +33,8 @@ payloadkeys: title: Status item value. type: presence: required - content: The list of apps. + content: The list of apps. The response will not include apps that are managed by + Declarative Device Management. subkeytype: App subkeys: - key: status_value diff --git a/docs/errata.md b/docs/errata.md index 4fda272..9c97ebd 100644 --- a/docs/errata.md +++ b/docs/errata.md @@ -31,3 +31,7 @@ strings. This has not been corrected as the schema does not support polymorphic ### profiles/com.apple.universalaccess.yaml The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`. + +### profiles/com.apple.extensiblesso.yaml + +The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated. diff --git a/docs/schema.yaml b/docs/schema.yaml index 53aad3e..cc2af83 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml 
@@ -150,6 +150,9 @@ properties: type: boolean description: If true, indicates that the skip key's corresponding Setup pane is always skipped. If false, indicates that the skip key's corresponding Setup pane may be shown, depending on exactly when during the setup flow it occurs. + beta: + type: boolean + description: Indicates that this payload should be considered a beta release for this OS. It may change in an incompatible way prior to final release. macOS: *supportedOSItem tvOS: *supportedOSItem watchOS: *supportedOSItem @@ -163,6 +166,9 @@ properties: - single - multiple - combined + beta: + type: boolean + description: Indicates that this entire payload should be considered a beta release. It may change in an incompatible way prior to final release. content: type: string description: Description of the payload. diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml index f9cf2b3..3bc1e87 100644 --- a/mdm/commands/account.configuration.yaml +++ b/mdm/commands/account.configuration.yaml @@ -71,7 +71,7 @@ payloadkeys: default: false content: |- If 'true', and you provide values for 'PrimaryAccountFullName' or 'PrimaryAccountUserName', Setup Assistant disables editing for the corresponding fields. 'DontAutoPopulatePrimaryAccountInfo' must also be 0 (or missing). - If the user's password is also available from authentication via ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields. + If the user's password is also available from authentication through ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields. This value is available in macOS 10.15 and later. - key: AutoSetupAdminAccounts type: 
diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml index 59eb9f5..3c600ec 100644 --- a/mdm/commands/application.install.enterprise.yaml +++ b/mdm/commands/application.install.enterprise.yaml @@ -21,7 +21,7 @@ payloadkeys: presence: optional content: A dictionary that specifies where to download the app. This value is backward-compatible with the manifest for the InstallApplicationCommand; however, it also allows you - to specify 'sha256s' and 'sha256'-size for SHA-256 hashes. + to specify 'sha256s' and 'sha256-size' for SHA-256 hashes. subkeys: - key: ANY type: @@ -32,7 +32,7 @@ payloadkeys: - key: ManifestURL type: presence: optional - content: The URL of the app manifest, which must begin with 'https:'. + content: The URL of the app manifest, which needs to begin with 'https:'. - key: ManifestURLPinningCerts type: presence: optional @@ -59,9 +59,9 @@ payloadkeys: presence: optional default: false content: |- - If 'true', install the app as a managed app. - For manifest-based installs, if 'true' the system considers only the .app bundles installed into '/Applications' as managed (macOS 11 through 13 required the pkg to contain a single .app bundle). Reinstalling a managed app without this flag causes it to become unmanaged. - This value is available in macOS 11 and later. + If 'true', install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to 'false', the app becomes unmanaged. + For manifest-based installs, if 'true', the system only considers apps installed in '/Applications' as managed. In macOS 11 through 13, the system requires that the 'pkg' only contains a single signed app. + Available in macOS 11 and later. - key: ManagementFlags supportedOS: macOS: 
@@ -73,9 +73,11 @@ payloadkeys: rangelist: - 1 content: |- - The management flags. The only supported flag is: - * '1': Remove the app upon removal of the MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'. - This value is available in macOS 11 and later. + The management flags. The possible values are: + + * '1': If 'InstallAsManaged' is 'true', remove the app upon removal of the MDM profile. + + Available in macOS 11 and later. - key: Configuration supportedOS: macOS: @@ -83,12 +85,12 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. This value is available in macOS 11 and later. + choose to provide it. Available in macOS 11 and later. subkeys: - key: ANY type: presence: optional - content: An app configuration key. + content: An app configuration. - key: ChangeManagementState supportedOS: macOS: @@ -100,9 +102,11 @@ payloadkeys: rangelist: - Managed content: |- - The change management state. The only supported state is: - * 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'. - This value is available in macOS 11 and later. + The change management state. This value doesn't work with the User Enrollment feature introduced in iOS 13. The only possible value is: + + * 'Managed': Take management of the app if the user installed it already and 'InstallAsManaged' is 'true'. + + Available in macOS 11 and later. - key: iOSApp supportedOS: iOS: diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index a6c92ba..813d322 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml 
@@ -38,7 +38,8 @@ payload: accessrights: AllowAppInstallation supervised: false content: This command allows the server to install an application on a device. If - the app is already being managed, this command will update the app. macOS change + the app is already being managed, this command will update the app. This command + will fail for apps that are managed by Declarative Device Management. macOS change - 10.9 user channel for VPP, 10.10 device channel, 10.11 both. payloadkeys: - key: iTunesStoreID @@ -80,7 +81,7 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: The URL of the app manifest, which must begin with 'https:'. + content: The URL of the app manifest, which needs to begin with 'https:'. - key: ManagementFlags supportedOS: macOS: @@ -94,10 +95,13 @@ payloadkeys: - 4 - 5 content: |- - The bitwise OR of the following management flags: - * '1': Remove app upon removal of MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'. + A bitwise OR of the management flags. The possible values are: + + * '1': If 'InstallAsManaged' is 'true', remove the app upon removal of the MDM profile. * '4': Prevent backup of app data. - This value is available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. + * '5': Both '1' and '4'. + + Available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. - key: Configuration supportedOS: iOS: @@ -107,8 +111,8 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial configuration of the app, if you - choose to provide it. This value is available in iOS 7 and later, macOS 11 and - later, and tvOS 10.2 and later. + choose to provide it. Available in iOS 7 and later, macOS 11 and later, and tvOS + 10.2 and later. subkeys: - key: ANY type: 
@@ -123,7 +127,7 @@ payloadkeys: type: presence: optional content: A dictionary that contains the initial attributes of the app, if you choose - to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later. + to provide it. Available in iOS 7 and later, and tvOS 10.2 and later. subkeys: - key: VPNUUID supportedOS: @@ -227,7 +231,7 @@ payloadkeys: type: presence: optional content: |- - The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”. + The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier-provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier-provided string like “Enterprise1”. Available in iOS 17 and later. - key: ChangeManagementState supportedOS: @@ -244,10 +248,11 @@ payloadkeys: rangelist: - Managed content: |- - The change management state. The only supported state is: + The change management state. The only possible value is: + * 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'. - This value doesn't work with Profile Based User Enrollment, Account Driven User Enrollment and Account Driven Device Enrollment. - Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. + + This value doesn't work with the User Enrollment feature introduced in iOS 13. Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. - key: InstallAsManaged supportedOS: iOS: 
@@ -264,10 +269,9 @@ payloadkeys: presence: optional default: false content: |- - If 'true', install the app as a managed app. - For manifest-based installs, if this value is 'true', the system only considers the '.app' bundles installed into '/Applications 'as managed (macOS 11 through 13 required the 'pkg' to contain a single '.app' bundle). - Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app. - This value is available in macOS 11 and later. + If 'true', install the app as a managed app. Otherwise, the system installs the app as unmanaged. If you reinstall a manged app and omit this value or set it to 'false', the app becomes unmanaged. + For manifest-based installs, if 'true', the system only considers apps installed in '/Applications' as managed. In macOS 11 through 13, the system requires that the 'pkg' only contains a single signed app. + Available in macOS 11 and later. - key: iOSApp supportedOS: iOS: diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index 3b49987..03a1031 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml 
@@ -40,9 +40,14 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: |- - An array of app identifiers. Provide this value to limit the response to only include these apps. This value is available in iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later. - For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy). + content: An array of app identifiers. Provide this value to limit the response to + only include these apps. This value is available in iOS 7 and later, macOS 10.15 + and later, and tvOS 10.2 and later. For a watchOS app, the identifier needs to + be the watch's bundle identifier, which differs from the main bundle identifier + for the iPhone to which the watch is paired. Obtain the watch's bundle identifier + for an app with a watch bundle, in the 'watchBundleId' key that's part of the + Content Metadata query. For more information on this query, see Getting App and + Book Information (Legacy). subkeys: - key: IdentifiersItem type: @@ -55,8 +60,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', only get a list of managed apps. This value is available in - iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later. + content: If 'true', only get a list of managed apps excluding ones that are managed + by Declarative Device Management. This value is available in iOS 7 and later, + macOS 10.15 and later, and tvOS 10.2 and later. - key: Items supportedOS: iOS: 
@@ -67,11 +73,9 @@ payloadkeys: introduced: '14.0' type: presence: optional - content: An array of strings representing keys in the InstalledApplicationListItem - dictionary. If provided, the response will contain only the keys listed here. - The "Identifier" key is always included. If not present, the response will contain - all keys. Always request just the set of keys that will actually be used, as some - key values can take significant time and power to calculate on the device. + content: |- + An array of strings that represent keys in InstalledApplicationListResponse.InstalledApplicationListItem. If present, the response only contains the keys listed here, except 'Identifier' is always included. If not present, the response contains all keys. + Only request the keys that you need, because some key values can take significant time and power to calculate on the device. subkeys: - key: ItemsItem type: @@ -265,3 +269,8 @@ responsekeys: presence: optional default: false content: If 'true', the app is an App Clip. Available in iOS 16 and later. + - key: Source + type: + presence: optional + content: Source of the application. This value will be set to "Declarative Device + Management" when the app is managed by Declarative Device Management. diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index d0465f8..ea1378a 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -53,7 +53,8 @@ responsekeys: - key: ManagedApplicationList type: presence: required - content: A dictionary that contains status information about each managed app. + content: A dictionary that contains status information about each managed app. The + response will not include apps that are managed by Declarative Device Management. subkeytype: ManagedApplicationListItem subkeys: - key: ANY app identifier 
diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml index 54f226d..cfc7657 100644 --- a/mdm/commands/application.remove.yaml +++ b/mdm/commands/application.remove.yaml @@ -29,7 +29,8 @@ payload: introduced: '10.0' accessrights: AllowAppInstallation supervised: false - content: This command allows a server to remove a managed app. + content: This command allows a server to remove a managed app. This command will + fail for apps that are managed by Declarative Device Management. payloadkeys: - key: Identifier type: diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index 475f088..e9b29bb 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml 
@@ -102,19 +102,12 @@ payloadkeys: Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS. The 'status' of the EraseDeviceResponse is either 'Acknowledged' or 'Error'. The following values define the device's fallback behavior: - 'DoNotObliterate': - If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself. + * 'DoNotObliterate': If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself. If EACS preflight succeeds but EACS fails, then the device doesn't attempt to erase itself. - - 'ObliterateWithWarning': - If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself. + * 'ObliterateWithWarning': If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. - - 'Always': - The system doesn't attempt EACS. T2 and later devices always obliterate. - - 'Default': - If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself. + * 'Always': The system doesn't attempt EACS. T2 and later devices always obliterate. + * 'Default': If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself. If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. - key: ReturnToService supportedOS: diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 2cb6ed1..59d8246 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml 
@@ -57,7 +57,7 @@ payloadkeys: watchOS: accessrights: n/a type: - content: The key to get the unique identifier of the device. + content: The unique identifier of the device. - key: ProvisioningUDID supportedOS: iOS: @@ -87,7 +87,7 @@ payloadkeys: watchOS: accessrights: n/a type: - content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. + content: The contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. - key: MDMOptions supportedOS: iOS: @@ -101,7 +101,7 @@ payloadkeys: watchOS: introduced: '10.0' type: - content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. + content: The contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. - key: LastCloudBackupDate supportedOS: iOS: @@ -115,8 +115,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the date of the most recent iCloud backup. This value - is available in iOS 8 and later. + content: The date of the most recent iCloud backup. Available in iOS 8 and later. - key: AwaitingConfiguration supportedOS: iOS: @@ -135,10 +134,9 @@ payloadkeys: watchOS: accessrights: n/a type: - content: If true from device channel, device is still waiting for a DeviceConfigured - message from MDM to continue through Setup Assistant. If true from user channel - (Shared iPad only), device is still waiting for a UserConfigured message from - MDM to continue through Setup Assistant and finish login. Always available. + content: Specifies whether the device is waiting for a DeviceConfigured or UserConfigured + command to continue through Setup Assistant on the device channel or user + channel, respectively. - key: iTunesStoreAccountIsActive supportedOS: iOS: 
@@ -157,8 +155,8 @@ payloadkeys: watchOS: accessrights: AllowAppInstallation type: - content: The key to determine if an iTunes Store account is active. This value - requires the App Installation access right. + content: Specifies whether an iTunes Store account is active. Requires the App + Installation access right. - key: iTunesStoreAccountHash supportedOS: iOS: @@ -177,8 +175,8 @@ payloadkeys: watchOS: accessrights: AllowAppInstallation type: - content: The key to get a hash of the logged-in iTunes Store account. Also see - GetVppUserRequest. This value requires the App Installation access right. + content: A hash of the logged-in iTunes Store account. Also see GetVppUserRequest. + This value requires the App Installation access right. - key: DeviceName supportedOS: iOS: @@ -190,8 +188,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the device name. This value requires the Device Information - access right. + content: The device name. Requires the Device Information access right. - key: OSVersion supportedOS: iOS: @@ -203,8 +200,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the operating system version. This value requires the - Device Information access right. + content: The operating system version. Requires the Device Information access + right. - key: SupplementalOSVersionExtra supportedOS: iOS: @@ -219,9 +216,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the OS update rapid security response version letter, - if a rapid security response update is installed. This value requires the - Device Information access right. + content: The OS update rapid security response version letter, if a rapid security + response update is installed. This value requires the Device Information access + right. - key: BuildVersion supportedOS: iOS: 
@@ -233,8 +230,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the operating system version. This value requires the - Device Information access right. + content: The operating system version. This value requires the Device Information + access right. - key: SupplementalBuildVersion supportedOS: iOS: @@ -249,10 +246,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the build version for the currently installed rapid - security response. If there's no installed rapid security response, this value - is the same as 'BuildVersion'. This value requires the Device Information - access right. + content: The build version for the currently installed rapid security response. + If there's no installed rapid security response, this value is the same as + 'BuildVersion'. Requires the Device Information access right. - key: ModelName supportedOS: iOS: @@ -264,8 +260,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the model name; for example, iPhone. This value requires - the Device Information access right. + content: The model name, such as iPhone. Requires the Device Information access + right. - key: Model supportedOS: iOS: @@ -277,8 +273,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the model. This value requires the Device Information - access right. + content: The model. Requires the Device Information access right. - key: ModelNumber supportedOS: iOS: 
@@ -293,9 +288,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the device's hardware model number including region - info, for example, 'MK1A3LL/A'. This value requires the Device Information - right, and it requires Apple silicon on macOS. + content: The device's hardware model number including region info, such as 'MK1A3LL/A'. + Requires the Device Information access right. Requires Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -308,9 +302,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: |- - If 'true', the device is a Mac with Apple silicon (for example, an Apple M1 chip). - Available in macOS 12 and later. + content: Specifies whether the device is a Mac with Apple silicon (for example, + an Apple M1 chip). Available in macOS 12 and later. - key: ProductName supportedOS: iOS: @@ -322,8 +315,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the product name, such as iPad8,12. This value requires - the Device Information access right. + content: The product name, such as iPad8,12. This value requires the Device + Information access right. - key: SerialNumber supportedOS: iOS: @@ -339,8 +332,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the serial number. This value requires the Device Information - access right. + content: The serial number. Requires the Device Information access right. - key: DeviceCapacity supportedOS: iOS: @@ -352,9 +344,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the device's total capacity. This value requires the - Device Information access right, and is available in iOS 4 and later, and - macOS 10.7 and later. + content: The device's total capacity. Requires the Device Information access + right. Available in iOS 4 and later, and macOS 10.7 and later. - key: AvailableDeviceCapacity supportedOS: iOS: 
@@ -366,9 +357,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the available capacity. This value requires the Device - Information access right, and is available in iOS 4 and later, and macOS 10.7 - and later. + content: The available capacity. Requires the Device Information access right. + Available in iOS 4 and later, and macOS 10.7 and later. - key: IMEI supportedOS: iOS: @@ -383,9 +373,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the International Mobile Equipment Identity (IMEI) number. - This value requires the Device Information access right. It's available as - of iOS 4 and deprecated in iOS 16. + content: The International Mobile Equipment Identity (IMEI) number. Requires + the Device Information access right. Available as of iOS 4 and deprecated + in iOS 16. - key: MEID supportedOS: iOS: @@ -400,9 +390,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the mobile equipment ID (MEID). This value requires - the Device Information access right. It's available as of iOS 4 and deprecated - in iOS 16. + content: The mobile equipment ID (MEID). Requires the Device Information access + right. Available as of iOS 4 and deprecated in iOS 16. - key: ModemFirmwareVersion supportedOS: iOS: @@ -416,8 +405,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the modem firmware version. This value requires the - Device Information access right, and is available in iOS 4 and later. + content: The modem firmware version. Requires the Device Information access + right. Available in iOS 4 and later. - key: CellularTechnology supportedOS: iOS: 
@@ -430,8 +419,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the cellular technology type. This value requires the - Device Information access right, and is available in iOS 4.2.6 and later. + content: The cellular technology type. Requires the Device Information access + right. Available in iOS 4.2.6 and later. - key: BatteryLevel supportedOS: iOS: @@ -445,8 +434,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the battery level. This value requires the Device Information - access right, and is available in iOS 5 and later. + content: The battery level. Requires the Device Information access right. Available + in iOS 5 and later. - key: HasBattery supportedOS: iOS: @@ -459,7 +448,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine whether the device has an internal battery. + content: Specifies whether the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -473,9 +462,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if the device is a supervised device. This value - requires the Device Information access right, and is available in iOS 6 and - later, macOS 10.15 and later, and tvOS 9 and later. + content: Specifies whether the device is supervised. Requires the Device Information + access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS + 9 and later. - key: IsMultiUser supportedOS: iOS: @@ -488,9 +477,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the device is in ephemeral multiuser mode. - This value requires the Device Information access right, and is available - in iOS 9.3 and later. + content: Specifies whether the device is a Shared iPad. Requires the Device + Information access right. Available in iOS 9.3 and later. - key: IsDeviceLocatorServiceEnabled supportedOS: iOS: 
@@ -503,9 +491,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if a device locator service, such as Find My, - is in an enabled state on the device. This value requires the Device Information - access right, and is available in iOS 7 and later. + content: Specifies whether a device locator service such as Find My is enabled + on the device. Requires the Device Information access right. Available in + iOS 7 and later. - key: IsActivationLockEnabled supportedOS: iOS: @@ -526,9 +514,9 @@ payloadkeys: deprecated: '10.0' accessrights: AllowQueryDeviceInformation type: - content: The key to determine if Activation Lock is in an enabled state on the - device. This value requires the Device Information access right. It's available - as of iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13. + content: Specifies whether Activation Lock is enabled on the device. Requires + the Device Information access right. Available as of iOS 7 and macOS 10.15, + and deprecated in iOS 16 and macOS 13. - key: IsActivationLockSupported supportedOS: iOS: @@ -543,9 +531,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the device supports Activation Lock. Also see - 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. - This value is available in macOS 10.9 and later. + content: Specifies whether the device supports Activation Lock. Also see 'IsActivationLockManageable' + in SecurityInfoResponse.SecurityInfo.ManagementStatus. Available in macOS + 10.9 and later. - key: IsDoNotDisturbInEffect supportedOS: iOS: 
@@ -560,9 +548,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if the device is in Do Not Disturb (DND) mode. - This value requires the Device Information access right, and is available - in iOS 7 and later. + content: Specifies whether the device is in Do Not Disturb (DND) mode. Requires + the Device Information access right. Available in iOS 7 and later. - key: DeviceID supportedOS: iOS: @@ -575,8 +562,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the device ID. This value requires the Device Information - access right, and is available in tvOS 6 and later. + content: The device ID. Requires the Device Information access right. Available + in tvOS 6 and later. - key: EASDeviceIdentifier supportedOS: iOS: @@ -589,9 +576,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the device identifier for Exchange ActiveSync (EAS). - This value requires the Device Information access right, and is available - in iOS 7 and later. + content: The device identifier for Exchange ActiveSync (EAS). Requires the Device + Information access right. Available in iOS 7 and later. - key: IsCloudBackupEnabled supportedOS: iOS: @@ -606,9 +592,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if iCloud Backup is in an enabled state on the - device. This value requires the Device Information access right, and is available - in iOS 7.1 and later. + content: Specifies whether iCloud Backup is enabled on the device. Requires + the Device Information access right. Available in iOS 7.1 and later. - key: ActiveManagedUsers supportedOS: iOS: 
@@ -622,9 +607,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get an array of directory GUIDs for logged-in managed users. - This value requires the Device Information access right, and is available - in macOS 10.11 and later. + content: An array of directory GUIDs for logged-in managed users. Requires the + Device Information access right. Available in macOS 10.11 and later. - key: OSUpdateSettings supportedOS: iOS: @@ -639,9 +623,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. - This value requires the Device Information access right, and is available - in macOS 10.11 and later. + content: The contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. + Requires the Device Information access right. Available in macOS 10.11 and + later. - key: LocalHostName supportedOS: iOS: @@ -654,8 +638,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the local hostname from Bonjour. This value is available - in macOS 10.11 and later. + content: The local hostname from Bonjour. Available in macOS 10.11 and later. - key: HostName supportedOS: iOS: @@ -668,8 +651,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the hostname. This value is available in macOS 10.11 - and later. + content: The hostname. Available in macOS 10.11 and later. - key: AutoSetupAdminAccounts supportedOS: iOS: 
@@ -685,10 +667,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, - which Setup Assistant automatically creates during enrollment. This value - requires the Device Information access right, and is available in macOS 10.11 - and later. + content: The contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, + which Setup Assistant automatically creates during enrollment. Requires the + Device Information access right. Available in macOS 10.11 and later. - key: SystemIntegrityProtectionEnabled supportedOS: iOS: @@ -701,9 +682,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if System Integrity Protection is in an enabled - state on the device. This value requires the Device Information access right, - and is available in macOS 10.12 and later. + content: Specifies whether System Integrity Protection is enabled on the device. + This value requires the Device Information access right, and is available + in macOS 10.12 and later. - key: SupportsLOMDevice supportedOS: iOS: @@ -716,9 +697,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the device can receive 'PowerON', 'PowerOFF', - and 'Reset' commands from a lights-out management (LOM) controller. This query - is available in macOS 11 and later. + content: Specifies whether the device can receive 'PowerON', 'PowerOFF', and + 'Reset' commands from a lights-out management (LOM) controller. Available + in macOS 11 and later. - key: IsMDMLostModeEnabled supportedOS: iOS: 
@@ -733,9 +714,8 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if Managed Lost Mode is in an enabled state on - the device. This value requires the Device Information access right, and is - available in iOS 9.3 and later. + content: Specifies whether Managed Lost Mode is enabled on the device. Requires + the Device Information access right. Available in iOS 9.3 and later. - key: MaximumResidentUsers supportedOS: iOS: @@ -756,10 +736,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the maximum number of users that can use this Shared - iPad device. Beginning with iOS 13.4, the value that returns is always '32'. - This value requires the Device Information access right, and is available - in iOS 9.3 and later. + content: The maximum number of users that can use this Shared iPad device. In + iOS 13.4 and later, this value is always '32'. Requires the Device Information + access right. Available in iOS 9.3 and later. - key: EstimatedResidentUsers supportedOS: iOS: @@ -780,10 +759,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the estimated number of users that can use this Shared - iPad device, according to the available space of the device and each user's - quota. This value requires the Device Information access right, and is available - in iOS 14 and later. + content: The estimated number of users that can use this Shared iPad device, + according to the available space of the device and each user's quota. Requires + the Device Information access right. Available in iOS 14 and later. - key: QuotaSize supportedOS: iOS: 
@@ -804,9 +782,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the quota size for each user on this Shared iPad device. - This value requires the Device Information access right, and is available - in iOS 13.4 and later. + content: The quota size for each user on this Shared iPad device. Requires the + Device Information access right. Available in iOS 13.4 and later. - key: ResidentUsers supportedOS: iOS: @@ -827,9 +804,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the number of users currently on this Shared iPad device. - This value requires the Device Information access right, and is available - in iOS 13.4 and later. + content: The number of users currently on this Shared iPad device. Requires + the Device Information access right. Available in iOS 13.4 and later. - key: UserSessionTimeout supportedOS: iOS: @@ -850,7 +826,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The timeout interval for the user session. '0' means no timeout. + content: The timeout interval for the user session. - key: TemporarySessionTimeout supportedOS: iOS: @@ -871,7 +847,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The timeout interval for the temporary session. '0' means no timeout. + content: The timeout interval for the temporary session. - key: TemporarySessionOnly supportedOS: iOS: @@ -892,7 +868,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: If 'true', the device only allows temporary sessions. + content: Specifies whether the device only allows temporary sessions. - key: ManagedAppleIDDefaultDomains supportedOS: iOS: @@ -913,9 +889,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: |- - The list of domains that the device suggests on the Shared iPad login screen. - Available in iOS 16 and later. + content: The list of domains that the device suggests on the Shared iPad login + screen. Available in iOS 16 and later. - key: OnlineAuthenticationGracePeriod supportedOS: iOS: 
@@ -936,9 +911,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: |- - The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. - Available in iOS 16 and later. + content: The grace period for Shared iPad online authentication (in days). Available + in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: iOS: @@ -959,7 +933,7 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine whether the system skips the language and country/region + content: Specifies whether the system skips the language and country/region panes for new users on Shared iPad. - key: PushToken supportedOS: @@ -977,10 +951,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the push token for the current user-channel connection. - The MDM server ignores this query for the device channel. This value requires - the Device Information access right, and is available in iOS 9.3 and later, - and macOS 10.12 and later. + content: The push token for the current user-channel connection. The MDM server + ignores this query for the device channel. Requires the Device Information + access right. Available in iOS 9.3 and later, and macOS 10.12 and later. - key: DiagnosticSubmissionEnabled supportedOS: iOS: @@ -993,9 +966,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if the diagnostic submission setting is in an - enabled state on the device. This value requires the Device Information access - right, and is available in iOS 9.3 and later. + content: Specifies whether the diagnostic submission setting is enabled on the + device. Requires the Device Information access right. Available in iOS 9.3 + and later. - key: AppAnalyticsEnabled supportedOS: iOS: 
@@ -1008,9 +981,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to determine if the device is sharing app analytics. This value - requires the Device Information access right, and is available in iOS 4 and - later, and macOS 10.7 and later. + content: Specifies whether the device is sharing app analytics. Requires the + Device Information access right. Available in iOS 4 and later, and macOS 10.7 + and later. - key: TimeZone supportedOS: iOS: @@ -1024,9 +997,9 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: - content: The key to get the current Internet Assigned Numbers Authority (IANA) - time zone database name. This value requires the Device Information access - right, and is available in iOS 14 and later, and tvOS 14 and later. + content: The current Internet Assigned Numbers Authority (IANA) time zone database + name. Requires the Device Information access right. Available in iOS 14 and + later, and tvOS 14 and later. - key: ICCID supportedOS: iOS: @@ -1041,9 +1014,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the integrated circuit card (ICC) identifier for the - installed SIM card. This value requires the Network Information access right. - It's available as of iOS 4 and deprecated in iOS 16. + content: The integrated circuit card (ICC) identifier for the installed SIM + card. Requires the Network Information access right. Available as of iOS 4 + and deprecated in iOS 16. - key: BluetoothMAC supportedOS: iOS: @@ -1059,8 +1032,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the Bluetooth media access control (MAC) address. This - value requires the Network Information access right. + content: The Bluetooth media access control (MAC) address. Requires the Network + Information access right. - key: WiFiMAC supportedOS: iOS: 
@@ -1076,8 +1049,7 @@ payloadkeys: watchOS: accessrights: AllowQueryNetworkInformation type: - content: The key to get the Wi-Fi MAC address. This value requires the Network - Information access right. + content: The Wi-Fi MAC address. Requires the Network Information access right. - key: EthernetMAC supportedOS: iOS: @@ -1091,8 +1063,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the primary Ethernet MAC address. This value requires - the Network Information access right, and is available in macOS 10.7 and later. + content: The primary Ethernet MAC address. Requires the Network Information + access right. Available in macOS 10.7 and later. - key: CurrentCarrierNetwork supportedOS: iOS: @@ -1107,9 +1079,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the name of the current carrier network. This value - requires the Network Information access right. It's available as of iOS 4 - and deprecated in iOS 16. + content: The name of the current carrier network. Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: SIMCarrierNetwork supportedOS: iOS: @@ -1141,9 +1112,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the name of the home carrier network. This value requires - the Network Information access right. It's available as of iOS 5 and deprecated - in iOS 16. + content: The home carrier network. Requires the Network Information access right. + Available as of iOS 5 and deprecated in iOS 16. - key: CarrierSettingsVersion supportedOS: iOS: 
@@ -1158,9 +1128,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the version of the carrier settings. This value requires - the Network Information access right. It's available as of iOS 4 and deprecated - in iOS 16. + content: The version of the carrier settings.Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: PhoneNumber supportedOS: iOS: @@ -1175,9 +1144,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the raw phone number, without punctuation, and including - the country code. This value requires the Network Information access right. - It's available as of iOS 4 and deprecated in iOS 16. + content: The raw phone number, without punctuation, and including the country + code. Requires the Network Information access right. Available as of iOS 4 + and deprecated in iOS 16. - key: DataRoamingEnabled supportedOS: iOS: @@ -1192,9 +1161,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if data roaming is in an enabled state on the - device. This value requires the Network Information access right, and is available - in iOS 5 and later. + content: Specifies whether data roaming is enabled on the device. Requires the + Network Information access right. Available in iOS 5 and later. - key: VoiceRoamingEnabled supportedOS: iOS: @@ -1210,10 +1178,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine whether voice roaming, which isn't available for - all carriers, is in an enabled state on the device. This value requires the - Network Information access right. It's available as of iOS 5 and deprecated - in iOS 16. + content: Specifies whether voice roaming, which isn't available for all carriers, + is enabled on the device. Requires the Network Information access right. Available + as of iOS 5 and deprecated in iOS 16. - key: PersonalHotspotEnabled supportedOS: iOS: 
@@ -1228,9 +1195,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if Personal Hotspot, which isn't available for - all carriers, is in an enabled state on the device. This value requires the - Network Information access right, and is available in iOS 7 and later. + content: Specifies whether Personal Hotspot, which isn't available for all carriers, + is enabled on the device. Requires the Network Information access right. Available + in iOS 7 and later. - key: IsNetworkTethered supportedOS: iOS: @@ -1243,9 +1210,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the device is network-tethered. This value - requires the Network Information access right, and is available in iOS 10.3 - and later. + content: Specifies whether the device is network-tethered. Requires the Network + Information access right. Available in iOS 10.3 and later. - key: IsRoaming supportedOS: iOS: @@ -1260,8 +1226,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the device is roaming. This value requires - the Network Information access right and is available in iOS 4.2 and later. + content: Specifies whether the device is roaming. Requires the Network Information + access right. Available in iOS 4.2 and later. - key: SubscriberMCC supportedOS: iOS: @@ -1277,9 +1243,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the home mobile country code. This value requires the - Network Information access right. It's available as of iOS 4.2.6 and deprecated - in iOS 16. + content: The home mobile country code. Requires the Network Information access + right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: SubscriberMNC supportedOS: iOS: 
@@ -1295,9 +1260,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the home mobile network code. This value requires the - Network Information access right. It's available as of iOS 4.2.6 and deprecated - in iOS 16. + content: The home mobile network code. Requires the Network Information access + right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: CurrentMCC supportedOS: iOS: @@ -1312,9 +1276,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the current mobile country code (MCC). This value requires - the Network Information access right. It's available as of iOS 4 and deprecated - in iOS 16. + content: The current mobile country code (MCC). Requires the Network Information + access right. It's available as of iOS 4 and deprecated in iOS 16. - key: CurrentMNC supportedOS: iOS: @@ -1329,9 +1292,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the current mobile network code (MNC). TThis value requires - the Network Information access right. It's available as of iOS 4 and deprecated - in iOS 16. + content: The current mobile network code (MNC). Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: ServiceSubscriptions supportedOS: iOS: @@ -1346,8 +1308,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. - This value requires the Network Information access right. + content: The contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. + Requires the Network Information access right. - key: PINRequiredForEraseDevice supportedOS: iOS: 
@@ -1360,8 +1322,8 @@ payloadkeys: tvOS: introduced: n/a type: - content: The key to determine if the EraseDeviceCommand requires a PIN. This - value is available in macOS 11 and later. + content: Specifies whether the EraseDeviceCommand requires a PIN. Available + in macOS 11 and later. - key: PINRequiredForDeviceLock supportedOS: iOS: @@ -1376,8 +1338,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine if the DeviceLockCommand requires a PIN. This - value is available in macOS 11 and later. + content: Specifies whether the DeviceLockCommand requires a PIN. Available in + macOS 11 and later. - key: SupportsiOSAppInstalls supportedOS: iOS: @@ -1390,8 +1352,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine whether the macOS device supports iOS/iPadOS app - installs. This query is available in macOS 11 and later. + content: Specifies whether the macOS device supports iOS/iPadOS app installs. + Available in macOS 11 and later. - key: SoftwareUpdateDeviceID supportedOS: iOS: @@ -1407,9 +1369,9 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key that represents the device identifier you use to look up available - OS updates through . Available in iOS 15 and - later, and macOS 12 and later. + content: The device identifier that you use to look up available OS updates + through . Available in iOS 15 and later, and + macOS 12 and later. - key: SoftwareUpdateSettings supportedOS: iOS: @@ -1423,8 +1385,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to get the device settings that control which updates appear - in the Software Update pane in Settings. Available in iOS 14.5 and later. + content: The device settings that control which updates appear in the Software + Update pane in Settings. Available in iOS 14.5 and later. - key: AccessibilitySettings supportedOS: iOS: 
@@ -1442,8 +1404,8 @@ payloadkeys: watchOS: supervised: true type: - content: The key to get the current state of settable accessibility settings. - Available in iOS 16 and later. + content: The current state of settable accessibility settings. Available in + iOS 16 and later. - key: DevicePropertiesAttestation supportedOS: iOS: @@ -1456,9 +1418,8 @@ payloadkeys: tvOS: introduced: '16.0' type: - content: The key to get an attestation of the device's properties. Available - in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 - and later. + content: An attestation of the device's properties. Available in iOS 16 and + later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. - key: EACSPreflight supportedOS: iOS: @@ -1474,8 +1435,8 @@ payloadkeys: watchOS: introduced: n/a type: - content: The key to determine whether the device can perform an EraseDeviceCommand - using Erase All Content and Settings (EACS). + content: Specifies whether the device can perform an EraseDeviceCommand using + Erase All Content and Settings (EACS). - key: DeviceAttestationNonce supportedOS: iOS: @@ -1622,8 +1583,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The date of the last iCloud backup. This query is available in iOS 8 - and later. + content: The date of the last iCloud backup. Available in iOS 8 and later. - key: AwaitingConfiguration supportedOS: iOS: @@ -1645,8 +1605,8 @@ responsekeys: tvOS: introduced: '9.0' type: - content: If 'true', the device has an active iTunes Store account. This value - requires the App Installation access right. + content: If 'true', the device has an active iTunes Store account. Requires the + App Installation access right. - key: iTunesStoreAccountHash supportedOS: iOS: 
@@ -1657,14 +1617,14 @@ responsekeys: introduced: '9.0' type: content: A hash of the logged-in iTunes Store account. Also see GetVppUserRequest. - This value requires the App Installation access right. + Requires the App Installation access right. - key: DeviceName type: - content: The device name. This value requires the Device Information access right. + content: The device name. Requires the Device Information access right. - key: OSVersion type: - content: The operating system version. This value requires the Device Information - access right. + content: The operating system version. Requires the Device Information access + right. - key: SupplementalOSVersionExtra supportedOS: watchOS: @@ -1673,26 +1633,26 @@ responsekeys: content: The OS update rapid security response version letter. - key: BuildVersion type: - content: The operating system version. This value requires the Device Information - access right. + content: The operating system version. Requires the Device Information access + right. - key: SupplementalBuildVersion type: content: The supplemental OS build version. - key: ModelName type: - content: The model name, for example, iPhone. This value requires the Device Information - access right. + content: The model name, such as iPhone. Requires the Device Information access + right. - key: Model type: - content: The model. This value requires the Device Information access right. + content: The model. Requires the Device Information access right. - key: ModelNumber supportedOS: watchOS: introduced: n/a type: content: The device's hardware model number including region info, for example, - 'MK1A3LL/A'. This value requires the Device Information right, and it requires - Apple silicon on macOS. + 'MK1A3LL/A'. Requires the Device Information access right. Requires Apple silicon + on macOS. - key: IsAppleSilicon supportedOS: iOS: 
@@ -1707,12 +1667,11 @@ responsekeys: content: If 'true', the macOS device uses an Apple silicon chip. - key: ProductName type: - content: The product name, such as iPad8,12. This value requires the Device Information - access right. + content: The product name, such as iPad8,12. Requires the Device Information access + right. - key: SerialNumber type: - content: The serial number. This value requires the Device Information access - right. + content: The serial number. Requires the Device Information access right. - key: DeviceCapacity supportedOS: tvOS: @@ -1720,8 +1679,8 @@ responsekeys: type: content: The total capacity in floating-point base-10 gigabytes (GB) on iOS and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 and - earlier. This value requires the Device Information access right, and is available - in iOS 4 and later, and macOS 10.7 and later. + earlier. Requires the Device Information access right. Available in iOS 4 and + later, and macOS 10.7 and later. - key: AvailableDeviceCapacity supportedOS: tvOS: @@ -1729,8 +1688,8 @@ responsekeys: type: content: The available capacity in floating-point base-10 gigabytes (GB) on iOS and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 - and earlier. This value requires the Device Information access right, and is - available in iOS 4 and later, and macOS 10.7 and later. + and earlier. Requires the Device Information access right. Available in iOS + 4 and later, and macOS 10.7 and later. - key: IMEI supportedOS: iOS: @@ -1742,9 +1701,9 @@ responsekeys: watchOS: introduced: n/a type: - content: The International Mobile Equipment Identity (IMEI) number. This value - requires the Device Information access right. It's available as of iOS 4 and - deprecated in iOS 16. + content: The International Mobile Equipment Identity (IMEI) number. Requires the + Device Information access right. Available as of iOS 4 and deprecated in iOS + 16. - key: MEID supportedOS: iOS: 
@@ -1756,9 +1715,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The mobile equipment identifier (MEID) number. This value requires the - Device Information access right. It's available as of iOS 4 and deprecated in - iOS 16. + content: The mobile equipment identifier (MEID) number. Requires the Device Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: ModemFirmwareVersion supportedOS: macOS: @@ -1768,8 +1726,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The modem firmware version. This value requires the Device Information - access right, and is available in iOS 4.0 and later. + content: The modem firmware version. Requires the Device Information access right. + Available in iOS 4.0 and later. - key: CellularTechnology supportedOS: iOS: @@ -1788,11 +1746,13 @@ responsekeys: - 3 content: |- The cellular technology type, which is one of the following values: - * '0':' 'None' - * '1':' 'GSM' - * '2':' 'CDMA' - * '3':' 'Both' - This value requires the Device Information access right, and is available in iOS 4.2.6 and later. + + * '0': None + * '1': GSM + * '2': CDMA + * '3': GSM and CDMA + + Requires the Device Information access right. Available in iOS 4.2.6 and later. - key: BatteryLevel supportedOS: iOS: @@ -1803,8 +1763,8 @@ responsekeys: introduced: n/a type: content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine - the battery level. This value requires the Device Information access right, - and is available in iOS 5 and later. + the battery level. Requires the Device Information access right. Available in + iOS 5 and later. - key: HasBattery supportedOS: iOS: 
@@ -1826,9 +1786,9 @@ responsekeys: tvOS: introduced: '9.0' type: - content: If 'true', it's a supervised device. This value requires the Device Information - access right, and is available in iOS 6 and later, macOS 10.15 and later, and - tvOS 9 and later. + content: If 'true', it's a supervised device. Requires the Device Information + access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS + 9 and later. - key: IsMultiUser supportedOS: iOS: @@ -1840,8 +1800,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device is in ephemeral multiuser mode. This value requires - the Device Information access right, and is available in iOS 9.3 and later. + content: If 'true', the device is a Shared iPad. Requires the Device Information + access right. Available in iOS 9.3 and later. - key: IsDeviceLocatorServiceEnabled supportedOS: iOS: @@ -1852,8 +1812,7 @@ responsekeys: introduced: n/a type: content: If 'true', the device has enabled a device locator service, such as Find - My. This value requires the Device Information access right, and is available - in iOS 7 and later. + My. Requires the Device Information access right. Available in iOS 7 and later. - key: IsActivationLockEnabled supportedOS: iOS: @@ -1867,9 +1826,9 @@ responsekeys: watchOS: deprecated: '10.0' type: - content: If 'true', the device has enabled Activation Lock. This value requires - the Device Information access right. It's available as of iOS 7 and macOS 10.9, - and deprecated in iOS 16 and macOS 13. + content: If 'true', the device has enabled Activation Lock. Requires the Device + Information access right. Available as of iOS 7 and macOS 10.9, and deprecated + in iOS 16 and macOS 13. - key: IsActivationLockSupported supportedOS: iOS: 
@@ -1882,8 +1841,8 @@ responsekeys: introduced: n/a type: content: If 'true', the device supports Activation Lock. Also see 'IsActivationLockManageable' - in SecurityInfoResponse.SecurityInfo.ManagementStatus. This value is available - in macOS 10.9 and later. + in SecurityInfoResponse.SecurityInfo.ManagementStatus. Available in macOS 10.9 + and later. - key: IsDoNotDisturbInEffect supportedOS: iOS: @@ -1894,8 +1853,8 @@ responsekeys: introduced: n/a type: content: If 'true', the device is in Do Not Disturb (DND) mode. This value is - 'true' even if DND is only in effect for a locked device. This value requires - the Device Information access right, and is available in iOS 7 and later. + 'true' even if DND is only in effect for a locked device. Requires the Device + Information access right. Available in iOS 7 and later. - key: SupportsLOMDevice supportedOS: iOS: @@ -1908,8 +1867,8 @@ responsekeys: introduced: n/a type: content: If 'true', the device can receive 'PowerON', 'PowerOFF', and 'Reset' - commands from a lights-out management (LOM) controller. This query is available - in macOS 11 and later. + commands from a lights-out management (LOM) controller. Available in macOS 11 + and later. - key: DeviceID supportedOS: iOS: @@ -1921,8 +1880,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The device identifier. This value requires the Device Information access - right, and is available in tvOS 6 and later. + content: The device identifier. Requires the Device Information access right. + Available in tvOS 6 and later. - key: EASDeviceIdentifier supportedOS: iOS: 
@@ -1934,8 +1893,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The device identifier for Exchange Active Sync (EAS). This value requires - the Device Information access right, and is available in iOS 7 and later. + content: The device identifier for Exchange Active Sync (EAS). Requires the Device + Information access right. Available in iOS 7 and later. - key: IsCloudBackupEnabled supportedOS: iOS: @@ -1947,8 +1906,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device has enabled iCloud backup. This value requires - the Device Information access right, and is available in iOS 7.1 and later. + content: If 'true', the device has enabled iCloud backup. Requires the Device + Information access right. Available in iOS 7.1 and later. - key: ActiveManagedUsers supportedOS: iOS: @@ -1962,8 +1921,8 @@ responsekeys: type: content: An array of the directory GUIDs of the logged-in managed users. If one of these users is currently logged in to the console, the 'CurrentConsoleManagedUser' - key returns the GUID of that user. This value requires the Device Information - access right, and is available in macOS 10.11 and later. + key returns the GUID of that user. Requires the Device Information access right. + Available in macOS 10.11 and later. subkeys: - key: ActiveManagedUsersItems type: @@ -1979,8 +1938,7 @@ responsekeys: introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. - This value requires the Device Information access right, and is available in - macOS 10.11 and later. + Requires the Device Information access right. Available in macOS 10.11 and later. subkeys: - key: CatalogURL type: @@ -2033,8 +1991,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The local host name from Bonjour. This value is available in macOS 10.11 - and later. + content: The local host name from Bonjour. Available in macOS 10.11 and later. - key: HostName supportedOS: iOS: 
@@ -2046,7 +2003,7 @@ responsekeys: watchOS: introduced: n/a type: - content: The host name. This value is available in macOS 10.11 and later. + content: The host name. Available in macOS 10.11 and later. - key: AutoSetupAdminAccounts supportedOS: iOS: @@ -2059,9 +2016,8 @@ responsekeys: introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, - which Setup Assistant automatically created during DEP enrollment. This value - requires the Device Information access right, and is available in macOS 10.11 - and later. + which Setup Assistant automatically created during DEP enrollment. Requires + the Device Information access right. Available in macOS 10.11 and later. subkeys: - key: AutoSetupAdminAccountsItem type: @@ -2085,9 +2041,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device has enabled System Integrity Protection. This value - requires the Device Information access right, and is available in macOS 10.12 - and later. + content: If 'true', the device has enabled System Integrity Protection. Requires + the Device Information access right. Available in macOS 10.12 and later. - key: IsMDMLostModeEnabled supportedOS: iOS: @@ -2097,8 +2052,8 @@ responsekeys: tvOS: introduced: n/a type: - content: If 'true', the device has enabled Managed Lost Mode. This value requires - the Device Information access right, and is available in iOS 9.3 and later. + content: If 'true', the device has enabled Managed Lost Mode. Requires the Device + Information access right. Available in iOS 9.3 and later. - key: MaximumResidentUsers supportedOS: iOS: 
@@ -2111,8 +2066,8 @@ responsekeys: introduced: n/a type: content: The maximum number of users that can use this shared iPad device. Starting - with iOS 13.4, the value that returns is always '32'. This value requires the - Device Information access right, and is available in iOS 9.3 and later. + with iOS 13.4, the value that returns is always '32'. Requires the Device Information + access right. Available in iOS 9.3 and later. - key: EstimatedResidentUsers supportedOS: iOS: @@ -2125,8 +2080,8 @@ responsekeys: introduced: n/a type: content: The estimated number of users that can use this shared iPad device, according - to the space available on the device and each user's quota. This value requires - the Device Information access right, and is available in iOS 14 and later. + to the space available on the device and each user's quota. Requires the Device + Information access right. Available in iOS 14 and later. - key: QuotaSize supportedOS: iOS: @@ -2139,8 +2094,7 @@ responsekeys: introduced: n/a type: content: The quota size in megabytes for each user on this shared iPad device. - This value requires the Device Information access right, and is available in - iOS 13.4 and later. + Requires the Device Information access right. Available in iOS 13.4 and later. - key: ResidentUsers supportedOS: iOS: @@ -2152,9 +2106,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The number of users currently on this shared iPad device. This value - requires the Device Information access right, and is available in iOS 13.4 and - later. + content: The number of users currently on this shared iPad device. Requires the + Device Information access right. Available in iOS 13.4 and later. - key: UserSessionTimeout supportedOS: iOS: 
@@ -2166,7 +2119,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The timeout interval for the user session. '0' means no timeout. + content: The timeout interval for the user session. A value of '0' indicates that + there's no timeout. - key: TemporarySessionTimeout supportedOS: iOS: @@ -2178,7 +2132,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The timeout interval for the temporary session. '0' means no timeout. + content: The timeout interval for the temporary session. A value of '0' indicates + that there's no timeout. - key: TemporarySessionOnly supportedOS: iOS: @@ -2202,9 +2157,8 @@ responsekeys: watchOS: introduced: n/a type: - content: |- - The list of domains that the device suggests on the Shared iPad login screen. - Available in iOS 16 and later. + content: The list of domains that the device suggests on the Shared iPad login + screen. Available in iOS 16 and later. subkeys: - key: AppleID domain type: @@ -2219,8 +2173,8 @@ responsekeys: watchOS: introduced: n/a type: - content: |- - The grace period for Shared iPad online authentication (in days). 0 means the device requires online authentication for every login. + content: The grace period for Shared iPad online authentication (in days). A value + of '0' indicates that the device requires online authentication for every login. Available in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers supportedOS: @@ -2247,9 +2201,9 @@ responsekeys: introduced: n/a type: content: The push token for the user-channel connection, in the same format as - in TokenUpdateRequest. MDM ignores this query for the device channel. This value - requires the Device Information access right, and is available in iOS 9.3 and - later, and macOS 10.12 and later. + in TokenUpdateRequest. MDM ignores this query for the device channel. Requires + the Device Information access right. Available in iOS 9.3 and later, and macOS + 10.12 and later. - key: DiagnosticSubmissionEnabled supportedOS: iOS: 
@@ -2259,8 +2213,8 @@ responsekeys: tvOS: introduced: n/a type: - content: If 'true', the device has enabled diagnostic submission. This value requires - the Device Information access right, and is available in iOS 9.3 and later. + content: If 'true', the device has enabled diagnostic submission. Requires the + Device Information access right. Available in iOS 9.3 and later. - key: AppAnalyticsEnabled supportedOS: iOS: @@ -2270,8 +2224,8 @@ responsekeys: tvOS: introduced: n/a type: - content: If 'true', the device is sharing app analytics. This value requires the - Device Information access right, and is available in iOS 9.3 and later. + content: If 'true', the device is sharing app analytics. Requires the Device Information + access right. Available in iOS 9.3 and later. - key: TimeZone supportedOS: iOS: @@ -2282,8 +2236,8 @@ responsekeys: introduced: '14.0' type: content: The current Internet Assigned Numbers Authority (IANA) time zone database - name. This value requires the Device Information access right, and is available - in iOS 14 and later, and tvOS 14 and later. + name. Requires the Device Information access right. Available in iOS 14 and + later, and tvOS 14 and later. - key: ICCID supportedOS: iOS: 
@@ -2296,19 +2250,18 @@ responsekeys: introduced: n/a type: content: The integrated circuit card (ICC) identifier for the installed SIM card. - This value requires the Network Information access right. It's available as - of iOS 4 and deprecated in iOS 16. + Requires the Network Information access right. Available as of iOS 4 and deprecated + in iOS 16. - key: BluetoothMAC supportedOS: watchOS: introduced: n/a type: - content: The Bluetooth media access control (MAC) address. This value requires - the Network Information access right. + content: The Bluetooth media access control (MAC) address. Requires the Network + Information access right. - key: WiFiMAC type: - content: The Wi-Fi MAC address. This value requires the Network Information access - right. + content: The Wi-Fi MAC address. Requires the Network Information access right. - key: EthernetMAC supportedOS: iOS: @@ -2318,8 +2271,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The primary Ethernet MAC address. This value requires the Network Information - access right, and is available in macOS 10.7 and later. + content: The primary Ethernet MAC address. Requires the Network Information access + right. Available in macOS 10.7 and later. - key: CurrentCarrierNetwork supportedOS: iOS: @@ -2331,8 +2284,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The name of the current carrier network. This value requires the Network - Information access right. It's available as of iOS 4 and deprecated in iOS 16. + content: The name of the current carrier network. Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: SIMCarrierNetwork supportedOS: iOS: 
@@ -2357,8 +2310,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The name of the home carrier network. This value requires the Network - Information access right. It's available as of iOS 5 and deprecated in iOS 16. + content: The name of the home carrier network. Requires the Network Information + access right. Available as of iOS 5 and deprecated in iOS 16. - key: CarrierSettingsVersion supportedOS: iOS: @@ -2370,8 +2323,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The version of the carrier settings. This value requires the Network - Information access right. It's available as of iOS 4 and deprecated in iOS 16. + content: The version of the carrier settings. Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: PhoneNumber supportedOS: iOS: @@ -2384,8 +2337,8 @@ responsekeys: introduced: n/a type: content: The raw phone number without punctuation and including the country code. - This value requires the Network Information access right. It's available as - of iOS 4 and deprecated in iOS 16. + Requires the Network Information access right. Available as of iOS 4 and deprecated + in iOS 16. - key: DataRoamingEnabled supportedOS: iOS: @@ -2397,8 +2350,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device has enabled data roaming. This value requires the - Network Information access right, and is available in iOS 5 and later. + content: If 'true', the device has enabled data roaming. Requires the Network + Information access right. Available in iOS 5 and later. - key: VoiceRoamingEnabled supportedOS: iOS: 
@@ -2412,8 +2365,9 @@ responsekeys: introduced: n/a type: content: If 'true', the device has enabled voice roaming, which isn't available - for all carriers. This value requires the Network Information access right. - It's available as of iOS 5 and deprecated in iOS 16. + for all carriers. Requires the Network Information access right. Requires the + Device Information access right. Available as of iOS 5 and deprecated in iOS + 16. - key: PersonalHotspotEnabled supportedOS: iOS: @@ -2426,8 +2380,8 @@ responsekeys: introduced: n/a type: content: If 'true,' the device has enabled Personal Hotspot, which isn't available - for all carriers. This value requires the Network Information access right, - and is available in iOS 7.0 and later. + for all carriers. Requires the Network Information access right. Available in + iOS 7.0 and later. - key: IsNetworkTethered supportedOS: iOS: @@ -2439,8 +2393,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device is network-tethered. This value requires the Network - Information access right, and is available in iOS 10.3 and later. + content: If 'true', the device is network-tethered. Requires the Network Information + access right. Available in iOS 10.3 and later. - key: IsRoaming supportedOS: iOS: @@ -2453,8 +2407,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device is roaming. This value requires the Network Information - access right. It's available as of iOS 4.2 and deprecated in iOS 16. + content: If 'true', the device is roaming. Requires the Network Information access + right. IAvailable as of iOS 4.2 and deprecated in iOS 16. - key: SIMMCC supportedOS: iOS: 
@@ -2491,8 +2445,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The home Mobile Country Code (MCC). This value requires the Network Information - access right. It's available as of iOS 4.2.6 and deprecated in iOS 16. + content: The home Mobile Country Code (MCC). Requires the Network Information + access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: SubscriberMNC supportedOS: iOS: @@ -2505,9 +2459,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The key to get the home Mobile Network Code (MNC). This value requires - the Network Information access right. It's available as of iOS 4.2.6 and deprecated - in iOS 16. + content: The key to get the home Mobile Network Code (MNC). Requires the Network + Information access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: CurrentMCC supportedOS: iOS: @@ -2519,8 +2472,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The current mobile country code (MCC).This value requires the Network - Information access right. It's available as of iOS 4 and deprecated in iOS 16. + content: The current mobile country code (MCC). Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: CurrentMNC supportedOS: iOS: @@ -2532,8 +2485,8 @@ responsekeys: watchOS: introduced: n/a type: - content: The current mobile network code (MNC). This value requires the Network - Information access right. It's available as of iOS 4 and deprecated in iOS 16. + content: The current mobile network code (MNC). Requires the Network Information + access right. Available as of iOS 4 and deprecated in iOS 16. - key: ServiceSubscriptions supportedOS: iOS: 
@@ -2546,7 +2499,7 @@ responsekeys: introduced: n/a type: content: The contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. - This value requires the Network Information access right. + Requires the Network Information access right. subkeys: - key: ServiceSubscriptionProperty type: @@ -2640,8 +2593,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the EraseDeviceCommand requires a PIN. This value is available - in macOS 11 and later. + content: If 'true', the EraseDeviceCommand requires a PIN. Available in macOS + 11 and later. - key: PINRequiredForDeviceLock supportedOS: iOS: @@ -2653,8 +2606,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the DeviceLockCommand requires a PIN. This value is available - in macOS 11 and later. + content: If 'true', the DeviceLockCommand requires a PIN. Available in macOS 11 + and later. - key: SupportsiOSAppInstalls supportedOS: iOS: @@ -2666,8 +2619,8 @@ responsekeys: watchOS: introduced: n/a type: - content: If 'true', the device supports iOS/iPadOS app installs through MDM. This - query is available in macOS 11 and later. + content: If 'true', the device supports iOS/iPadOS app installs through MDM. Available + in macOS 11 and later. - key: SoftwareUpdateDeviceID supportedOS: iOS: @@ -2683,9 +2636,9 @@ responsekeys: watchOS: introduced: n/a type: - content: The key representing the device identifier to use when looking up available - OS updates through . Available in iOS 14.5 and - later. + content: The device identifier that you use to look up available OS updates through + . Available in iOS 15 and later, and macOS 12 + and later. - key: SoftwareUpdateSettings supportedOS: iOS: 
@@ -2811,9 +2764,9 @@ responsekeys: introduced: n/a type: content: |- - Specifies whether the device can perform an EraseDeviceCommand using Erase All Content and Settings (EACS). - Responses can include: - · 'success': The device supports EACS - · 'not supported': The device is too old to support EACS - · 'unknown failure': A problem occurred for which there isn't a more specific error message - · '(other string)': A reason why the device can't perform EACS, for example, “System is not sealed” + Specifies whether the device can perform an EraseDeviceCommand using Erase All Content and Settings (EACS), which is one of the following values: + + * 'success': The device supports EACS. + * 'not supported': The device is too old to support EACS. + * 'unknown failure': A problem occurred for which there isn't a more specific error message. + * '(other string)': A reason why the device can't perform EACS, such as “System is not sealed” diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml index 8c04ba5..7b19007 100644 --- a/mdm/commands/information.security.yaml +++ b/mdm/commands/information.security.yaml @@ -78,7 +78,7 @@ responsekeys: introduced: n/a type: content: If 'true', the user's passcode is compliant with requirements from profiles. - This key does not apply to User-Enrolled devices. This value is available in + This key doesn't apply to User-Enrolled devices. This value is available in iOS 4 and later, and tvOS 6 and later. - key: PasscodeLockGracePeriod supportedOS: @@ -121,7 +121,7 @@ responsekeys: introduced: n/a type: content: The number of seconds before a device goes to sleep after being idle. - This value is only available for Shared iPad. + This value is only available on Shared iPad in iOS 17 and later. - key: FDE_Enabled supportedOS: iOS: diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index 1998854..9f4fcc2 100644 
--- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -24,7 +24,8 @@ payload: accessrights: AllowAppInstallation supervised: false content: Queries managed application attributes. Attributes can be set on managed - apps. These attributes can be changed over time. + apps. These attributes can be changed over time. The response will not include + apps that are managed by Declarative Device Management. payloadkeys: - key: Identifiers type: diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml index e8c72cd..c3cea80 100644 --- a/mdm/commands/managed.application.configuration.yaml +++ b/mdm/commands/managed.application.configuration.yaml @@ -35,7 +35,8 @@ payload: accessrights: AllowAppInstallation supervised: false content: This command queries the device for the current configuration of managed - applications. This command requires the App Management right. + applications. This command requires the App Management right. The response will + not include apps that are managed by Declarative Device Management. payloadkeys: - key: Identifiers type: diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml index 1a0ab1d..ba16522 100644 --- a/mdm/commands/managed.application.feedback.yaml +++ b/mdm/commands/managed.application.feedback.yaml @@ -27,7 +27,8 @@ payload: accessrights: AllowAppInstallation supervised: false content: This command queries the device for application feedback information. This - command requires the App Management right. + command requires the App Management right. The response will not include apps + that are managed by Declarative Device Management. payloadkeys: - key: Identifiers type: 
@@ -41,7 +42,7 @@ payloadkeys: presence: optional default: false content: If 'true', delete the app's feedback dictionary after the server reads - it. + it. Apps that are managed by Declarative Device Management will be ignored. responsekeys: - key: ManagedApplicationFeedback type: diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml index 4f9a072..c05462d 100644 --- a/mdm/commands/profile.list.yaml +++ b/mdm/commands/profile.list.yaml @@ -133,15 +133,15 @@ responsekeys: - key: PayloadType type: presence: required - content: The payload type, which each payload domain’s reference page specifies. + content: The type of payload, such as 'com.apple.wifi.managed'. - key: PayloadVersion type: presence: required - content: The version of the configuration payload. The value should be '1'. + content: The version of the payload. The value should be '1'. - key: PayloadIdentifier type: presence: required - content: The reverse-DNS-style identifier of the payload; for example, 'com.example.myprofile.payload1'. + content: The reverse-DNS-style identifier of the payload, such as 'com.example.mypayload'. - key: PayloadUUID supportedOS: iOS: @@ -152,7 +152,7 @@ responsekeys: introduced: '17.0' type: presence: required - content: The unique identifier for the profile. + content: The unique identifier of the payload. - key: PayloadDisplayName type: presence: optional @@ -160,7 +160,7 @@ responsekeys: - key: PayloadDescription type: presence: optional - content: The description of the payload. + content: A description of the payload. - key: PayloadOrganization type: presence: optional diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 06b2112..a0dc9ea 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml 
@@ -243,7 +243,8 @@ payloadkeys: content: A dictionary that contains the configurations to apply to the app. Omit this setting to remove existing configurations. This setting requires the App Management access right, supports User Enrollment, and is available in iOS 7 - and later, macOS 10.15 and later, and tvOS 10.2 and later. + and later, macOS 10.15 and later, and tvOS 10.2 and later. This setting will + fail for apps that are managed by Declarative Device Management. subkeys: - key: Item type: @@ -287,7 +288,8 @@ payloadkeys: presence: optional content: A dictionary that contains the attributes to apply to the app. Omit this setting to remove existing attributes. This setting supports User Enrollment, - is available in iOS 7 and later, and tvOS 10.2 and later. + is available in iOS 7 and later, and tvOS 10.2 and later. This setting will + fail for apps that are managed by Declarative Device Management. subkeys: - key: Item type: @@ -410,7 +412,7 @@ payloadkeys: type: presence: optional content: |- - The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier provided string like “Enterprise1”'.' + The data network name (DNN) or app category. For DNN, the value is 'DNN:name', where 'name' is the carrier-provided DNN name. For app category, the value is 'AppCategory:category', where 'category' is a carrier-provided string like “Enterprise1”'.' Available in iOS 17 and later. - key: DeviceName supportedOS: 
@@ -760,15 +762,15 @@ payloadkeys: type: presence: required content: If 'true', the device stops at a Setup Assistant pane after user - login. The user won't be able to use the device until a UserConfiguredCommand - command is received. + login. The user won't be able to use the device until the device receives + a UserConfiguredCommand command. - key: PasscodePolicy supportedOS: iOS: introduced: '17.0' type: presence: optional - content: A dictionary that contains passcode related policies. + content: A dictionary that contains passcode policies. subkeys: - key: PasscodeLockGracePeriod type: 
@@ -780,28 +782,18 @@ payloadkeys: - 900 - 3600 - 14400 - content: Sets the user preference for the amount of time (in seconds) the - screen must be locked before unlock attempts will require the device passcode. - This should ideally be set when no passcode is set on device. If a passcode - is on device, only more restrictive values than the currently enforced passcode - lock grace period will take effect; any changes to a less restrictive value - will not take effect until the user logs out. This setting will not take - effect if TemporarySessionOnly is set to true (since there is no passcode - for the temporary session). This setting can only be applied on Shared iPads. - devpubs-override: The number of seconds before a locked screen requires the - user to enter the device passcode to unlock it. The minimum value is '0' - seconds and the maximum value is '14400' seconds. If a device has a passcode, - a change to a larger value doesn't take effect until the user logs out or - removes the passcode. For this reason, it's better to set this value before - the user sets a passcode. If the value set is less than one of the known - values the next lowest value will be used. For example a value of 299 will + content: |- + The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds. + If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode. + If the value set is less than one of the known + values, the next lowest value will be used. For example a value of 299 will result in an effective setting of 60. + This setting won't take effect if 'TemporarySessionOnly' is 'true' because there's no passcode for a temporary session. 
- key: AutoLockTime type: presence: optional - content: Sets the user preference for the amount of time (in seconds) before - a device goes to sleep after being idle. The minimum value for this setting - is 120 seconds. This setting can only be applied on Shared iPad. + content: The number of seconds before a device goes to sleep after being idle. + The minimum value for this setting is '120' seconds. - key: DiagnosticSubmission supportedOS: iOS: @@ -887,9 +879,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: A dictionary that contains password lock grace period settings. This - setting doesn't support User Enrollment, and is only available for Shared iPad. - Available in iOS 9.3.2 and later. + content: |- + A dictionary that contains password lock grace period settings. This setting doesn't support User Enrollment, and is only available for Shared iPad. Available in iOS 9.3.2 and later. + This key is deprecated. Use 'PasscodeLockGracePeriod' in SettingsCommand.Command.Settings.SharedDeviceConfiguration.PasscodePolicy instead. subkeys: - key: Item type: 
@@ -907,14 +899,13 @@ payloadkeys: - 900 - 3600 - 14400 - content: The number of seconds before a locked screen requires the user to enter - the device passcode to unlock it. The minimum value is '0' seconds and the - maximum value is '14400' seconds. If a device has a passcode, a change to - a larger value doesn't take effect until the user logs out or removes the - passcode. For this reason, it's better to set this value before the user sets - a passcode. If the value set is less than one of the known values the next + content: |- + The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds. + If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode. + If the value set is less than one of the known values, the next lowest value will be used. For example a value of 299 will result in an effective setting of 60. + This setting won't take effect if 'TemporarySessionOnly' is 'true' because there's no passcode for a temporary session. - key: TimeZone supportedOS: iOS: diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index 35232f2..3967391 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml 
@@ -35,10 +35,9 @@ responsekeys: - key: AvailableOSUpdates type: presence: required - content: An array of dictionaries that contains only the most recent available updates - in iOS and tvOS, and possibly multiple available updates in macOS. Follow the - instructions in the Managed Apps and Updates section of the Apple Software Lookup - Service to find a complete catalog of iOS and tvOS updates. + content: |- + An array of dictionaries that contains only the most recent available updates in iOS and tvOS, and possibly multiple available updates in macOS. Follow the instructions in the Managed Apps and Updates section of the Apple Software Lookup Service to find a complete catalog of iOS and tvOS updates. + In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options. subkeys: - key: AvailableOSUpdatesItem type: diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml index a2d2d51..8ff3e3e 100644 --- a/mdm/commands/system.update.schedule.yaml +++ b/mdm/commands/system.update.schedule.yaml @@ -56,10 +56,9 @@ payloadkeys: introduced: '12.2' type: presence: optional - content: The version of the update, which the system requires if 'ProductKey' - isn't present. Rapid Security Response updates are not able to be installed - using this command. This value is available in iOS 11.3 and later, macOS 12 - and later, and tvOS 12.2 and later. + content: |- + The version of the update, which the system requires if 'ProductKey' isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later. + This value isn't available for use with Rapid Security Response (RSR) updates. - key: InstallAction type: presence: required 
@@ -72,12 +71,15 @@ payloadkeys: - InstallForceRestart content: |- The install action, which is one of the following values: + * 'Default': Download or install the update, depending on the current state. You can check the 'UpdateResults' dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. * 'DownloadOnly': Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later. * 'InstallASAP': In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. * 'NotifyOnly': Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. * 'InstallLater': Download the software update and install it at a later time. This value is available in macOS 10.11 and later. * 'InstallForceRestart': Perform the 'Default' action, and then force a restart if the update requires it. This value is available in macOS 11 and later. + + 'InstallForceRestart' may result in data loss. - key: MaxUserDeferrals supportedOS: diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml index 100ca21..96c96a3 100644 --- a/mdm/commands/system.update.status.yaml +++ b/mdm/commands/system.update.status.yaml 
@@ -35,9 +35,7 @@ responsekeys: type: presence: required content: An array of dictionaries that describes the statuses of software updates. - The array is empty if there are no software updates currently in progress. If - an activated declaration of configuration.softwareupdate.enforcement.specific - is present on a Mac, OSUpdateStatus will only return non OS update statuses. + The array is empty if there are no software updates currently in progress. subkeys: - key: OSUpdateStatusItem type: diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index cd115d1..a411ecb 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -38,8 +38,8 @@ payloadkeys: type: presence: required content: The reverse-DNS style identifier ('com.example.myprofile', for example) - that identifies the profile. This string is used to determine whether a new profile - should replace an existing one or should be added. + that identifies the profile. The system uses this string to determine whether + to replace an existing profile or add it as a new profile. - key: PayloadUUID type: presence: required @@ -56,9 +56,9 @@ payloadkeys: presence: required rangelist: - 1 - content: The version number of the profile format. This number represents the version - of the configuration profile as a whole, not of the individual profiles within - it. The value should be 1. + content: The version number of the profile format, which needs to be '1'. This number + represents the version of the configuration profile as a whole, not of the individual + profiles within it. - key: IsEncrypted type: presence: optional 
@@ -85,22 +85,22 @@ payloadkeys: type: presence: optional content: The description of the profile, shown on the Detail screen for the profile. - This description should be detailed enough to help the user decide whether to - install the profile. + Make this description detailed enough to help the user decide whether to install + the profile. - key: PayloadDisplayName type: presence: optional - content: The human-readable name for the profile. This value is displayed on the - Detail screen. It doesn't have to be unique. + content: The human-readable name for the profile, which doesn't need to be unique. + The system displays this value on the Detail screen. - key: HasRemovalPasscode type: presence: optional default: false - content: Set to 'true' if there is a removal passcode. + content: Set to 'true' if there's a removal passcode. - key: PayloadOrganization type: presence: optional - content: The human-readable string containing the name of the organization that + content: The human-readable string that contains the name of the organization that provided the profile. - key: PayloadRemovalDisallowed supportedOS: 
@@ -116,9 +116,9 @@ payloadkeys: presence: optional default: false content: |- - If present and set to 'true', the user can't delete the profile (unless the profile has a removal password and the user provides it). - On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth. - On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, users can never remove MDM profiles, not even the admin. + If present and set to 'true', the user can't delete the profile unless the profile has a removal password and the user provides it. + On macOS 10.15 and later, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, removing the profile requires admin auth. + On macOS versions prior to 10.15, this key prevents admins from removing MDM installed profiles. However, as of macOS 10.15, users can never remove MDM profiles, not even the admin. Requires a supervised device. - key: PayloadScope supportedOS: 
@@ -129,27 +129,28 @@ payloadkeys: rangelist: - System - User - content: A string that defines whether the profile should be installed for the system - or the user. In many cases, it determines the location of certificate items, such - as keychains. Though it isn't possible to declare different payload scopes, payloads, - like VPN, may automatically install their items in both scopes, if needed. + content: A string that defines whether to install the profile for the system or + the user. In many cases, it determines the location of certificate items, such + as keychains. Though it's not possible to declare different payload scopes, payloads + like VPN can automatically install their items in both scopes, if needed. - key: RemovalDate type: presence: optional - content: The date when the profile is automatically removed. + content: The date when the system automatically removes the profile. - key: DurationUntilRemoval type: presence: optional content: The number of seconds until the profile is automatically removed. If the - 'RemovalDate' key is present, whichever field yields the earliest date is used. + 'RemovalDate' key is present, the system uses whichever field yields the earliest + date. - key: PayloadExpirationDate supportedOS: watchOS: introduced: n/a type: presence: optional - content: The date when a profile is no longer valid and an update button is presented - to the user. + content: The date when a profile is no longer valid and the system presents an update + button to the user. - key: TargetDeviceType supportedOS: iOS: 
@@ -172,24 +173,26 @@ payloadkeys: default: 0 content: |- The type of platform of the target device. Specifying the platform type helps prevent unintended installations. - For interactive installations on iOS devices, specifying a target platform avoids the interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible. - 0 = Any/unspecified - 1 = iPhone/iPad/iPod Touch - 2 = Apple Watch - 3 = HomePod - 4 = Apple TV - 5 = Mac + For interactive installations on iOS devices, specifying a target platform avoids interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible. + Possible values include: + + * '0': Any/unspecified + * '1': iPhone/iPad/iPod Touch + * '2': Apple Watch + * '3': HomePod + * '4': Apple TV + * '5': Mac - key: ConsentText type: presence: optional content: |- - A dictionary containing a key that consists of the IETF BCP 47 identifier for a language (for example, en or jp) and a value consisting of the agreement localized to that language. The agreement is displayed in a dialog, and the user must agree before installing the profile. - + A dictionary that includes: + * A key that contains the IETF BCP 47 identifier for a language, such as en or jp + * A value that contains the agreement localized to language specified by the key The dictionary can also contain an optional key, 'default', with its value consisting of the unlocalized (usually in en) agreement. - - The system chooses a localized version in the order of preference specified by the user (macOS) or based on the user's current language setting (iOS). If no exact match is found, the default localization is used. If there is no default localization, the en localization is used. If there is no en localization, the first available localization is used. - - Provide a default value, if possible. No warning is displayed if the user's locale doesn't match any localization in the 'ConsentText' dictionary. 
+ The system always displays the agreement in a dialog, and the user needs to agree before the system can install the profile. + The system chooses a localized version in the order of preference that the user specifies in macOS, or based on the user's current language setting in iOS. If there's no exact match, the system uses the default localization. If there's no default localization, the system uses the en localization. If there's no en localization, the system uses the first available localization. + Provide a default value, if possible. The system won't display a warning if the user's locale doesn't match any localization in the 'ConsentText' dictionary. subkeys: - key: ConsentTextItem type: diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml index d1f352b..448f912 100644 --- a/mdm/profiles/com.apple.MCX(TimeServer).yaml +++ b/mdm/profiles/com.apple.MCX(TimeServer).yaml @@ -13,12 +13,16 @@ payload: allowmanualinstall: true userenrollment: mode: forbidden - content: Settings for time zone and server + content: Settings for time zone and server. If multiple profiles with this payload + are sent, the device's time server will be set to the value in the last payload + installed. Removing the payload will not change the settings back to the prior + settings. payloadkeys: - key: timeServer type: presence: optional - content: The NTP server to connect to. Use commas to separate multiple time servers. + content: The NTP server to connect to. As of macOS 10.13 only one time server is + supported. - key: timeZone type: presence: optional diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml index 77fa36c..e1e7ee6 100644 --- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml +++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml 
@@ -34,7 +34,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Apple ID setup window. + content: If 'true', the system skips the Apple ID setup pane. - key: SkipSiriSetup supportedOS: iOS: @@ -42,7 +42,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Siri setup window. + content: If 'true', the system skips the Siri setup pane. - key: SkipPrivacySetup supportedOS: iOS: @@ -52,7 +52,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Privacy consent window. + content: If 'true', the system skips the Privacy consent pane. - key: SkipiCloudStorageSetup supportedOS: iOS: @@ -62,7 +62,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the iCloud Storage window. + content: If 'true', the system skips the iCloud Storage pane. - key: SkipTrueTone supportedOS: iOS: @@ -72,7 +72,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the True Tone Display window. + content: If 'true', the system skips the True Tone Display pane. - key: SkipAppearance supportedOS: iOS: @@ -82,7 +82,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Choose Your Look window. + content: If 'true', the system skips the Choose Your Look pane. - key: SkipTouchIDSetup supportedOS: iOS: @@ -92,7 +92,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Touch ID setup window. + content: If 'true', the system skips the Touch ID setup pane. - key: SkipScreenTime supportedOS: iOS: @@ -102,7 +102,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Screen Time window. + content: If 'true', the system skips the Screen Time pane. - key: SkipAccessibility supportedOS: iOS: 
@@ -112,7 +112,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Accessibility window. + content: If 'true', the system skips the Accessibility pane. - key: SkipSetupItems supportedOS: iOS: @@ -121,9 +121,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - An array strings describing setup items to skip. SkipKeys provides a list of valid strings and their meanings. - Available in iOS 14 and later. + content: An array strings that describe the setup items to skip. SkipKeys provides + a list of valid strings and their meanings. Available in iOS 14 and later. subkeys: - key: SkipSetupItems type: @@ -136,7 +135,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the system skips the Unlock With Apple Watch window. + content: If 'true', the system skips the Unlock With Apple Watch pane. - key: SkipWallpaper supportedOS: iOS: diff --git a/mdm/profiles/com.apple.apn.managed.yaml b/mdm/profiles/com.apple.apn.managed.yaml index d9e768f..b8da8d7 100644 --- a/mdm/profiles/com.apple.apn.managed.yaml +++ b/mdm/profiles/com.apple.apn.managed.yaml 
@@ -37,18 +37,18 @@ payloadkeys: - key: apn type: presence: required - content: This string specifies the Access Point Name. + content: The access point name. - key: username type: presence: optional - content: This string specifies the user name for this APN. If it is missing, - the device prompts for it during profile installation. + content: The user name. If missing, the device prompts for it during profile + installation. - key: password type: presence: optional - content: This data represents the password for the user for this APN. For - obfuscation purposes, the password is encoded. If it is missing from the - payload, the device prompts for the password during profile installation. + content: The password for the user. For obfuscation purposes, the system encodes + the password. If missing, the device prompts for the password during profile + installation. - key: proxy type: presence: optional diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index 152b403..1c82e30 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -53,8 +53,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables account modification. Requires a supervised device. - Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later. + content: If 'false', the system disables modification of accounts such as Apple + IDs and Internet-based accounts such as Mail, Contacts, and Calendar. Requires + a supervised device. Available in iOS 7 and later, macOS 14 and later, and watchOS + 10 and later. - key: allowActivityContinuation title: Allow Handoff supportedOS: 
@@ -73,9 +75,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables activity continuation. Available in iOS 8 and later, - and macOS 10.15 and later. In a future release, this restriction will begin requiring - supervision and will apply to personal Apple IDs only. + content: If 'false', the system disables activity continuation. Available in iOS + 8 and later, and macOS 10.15 and later. In a future release, this restriction + will begin requiring supervision and will apply to personal Apple IDs only. - key: allowAddingGameCenterFriends title: Allow Adding Game Center Friends supportedOS: @@ -95,8 +97,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits adding friends to Game Center. As of iOS 13, requires - a supervised device. Available in iOS 4.2.1 and later, and macOS 10.13 and later. + content: If 'false', the system prohibits adding friends to Game Center. As of iOS + 13, requires a supervised device. Available in iOS 4.2.1 and later, and macOS + 10.13 and later. - key: allowAirDrop supportedOS: iOS: @@ -115,8 +118,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables AirDrop. Requires a supervised device. Available in - iOS 7 and later, and macOS 10.13 and later. + content: If 'false', the system disables AirDrop. Requires a supervised device. + Available in iOS 7 and later, and macOS 10.13 and later. - key: allowAirPlayIncomingRequests title: Allow incoming AirPlay requests supportedOS: @@ -134,8 +137,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables incoming AirPlay requests. Requires a supervised device. - Available in macOS 12.3 and later, and tvOS 10.2 and later. + content: If 'false', the system disables incoming AirPlay requests. Requires a supervised + device. Available in macOS 12.3 and later, and tvOS 10.2 and later. - key: allowAirPrint title: Allow AirPrint supportedOS: 
@@ -153,8 +156,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables AirPrint. Requires a supervised device. Available - in iOS 11 and later. + content: If 'false', the system disables AirPrint. Requires a supervised device. + Available in iOS 11 and later. - key: allowAirPrintCredentialsStorage title: Allow storage of AirPrint credentials in Keychain supportedOS: @@ -172,8 +175,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables keychain storage of user name and password for AirPrint. - Requires a supervised device. Available in iOS 11 and later. + content: If 'false', the system disables keychain storage of user name and password + for AirPrint. Requires a supervised device. Available in iOS 11 and later. - key: allowAirPrintiBeaconDiscovery title: Allow discovery of AirPrint printers using iBeacons supportedOS: @@ -191,9 +194,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iBeacon discovery of AirPrint printers, which prevents - spurious AirPrint Bluetooth beacons from phishing for network traffic. Requires - a supervised device. Available in iOS 11 and later. + content: If 'false', the system disables iBeacon discovery of AirPrint printers, + which prevents spurious AirPrint Bluetooth beacons from phishing for network traffic. + Requires a supervised device. Available in iOS 11 and later. - key: allowAppCellularDataModification title: Allow Modifying Cellular Data Usage for Apps Settings supportedOS: @@ -211,8 +214,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables changing settings for cellular data usage for apps. - Requires a supervised device. Available in iOS 7 and later. + content: If 'false', the system disables changing settings for cellular data usage + for apps. Requires a supervised device. Available in iOS 7 and later. - key: allowAppClips title: Allow App Clips supportedOS: 
@@ -230,9 +233,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents a user from adding any App Clips, and removes any - existing App Clips on the device. Requires a supervised device. Available in iOS - 14.0 and later. + content: If 'false', the system prevents a user from adding any App Clips, and removes + any existing App Clips on the device. Requires a supervised device. Available + in iOS 14.0 and later. - key: allowAppInstallation title: Allow App Installation from Apple Configurator and iTunes supportedOS: @@ -250,10 +253,11 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the App Store, and its icon is removed from the Home - screen. Users are unable to install or update their apps. In iOS 10 and later, - MDM commands can override this restriction. As of iOS 13, this restriction requires - a supervised device. Available in iOS 4 and later and watchOS 10 and later. + content: If 'false', the system disables the App Store, and the system removes its + icon from the Home screen. Users are unable to install or update their apps. In + iOS 10 and later, MDM commands can override this restriction. As of iOS 13, this + restriction requires a supervised device. Available in iOS 4 and later and watchOS + 10 and later. - key: allowApplePersonalizedAdvertising supportedOS: iOS: @@ -271,8 +275,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', limits Apple personalized advertising. Available in iOS 14 - and later and macOS 12 and later. + content: If 'false', the system limits Apple personalized advertising. Available + in iOS 14 and later and macOS 12 and later. - key: allowAppRemoval title: Allow App Removal supportedOS: 
@@ -290,8 +294,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables removal of apps from an iOS device. Requires a supervised - device. Available in iOS 4.2.1 and later and watchOS 10 and later. + content: If 'false', the system disables removal of apps from an iOS device. Requires + a supervised device. Available in iOS 4.2.1 and later and watchOS 10 and later. - key: allowARDRemoteManagementModification title: Allow modifying Remote Management Sharing setting supportedOS: @@ -308,8 +312,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying the Remote Management Sharing setting in - System Settings. Available in macOS 14 and later. + content: If 'false', the system prevents modifying the Remote Management Sharing + setting in System Settings. Available in macOS 14 and later. - key: allowAssistant title: Allow Siri supportedOS: @@ -326,8 +330,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Siri or Siri settings. Available in iOS 5 and later, - and macOS 14.0 and later. Also available on iOS for user enrollment. + content: If 'false', the system disables Siri. Available in iOS 5 and later and + macOS 14 and later. Also available on iOS for user enrollment. - key: allowAssistantUserGeneratedContent supportedOS: iOS: @@ -344,9 +348,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents Siri from querying user-generated content from the - web. Requires a supervised device. Available in iOS 7 and later and watchOS 10 - and later. + content: If 'false', the system prevents Siri from querying user-generated content + from the web. Requires a supervised device. Available in iOS 7 and later and watchOS + 10 and later. - key: allowAssistantWhileLocked title: Allow Siri While Locked supportedOS: 
@@ -359,9 +363,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Siri when the device is locked. This restriction is - ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. - Also available for user enrollment. + content: If 'false', the system disables Siri when the device is locked. The system + ignores this restriction if the device doesn't have a passcode set. Available + in iOS 5.1 and later. Also available for user enrollment. - key: allowAutoCorrection title: Allow Auto Correction supportedOS: @@ -379,8 +383,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables keyboard autocorrection. Requires a supervised device. - Available in iOS 8.1.3 and later. + content: If 'false', the system disables keyboard autocorrection. Requires a supervised + device. Available in iOS 8.1.3 and later. - key: allowAutomaticAppDownloads title: Allow Automatic App Downloads supportedOS: @@ -398,9 +402,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents automatic downloading of apps purchased on other devices. - This setting doesn't affect updates to existing apps. Requires a supervised device. - Available in iOS 9 and later and watchOS 10 and later. + content: If 'false', the system prevents automatic downloading of apps purchased + on other devices. This setting doesn't affect updates to existing apps. Requires + a supervised device. Available in iOS 9 and later and watchOS 10 and later. - key: allowAutomaticScreenSaver supportedOS: iOS: @@ -415,8 +419,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Apple TV's automatic screen saver. Available in tvOS - 15.4 and later. + content: If 'false', the system disables Apple TV's automatic screen saver. Available + in tvOS 15.4 and later. - key: allowAutoUnlock supportedOS: iOS: 
@@ -434,9 +438,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disallows auto unlock. Available in macOS 10.12 and later, - and iOS 14.5 and later. This restriction will require supervision in a future - release. + content: If 'false', the system disallows auto unlock. Available in macOS 10.12 + and later, and iOS 14.5 and later. This restriction will require supervision in + a future release. - key: allowBluetoothModification title: Allow modifying Bluetooth settings supportedOS: @@ -456,8 +460,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modification of Bluetooth settings. Requires a supervised - device. Available in iOS 11 and later, and macOS 13.0 and later. + content: If 'false', the system prevents modification of Bluetooth settings. Requires + a supervised device. Available in iOS 11 and later, and macOS 13.0 and later. - key: allowBluetoothSharingModification title: Allow modifying Bluetooth Sharing setting supportedOS: @@ -474,8 +478,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying Bluetooth setting in System Settings. Available - in macOS 14 and later. + content: If 'false', the system prevents modifying Bluetooth setting in System Settings. + Available in macOS 14 and later. - key: allowBookstore title: Allow Bookstore supportedOS: @@ -493,8 +497,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', removes the Book Store tab from the Books app. Requires a supervised - device. Available in iOS 6 and later. + content: If 'false', the system removes the Book Store tab from the Books app. Requires + a supervised device. Available in iOS 6 and later. - key: allowBookstoreErotica title: Allow Bookstore Erotica supportedOS: 
@@ -512,9 +516,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', the user can't download Apple Books media that's tagged as - erotica. Available in iOS 6 and later, and tvOS 11.3 and later. This restriction - will require supervision in a future release. + content: If 'false', the system prevents the user from downloading Apple Books media + that's tagged as erotica. Available in iOS 6 and later, and tvOS 11.3 and later. + This restriction will require supervision in a future release. - key: allowCamera title: Allow Camera Use supportedOS: @@ -535,10 +539,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the camera, and its icon is removed from the Home - screen. Users are unable to take photographs. This restriction is deprecated on - unsupervised devices and will be supervised only in a future release. Available - in iOS 4 and later, and macOS 10.11 and later. + content: |- + If 'false', the system disables the camera, and the system removes its icon from the Home screen. Users are unable to take photographs. + This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 4 and later, macOS 10.11 and later, and tvOS 17 and later. - key: allowCellularPlanModification supportedOS: iOS: @@ -555,8 +558,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', users can't change any settings related to their cellular plan. - Requires a supervised device. Available in iOS 11 and later. + content: If 'false', the system prevents users from changing settings related to + their cellular plan. Requires a supervised device. Available in iOS 11 and later. - key: allowChat title: Allow use of iMessage supportedOS: 
@@ -574,9 +577,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the use of the iMessage with supervised devices. If - the device supports text messaging, the user can still send and receive text messages. - Requires a supervised device. Available in iOS 5 and later. + content: If 'false', the system disables the use of the iMessage with supervised + devices. If the device supports text messaging, the user can still send and receive + text messages. Requires a supervised device. Available in iOS 5 and later. - key: allowCloudAddressBook supportedOS: iOS: @@ -592,8 +595,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Address Book services. Available in macOS 10.12 - and later. + content: If 'false', the system disables iCloud Address Book services. Available + in macOS 10.12 and later. - key: allowCloudBackup title: Allow iCloud Backup supportedOS: @@ -611,9 +614,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables backing up the device to iCloud. This restriction - is deprecated on unsupervised devices and will be supervised only in a future - release. Available in iOS 5 and later. + content: |- + If 'false', the system disables backing up the device to iCloud. + This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 5 and later. - key: allowCloudBookmarks supportedOS: iOS: @@ -629,8 +632,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Bookmark sync. Available in macOS 10.12 and - later. + content: If 'false', the system disables iCloud Bookmark sync. Available in macOS + 10.12 and later. - key: allowCloudCalendar supportedOS: iOS: 
@@ -646,8 +649,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Calendar services. Available in macOS 10.12 - and later. + content: If 'false', the system disables iCloud Calendar services. Available in + macOS 10.12 and later. - key: allowCloudDesktopAndDocuments supportedOS: iOS: @@ -663,8 +666,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables cloud desktop and document services. Available in - macOS 10.12.4 and later. + content: If 'false', the system disables cloud desktop and document services. Available + in macOS 10.12.4 and later. - key: allowCloudDocumentSync title: Allow iCloud Document Sync supportedOS: @@ -686,10 +689,11 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables document and key-value syncing to iCloud. As of iOS - 13, this restriction requires a supervised device. Available in iOS 5 and later, - and macOS 10.11 and later. In a future release, this restriction will apply only - to personal Apple IDs and will have no effect on Managed Apple IDs. + content: If 'false', the system disables document and key-value syncing to iCloud. + As of iOS 13, this restriction requires a supervised device and Shared iPad doesn't + support it. Available in iOS 5 and later, and macOS 10.11 and later. In a future + release, this restriction will apply only to personal Apple IDs and will have + no effect on Managed Apple IDs. - key: allowCloudFreeform supportedOS: iOS: @@ -705,8 +709,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disallows iCloud Freeform services. Available in macOS 14 and - later. + content: If 'false', the system disallows iCloud Freeform services. Available in + macOS 14 and later. - key: allowCloudKeychainSync supportedOS: iOS: 
@@ -725,9 +729,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud keychain synchronization. This restriction - is deprecated on unsupervised devices and will be supervised only in a future - release. Available in iOS 7 and later and macOS 10.12 and later. + content: |- + If 'false', the system disables iCloud keychain synchronization. + This restriction is deprecated on unsupervised devices and will be supervised only in a future release. Available in iOS 7 and later and macOS 10.12 and later. - key: allowCloudMail supportedOS: iOS: @@ -743,8 +747,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Mail services. Available in macOS 10.12 and - later. + content: If 'false', the system disables iCloud Mail services. Available in macOS + 10.12 and later. - key: allowCloudNotes supportedOS: iOS: @@ -760,8 +764,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Notes services. Available in macOS 10.12 and - later. + content: If 'false', the system disables iCloud Notes services. Available in macOS + 10.12 and later. - key: allowCloudPhotoLibrary title: Allow iCloud Photo Library supportedOS: 
@@ -780,11 +784,11 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Photo Library, including iCloud Shared Photo - Library. Any photos not fully downloaded from iCloud Photo Library to the device - are removed from local storage. Available in iOS 9 and later, and macOS 10.12 - and later. In a future release, this restriction will begin requiring supervision - and will apply to personal Apple IDs only. + content: If 'false', the system disables iCloud Photo Library. The system removes + any photos from local storage that aren't fully downloaded from iCloud Photo Library + to the device. Available in iOS 9 and later, and macOS 10.12 and later. In a future + release, this restriction will begin requiring supervision and will apply to personal + Apple IDs only. - key: allowCloudPrivateRelay supportedOS: iOS: @@ -803,10 +807,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Private Relay. For iOS devices, this restriction - requires a supervised device. Available in macOS 12 and later, and iOS 15 and - later. In a future release, this restriction will apply only to personal Apple - IDs and will have no effect on Managed Apple IDs. + content: If 'false', the system disables iCloud Private Relay. For iOS devices, + this restriction requires a supervised device. Available in macOS 12 and later, + and iOS 15 and later. In a future release, this restriction will apply only to + personal Apple IDs and will have no effect on Managed Apple IDs. - key: allowCloudReminders supportedOS: iOS: @@ -822,8 +826,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iCloud Reminder services. Available in macOS 10.12 - and later. + content: If 'false', the system disables iCloud Reminder services. Available in + macOS 10.12 and later. - key: allowContentCaching supportedOS: iOS: 
@@ -840,7 +844,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables content caching. Available in macOS 10.13 and later. + content: If 'false', the system disables content caching. Available in macOS 10.13 + and later. - key: allowContinuousPathKeyboard title: Allow Continuous Path Keyboard supportedOS: @@ -858,8 +863,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables QuickPath keyboard. Requires a supervised device. - Available in iOS 13 and later. + content: If 'false', the system disables QuickPath keyboard. Requires a supervised + device. Available in iOS 13 and later. - key: allowDefinitionLookup title: Allow Define supportedOS: @@ -879,8 +884,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables definition lookup. Requires a supervised device on - iOS. Available in iOS 8.1.3 and later and macOS 10.11 and later. + content: If 'false', the system disables definition lookup. Requires a supervised + device on iOS. Available in iOS 8.1.3 and later and macOS 10.11 and later. - key: allowDeviceNameModification title: Allow Modifying Device Name supportedOS: @@ -901,9 +906,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from changing the device name. Requires a - supervised device. Available in iOS 9 and later, macOS 14 and later, and tvOS - 11.0 and later. + content: If 'false', the system prevents the user from changing the device name. + Requires a supervised device. Available in iOS 9 and later, macOS 14 and later, + and tvOS 11.0 and later. - key: allowDeviceSleep title: Allow Device Sleep supportedOS: 
@@ -919,8 +924,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents device from automatically sleeping. Requires a supervised - device. Available in tvOS 13 and later. + content: If 'false', the system prevents device from automatically sleeping. Requires + a supervised device. Available in tvOS 13 and later. - key: allowDiagnosticSubmission title: Allow diagnostic submission supportedOS: @@ -933,9 +938,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the device from automatically submitting diagnostic - reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also - available for user enrollment. + content: If 'false', the system prevents the device from automatically submitting + diagnostic reports to Apple. Available in iOS 6 and later, and macOS 10.13 and + later. Also available for user enrollment. - key: allowDiagnosticSubmissionModification title: Allow modifying diagnostics settings supportedOS: @@ -953,9 +958,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables changing the diagnostic submission and app analytics - settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. - Available in iOS 9.3.2 and later. + content: If 'false', the system disables changing the diagnostic submission and + app analytics settings in the Diagnostics & Usage UI in Settings. Requires a supervised + device. Available in iOS 9.3.2 and later. - key: allowDictation title: Allow dictation supportedOS: 
@@ -975,8 +980,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disallows dictation input. Requires a supervised device. Available - in iOS 10.3 and later, and macOS 10.13 and later. + content: If 'false', the system disallows dictation input. Requires a supervised + device. Available in iOS 10.3 and later, and macOS 10.13 and later. - key: allowEnablingRestrictions title: Allow Configuring Restrictions or ScreenTime supportedOS: @@ -995,8 +1000,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the “Enable Restrictions” option in the Restrictions UI in Settings. - In iOS 12 or later, if 'false', disables the “Enable ScreenTime” option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. + If 'false', the system disables the “Enable Restrictions” option in the Restrictions UI in Settings. + In iOS 12 or later, if 'false', the system disables the “Enable ScreenTime” option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. - key: allowEnterpriseAppTrust title: Allow Trusting Enterprise Apps supportedOS: 
@@ -1013,12 +1018,12 @@ payloadkeys: type: presence: optional default: true - content: If 'false', removes the Trust Enterprise Developer button in Settings > - General > Profiles & Device Management, preventing apps from being provisioned - by universal provisioning profiles. This restriction applies to free developer - accounts. However, it doesn't apply to enterprise app developers who are trusted - because their apps were pushed through MDM. It also doesn't revoke previously - granted trust. Available in iOS 9 and later. + content: If 'false', the system removes the Trust Enterprise Developer button in + Settings > General > Profiles & Device Management, which prevents provisioning + apps by universal provisioning profiles. This restriction applies to free developer + accounts. However, it doesn't apply to enterprise app developers, because they're + trusted and the system installed their apps through MDM. It also doesn't revoke + previously granted trust. Available in iOS 9 and later. - key: allowEnterpriseBookBackup title: Allow Enterprise Books Backup supportedOS: @@ -1033,8 +1038,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables backup of Enterprise books. Available in iOS 8 and - later. Also available for user enrollment. + content: If 'false', the system disables backup of Enterprise books. Available in + iOS 8 and later. Also available for user enrollment. - key: allowEnterpriseBookMetadataSync title: Allow Enterprise Books Notes and Highlights Sync supportedOS: 
@@ -1049,8 +1054,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables sync of Enterprise books, notes, and highlights. Available - in iOS 8 and later. Also available for user enrollment. + content: If 'false', the system disables sync of Enterprise books, notes, and highlights. + Available in iOS 8 and later. Also available for user enrollment. - key: allowEraseContentAndSettings title: Allow Erase All Content and Settings supportedOS: @@ -1070,9 +1075,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the Erase All Content And Settings option in the Reset - UI. Requires a supervised device. Available in iOS 8 and later, and macOS 12 and - later. + content: If 'false', the system disables the Erase All Content And Settings option + in the Reset UI. Requires a supervised device. Available in iOS 8 and later, and + macOS 12 and later. - key: allowESIMModification title: Allow eSIM Modification supportedOS: @@ -1090,9 +1095,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables modifications to carrier plan related settings (only - available on select carriers). Requires a supervised device. Available in iOS - 11 and later. + content: If 'false', the system disables modifications to carrier plan related settings + (only available on select carriers). Requires a supervised device. Available in + iOS 11 and later. - key: allowExplicitContent title: Allow Explicit Content supportedOS: 
@@ -1110,11 +1115,12 @@ payloadkeys: type: presence: optional default: true - content: If 'false', hides explicit music or video content purchased from the iTunes - Store. Explicit content is marked as such by content providers, such as record - labels, when sold through the iTunes Store. As of iOS 13, requires a supervised - device. Available in iOS 4 and later, and tvOS 11.3 and later. This restriction - will require supervision in a future release. + content: If 'false', the system hides explicit music or video content purchased + from the iTunes Store. The system marks explicit content as such by content providers, + such as record labels, when sold through the iTunes Store. As of iOS 13, requires + a supervised device. Available in iOS 4 and later, and tvOS 11.3 and later. This + restriction will require supervision in a future tvOS release, in addition to + iOS. - key: allowFileSharingModification title: Allow modifying File Sharing setting supportedOS: @@ -1131,8 +1137,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying File Sharing setting in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modifying File Sharing setting in System + Settings. Available in macOS 14 and later. - key: allowFilesNetworkDriveAccess supportedOS: iOS: @@ -1149,8 +1155,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents connecting to network drives in the Files app. Requires - a supervised device. Available in iOS 13.1 and later. + content: If 'false', the system prevents connecting to network drives in the Files + app. Requires a supervised device. Available in iOS 13.1 and later. - key: allowFilesUSBDriveAccess supportedOS: iOS: 
@@ -1167,8 +1173,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents connecting to any connected USB devices in the Files - app. Requires a supervised device. Available in iOS 13.1 and later. + content: If 'false', the system prevents connecting to any connected USB devices + in the Files app. Requires a supervised device. Available in iOS 13.1 and later. - key: allowFindMyDevice supportedOS: iOS: @@ -1187,8 +1193,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Find My Device in the Find My app. Requires a supervised - device. Available in iOS 13 and later. + content: If 'false', the system disables Find My Device in the Find My app. Requires + a supervised device. Available in iOS 13 and later. - key: allowFindMyFriends supportedOS: iOS: @@ -1207,8 +1213,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Find My Friends in the Find My app. Requires a supervised - device. Available in iOS 13 and later. + content: If 'false', the system disables Find My Friends in the Find My app. Requires + a supervised device. Available in iOS 13 and later. - key: allowFindMyFriendsModification supportedOS: iOS: @@ -1225,8 +1231,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables changes to Find My Friends. Requires a supervised - device. Available in iOS 7 and later. + content: If 'false', the system disables changes to Find My Friends. Requires a + supervised device. Available in iOS 7 and later. - key: allowFingerprintForUnlock title: Allow Touch ID to Unlock Device supportedOS: 
@@ -1245,9 +1251,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents Touch ID or Face ID from unlocking a device. Available - in iOS 7 and later, and macOS 10.12.4 and later. This restriction will require - supervision in a future release. + content: If 'false', the system prevents Touch ID or Face ID from unlocking a device. + Available in iOS 7 and later, and macOS 10.12.4 and later. This restriction will + require supervision in a future release. - key: allowFingerprintModification title: Allow Modifying Touch ID Fingerprints supportedOS: @@ -1267,8 +1273,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents the user from modifying Touch ID or Face ID. Requires - a supervised device. Available in iOS 8.3 and later, and macOS 14 and later. + content: If 'false', the system prevents the user from modifying Touch ID or Face + ID. Requires a supervised device. Available in iOS 8.3 and later, and macOS 14 + and later. - key: allowGameCenter title: Allow Game Center supportedOS: @@ -1288,9 +1295,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Game Center, and its icon is removed from the Home - screen. Requires a supervised device. Available in iOS 6 and later, and macOS - 10.13 and later. + content: If 'false', the system disables Game Center, and the system removes its + icon from the Home screen. Requires a supervised device. Available in iOS 6 and + later, and macOS 10.13 and later. - key: allowGlobalBackgroundFetchWhenRoaming title: Allow Automatic Sync While Roaming supportedOS: 
@@ -1307,9 +1314,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables global background fetch activity when an iOS phone - is roaming. Available in iOS 4 and later. This restriction will require supervision - in a future release. + content: If 'false', the system disables global background fetch activity when an + iOS phone is roaming. Available in iOS 4 and later. This restriction will require + supervision in a future release. - key: allowHostPairing supportedOS: iOS: @@ -1326,10 +1333,11 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables host pairing with the exception of the supervision - host. If no supervision host certificate has been configured, all pairing is disabled. - Host pairing lets the administrator control if an iOS device can pair with a host - Mac or PC. Requires a supervised device. Available in iOS 7 and later. + content: If 'false', the system disables host pairing with the exception of the + supervision host. If there's no configured supervision host certificate, the system + disables all pairing. Host pairing lets the administrator control if an iOS device + can pair with a host Mac or PC. Requires a supervised device. Available in iOS + 7 and later. - key: allowInAppPurchases title: Allow In App Purchases supportedOS: @@ -1346,8 +1354,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits in-app purchasing. Available in iOS 4 and later. - This restriction will require supervision in a future release. + content: If 'false', the system prohibits in-app purchasing. Available in iOS 4 + and later. This restriction will require supervision in a future release. - key: allowInternetSharingModification title: Allow modifying Internet Sharing setting supportedOS: 
@@ -1364,8 +1372,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying Internet Sharing setting in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modifying Internet Sharing setting in System + Settings. Available in macOS 14 and later. - key: allowiPhoneWidgetsOnMac title: Allow iPhone widget on Mac supportedOS: @@ -1385,8 +1393,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disallows iPhone widgets on a Mac that has signed in the same - Apple ID for iCloud. Supervised only. Available on iOS 17 and later. + content: If 'false', the system disallows iPhone widgets on a Mac that has signed + in the same AppleID for iCloud. Requires a supervised device. Available on iOS + 17 and later. - key: allowiTunes title: Allow use of iTunes supportedOS: @@ -1404,9 +1413,9 @@ payloadkeys: type: presence: optional default: true - content: |- - If 'false', disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. - As of iOS 13, requires a supervised device. Available in iOS 4 and later. + content: If 'false', the system disables the iTunes Music Store, and the system + removes its icon from the Home screen. Users can't preview, purchase, or download + content. As of iOS 13, requires a supervised device. Available in iOS 4 and later. - key: allowiTunesFileSharing supportedOS: iOS: @@ -1422,8 +1431,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables iTunes file sharing services. Available in macOS 10.13 - and later. + content: If 'false', the system disables iTunes file sharing services. Available + in macOS 10.13 and later. - key: allowKeyboardShortcuts title: Allow Keyboard Shortcuts supportedOS: 
@@ -1441,8 +1450,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables keyboard shortcuts. Requires a supervised device. - Available in iOS 9 and later. + content: If 'false', the system disables keyboard shortcuts. Requires a supervised + device. Available in iOS 9 and later. - key: allowListedAppBundleIDs title: Allow Listed Apps supportedOS: @@ -1460,14 +1469,33 @@ payloadkeys: introduced: n/a type: presence: optional - content: If present, this property allows only bundle IDs listed in the array to - be shown or launchable. Include the value 'com.apple.webapp' to allow all webclips. - Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and - later. + content: If present, the system only shows or can launch apps with bundle IDs in + the array. Include the value 'com.apple.webapp' to allow all webclips. Requires + a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. subkeys: - key: appAllowlistedBundleID title: Allow Listed App type: +- key: allowLiveVoicemail + title: Allow Live Voicemail + supportedOS: + iOS: + introduced: '17.2' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If set to false, disables live voicemail on the device. - key: allowLocalUserCreation title: Allow creating users in System Settings supportedOS: @@ -1484,8 +1512,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents creating new users in System Settings. Available in - macOS 14 and later. + content: If 'false', the system prevents creating new users in System Settings. + Available in macOS 14 and later. - key: allowLockScreenControlCenter supportedOS: iOS: 
@@ -1499,8 +1527,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents Control Center from appearing on the Lock screen. - Available in iOS 7 and later. Also available for user enrollment. + content: If 'false', the system prevents Control Center from appearing on the Lock + screen. Available in iOS 7 and later. Also available for user enrollment. - key: allowLockScreenNotificationsView supportedOS: iOS: @@ -1512,8 +1540,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the Notifications history view on the lock screen, - so users can't view past notifications. However, they can still see notifications + content: If 'false', the system disables the Notifications history view on the lock + screen, so users can't view past notifications. However, they can still see notifications when they arrive. Available in iOS 7 and later. Also available for user enrollment. - key: allowLockScreenTodayView supportedOS: @@ -1528,8 +1556,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the Today view in Notification Center on the lock - screen. Available in iOS 7 and later. Also available for user enrollment. + content: If 'false', the system disables the Today view in Notification Center on + the lock screen. Available in iOS 7 and later. Also available for user enrollment. - key: allowMailPrivacyProtection supportedOS: iOS: @@ -1546,8 +1574,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Mail Privacy Protection on the device. Requires a - supervised device. Available in iOS 15.2 and later. + content: If 'false', the system disables Mail Privacy Protection on the device. + Requires a supervised device. Available in iOS 15.2 and later. - key: allowManagedAppsCloudSync title: Allow iCloud Sync for Managed Apps supportedOS: 
@@ -1562,8 +1590,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents managed apps from using iCloud sync. Available in - iOS 8 and later. Also available for user enrollment. + content: If 'false', the system prevents managed apps from using iCloud sync. Available + in iOS 8 and later. Also available for user enrollment. - key: allowManagedToWriteUnmanagedContacts title: Allow managed apps to write to managed contacts accounts supportedOS: @@ -1581,10 +1609,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', managed apps can write contacts to unmanaged contacts accounts. - If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. - If this restriction is set to 'true', you must install the payload through MDM. - Available in iOS 12 and later. + content: |- + If 'true', the system allows managed apps to write contacts to unmanaged contacts accounts. If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. Available in iOS 12 and later. + You need to use MDM to install profiles that contain this restriction. - key: allowMultiplayerGaming title: Allow Multiplayer Gaming supportedOS: @@ -1604,8 +1631,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits multiplayer gaming. Requires a supervised device. - Available in iOS 4.1 and later, and macOS 10.13 and later. + content: If 'false', the system prohibits multiplayer gaming. Requires a supervised + device. Available in iOS 4.1 and later, and macOS 10.13 and later. - key: allowMusicService title: Allow Apple Music supportedOS: 
@@ -1625,9 +1652,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the Music service, and the Music app reverts to classic - mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS - 10.12 and later. + content: If 'false', the system disables the Music service, and the Music app reverts + to classic mode. Requires a supervised device. Available in iOS 9.3 and later, + and macOS 10.12 and later. - key: allowNews title: Allow use of News supportedOS: @@ -1645,8 +1672,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables News. Requires a supervised device. Available in iOS - 9 and later. + content: If 'false', the system disables News. Requires a supervised device. Available + in iOS 9 and later. - key: allowNFC supportedOS: iOS: @@ -1663,8 +1690,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables NFC. Requires a supervised device. Available in iOS - 14.2 and later. + content: If 'false', the system disables NFC. Requires a supervised device. Available + in iOS 14.2 and later. - key: allowNotificationsModification title: Allow Modifying Notifications Settings supportedOS: @@ -1682,8 +1709,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables modification of notification settings. Requires a - supervised device. Available in iOS 9.3 and later. + content: If 'false', the system disables modification of notification settings. + Requires a supervised device. Available in iOS 9.3 and later. - key: allowOpenFromManagedToUnmanaged title: Enable allow open from managed to unmanaged supportedOS: 
@@ -1732,8 +1759,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables over-the-air PKI updates. Setting this restriction - to 'false' doesn't disable CRL and OCSP checks. Available in iOS 7 and later. + content: If 'false', the system disables over-the-air PKI updates. Setting this + restriction to 'false' doesn't disable CRL and OCSP checks. Available in iOS + 7 and later. - key: allowPairedWatch title: Allow Pairing With Apple Watch supportedOS: @@ -1751,8 +1779,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables pairing with an Apple Watch. Any currently paired - Apple Watch is unpaired and the watch's content is erased. Requires a supervised + content: If 'false', the system disables pairing with an Apple Watch, and the system + unpairs any currently paired Apple Watch and erases its content. Requires a supervised device. Available in iOS 9 and later. - key: allowPassbookWhileLocked title: Allow Wallet While Locked @@ -1770,8 +1798,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', hides Passbook notifications from the lock screen. Available - in iOS 6 and later. + content: If 'false', the system hides Passbook notifications from the lock screen. + Available in iOS 6 and later. - key: allowPasscodeModification title: Allow Modifying Passcode supportedOS: @@ -1791,9 +1819,9 @@ payloadkeys: type: presence: optional default: true - content: |- - If 'false', prevents the device passcode from being added, changed, or removed. - This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later. + content: If 'false', the system prevents adding, changingThe system ignores this + restriction on Shared iPad. Requires a supervised device. Available in iOS 9 and + later, and macOS 10.13 and later. - key: allowPasswordAutoFill supportedOS: iOS: 
@@ -1813,9 +1841,12 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. - This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. - It doesn't prevent AutoFill for contact info and credit cards in Safari. + If 'false', the system disables: + * The AutoFill Passwords feature in iOS, with Keychain and third-party password managers + * Prompting the user to use a saved password in Safari or in apps + * Automatic Strong Passwords + * Suggesting strong passwords to users + However, if 'false', the system doesn't prevent AutoFill for contact info and credit cards in Safari. Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later. - key: allowPasswordProximityRequests supportedOS: @@ -1836,9 +1867,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables requesting passwords from nearby devices. Requires - a supervised device. Available in iOS 12 and later, macOS 10.14 and later, and - tvOS 12 and later. + content: If 'false', the system disables requesting passwords from nearby devices. + Requires a supervised device. Available in iOS 12 and later, macOS 10.14 and later, + and tvOS 12 and later. - key: allowPasswordSharing supportedOS: iOS: 
@@ -1857,9 +1888,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables sharing passwords with the Airdrop Passwords feature. - Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and - later. + content: If 'false', the system disables sharing passwords with the Airdrop Passwords + feature. Requires a supervised device. Available in iOS 12 and later, and macOS + 10.14 and later. - key: allowPersonalHotspotModification title: Allow modifying Personal Hotspot settings supportedOS: @@ -1877,8 +1908,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables modifications of the personal hotspot setting. Requires - a supervised device. Available in iOS 12.2 and later. + content: If 'false', the system disables modifications of the personal hotspot setting. + Requires a supervised device. Available in iOS 12.2 and later. - key: allowPhotoStream title: Allow Photo Stream supportedOS: @@ -1896,8 +1927,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Photo Stream. Available in iOS 5 and later. This restriction - is deprecated and will be removed in a future release. + content: If 'false', the system disables Photo Stream. Available in iOS 5 and later. + This restriction is deprecated and will be removed in a future release. - key: allowPodcasts supportedOS: iOS: @@ -1914,8 +1945,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables podcasts. Requires a supervised device. Available - in iOS 8 and later. + content: If 'false', the system disables podcasts. Requires a supervised device. + Available in iOS 8 and later. - key: allowPredictiveKeyboard title: Allow Predictive Keyboard supportedOS: 
@@ -1933,8 +1964,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables predictive keyboards. Requires a supervised device. - Available in iOS 8.1.3 and later. + content: If 'false', the system disables predictive keyboards. Requires a supervised + device. Available in iOS 8.1.3 and later. - key: allowPrinterSharingModification title: Allow modifying Printer Sharing setting supportedOS: @@ -1951,8 +1982,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying Printer Sharing setting in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modifying Printer Sharing setting in System + Settings. Available in macOS 14 and later. - key: allowProximitySetupToNewDevice supportedOS: iOS: @@ -1988,8 +2019,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Apple Music Radio. Requires a supervised device. Available - in iOS 9.3 and later. + content: If 'false', the system disables Apple Music Radio. Requires a supervised + device. Available in iOS 9.3 and later. - key: allowRapidSecurityResponseInstallation title: Allow Rapid Security Response Installation supportedOS: @@ -2009,8 +2040,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits installation of rapid security responses. Available - in iOS 16 and later and macOS 13 and later. + content: If 'false', the system prohibits installation of rapid security responses. + Available in iOS 16 and later, and macOS 13 and later. - key: allowRapidSecurityResponseRemoval title: Allow Rapid Security Response Removal supportedOS: 
@@ -2030,8 +2061,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits removal of rapid security responses. Available in - iOS 16 and later and macOS 13 and later. + content: If 'false', the system prohibits removal of rapid security responses. Available + in iOS 16 and later, and macOS 13 and later. - key: allowRemoteAppleEventsModification title: Allow modifying Remote Apple Events Sharing setting supportedOS: @@ -2048,8 +2079,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modifying Remote Apple Events Sharing setting in System - Settings. Available in macOS 14 and later. + content: If 'false', the system prevents modifying Remote Apple Events Sharing setting + in System Settings. Available in macOS 14 and later. - key: allowRemoteAppPairing title: Allow pairing with Remote app supportedOS: @@ -2065,7 +2096,7 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables pairing Apple TV for use with the Remote app or Control + content: If 'false', the system disables pairing Apple TV for use with the Control Center widget. Requires a supervised device. Available in tvOS 10.2 and later. - key: allowRemoteScreenObservation title: Allow Remote Screen Observation @@ -2081,9 +2112,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables remote screen observation by the Classroom app. Nest - this key beneath 'allowScreenShot' as a subrestriction. If 'allowScreenShot' is - set to 'false', the Classroom app doesn't observe remote screens. Required a supervised + content: If 'false', the system disables remote screen observation by the Classroom + app. Nest this key beneath 'allowScreenShot' as a subrestriction. If 'allowScreenShot' + is 'false', the Classroom app doesn't observe remote screens. Requires a supervised device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS 10.14.4 and later. - key: allowSafari 
@@ -2103,9 +2134,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the Safari web browser app, and its icon is removed - from the Home screen. This setting also prevents users from opening web clips. - As of iOS 13, requires a supervised device. Available in iOS 4 and later. + content: If 'false', the system disables the Safari web browser app, and the system + removes its icon from the Home screen. This setting also prevents users from opening + web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and + later. - key: allowScreenShot title: Allow Screenshots and Screen Recording supportedOS: @@ -2118,10 +2150,10 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables saving a screenshot of the display and capturing a - screen recording. It also disables the Classroom app from observing remote screens. - Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for - user enrollment. + content: If 'false', the system disables saving a screenshot of the display and + capturing a screen recording. It also disables the Classroom app from observing + remote screens. Available in iOS 4 and later, and macOS 10.14.4 and later. Also + available for user enrollment. - key: allowSharedDeviceTemporarySession supportedOS: iOS: @@ -2138,8 +2170,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', temporary sessions aren't available on Shared iPad. Available - in iOS 13.4 and later. + content: If 'false', the system makes temporary sessions unavailable on Shared iPad. + Available in iOS 13.4 and later. - key: allowSharedStream title: Allow Shared Stream supportedOS: 
@@ -2156,8 +2188,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Shared Photo Stream. Available in iOS 6 and later. - This restriction will require supervision in a future release. + content: If 'false', the system disables Shared Photo Stream. Available in iOS 6 + and later. This restriction will require supervision in a future release. - key: allowSpellCheck title: Allow Spell Check supportedOS: @@ -2175,8 +2207,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables keyboard spell-check. Requires a supervised device. - Available in iOS 8.1.3 and later. + content: If 'false', the system disables keyboard spell-check. Requires a supervised + device. Available in iOS 8.1.3 and later. - key: allowSpotlightInternetResults title: Allow Siri Suggestions supportedOS: @@ -2195,9 +2227,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Spotlight Internet search results in Siri Suggestions. - Available in iOS 8 and later, and macOS 10.11 and later. This restriction will - require supervision in a future release. + content: If 'false', the system disables Spotlight Internet search results in Siri + Suggestions. Available in iOS 8 and later, and macOS 10.11 and later. This restriction + will require supervision in a future release. - key: allowStartupDiskModification title: Allow modifying Startup Disk settings supportedOS: @@ -2214,8 +2246,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modification of Startup Disk setting in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modification of Startup Disk setting in + System Settings. Available in macOS 14 and later. - key: allowSystemAppRemoval supportedOS: iOS: 
@@ -2232,8 +2264,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the removal of system apps from the device. Requires - a supervised device. Available in iOS 11 and later. + content: If 'false', the system disables the removal of system apps from the device. + Requires a supervised device. Available in iOS 11 and later. - key: allowTimeMachineBackup title: Allow modifying Time Machine settings supportedOS: @@ -2250,8 +2282,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents modification of Time Machine settings in System Settings. - Available in macOS 14 and later. + content: If 'false', the system prevents modification of Time Machine settings in + System Settings. Available in macOS 14 and later. - key: allowUIAppInstallation title: Allow App Installation from App Store supportedOS: @@ -2270,7 +2302,7 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. + If 'false', the system disables the App Store, and the systems removes its icon from the Home screen. However, users can continue to use host apps (iTunes, Configurator) to install or update their apps. In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later and watchOS 10 and later. - key: allowUIConfigurationProfileInstallation title: Allow UI Configuration Profile Installation 
@@ -2291,9 +2323,9 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prohibits the user from installing configuration profiles and - certificates interactively. Requires a supervised device. Available in iOS 6 and - later and macOS 13 and later. + content: If 'false', the system prohibits the user from installing configuration + profiles and certificates interactively. Requires a supervised device. Available + in iOS 6 and later and macOS 13 and later. - key: allowUniversalControl title: Allow Universal Control supportedOS: @@ -2310,7 +2342,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Universal Control. Available in macOS 13 and later. + content: If 'false', the system disables Universal Control. Available in macOS 13 + and later. - key: allowUnmanagedToReadManagedContacts title: Allow unmanaged apps to read managed contacts accounts supportedOS: @@ -2326,10 +2359,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', unmanaged apps can read from managed contacts accounts. If 'allowOpenFromManagedToUnmanaged' - is 'true', this restriction has no effect. If this restriction is set to 'true', - you must install the payload through MDM. Available in iOS 12 and later. Also - available for user enrollment. + content: |- + If 'true', the system allows unmanaged apps to read from managed contacts accounts. If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. Available in iOS 12 and later. + You need to use MDM to install profiles that contain this restriction. - key: allowUnpairedExternalBootToRecovery supportedOS: iOS: 
@@ -2346,7 +2378,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows devices to be booted into recovery by an unpaired device. + content: If 'true', the system allows unpaired devices to boot devices into recovery. Requires a supervised device. Available in iOS 14.5 and later. - key: allowUntrustedTLSPrompt title: Allow user to accept untrusted TLS certificates @@ -2364,8 +2396,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', automatically rejects untrusted HTTPS certificates without - prompting the user. Available in iOS 5 and later. + content: If 'false', the system automatically rejects untrusted HTTPS certificates + without prompting the user. Available in iOS 5 and later. - key: allowUSBRestrictedMode supportedOS: iOS: @@ -2385,9 +2417,11 @@ payloadkeys: type: presence: optional default: true - content: |- - If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. - This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. + content: If 'false', the system allows iOS devices to always connect to USB accessories + while locked. On macOS, allows new USB and Thunderbolt accessories and SD cards + to connect without authorization. If the system has Lockdown mode enabled, it + ignores this value. Requires a supervised device. Available in iOS 11.4.1 and + later and macOS 13 and later. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: 
@@ -2405,8 +2439,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', hides the FaceTime app. As of iOS 13, requires a supervised - device. Available in iOS 4 and later. + content: If 'false', the system hides the FaceTime app. As of iOS 13, requires a + supervised device. Available in iOS 4 and later. - key: allowVoiceDialing title: Allow Voice Dialing While Device is Locked supportedOS: @@ -2424,9 +2458,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables voice dialing if the device is locked with a passcode. - Available in iOS 4 and later. This restriction is deprecated and will be removed - in a future release. + content: If 'false', the system disables voice dialing if the device is locked with + a passcode. Available in iOS 4 and later. - key: allowVPNCreation title: Allow Adding VPN Configurations (Supervised devices only) supportedOS: @@ -2444,8 +2477,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables the creation of VPN configurations. Requires a supervised - device. Available in iOS 11 and later. + content: If 'false', the system disables the creation of VPN configurations. Requires + a supervised device. Available in iOS 11 and later. - key: allowWallpaperModification title: Allow Modifying Wallpaper supportedOS: @@ -2465,7 +2498,7 @@ payloadkeys: type: presence: optional default: true - content: If 'false', prevents wallpaper from being changed. Requires a supervised + content: If 'false', the system prevents changing the wallpaper. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later. - key: autonomousSingleAppModePermittedAppIDs supportedOS: 
@@ -2482,9 +2515,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: If present, allows apps identified by the bundle IDs listed in the array - to autonomously enter Single App Mode. Requires a supervised device. Available - in iOS 7 and later. + content: If present, the system allows apps identified by the bundle IDs listed + in the array to autonomously enter Single App Mode. Requires a supervised device. + Available in iOS 7 and later. subkeys: - key: appAutonomousSingleAppModePermittedID title: Apps allow list for Autonomous Single App Mode @@ -2531,8 +2564,8 @@ payloadkeys: type: presence: optional content: |- - If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value 'com.apple.webapp' to restrict all webclips. Note that denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for user-based VPP. - Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + If present, the system prevents showing or launching apps with bundle IDs in the array from. Include the value 'com.apple.webapp' to restrict all webclips. Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + Denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for the user-based Volume Purchase Program (VPP). subkeys: - key: appBlockedBundleID title: Blocked App 
@@ -2576,9 +2609,12 @@ payloadkeys: min: 1 max: 90 default: 30 - content: |- - Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'. - Requires a supervised device in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later. + content: How many days to delay a software update on the device. With this restriction + in place, the user doesn't see a software update until the specified number of + days after the software update release date. The restrictions 'forceDelayedAppSoftwareUpdates' + and 'forceDelayedSoftwareUpdates' use this value. Requires a supervised device + in iOS and tvOS. Available in iOS 11.3 and later, macOS 10.13.4 and later, and + tvOS 12.2 and later. - key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay supportedOS: iOS: @@ -2662,8 +2698,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', causes AirDrop to be considered an unmanaged drop target. Available - in iOS 9 and later. Also available for user enrollment. + content: If 'true', the system considers AirDrop to be an unmanaged drop target. + Available in iOS 9 and later. Also available for user enrollment. - key: forceAirPlayIncomingRequestsPairingPassword supportedOS: iOS: 
@@ -2677,9 +2713,10 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces all devices sending AirPlay requests to this device to - use a pairing password. Available in Apple TV Software 6.2 and later. This key - isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead. + content: If 'true', the system forces all devices sending AirPlay requests to this + device to use a pairing password. Available in Apple TV Software 6.2 and later. + This key isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload + instead. - key: forceAirPlayOutgoingRequestsPairingPassword supportedOS: iOS: @@ -2693,9 +2730,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces all devices receiving AirPlay requests from this device - to use a pairing password. Available in iOS 7.1 and later. Also available for - user enrollment. + content: If 'true', the system forces all devices receiving AirPlay requests from + this device to use a pairing password. Available in iOS 7.1 and later. Also available + for user enrollment. - key: forceAirPrintTrustedTLSRequirement title: Disallow AirPrint to destinations with untrusted certificates supportedOS: @@ -2713,7 +2750,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', requires trusted certificates for TLS printing communication. + content: If 'true', the system requires trusted certificates for TLS printing communication. Requires a supervised device. Available in iOS 11 and later. - key: forceAssistantProfanityFilter title: Enable Siri Profanity Filter 
@@ -2734,8 +2771,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces the use of the profanity filter assistant. Requires a - supervised device. Available in iOS 11 and later and macOS 10.13 and later. + content: If 'true', the system forces the use of the profanity filter assistant. + Requires a supervised device. Available in iOS 11 and later and macOS 10.13 and + later. - key: forceAuthenticationBeforeAutoFill supportedOS: iOS: @@ -2752,10 +2790,11 @@ payloadkeys: type: presence: optional default: false - content: If 'true', the user must authenticate before passwords or credit card information - can be autofilled in Safari and Apps. If this restriction isn't enforced, the - user can toggle this feature in Settings. Only supported on devices with Face - ID or Touch ID. Requires a supervised device. Available in iOS 11 and later. + content: If 'true', the system the user needs to authenticate before the system + can autofill passwords or credit card information in Safari and apps. If this + restriction isn't enforced, the user can toggle this feature in Settings. Only + supported on devices with Face ID or Touch ID. Requires a supervised device. Available + in iOS 11 and later. - key: forceAutomaticDateAndTime supportedOS: iOS: 
@@ -2773,11 +2812,11 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the Set Automatically feature in Date & Time and can't - be disabled by the user. The device's time zone is updated only when the device - can determine its location using a cellular connection or Wi-Fi with location - services enabled. Requires a supervised device. Available in iOS 12 and later, - and tvOS 12.2 and later. + content: If 'true', the system enables the Set Automatically feature in Date & Time + and the user can't disable it. The system updates the device's time zone only + when the device can determine its location using a cellular connection or Wi-Fi + with location services enabled. Requires a supervised device. Available in iOS + 12 and later, and tvOS 12.2 and later. - key: forceClassroomAutomaticallyJoinClasses supportedOS: iOS: @@ -2797,9 +2836,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', automatically gives permission to the teacher's requests without - prompting the student. Requires a supervised device. Available in iOS 11 and later, - and macOS 10.14.4 and later. + content: If 'true', the system automatically gives permission to the teacher's requests + without prompting the student. Requires a supervised device. Available in iOS + 11 and later, and macOS 10.14.4 and later. - key: forceClassroomRequestPermissionToLeaveClasses supportedOS: iOS: 
@@ -2819,9 +2858,10 @@ payloadkeys: type: presence: optional default: false - content: If 'true', a student enrolled in an unmanaged course through Classroom - requests permission from the teacher when attempting to leave the course. Requires - a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later. + content: If 'true', the system a student enrolled in an unmanaged course through + Classroom requests permission from the teacher when attempting to leave the course. + Requires a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 + and later. - key: forceClassroomUnpromptedAppAndDeviceLock supportedOS: iOS: @@ -2841,9 +2881,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows the teacher to lock apps or the device without prompting - the student. Requires a supervised device. Available in iOS 11 and later, and - macOS 10.14.4 and later. + content: If 'true', the system allows the teacher to lock apps or the device without + prompting the student. Requires a supervised device. Available in iOS 11 and later, + and macOS 10.14.4 and later. - key: forceClassroomUnpromptedScreenObservation supportedOS: iOS: @@ -2864,8 +2904,8 @@ payloadkeys: presence: optional default: false content: If 'true' and 'ScreenObservationPermissionModificationAllowed' is also - 'true' in the Education payload, a student enrolled in a managed course via the - Classroom app automatically gives permission to that course teacher's requests + 'true' in the Education payload, a student enrolled in a managed course through + the Classroom app automatically gives permission to that course teacher's requests to observe the student's screen without prompting the student. Requires a supervised device. Available in iOS 11 and later, and macOS 10.14.4 and later. - key: forceDelayedAppSoftwareUpdates 
@@ -2883,11 +2923,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', delays user visibility of non-OS Software Updates. Requires a supervised device. - Visibility of Operating System updates is controlled through 'forceDelayedSoftwareUpdates'. - The delay is 30 days unless 'enforcedSoftwareUpdateDelay' is set to another value. - Available in macOS 11 and later. + content: If 'true', the system delays user visibility of non-OS Software Updates. + Requires a supervised device. Control visibility of operating system updates through + 'forceDelayedSoftwareUpdates'. The delay is 30 days unless you set 'enforcedSoftwareUpdateDelay' + to another value. Available in macOS 11 and later. - key: forceDelayedMajorSoftwareUpdates supportedOS: iOS: @@ -2903,8 +2942,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', delays user visibility of major upgrades to OS Software. Available - in macOS 11.3 and later. + content: If 'true', the system delays user visibility of major upgrades to OS Software. + Available in macOS 11.3 and later. - key: forceDelayedSoftwareUpdates supportedOS: iOS: @@ -2924,10 +2963,11 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', delays user visibility of software updates. In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS. - The delay is 30 days unless 'enforcedSoftwareUpdateDelay' is set to another value. - Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later. + content: If 'true', the system delays user visibility of software updates. In macOS, + the system allows seed build updates without delay. Requires a supervised device + in iOS and tvOS. The delay is 30 days unless you set 'enforcedSoftwareUpdateDelay' + to another value. Available in iOS 11.3 and later, macOS 10.13 and later, and + tvOS 12.2 and later. - key: forceEncryptedBackup title: Force Encrypted Backups supportedOS: 
@@ -2942,8 +2982,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', encrypts all backups. Available in iOS 4 and later. Also available - for user enrollment. + content: If 'true', the system encrypts all backups. Available in iOS 4 and later. + Also available for user enrollment. - key: forceITunesStorePasswordEntry title: Require iTunes password for all purchases supportedOS: @@ -2961,9 +3001,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces the user to enter their iTunes password for each transaction. - Available in iOS 6 and later. This restriction is deprecated and will be removed - in a future release. + content: If 'true', the system forces the user to enter their iTunes password for + each transaction. Available in iOS 6 and later. - key: forceLimitAdTracking supportedOS: iOS: @@ -2979,22 +3018,23 @@ payloadkeys: type: presence: optional default: false - content: If 'true', limits ad tracking. Additionally, it disables app tracking and - the Allow Apps To Request To Track setting. Available in iOS 7 and later. + content: If 'true', the system limits ad tracking. Additionally, it disables app + tracking and the Allow Apps To Request To Track setting. Available in iOS 7 and + later. - key: forceOnDeviceOnlyDictation supportedOS: iOS: introduced: '14.5' macOS: - introduced: n/a + introduced: '14.0' tvOS: introduced: n/a type: presence: optional default: false - content: If 'true', disables connections to Siri servers for the purposes of dictation. - Available in iOS 14.5 and later, macOS 14 and later, and watchOS 10 and later. - Also available for user enrollment. + content: If 'true', the system disables connections to Siri servers for the purposes + of dictation. Available in iOS 14.5 and later, macOS 14 and later, and watchOS + 10 and later. Also available for user enrollment. - key: forceOnDeviceOnlyTranslation supportedOS: iOS: 
@@ -3008,6 +3048,27 @@ payloadkeys: default: false content: If 'true', the device won't connect to Siri servers for the purposes of translation. Available in iOS 15 and later. Also available for user enrollment. +- key: forcePreserveESIMOnErase + title: Force Preserve ESIM on Erase + supportedOS: + iOS: + introduced: '17.2' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If set to true, eSIM will be preserved when a device is erased due to too + many failed password attempt or the "Erase All Content and Settings" option in + Settings > General > Reset. eSIM will not be preserved if the device is erased + by FindMy. - key: forceWatchWristDetection title: Force Apple Watch Wrist Detection supportedOS: @@ -3020,8 +3081,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', forces a paired Apple Watch to use Wrist Detection. Available - in iOS 8.2 and later. Also available for user enrollment. + content: If 'true', the system forces a paired Apple Watch to use Wrist Detection. + Available in iOS 8.2 and later. Also available for user enrollment. - key: forceWiFiPowerOn title: Disallow Wi-Fi from being turned off supportedOS: @@ -3039,7 +3100,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents Wi-Fi from being turned off in Settings or Control + content: If 'true', the system prevents turning off Wi-Fi in Settings or Control Center, even by entering or leaving Airplane Mode. It doesn't prevent selecting which Wi-Fi network to use. Requires a supervised device. Available in iOS 13.0 and later. 
@@ -3059,8 +3120,9 @@ payloadkeys: type: presence: optional default: false - content: If 'true', limits device to only join Wi-Fi networks set up through a configuration - profile. Requires a supervised device. Available in iOS 14.5 and later. + content: If 'true', the system limits device to only join Wi-Fi networks set up + through a configuration profile. Requires a supervised device. Available in iOS + 14.5 and later. - key: forceWiFiWhitelisting title: Only join Wi-Fi networks installed by profiles supportedOS: @@ -3100,15 +3162,16 @@ payloadkeys: max: 1000 default: 1000 content: |- - The maximum level of app content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. - Pre-installed (1st party) apps ignore this restriction. - Possible values (with the US description of the rating level): - * 1000: All - * 600: 17+ - * 300: 12+ - * 200: 9+ - * 100: 4+ - * 0: None + The maximum level of app content allowed on the device. Pre-installed (1st party) apps ignore this restriction. Available in iOS 4 and later, and tvOS 11.3 and later. + Possible values, with the US description of the rating level: + + * '1000': All + * '600': 17+ + * '300': 12+ + * '200': 9+ + * '100': 4+ + * '0': None + This restriction will require supervision in a future release. - key: ratingMovies title: Movies Ranking Number @@ -3131,14 +3194,16 @@ payloadkeys: default: 1000 content: |- The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. - Possible values (with the US description of the rating level): - * 1000: All - * 500: NC-17 - * 400: R - * 300: PG-13 - * 200: PG - * 100: G - * 0: None + Possible values, with the US description of the rating level: + + * '1000': All + * '500': NC-17 + * '400': R + * '300': PG-13 + * '200': PG + * '100': G + * '0': None + This restriction will require supervision in a future release. - key: ratingRegion title: Region Code 
@@ -3180,15 +3245,17 @@ payloadkeys: default: 1000 content: |- The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. - Possible values (with the US description of the rating level) - * 1000: All - * 600: TV-MA - * 500: TV-14 - * 400: TV-PG - * 300: TV-G - * 200: TV-Y7 - * 100: TV-Y - * 0: None + Possible values, with the US description of the rating level: + + * '1000': All + * '600': TV-MA + * '500': TV-14 + * '400': TV-PG + * '300': TV-G + * '200': TV-Y7 + * '100': TV-Y + * '0': None + This restriction will require supervision in a future release. - key: requireManagedPasteboard supportedOS: @@ -3203,7 +3270,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' + content: If 'true', copy and paste functionality is limited by the 'allowOpenFromManagedToUnmanaged' and 'allowOpenFromUnmanagedToManaged' restrictions. Also available for user enrollment. - key: safariAcceptCookies title: Accept Cookies in Safari 
@@ -3227,10 +3294,12 @@ payloadkeys: - 2.0 default: 2.0 content: |- - This value defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. - '0': Prevent Cross-Site Tracking and Block All Cookies are enabled and the user canʼt disable either setting. - '1' or '1.5': Prevent Cross-Site Tracking is enabled and the user canʼt disable it. Block All Cookies is not enabled, although the user can enable it. - '2': Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. + Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. + + * '0': Enables Prevent Cross-Site Tracking and Block All Cookies and the user canʼt disable either setting. + * '1' or '1.5': Enables Prevent Cross-Site Tracking and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. + * '2': Enables Prevent Cross-Site Tracking but doesn't enable Block All Cookies. The user can toggle either setting. + This restriction will require supervision in a future release. - key: safariAllowAutoFill title: Allow AutoFill in Safari 
@@ -3252,8 +3321,8 @@ payloadkeys: presence: optional default: true content: |- - If 'false', disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. - As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later. + If 'false', the system disables Safari AutoFill for passwords, contact info, and credit cards and also prevents using the Keychain for AutoFill. As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later. + The system still allows third-party password managers and apps can use AutoFill. - key: safariAllowJavaScript title: Allow JavaScript supportedOS: @@ -3304,8 +3373,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables Safari fraud warning. Available in iOS 4 and later. - Also available for user enrollment. + content: If 'true', the system enables Safari fraud warning. Available in iOS 4 + and later. Also available for user enrollment. - key: whitelistedAppBundleIDs title: Whitelisted Apps supportedOS: diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index e09ea7b..65373bc 100644 --- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -47,12 +47,12 @@ payloadkeys: title: User name type: presence: optional - content: The user name for the APN. + content: The user name. - key: Password title: Password type: presence: optional - content: The password for the APN. + content: The password for the user. - key: AllowedProtocolMask title: Supported IP Versions supportedOS: 
@@ -65,15 +65,16 @@ payloadkeys: - 2 - 3 content: |- - The supported Internet Protocol versions. Possible values are: - 1 = IPv4 - 2 = IPv6 - 3 = Both + The Internet Protocol versions that the system supports. Possible values are: + + * '1': IPv4 + * '2': IPv6 + * '3': Both - key: APNs title: APNs type: presence: optional - content: An array of access point dictionaries. + content: An array of access point name (APN) dictionaries. subkeys: - key: APNsItem type: @@ -127,11 +128,11 @@ payloadkeys: - 2 - 3 content: |- - Deprecated. The default Internet Protocol versions. Possible values are: + The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Possible values are: + * '1': IPv4 * '2': IPv6 * '3': Both - Available in iOS 10.3 but no longer used in iOS 11 and later. - key: AllowedProtocolMask title: Supported IP Versions supportedOS: @@ -144,11 +145,11 @@ payloadkeys: - 2 - 3 content: |- - The supported Internet Protocol versions. Possible values are: + The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Possible values are: + * '1': IPv4 * '2': IPv6 * '3': Both - Available in iOS 10.3 and later. - key: AllowedProtocolMaskInRoaming title: Supported Roaming IP Versions supportedOS: @@ -161,11 +162,11 @@ payloadkeys: - 2 - 3 content: |- - The supported Internet Protocol versions while roaming. Possible values are: + The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are: + * '1': IPv4 * '2': IPv6 * '3': Both - Available in iOS 10.3 and later. - key: AllowedProtocolMaskInDomesticRoaming title: Supported Roaming IP Versions supportedOS: 
@@ -178,11 +179,11 @@ payloadkeys: - 2 - 3 content: |- - The supported Internet Protocol versions while roaming domestically. Possible values are: + The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Possible values are: + * '1': IPv4 * '2': IPv6 * '3': Both - Available in iOS 10.3 and later. - key: EnableXLAT464 title: Enable XLAT464 supportedOS: @@ -193,5 +194,5 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables XLAT464. Available in iOS 16 and later and watchOS - 9 and later. + content: If 'true', the system enables XLAT464. Available in iOS 16 and later + and watchOS 9 and later. diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index 9c68a9b..9685186 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml @@ -165,11 +165,14 @@ payloadkeys: content: The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method. - key: UseSharedDeviceKeys + supportedOS: + macOS: + userchannel: false type: presence: optional default: false content: If 'true', the system uses the same signing and encryption keys for all - users. + users. Only supported on the device channel. - key: AccountDisplayName type: presence: optional @@ -260,11 +263,8 @@ payloadkeys: content: The pairing of Authorization Rights to group names. The system updates the Authorization Right to use the group when used. subkeys: - - key: Authorization Right + - key: ANY type: - presence: required - content: The Authorization Right to update. - - key: Group - type: - presence: required - content: The group to use for the Authorization Right. + presence: optional + content: The key is an access right value, the value is the group to be associated + with that access right. 
diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml index afa97a3..f5ab91c 100644 --- a/mdm/profiles/com.apple.finder.yaml +++ b/mdm/profiles/com.apple.finder.yaml @@ -48,24 +48,24 @@ payloadkeys: type: presence: optional default: true - content: If 'false', external hard drives don't appear on the Desktop. + content: If 'false', the system doesn't show external hard drives on the Desktop. - key: ShowHardDrivesOnDesktop type: presence: optional default: false - content: If 'false', internal hard drives don't appear on the Desktop. + content: If 'false', the system doesn't show internal hard drives on the Desktop. - key: ShowMountedServersOnDesktop type: presence: optional default: false - content: If 'false', mounted file servers don't appear on the Desktop. + content: If 'false', the system doesn't show mounted file servers on the Desktop. - key: ShowRemovableMediaOnDesktop type: presence: optional default: true - content: If 'false', removable media items don't appear on the Desktop. + content: If 'false', the system doesn't show removable media items on the Desktop. - key: WarnOnEmptyTrash type: presence: optional default: true - content: If 'false', the user isn't warned before emptying the trash. + content: If 'false', the system doesn't warn the user before emptying the trash. diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index 33b2daa..30bdf4f 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml 
@@ -216,7 +216,7 @@ payloadkeys: - key: passwordContentRegex type: presence: required - content: A regular expression string that they system matches against the password + content: A regular expression string that the system matches against the password to determine whether it complies with a policy. The regular expression uses the ICU syntax (). The string must not exceed 2048 characters in length. diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml index 9ad718d..3bfc078 100644 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ b/mdm/profiles/com.apple.relay.managed.yaml @@ -29,8 +29,8 @@ payloadkeys: title: Relays type: presence: required - content: An array of dictionaries that describes one or more relay servers that - can be chained together. + content: An array of dictionaries that describe one or more relay servers that the + system can chain together. subkeys: - key: Relay title: Network Relay 
@@ -40,26 +40,24 @@ payloadkeys: title: HTTP/3 Relay URL type: presence: optional - content: The URL or URI template (such as defined in RFC 9298) of a relay server - that is reachable using HTTP/3 and supports proxying TCP and UDP using the - CONNECT method. Each relay must have at least one URL, for either HTTP/3 or - HTTP/2, and may support both. + content: |- + The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method. + Each relay needs to include either 'HTTP2RelayURL' or 'HTTP3RelayURL', or it can include both. - key: HTTP2RelayURL title: HTTP/2 Relay URL type: presence: optional - content: The URL or URI template (such as defined in RFC 9298) of a relay server - that is reachable using HTTP/2 and supports proxying TCP and UDP using the - CONNECT method. Each relay must have at least one URL, for either HTTP/3 or - HTTP/2, and may support both. + content: |- + The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method. + Each relay needs to include either 'HTTP2RelayURL' or 'HTTP3RelayURL', or it can include both. - key: AdditionalHTTPHeaderFields title: Additional HTTP Header Fields type: presence: optional - content: A dictionary of custom HTTP header keys and values to add to each request - to the relay. The dictionary key name represents the HTTP header field name - to use, and the dictionary value is the string to use as the HTTP header field - value. + content: A dictionary that contains custom HTTP header keys and values to add + to each request. The dictionary key name represents the HTTP header field + name to use, and the dictionary value is the string to use as the HTTP header + field value. subkeys: - key: ANY type: 
@@ -70,16 +68,15 @@ payloadkeys: type: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ - content: UUID pointing to an identity certificate payload. This identity will - be used to authenticate the user to the relay server. + content: The UUID that points to an identity certificate payload, which the + system uses to authenticate the user to the relay server. - key: RawPublicKeys title: Raw Public Keys type: presence: optional - content: An array of raw public keys used to authenticate the server during - a TLS handshake. The server must use one of the keys in the handshake in order - to authenticate. If no keys are specified, default TLS trust evaluation is - used. + content: |- + An array of raw public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate. + If this array is empty, the system uses the default TLS trust evaluation. subkeys: - key: RawPublicKeysElement title: Raw Public Key Element 
@@ -88,11 +85,10 @@ payloadkeys: title: Match Domains type: presence: optional - content: A list of domain strings used to determine which connection should be routed - through the servers contained in Relays. Any connection that matches the domain - exactly or is a subdomain of the listed domain will use the relay servers, unless - they match an excluded domain. If no domains are listed, traffic to all domains, - except those matching an excluded domain, will be routed to the relay servers. + content: |- + A list of domain strings that the system uses to determine which connection to route through the servers in 'Relays'. + Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in 'ExcludedDomains'. + If this list is empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain. subkeys: - key: MatchDomainsElement title: Match Domains Element @@ -101,9 +97,9 @@ payloadkeys: title: Excluded Domains type: presence: optional - content: A list of domain strings that should not be routed through the servers - contained in Relays. Any connection that matches the domain exactly or is a subdomain - of the listed domain will not use the relay server. + content: A list of domain strings to exclude from routing through the servers in + 'Relays'. Any connection that matches a domain in the list exactly or is a subdomain + of the listed domain won't use the relay server. subkeys: - key: ExcludedDomainsElement title: Excluded Domains Element @@ -111,5 +107,5 @@ payloadkeys: - key: RelayUUID type: presence: optional - content: A globally-unique identifier for this relay configuration. This UUID is - used to route managed apps through the servers contained in Relays. + content: A globally-unique identifier for this relay configuration. The system uses + this UUID to route managed apps through the servers in 'Relays'. 
diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index c41f91d..b544a5c 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -43,7 +43,10 @@ payload: request a matching certificate based upon the ClientIdentifier, Subject, SubjectAltName, UsageFlags, and ExtendedKeyUsage fields. The ACME server issues a certificate and the device installs it in the keychain. Other payloads can reference the resulting - client identity by the payload's PayloadUUID. + client identity by the payload's PayloadUUID. For details on the content of the + attestation provided to the ACME server, see the documentation of the DevicePropertiesAttestation + key in the DeviceInformation response. In the attestation certificate the value + of the nonce OID matches the nonce specified by the ACME server via the ACME protocol. payloadkeys: - key: DirectoryURL title: ACME directory URL 
@@ -85,15 +88,15 @@ payloadkeys: If 'false', the private key isn't bound to the device. If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This prevents the system from exporting the private key. If 'true', 'KeyType' must be 'ECSECPrimeRandom' and 'KeySize' must be 256 or 384. - This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'. + This key is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of false. - key: Subject title: Subject type: presence: required content: |- The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. - The representation of a X.500 name represented as an array of OID and value. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar corresponds to: - [ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ] + The representation of a X.500 name represented as an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to: + '[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]' Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: ACMESubjectArrayInnerArray 
@@ -152,7 +155,7 @@ payloadkeys: type: presence: optional content: |- - The value is an array of strings. Each string is an OID in dotted notation. For instance, [”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”] indicates client authentication and email protection. + The value is an array of strings. Each string is an OID in dotted notation. For instance, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection. The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. subkeys: - key: OID @@ -181,8 +184,8 @@ payloadkeys: type: presence: optional default: true - content: If true, the private key of the identity obtained via SCEP should be tagged - as “non-extractable” in the keychain. + content: If 'true', the private key of the identity obtained through Simple Certificate + Enrollment Protocol (SCEP) needs to be tagged as “non-extractable” in the keychain. - key: AllowAllAppsAccess title: Allow All Apps Access supportedOS: diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index d51e3aa..1b524f8 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml 
@@ -22,19 +22,19 @@ payloadkeys: - key: EnableFirewall type: presence: required - content: If 'true', enables the firewall. + content: If 'true', the system enables the firewall. - key: BlockAllIncoming type: presence: optional - content: If 'true', enables blocking of all incoming connections. + content: If 'true', the system enables blocking all incoming connections. - key: EnableStealthMode type: presence: optional - content: If 'true', enables stealth mode. + content: If 'true', the system enables stealth mode. - key: Applications type: presence: optional - content: The list of apps with connections controlled by the firewall. + content: The list of apps with connections that the firewall controls. subkeys: - key: ApplicationsItem title: Applications @@ -44,21 +44,19 @@ payloadkeys: title: Application Identifier type: presence: required - content: The bundle identifier for an app. + content: The bundle identifier for the app. - key: Allowed title: Allow connections type: presence: required - content: If true, allows connections for the app. + content: If 'true', the system allows connections for the app. - key: EnableLogging supportedOS: macOS: introduced: '12.0' type: presence: optional - content: |- - If 'true', enables logging. - Available in macOS 12 and later. + content: If 'true', the system enables logging. Available in macOS 12 and later. - key: LoggingOption supportedOS: macOS: @@ -69,9 +67,7 @@ payloadkeys: - throttled - brief - detail - content: |- - This string specifies the type of logging. - Available in macOS 12 and later. + content: The type of logging. Available in macOS 12 and later. - key: AllowSigned supportedOS: macOS: 
@@ -80,8 +76,8 @@ payloadkeys: presence: optional default: true content: |- - If 'true', allows built-in software to receive incoming connections. - Available in macOS 12.3 and later. + If 'true', the system allows built-in software to receive incoming connections. Available in macOS 12.3 and later. + The system ensures that 'AllowSigned' always has a value. If missing from the payload, the system sets it to 'true'. - key: AllowSignedApp supportedOS: macOS: @@ -90,5 +86,5 @@ payloadkeys: presence: optional default: true content: |- - If 'true', allows downloaded signed software to receive incoming connections. - Available in macOS 12.3 and later. + If 'true', the system allows downloaded signed software to receive incoming connections. Available in macOS 12.3 and later. + The system ensures that 'AllowSignedApp' always has a value. If missing from the payload, the system sets it to 'true'. diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index aeffc29..f1035e0 100644 --- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -49,9 +49,7 @@ payloadkeys: title: Password type: presence: optional - content: |- - This is the password to the identity. - Security Caution: Because the password string is stored in the clear (unencrypted) in the profile, you should encrypt the entire profile. + content: The password to the identity. - key: AllowAllAppsAccess title: Allow All Apps Access supportedOS: @@ -81,4 +79,4 @@ payloadkeys: type: presence: optional default: true - content: If 'false', does not tag the private key data as extractable in the keychain. + content: If 'false', doesn't tag the private key data as extractable in the keychain. diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml index 9a229d1..2187e76 100644 --- a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml 
+++ b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml @@ -28,7 +28,8 @@ payloadkeys: title: If Lost message supportedOS: iOS: - introduced: 9.3.1 + introduced: '9.3' + deprecated: 9.3.1 type: presence: optional content: Deprecated. Use 'LockScreenFootnote' instead. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index 77eb167..5742d83 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -49,6 +49,13 @@ payloadkeys: title: VPN Subtype type: presence: optional + rangelist: + - com.cisco.anyconnect + - net.pulsesecure.PulseSecure.vpnplugin + - com.f5.F5-Edge-Client.vpnplugin + - com.sonicwall.SonicWALL-SSLVPN.vpnplugin + - com.arubanetworks.aruba-via.vpnplugin + - com.checkpoint.CheckPoint-VPN.vpnplugin content: |- An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'. If 'VPNType' is 'VPN', the system requires this field. If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier. 
@@ -71,25 +78,26 @@ payloadkeys: title: Realm type: presence: optional - content: The Kerberos realm name. This value needs to be properly capitalized. - Not available in watchOS. + content: The Kerberos realm name, which needs to be properly capitalized. Valid + only for Juniper SSL/Pulse Secure. Not available in watchOS. - key: Role title: Role type: presence: optional - content: The role to select when connecting to the server. This key is valid only - for Juniper SSL. Not available in watchOS. + content: The role to select when connecting to the server. Valid only for Juniper + SSL and Pulse Secure. Not available in watchOS. - key: Group title: Group type: presence: optional - content: The group to connect to on the head end. This key is only valid for Cisco - AnyConnect. Not available in watchOS. + content: The group to connect to on the head end. Valid for Cisco AnyConnect and + Cisco Legacy AnyConnect. Not available in watchOS. - key: LoginGroupOrDomain title: Login Group or Domain type: presence: optional - content: The login group or domain. Not available in watchOS. + content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not + available in watchOS. - key: VPN title: VPN type: @@ -479,8 +487,8 @@ payloadkeys: title: Account Password type: presence: optional - content: If 'TokenCard' is '1', use this password for authentication. This keyis - for use with L2TP and PPTP networks. + content: If 'TokenCard' is '1', use this password for authentication. This key + is for use with L2TP and PPTP networks. - key: TokenCard title: Use Token Card type: 
@@ -1562,7 +1570,8 @@ payloadkeys: presence: optional content: The dictionary to use when 'VPNType' is 'TransparentProxy'. The keys in this dictionary are the same as the keys in the 'VPN' dictionary with the addition - of the fields shown in the VPN.TransparentProxy dictionary. Not available in watchOS. + of the fields shown in the VPN.TransparentProxy dictionary. Available in macOS + 14 and later. Not available in watchOS. subkeys: - key: Order title: Order diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml index e92e0df..6736440 100644 --- a/mdm/profiles/com.apple.webClip.managed.yaml +++ b/mdm/profiles/com.apple.webClip.managed.yaml @@ -33,7 +33,7 @@ payloadkeys: type: presence: optional default: false - content: If 'true', prevents SpringBoard from adding 'shine' to the icon. + content: If 'true', the system prevents SpringBoard from adding shine to the icon. - key: FullScreen title: Full Screen supportedOS: 
@@ -42,21 +42,24 @@ payloadkeys: type: presence: optional default: false - content: If 'true', launches the web clip as a full-screen web app. + content: If 'true', the system launches the web clip as a full-screen web app. - key: URL title: URL type: subtype: presence: required - content: The URL that the web clip should open when clicked. + content: The URL of the web clip. - key: Icon title: Icon type: presence: optional - content: |- - The PNG icon to be shown on the Home screen. - For best results, provide a square image that's no larger than 400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically scaled and cropped to fit, if necessary, and converted to PNG format. Web clip icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114 pixels for iPhone devices. To prevent the device from adding a shine to the image, set 'Precomposed' to 'true'. - If this property isn't specified, a white square is shown. + content: The PNG icon to show on the Home screen. If not set, the system displays + a white square. For best results, provide a square image that's no larger than + 400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically + scaled and cropped to fit, if necessary, and converted to PNG format. Web clip + icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114 + pixels for iPhone devices. To prevent the device from adding a shine to the image, + set 'Precomposed' to 'true'. - key: IsRemovable title: Removable supportedOS: 
@@ -65,12 +68,12 @@ payloadkeys: type: presence: optional default: true - content: If 'true', enables removing the web clip. + content: If 'true', the system enables removing the web clip. - key: Label title: Label type: presence: required - content: The name of the web clip as displayed on the Home screen. + content: The name of the web clip that the system displays on the Home screen. - key: IgnoreManifestScope title: Ignore Web Clip manifest scope supportedOS: @@ -81,10 +84,10 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL. - This key has no effect when 'FullScreen' is 'false'. - Available in iOS 14 and later. + content: If 'true', a full screen web clip can navigate to an external web site + without showing Safari UI. Otherwise, Safari UI appears when navigating away from + the web clip's URL. This key has no effect when 'FullScreen' is 'false'. Available + in iOS 14 and later. - key: TargetApplicationBundleIdentifier title: Target Application Bundle Identifier supportedOS: @@ -94,6 +97,6 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The application bundle identifier that specifies the application which opens the URL. To use this property, the profile must be installed through an MDM. - Available in iOS 14 and later. + content: The application bundle identifier of the application that opens the URL. + To use this property, install the profile through MDM. Available in iOS 14 and + later. diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index ea4a507..834d349 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml 
@@ -39,8 +39,8 @@ payloadkeys: - BuiltIn - Plugin default: BuiltIn - content: The type of filter, built-in or plug-in. In macOS, the system supports - only the plug-in value. + content: The type of filter, built-in or plug-in. In macOS, the system only supports + the plug-in value. - key: AutoFilterEnabled title: Web filter enabled supportedOS: @@ -49,10 +49,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', automatic filtering is in an enabled state. This function evaluates - each web page as it loads and attempts to identify and block content not suitable - for children. The search algorithm is complex and may vary from release to release, - but it's basically looking for adult language. + content: If 'true', the system enables automatic filtering. Use when 'FilterType' + is 'BuiltIn'. - key: PermittedURLs title: PermittedURLs supportedOS: @@ -61,8 +59,8 @@ payloadkeys: type: presence: optional content: An array or URLs that are accessible whether or not the automatic filter - allows access. The system uses this array only when 'AutoFilterEnabled' is 'true'. - Otherwise, it ignores this field. + allows access. Use when 'FilterType' is 'BuiltIn'. Requires that 'AutoFilterEnabled' + is 'true'. subkeys: - key: PermittedURLItems title: Permitted url items @@ -90,8 +88,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array of URLs that are inaccessible. Limit the number of these URLs - to about 500. + content: An array of URLs that are inaccessible. Use when 'FilterType' is 'BuiltIn'. + Limit the number of these URLs to about 500. subkeys: - key: DenyListURLItems title: Denylisted url items 
@@ -130,7 +128,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array of dictionaries defining the pages that the user can visit. + content: An array of dictionaries that define the pages that the user can bookmark + or visit. Use when 'FilterType' is 'BuiltIn'. subkeys: - key: AllowListBookmarksItem title: Identifier 
@@ -150,43 +149,50 @@ payloadkeys: title: UserDefinedName type: presence: optional - content: The display name for this filtering configuration. + content: The display name for this filtering configuration. Required when 'FilterType' + is 'Plugin'. - key: PluginBundleID title: PluginBundleID type: presence: optional - content: The bundle ID of the plug-in that provides filtering service. + content: The bundle ID of the plug-in that provides filtering service. Required + when 'FilterType' is 'Plugin'. Otherwise, it ignores this value. Consult your + filtering solution vendor to determine what to specify for this value. Required + when 'FilterType' is 'Plugin'. - key: ServerAddress title: ServerAddress type: presence: optional - content: The server address, which may be the IP address, hostname, or URL. + content: The server address, which may be the IP address, hostname, or URL. Use + when 'FilterType' is 'Plugin'. - key: UserName title: Username type: presence: optional - content: The user name for the service. + content: The user name for the service. Use when 'FilterType' is 'Plugin'. - key: Password title: Password type: presence: optional - content: The password for the service. + content: The password for the service. Use when 'FilterType' is 'Plugin'. - key: PayloadCertificateUUID title: Certificate UUID type: presence: optional format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ content: The UUID of the certificate payload within the same profile that the system - uses to authenticate the user. + uses to authenticate the user. Use when 'FilterType' is 'Plugin'. - key: Organization title: Organization type: presence: optional - content: The organization string that passes to the third-party plug-in. + content: The organization string to pass to the third-party plug-in. Use when 'FilterType' + is 'Plugin'. - key: VendorConfig type: presence: optional - content: The custom dictionary that the filtering service plug-in needs. 
+ content: The custom dictionary that the filtering service plug-in needs. Use when + 'FilterType' is 'Plugin'. subkeys: - key: ANY type: @@ -200,15 +206,17 @@ payloadkeys: type: presence: optional default: false - content: If 'true', enables the filtering of WebKit traffic. Either 'FilterBrowsers' - or 'FilterSockets' must be 'true'. + content: |- + If 'true', the system enables filtering WebKit traffic. Use when 'FilterType' is 'Plugin'. + At least one of 'FilterBrowsers' or 'FilterSockets' needs to be 'true'. - key: FilterSockets title: FilterSockets type: presence: optional default: false - content: If 'true', enables the filtering of socket traffic. Either 'FilterBrowsers' - or 'FilterSockets' must be 'true'. + content: |- + If 'true', enables the filtering of socket traffic. Use when 'FilterType' is 'Plugin'. + At least one of 'FilterBrowsers' or 'FilterSockets' needs to be 'true'. - key: FilterDataProviderDesignatedRequirement title: Filter Data Provider Designated Requirement supportedOS: @@ -218,9 +226,9 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: |- - The designated requirement string that the system embeds in the code signature of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'. - Available in macOS 10.15 and later. + content: The designated requirement string that the system embeds in the code signature + of the filter data provider system extension. This string identifies the filter + data provider when the filter starts running. Required if 'FilterSockets' is 'true'. - key: FilterDataProviderBundleIdentifier title: Filter Data Provider Bundle Identifier supportedOS: 
@@ -230,9 +238,9 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: |- - The bundle identifier string of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'. - Available in macOS 10.15 and later. + content: The bundle identifier string of the filter data provider system extension. + This string identifies the filter data provider when the filter starts running. + Required if 'FilterSockets' is 'true'. - key: FilterPackets title: Filter Network Packets supportedOS: @@ -244,10 +252,8 @@ payloadkeys: presence: optional default: false content: |- - If this value is 'true', the property enables the filtering of network packets. - Either 'FilterPackets' or 'FilterSockets' must be 'true'. - You can only use this when 'FilterType' is 'Plugin'. - Available in macOS 10.15 and later. + If 'true' and 'FilterType' is 'Plugin', the system enables filtering network packets. Use when 'FilterType' is 'Plugin'. + At least one of 'FilterPackets' or 'FilterSockets' needs to be 'true'. - key: FilterPacketProviderDesignatedRequirement title: Filter Packet Provider Designated Requirement supportedOS: 
@@ -257,9 +263,10 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: |- - The designated requirement string that the system embeds in the code signature of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'. - Available in macOS 10.15 and later. + content: The designated requirement string that the system embeds in the code signature + of the filter packet provider system extension. This string identifies the filter + packet provider when the filter starts running. Required if 'FilterPackets' is + 'true'. - key: FilterPacketProviderBundleIdentifier title: Filter Packet Provider Bundle Identifier supportedOS: @@ -269,9 +276,9 @@ payloadkeys: introduced: '10.15' type: presence: optional - content: |- - The bundle identifier string of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'. - Available in macOS 10.15 and later. + content: The bundle identifier string of the filter packet provider system extension. + This string identifies the filter packet provider when the filter starts running. + Required if 'FilterPackets' is 'true'. - key: FilterGrade title: Filter Grade supportedOS: 
@@ -285,9 +292,10 @@ payloadkeys: - firewall - inspector default: firewall - content: |- - This value is for deriving the relative order of content filters. Filters with a grade of 'firewall' see network traffic before filters with a grade of 'inspector'. The system doesn't define the order of filters within a grade. - Available in macOS 10.15 and later. + content: The system uses this value to derive the relative order of content filters. + Filters with a grade of 'firewall' see network traffic before filters with a grade + of 'inspector'. However, the system doesn't define the order of filters within + a grade. - key: ContentFilterUUID title: Content Filter UUID supportedOS: @@ -297,7 +305,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: A globally-unique identifier for this content filter configuration. Managed - apps with the same 'ContentFilterUUID' in their app attributes have their network - traffic processed by the content filter. This key must be present for unsupervised - devices and user enrollments. + content: A globally unique identifier for this content filter configuration. The + content filter processes network traffic for managed apps with the same 'ContentFilterUUID' + in their app attributes. Use when 'FilterType' is 'Plugin'. This key must be present + for unsupervised devices and user enrollments. diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index eff08c9..6035493 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml @@ -53,8 +53,8 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: The SSID of the Wi-Fi network to be used. In iOS 7.0 and later, the SSID - is optional if a 'DomainName' value is provided. + content: The SSID of the Wi-Fi network to use. In iOS 7.0 and later, the SSID is + optional if a value exists for 'DomainName' value. - key: HIDDEN_NETWORK title: Hidden type: 
@@ -74,9 +74,11 @@ payloadkeys: - Manual - Auto default: None - content: |- - The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port and optionally a user name and password into the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL. - Available in iOS 5.0 and later, and on all versions of macOS. + content: The proxy type, if any, to use. If you choose the manual proxy type, you + need the proxy server address, including its port and optionally a user name and + password into the proxy server. If you choose the auto proxy type, you can enter + a proxy autoconfiguration (PAC) URL. Available in iOS 5.0 and later, and on all + versions of macOS. - key: EncryptionType title: Encryption Type type: @@ -96,7 +98,7 @@ payloadkeys: * 'WPA' allows joining WPA or WPA2 networks * 'WPA2' allows joining WPA2 or WPA3 networks * 'WPA3' allows joining WPA3 networks only - * 'Any' allows joining WPA, WPA2, WPA3, and WEP networks. + * 'Any' allows joining WPA, WPA2, WPA3, and WEP networks Prior to iOS 16, tvOS 16, and watchOS 9, specifying 'WPA', 'WPA2', and 'WPA3' were equivalent and would allow joining any WPA network. Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly. - key: Password @@ -343,9 +345,9 @@ payloadkeys: introduced: '10.9' type: presence: optional - content: |- - The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: The operator name to display when connected to this network. Used only + with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later, and in macOS + 10.9 and later. - key: DomainName title: Domain Name supportedOS: 
@@ -355,9 +357,8 @@ payloadkeys: introduced: '10.9' type: presence: optional - content: |- - The primary domain of the tunnel. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: The primary domain of the tunnel. Available in iOS 7.0 and later, and in + macOS 10.9 and later. - key: RoamingConsortiumOIs title: Roaming OIs supportedOS: @@ -367,9 +368,9 @@ payloadkeys: introduced: '10.9' type: presence: optional - content: |- - An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: An array of Roaming Consortium Organization Identifiers used for Wi-Fi + Hotspot 2.0 negotiation. Available in iOS 7.0 and later, and in macOS 10.9 and + later. subkeys: - key: RoamingConsortiumOI type: @@ -384,9 +385,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', allows connection to roaming service providers. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: If 'true', allows connection to roaming service providers. Available in + iOS 7.0 and later, and in macOS 10.9 and later. - key: IsHotspot title: Is Hotspot supportedOS: @@ -397,9 +397,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', the device treats the network as a hotspot. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: If 'true', the device treats the network as a hotspot. Available in iOS + 7.0 and later, and in macOS 10.9 and later. - key: HESSID supportedOS: iOS: 
@@ -416,9 +415,8 @@ payloadkeys: introduced: '10.9' type: presence: optional - content: |- - An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. - Available in iOS 7.0 and later, and in macOS 10.9 and later. + content: An array of Network Access Identifier Realm names used for Wi-Fi Hotspot + 2.0 negotiation. Available in iOS 7.0 and later, and in macOS 10.9 and later. subkeys: - key: NAIRealmName type: @@ -431,9 +429,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. - Available in iOS 7.0 and later. This feature is not supported in macOS. + content: An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used + for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. + Available in iOS 7.0 and later. This feature isn't supported in macOS. subkeys: - key: MCCAndMNC type: @@ -448,9 +446,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', Captive Network detection will be bypassed when the device connects to the network. - Available in iOS 10.0 and later. + content: If 'true', the system bypasses Captive Network detection when the device + connects to the network. Available in iOS 10.0 and later. - key: QoSMarkingPolicy title: QoS Marking Policy supportedOS: 
@@ -460,9 +457,10 @@ payloadkeys: introduced: '10.13' type: presence: optional - content: |- - A dictionary that contains the list of apps that are allowed to benefit from L2 and L3 marking. When this dictionary isn't present, all apps are allowed to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane. - Available in iOS 10.0 and later, and in macOS 10.13 and later. + content: A dictionary that contains the list of apps that the system allows to benefit + from L2 and L3 marking. When this dictionary isn't present, the system allows + all apps to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast + lane. Available in iOS 10.0 and later, and in macOS 10.13 and later. subkeys: - key: QoSMarkingAllowListAppIdentifiers title: Allowlisted App Identifiers @@ -521,7 +519,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: An array of strings that contain the type of connection mode to be attached. + content: An array of strings that contain the type of connection mode to attach. subkeys: - key: SetupModesItem type: @@ -540,9 +538,8 @@ payloadkeys: type: presence: optional default: false - content: |- - If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. - If 'false', allows for zero-factor authentication for EAP-TLS. + content: If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or + EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS. - key: ProxyServer title: Proxy Server supportedOS: 
@@ -636,5 +633,4 @@ payloadkeys: content: |- If 'true,' disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections. If 'false', then the system enables MAC address randomization. - This value is only locked when the profile is installed by MDM. If the profile is manually installed, the value is set but the user can change it. - Available in iOS 14 and later, and watchOS 7 and later. + This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. Available in iOS 14 and later, and watchOS 7 and later. diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 77c56a8..771d14e 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -28,7 +28,7 @@ payloadkeys: type: presence: optional content: The key to skip the Accessibility pane, when creating additional users. - This key is available in macOS 11 and later. + This key is not available in macOS. - key: Android title: Prevents migration from Android device supportedOS:
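Review bot: In the @@ -85,15 +88,15 @@ hunk, the hardware-bound key text now ends "it must have a value of false" with the quotes removed, while the same paragraph and the rest of this change quote literal values ('true', 'false', 'ECSECPrimeRandom'). Keep 'false' quoted. In the 'Subject' example of the same hunk, the new single-quoted array still carries mis-paired typographic quotes ([”C”, “US”]); since the line is being touched anyway, switch them to straight double quotes so the example can be copied as written.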
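Review bot: In com.apple.security.pkcs12.yaml (@@ -49,9 +49,7 @@), the new 'Password' text drops the only statement that the password string is stored unencrypted in the profile and that the whole profile should be encrypted. That is guidance an administrator acts on, not a style matter, so it should survive the rewording, for example "The password to the identity. The profile stores this string unencrypted, so encrypt the entire profile." If the caution moved elsewhere, point to it from this key.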
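Review bot: In com.apple.shareddeviceconfiguration.yaml (@@ -28,7 +28,8 @@), the two version values are quoted differently: introduced: '9.3' is a string but deprecated: 9.3.1 is left bare. Other files in this change quote versions ('12.0', '10.15'), so quote '9.3.1' as well to keep both fields the same type for anything that parses the schema.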
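Review bot: In com.apple.vpn.managed.yaml (@@ -49,6 +49,13 @@), the new rangelist on 'VPNSubType' enumerates six identifiers, but the unchanged content below it says that for a network extension provider the field holds the bundle identifier of the app that contains the provider and that the vendor supplies the value. A tool that treats rangelist as exhaustive would reject those configurations. Either state in the content that the list is a set of known values and not a closed set, or leave the rangelist off this key. The list also has no entry for the "Juniper SSL" and "Cisco Legacy AnyConnect" solutions that the next hunk names.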
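Review bot: In com.apple.vpn.managed.yaml (@@ -71,25 +78,26 @@), the applicability sentences added to 'Realm', 'Role' and 'Group' are phrased three different ways: "Valid only for Juniper SSL/Pulse Secure", "Valid only for Juniper SSL and Pulse Secure", and "Valid for Cisco AnyConnect and Cisco Legacy AnyConnect" without "only". Pick one form, and say whether dropping "only" for 'Group' is intended, because the removed text read "only valid for Cisco AnyConnect".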
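Review bot: In com.apple.webcontent-filter.yaml (@@ -61,8 +59,8 @@), the 'PermittedURLs' description is rewritten but the context line above it still reads "An array or URLs"; fix it to "An array of URLs" in the same edit. The rewrite also replaces "The system uses this array only when 'AutoFilterEnabled' is 'true'. Otherwise, it ignores this field." with "Requires that 'AutoFilterEnabled' is 'true'", which no longer says what happens when the condition is not met (ignored, or rejected?). Keep the "ignores" behaviour explicit.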
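Review bot: In com.apple.webcontent-filter.yaml (@@ -150,43 +149,50 @@), the new 'PluginBundleID' text contains "Required when 'FilterType' is 'Plugin'." twice, and "Otherwise, it ignores this value." has no subject for "it". Suggested: "The bundle ID of the plug-in that provides filtering service. Required when 'FilterType' is 'Plugin'. Otherwise, the system ignores this value. Consult your filtering solution vendor to determine what to specify for this value." Note too that 'UserDefinedName' and 'PluginBundleID' are now described as required for the plug-in type while both still declare presence: optional, so a validator driven by the schema won't enforce it; the description should make clear the requirement is conditional.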
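Review bot: In com.apple.webcontent-filter.yaml (@@ -200,15 +206,17 @@), 'FilterSockets' was not converted the way 'FilterBrowsers' was in the same hunk: it still reads "If 'true', enables the filtering of socket traffic." Make it "If 'true', the system enables filtering socket traffic." so the two sibling keys match.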
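Review bot: In com.apple.webcontent-filter.yaml (@@ -244,10 +252,8 @@), the new 'FilterPackets' sentence states the plug-in condition twice: "If 'true' and 'FilterType' is 'Plugin', the system enables filtering network packets. Use when 'FilterType' is 'Plugin'." Drop one of the two. This hunk says at least one of 'FilterPackets' or 'FilterSockets' needs to be 'true', while the 'FilterBrowsers' and 'FilterSockets' text says at least one of 'FilterBrowsers' or 'FilterSockets'; a single sentence naming all three keys would remove the ambiguity about which combinations are valid.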
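Review bot: In com.apple.wifi.managed.yaml (@@ -53,8 +53,8 @@), the new 'SSID_STR' sentence ends "optional if a value exists for 'DomainName' value", with "value" repeated. Make it "optional if a value exists for 'DomainName'."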
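Review bot: In other/skipkeys.yaml (@@ -28,7 +28,7 @@), the availability statement flips from "available in macOS 11 and later" to "not available in macOS", but the unchanged first sentence still describes the key as applying "when creating additional users", and the hunk doesn't show the key's supportedOS block. Confirm that supportedOS was updated to match and that the first sentence is still accurate for the remaining platforms. For consistency with the other hunks in this change, write "isn't available".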