Release_iOS-15_macOS-12

Cyrus Daboo
2022-06-03 16:16:40 -04:00
commit 4e8e108dbb
233 changed files with 25461 additions and 0 deletions

.github/PULL_REQUEST_TEMPLATE.md vendored Normal file

@@ -0,0 +1,3 @@
This repository does not accept pull requests.
All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area.

.gitignore vendored Normal file

LICENSE.txt Normal file

@@ -0,0 +1,20 @@
Copyright © 2022 Apple Inc.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md Normal file

@@ -0,0 +1,36 @@
# Device Management Client Schema
This repository contains Apple's Device Management Client schema data for the MDM (Mobile Device Management) protocol, and the Declarative Device Management feature.
## OS Versions
This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 15.0 |
| macOS | 12.0 |
| tvOS | 15.0 |
| watchOS | 8.0 |
## What's Available
The following schema items are available:
* MDM commands - `mdm/commands`
* MDM check-in requests - `mdm/checkin`
* MDM profiles - `mdm/profiles`
* Declarative device management declarations - `declarative/declarations`
* Declarative device management status items - `declarative/status`
* Declarative device management protocol - `declarative/protocol`
## YAML Schema Definition
See [YAML Schema](docs/schema.md).
## Providing Feedback
All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area.
We will NOT be accepting pull requests on this repository - please use `Feedback Assistant` for all requests.
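Review bot: the OS table (iOS 15.0, macOS 12.0, tvOS 15.0, watchOS 8.0) doesn't match the schema files in this same commit, whose payload-level `supportedOS` lists only `iOS: introduced: '15.0'`; macOS shows up only as per-key `introduced: n/a` entries (the Exchange configuration) or in prose (the LDAP, Passcode and Legacy Profile configurations), and tvOS/watchOS not at all. Either add the missing platform entries to the declarations or state here that the table describes the protocol release rather than the platforms each declaration supports.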


@@ -0,0 +1,23 @@
title: Activation:Simple
description: An activation used to install a set of configurations.
payload:
declarationtype: com.apple.activation.simple
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: StandardConfigurations
type: <array>
presence: required
content: An array of strings that specify the identifiers of configurations to install.
A failure to install one of the configurations doesn't prevent other configurations
from installing.
subkeys:
- key: StandardConfigurationsItems
type: <string>
- key: Predicate
type: <string>
presence: optional
content: A predicate format string as Apple's Predicate Programming <https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html>
describes. The activation only installs when the predicate evaluates to 'true'
or isn't present.
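Review bot: the last sentence of `Predicate` ("The activation only installs when the predicate evaluates to 'true' or isn't present") reads as though "isn't present" were a possible result of evaluating the predicate; suggest "The activation installs only when 'Predicate' is absent or evaluates to 'true'." Also, `StandardConfigurationsItems` carries no `presence` line while the array item in the Exchange file (`EnabledProtocolTypesItem`) has `presence: required`; pick one convention for array item subkeys.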


@@ -0,0 +1,34 @@
title: Credential:User Name and Password
description: A reference to data describing a credential representing a user name
and password. Note that this should always be considered as security sensitive data.
payload:
declarationtype: com.apple.asset.credential.userpassword
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The reference to the credential.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: required
content: The media type that describes the data.
- key: Size
type: <integer>
presence: required
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: required
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
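Review bot: the last line of `Hash-SHA-256` ("clients need to ignore this value or set it to an empty string") mixes roles: the client consumes the hash, the server produces it. Say which party does what, for example that the server emits an empty string when 'Size' is 0 and the client skips hash verification in that case. Since the key is `presence: required` and the description calls this data security sensitive, the text should also say that the client rejects data whose size or hash doesn't match, rather than the weaker "use this value to verify". A separate gap: nothing says how the client authenticates to `DataURL`; "must start with 'https://'" pins the transport only.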


@@ -0,0 +1,16 @@
title: User Name and Password Credentials
description: Data describing a credential representing a user name and password.
payload:
credentialtype: com.apple.credential.usernameandpassword
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: UserName
type: <string>
presence: required
content: The user's user name for the credential.
- key: Password
type: <string>
presence: optional
content: The user's password for the credential.
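Review bot: `Password` is `presence: optional`, but the text doesn't say what an account configuration that references this credential does when it's absent (prompt the user, fail to install, or connect without authentication); every account file on this page treats the reference as sufficient, so state it. This file also uses `credentialtype` where every other file uses `declarationtype`, and the asset that carries it (Credential:User Name and Password) declares `com.apple.asset.credential.userpassword`; one line explaining how `com.apple.credential.usernameandpassword` relates to that asset type would help.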


@@ -0,0 +1,18 @@
title: User Identity
description: User identity data.
payload:
declarationtype: com.apple.asset.useridentity
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: FullName
title: Full Name
type: <string>
presence: optional
content: The user's full name.
- key: EmailAddress
title: Email Address
type: <string>
presence: optional
content: The user's email address.


@@ -0,0 +1,37 @@
title: Account:CalDAV
description: Use this configuration to define settings for access to CalDAV servers.
payload:
declarationtype: com.apple.configuration.account.caldav
supportedOS:
iOS:
introduced: '15.0'
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this calendar account. If not present,
the system generates a suitable default.
- key: HostName
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CalDAV server (or IP address).
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number for the CalDAV server.
- key: Path
title: Server Path
type: <string>
presence: optional
content: The path for the CalDAV server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
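Review bot: nothing in this configuration controls transport security. `HostName`, `Port` and `Path` are given, but there is no key for TLS and, unlike the Subscribed Calendar configuration (whose `CalendarURL` "must start with 'https://'"), the text never says the connection is encrypted. Because `AuthenticationCredentialsAssetReference` supplies a user name and password, a reader can't tell whether a configuration pointing at port 80 would send that credential in the clear; document the default (always TLS, or how it's chosen) or add a key.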


@@ -0,0 +1,36 @@
title: Account:CardDAV
description: Use this configuration to define settings for access to CardDAV servers.
payload:
declarationtype: com.apple.configuration.account.carddav
supportedOS:
iOS:
introduced: '15.0'
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this address book account. If not
present, the system generates a suitable default.
- key: HostName
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CardDAV server (or IP address).
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number for the CardDAV server.
- key: Path
title: Server Path
type: <string>
presence: optional
content: The path for the CardDAV server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
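Review bot: `AuthenticationCredentialsAssetReference` says the asset "must be of type UserNameAndPasswordCredentials" (the wording the CalDAV and LDAP files also use), while the Exchange, Mail and Subscribed Calendar files say "CredentialUserNameAndPassword"; neither string is an identifier that appears anywhere else on this page. The asset file declares `com.apple.asset.credential.userpassword`, so use that identifier (or one consistent title) in all six places. The same transport-security gap as in the CalDAV file applies here: no key says whether the CardDAV connection uses TLS.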


@@ -0,0 +1,210 @@
title: Account:Exchange
description: Use this configuration to define settings for access to Exchange ActiveSync
and Web Services servers.
payload:
declarationtype: com.apple.configuration.account.exchange
supportedOS:
iOS:
introduced: '15.0'
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this Exchange account. If not present,
the system generates a suitable default.
- key: EnabledProtocolTypes
title: Enabled Protocol Types
type: <array>
presence: required
content: |-
The set of protocol types to enable on the Exchange server, in order of preference. This is an array of unique strings with possible values:
* 'EAS:' Exchange ActiveSync
* 'EWS:' Exchange Web Services (EWS)
If the device supports one or more of the listed protocol types, it sets up an account for the first supported type.
If the device doesn't support any of the listed protocol types, it doesn't set up an account and the system reports an error.
subkeys:
- key: EnabledProtocolTypesItem
type: <string>
presence: required
rangelist:
- EAS
- EWS
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
- key: HostName
title: Server Host Name
type: <string>
presence: optional
content: The hostname of the EWS server (or IP address). This is a required field
unless the declaration contains an 'OAuth' property, with a 'SignInURL' that has
'enabled' as 'true'.
- key: Port
title: Server Port
supportedOS:
iOS:
introduced: n/a
type: <integer>
presence: optional
content: The port number of the EWS server. The system uses this only when this
declaration has a 'HostName' value.
- key: Path
title: Server Path
supportedOS:
iOS:
introduced: n/a
type: <string>
presence: optional
content: The path of the EWS server. The system uses this only when this declaration
has a 'HostName' value.
- key: ExternalHostName
title: Server External Host Name
supportedOS:
iOS:
introduced: n/a
type: <string>
presence: optional
content: The external hostname of the EWS server (or IP address). This is a required
field unless the declaration contains an 'OAuth' property, with a 'SignInURL'
that has 'enabled' as 'true'.
- key: ExternalPort
title: Server External Port
supportedOS:
iOS:
introduced: n/a
type: <integer>
presence: optional
content: The external port number of the EWS server. The system uses this only when
this declaration has a 'HostName' value.
- key: External Path
title: Server External Path
supportedOS:
iOS:
introduced: n/a
type: <string>
presence: optional
content: The external path of the EWS server. The system uses this only when this
declaration has a 'HostName' value.
- key: OAuth
title: Controls use of OAuth
type: <dictionary>
presence: optional
content: The configuration settings for OAuth for this account.
subkeys:
- key: Enabled
title: Use OAuth
type: <boolean>
presence: required
content: If 'true', enables OAuth for this account.
- key: SignInURL
type: <string>
presence: optional
content: The URL that this account uses for signing in with OAuth. The system
ignores this value unless 'Enabled' is 'true'. The system doesn't use autodiscovery
when a declaraction contains this URL, so the declaration must also contain
a 'HostName'.
- key: TokenRequestURL
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The URL that this account uses for token requests with OAuth. The system
ignores this value unless 'Enabled' is 'true'.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with an Exchange server. The corresponding asset
must be of type CredentialUserNameAndPassword.
- key: MailServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', activates the mail service for this account.
- key: LockMailService
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the mail service
for this account.
- key: ContactsServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', activates the address book service for this account.
- key: LockContactsService
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the address book
service for this account.
- key: CalendarServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', activates the calendar service for this account.
- key: LockCalendarService
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the calendar service
for this account.
- key: RemindersServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', activates the reminders service for this account.
- key: LockRemindersService
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the reminders
service for this account.
- key: NotesServiceActive
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', activates the notes service for this account.
- key: LockNotesService
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', prevents the user from changing the status of the notes service
for this account.
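Review bot: `HostName` and `ExternalHostName` say the field is required "unless the declaration contains an 'OAuth' property, with a 'SignInURL' that has 'enabled' as 'true'", but `OAuth.SignInURL` says the opposite: "The system doesn't use autodiscovery when a declaraction contains this URL, so the declaration must also contain a 'HostName'". Decide whether SignInURL removes or adds the HostName requirement and fix both places (also "declaraction", and the lowercase "enabled", which refers to the `Enabled` key). Further points in this hunk: the key `External Path` contains a space and should presumably be `ExternalPath`; `ExternalPort` and `External Path` say the system uses them "only when this declaration has a 'HostName' value", which presumably should read `ExternalHostName`; `Port`, `Path`, `ExternalHostName`, `ExternalPort` and `External Path` carry `iOS: introduced: n/a` while the payload-level `supportedOS` lists only iOS, so as written these keys are supported on no platform (a macOS entry at payload level looks missing); and the `content` line "This payload configures an Exchange ActiveSync account on an iOS device" contradicts `EnabledProtocolTypes`, which also allows EWS.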


@@ -0,0 +1,25 @@
title: Account:Google
description: Use this configuration to define settings for access to Google services.
payload:
declarationtype: com.apple.configuration.account.google
supportedOS:
iOS:
introduced: '15.0'
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this Google account. If not present,
the system generates a suitable default.
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
presence: required
content: The identifier of an asset declaration that contains the user identity
for this Google account. The corresponding asset must be of type UserIdentity.
The asset must contain an 'EmailAddress' key that specifies the full Google email
address for the account.
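Review bot: `UserIdentityAssetReference` requires that the referenced asset "contain an 'EmailAddress' key", but in the User Identity asset `EmailAddress` is `presence: optional`, so the schema can't express this constraint and it can only be caught at install time. Say what the client does when the referenced asset has no email address (whether the configuration fails and which status it reports).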


@@ -0,0 +1,69 @@
title: Account:LDAP
description: Use this configuration to define settings for access to LDAP servers.
payload:
declarationtype: com.apple.configuration.account.ldap
supportedOS:
iOS:
introduced: '15.0'
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this LDAP account. If not present,
the system generates a suitable default.
- key: HostName
title: Server Host Name
type: <string>
presence: required
content: The hostname of the LDAP server (or IP address).
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number of the LDAP server (or IP address).
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
- key: SearchSettings
title: Search Settings
type: <array>
presence: optional
content: The array of nodes to start LDAP searches from. There must be at least
one node for this account to be useful. macOS only searches one node and ignores
other items in the array.
subkeys:
- key: SearchSettingsItem
title: An LDAP Search Setting
type: <dictionary>
subkeys:
- key: VisibleDescription
title: Visible Description
type: <string>
presence: optional
content: The description of this search setting in the Contacts and Settings
apps. If not present, the apps display no name.
- key: SearchBase
title: Search Base
type: <string>
presence: required
content: The path to the node where a search starts. For example, 'ou=people,o=example
corp'.
- key: Scope
title: Scope
type: <string>
presence: optional
rangelist:
- Base
- OneLevel
- Subtree
default: Subtree
content: |-
The type of recursion to use in the saerch.
* 'Base': Only the 'SearchBase' node.
* 'OneLevel': The 'SearchBase' node and its immediate children.
* 'Subtree': The 'SearchBase' node and all its chidren, regardless of depth.
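Review bot: as in the CalDAV and CardDAV files, no key says whether the connection to `HostName`/`Port` uses TLS, yet `AuthenticationCredentialsAssetReference` supplies a user name and password; state the transport default (or add a key) so an administrator can tell whether a bind on port 389 sends the password in the clear. Smaller points: `Port` says "The port number of the LDAP server (or IP address)", copied from the `HostName` text (a port has no IP address); `SearchSettings` says "macOS only searches one node" while the payload-level `supportedOS` lists only iOS; and `Scope` has the typos "saerch" and "chidren".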


@@ -0,0 +1,103 @@
title: Account:Mail
description: Use this configuration to define settings for access to email servers.
payload:
declarationtype: com.apple.configuration.account.mail
supportedOS:
iOS:
introduced: '15.0'
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this mail account. If not present,
the system generates a suitable default.
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
- key: IncomingServer
title: Incoming Server Settings
type: <dictionary>
presence: required
content: The settings for the incoming mail server for this account.
subkeys:
- key: ServerType
title: Server Type
type: <string>
presence: required
rangelist:
- IMAP
- POP
content: The mail protocol this account uses.
- key: HostName
title: Server Host Name
type: <string>
presence: required
content: The host name for the incoming mail server.
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number for the incoming mail server.
- key: AuthenticationMethod
title: Server Authentication Method
type: <string>
presence: required
rangelist:
- None
- Password
- CRAMMD5
- NTLM
- HTTPMD5
content: The authentication method for the incoming mail server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
type: <string>
presence: optional
content: The path prefix for the IMAP server. The system uses this only when 'ServerType'
is 'IMAP'.
- key: OutgoingServer
title: Outgoing Server Settings
type: <dictionary>
presence: required
content: The settings for the outgoing mail server for this account.
subkeys:
- key: HostName
title: Server Host Name
type: <string>
presence: required
content: The host name for the outgoing mail server.
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number for the outgoing mail server.
- key: AuthenticationMethod
title: Server Authentication Method
type: <string>
presence: required
rangelist:
- None
- Password
- CRAMMD5
- NTLM
- HTTPMD5
content: The authentication method for the outgoing mail server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
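Review bot: `AuthenticationMethod` offers 'None', 'Password', 'CRAMMD5', 'NTLM' and 'HTTPMD5', but neither `IncomingServer` nor `OutgoingServer` has a key that selects TLS and the text never says whether the connection is encrypted; with 'Password' that decides whether the credential crosses the network in clear text, so document the default or add a key. Also, "If the 'AuthenticationMethod' is 'None', this field must be blank" is ambiguous for a `presence: optional` key: say whether the key must be omitted or must be an empty string, and what the client does if a reference is present anyway.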


@@ -0,0 +1,28 @@
title: Account:Subscribed Calendar
description: Use this configuration to define settings for a subscribed calendar.
payload:
declarationtype: com.apple.configuration.account.subscribed-calendar
supportedOS:
iOS:
introduced: '15.0'
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:
- key: VisibleName
title: Account Name
type: <string>
presence: optional
content: The name that apps show to the user for this calendar account. If not present,
the system generates a suitable default.
- key: CalendarURL
title: Calendar URL
type: <string>
presence: required
content: The URL of the subscribed calendar. The URL must start with 'https://'.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with a calendar server. The corresponding asset must
be of type CredentialUserNameAndPassword.


@@ -0,0 +1,22 @@
title: Legacy Interactive Profile
description: Specifies an MDMv1 profile to present to the user who may choose to download
and install it
payload:
declarationtype: com.apple.configuration.legacy.interactive
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
presence: required
content: The visible name of the configuration. This name needs to indicate the
nature of the profile.
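Review bot: the second paragraph of `ProfileURL` is hard to parse: "the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile" doesn't say which payloads are ignored (all of them, or only those whose User Enrollment Mode is 'forbidden') or whether the iOS rejection applies only under a user enrollment; spell both out, and use "MDMv1" as the description does rather than "MDM 1". Minor: the description lacks a final period, and the title `Profile's URL.` has a trailing period that no other `title` on this page has.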


@@ -0,0 +1,15 @@
title: Legacy Profile
description: Specifies an MDMv1 profile to download and install
payload:
declarationtype: com.apple.configuration.legacy
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
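Review bot: `ProfileURL` requires an 'https://' URL but says nothing about the integrity or authenticity of the profile the device then downloads and installs without user interaction: no hash, no signing requirement, no statement of what the server must present. The Credential:User Name and Password asset in this same commit carries `Size` and `Hash-SHA-256` for exactly this purpose; either add the same keys here or document that the downloaded profile must be signed and by whom. The two-paragraph `content` is duplicated verbatim from Legacy Interactive Profile, so whatever wording fix is made there applies here too.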


@@ -0,0 +1,22 @@
title: Management:Status Subscriptions
description: Use this configuration to define the status subscriptions that cause
status to be reported by the client.
payload:
declarationtype: com.apple.configuration.management.status-subscriptions
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: StatusItems
title: Status Items
type: <array>
presence: required
content: An array of status items that the device notifies subscribers about.
subkeys:
- key: StatusItem
type: <dictionary>
subkeys:
- key: Name
type: <string>
presence: required
content: The name of the status item to send to subscribers.
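Review bot: `Name` is "The name of the status item to send to subscribers" with no pointer to where the valid names are defined (the README's `declarative/status` items) and no statement of what happens when the client doesn't recognise a name (ignored, reported in the Status Report's `Errors` array, or the whole configuration fails); add both. The `StatusItem` dictionary also lacks a `presence` line.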


@@ -0,0 +1,24 @@
title: Management:Test
description: A configuration used for testing only
payload:
declarationtype: com.apple.configuration.management.test
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Echo
title: Status Echo
type: <string>
presence: required
content: The string to echo back in a status response reason.
- key: ReturnStatus
title: Status to Return
type: <string>
presence: optional
rangelist:
- Installed
- Failed
- PendingClient
default: Installed
content: The status the system reports back when the device implements the configuration.
Use this to override the normal 'success' result.
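Review bot: `ReturnStatus` says "Use this to override the normal 'success' result" but the rangelist value is 'Installed'; use the same word in both places. It would also help to say what 'PendingClient' means for a test configuration, for instance whether the client keeps reporting it until the declaration changes.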


@@ -0,0 +1,72 @@
title: Passcode:Settings
description: Use this configuration to define passcode policy settings
payload:
declarationtype: com.apple.configuration.passcode.settings
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
type: <boolean>
presence: optional
default: false
content: If 'true', requires the user to set a passcode without any requirements
about the length or quality of the passcode. The presence of any other keys implicitly
requires a passcode, and overrides this key's value.
- key: RequireComplexPasscode
title: Require Complex Passcode
type: <boolean>
presence: optional
default: false
content: If 'true', requires a complex passcode. A complex passcode is one that
doesn't contain repeated characters or increasing/decreasing characters (such
as 123 or CBA), and must contain at least one nonnumeric/nonalphabetic character.
- key: MinimumLength
title: Minimum Passcode Length
type: <integer>
presence: optional
range:
min: 0
max: 16
default: 0
content: The minimum number of characters a passcode can contain.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
type: <integer>
presence: optional
range:
min: 2
max: 11
default: 11
content: |-
The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
type: <integer>
presence: optional
content: |-
The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of '0' means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select any period.
macOS translates this to screensaver settings.
- key: MaximumInactivityInMinutes
title: Automatic Device Lock
type: <integer>
presence: optional
range:
min: 0
max: 15
content: |-
The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period.
macOS translates this to screensaver settings.
- key: PasscodeReuseLimit
title: Passcode Reuse Limit
type: <integer>
presence: optional
range:
min: 1
max: 50
content: The number of historical passcode entries the system checks when vaildating
a new passcode. The device refuses a new passcode if it matches a previously used
passcode within the specified passcode history range. In the absence of this key,
the system performs no historical check.
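Review bot: `MaximumGracePeriodInMinutes` has no `range`, while `MaximumInactivityInMinutes` has `min: 0`/`max: 15` and both say "the user can select any period" when the key is absent; give the grace period a range too, or say it's unbounded. Also, `MaximumFailedAttempts` describes macOS locking the device after the final attempt, yet the payload-level `supportedOS` lists only iOS; and `PasscodeReuseLimit` has the typo "vaildating".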


@@ -0,0 +1,25 @@
title: DeclarationBase
description: Keys common to all declarations used with the Remote Management protocol.
payload:
declarationtype: any
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Type
type: <string>
presence: required
content: A string specifying the type of this declaration.
- key: Identifier
type: <string>
presence: required
content: A string uniquely identifying this declaration.
- key: ServerToken
type: <string>
presence: required
content: A unique token generated by the server specifying a particular revision
of the declaration.
- key: Payload
type: <dictionary>
presence: required
content: The payload describing this declaration.
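Review bot: `ServerToken` here says only "A unique token generated by the server specifying a particular revision of the declaration", whereas the Declaration Items Response says "Servers must compute the token over the entire declaration content to ensure the value always changes whenever there's any change to the content". That requirement belongs in the base definition as well: a server that derives the token from a revision counter alone could serve changed content under an unchanged token, and the client would never refetch it. `Type` should also say that the value is one of the `declarationtype` identifiers in this schema.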


@@ -0,0 +1,37 @@
title: Management:Organization Information
description: Use this declaration to tell the client about the server's organization
information.
payload:
declarationtype: com.apple.management.organization-info
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Name
title: Organization Name
type: <string>
presence: required
content: The name of the organization.
- key: Email
title: Organization Email Address
type: <string>
presence: optional
content: The email address of the contact person for the organization.
- key: URL
title: Organization URL
type: <string>
presence: optional
content: The website of the organization to contact for support.
- key: Proof
title: Organization Identity
type: <dictionary>
presence: optional
content: The additional properties that verify the identity and authenticity of
the organization.
subkeys:
- key: IdentityToken
title: Organization Identity Token
type: <string>
presence: optional
content: A token that verifies the identity of the organization when using this
service.
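Review bot: `Proof.IdentityToken` is described only as "A token that verifies the identity of the organization when using this service", which is too thin for a key named Proof: say who verifies it, against what, what format the string has, and what the client does when verification fails. As written, a string inside a server-supplied declaration "proving" that server's identity is circular.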


@@ -0,0 +1,25 @@
title: Management:Server Capabilities
description: Use this declaration to tell the client about the server's capabilities.
payload:
declarationtype: com.apple.management.server-capabilities
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Version
title: Protocol Version
type: <string>
presence: required
content: The server's protocol version.
- key: SupportedFeatures
title: Supported Features
type: <dictionary>
presence: required
content: |-
A dictionary that contains the server's optional protocol features.
Each dictionary item uses the key name to represent a feature, and the value to hold the feature's associated parameters. This protocol reserves keys with a prefix of “'com.apple.'”, which appear as subkeys in this dictionary.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Additional keys may be present.
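Review bot: the reserved-prefix sentence in `SupportedFeatures` wraps 'com.apple.' in both typographic double quotes and single quotes (“'com.apple.'”); drop the outer pair to match the rest of the file. It would also help to say what a client does with a feature key it doesn't recognise, since the `ANY` subkey admits arbitrary keys.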


@@ -0,0 +1,84 @@
title: Declaration Items Response
description: The set of available declarations on the server.
payload:
requesttype: DeclarationItemsResponse
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: Declarations
title: Manifest Declaration Items
type: <dictionary>
presence: required
content: The set of available declarations on the server.
subkeys:
- key: Activations
title: Activations
type: <array>
presence: required
content: The list of available activation declarations on the server.
subkeytype: DeclarationItem
subkeys:
- key: _Activations
title: Manifest Declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: &id001
- key: Identifier
title: Declaration Identifier
type: <string>
presence: required
content: The declaration's identifier.
- key: ServerToken
title: Declaration Server Token
type: <string>
presence: required
content: |-
The 'ServerToken' value of the declaration.
The client uses this to determine if the actual payload is different from the one on the client. Servers must compute the token over the entire declaration content to ensure the value always changes whenever there's any change to the content.
- key: Configurations
title: Configurations
type: <array>
presence: required
content: The list of available configuration declarations on the server.
subkeytype: DeclarationItem
subkeys:
- key: _Configurations
title: Manifest Declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: *id001
- key: Assets
title: Assets
type: <array>
presence: required
content: The list of available asset declarations on the server.
subkeytype: DeclarationItem
subkeys:
- key: _Assets
title: Manifest Declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: *id001
- key: Management
title: Management
type: <array>
presence: required
content: The list of available management declarations on the server.
subkeytype: DeclarationItem
subkeys:
- key: _Management
title: Manifest Declaration
type: <dictionary>
content: Information about an available declaration on the server.
subkeytype: DeclarationItem
subkeys: *id001
- key: DeclarationsToken
title: Declarations Token
type: <string>
presence: required
content: The current value of the declarations token. Clients use this to detect
when declarations change so they can refetch the token.
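Review bot: the `DeclarationsToken` description ends with "so they can refetch the token", which is circular; the token is the value the client already holds, and what it refetches when that value changes is the declaration items listed under `Declarations`. Suggest: "Clients compare this with the value they last stored to detect when the set of declarations has changed, and then refetch the declaration items." The `ServerToken` text would also benefit from stating why the whole-content rule matters: a client only refetches a declaration when its `ServerToken` differs, so a server that derives the token from anything less than the full declaration content (a version counter it forgets to bump, for example) leaves stale configuration on devices with no indication on either side.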


@@ -0,0 +1,57 @@
title: Status Report
description: Status sent by the client.
payload:
requesttype: StatusReport
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: StatusItems
title: Status Items
type: <dictionary>
presence: required
content: The status items for this report.
- key: Errors
title: Errors
type: <array>
presence: required
content: An array of errors for this status report.
subkeys:
- key: _Errors
title: Error
type: <dictionary>
content: Error information for a status item that cannot be returned.
subkeys:
- key: StatusItem
title: Status Item
type: <string>
presence: required
content: The status item that this error pertains to.
- key: Reasons
title: Status Reasons
type: <array>
presence: optional
content: An array of reasons for the error.
subkeytype: StatusReason
subkeys:
- key: _Reasons
title: Status Reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: Code
title: Error Code
type: <string>
presence: required
content: The error code for this error.
- key: Description
title: Error Description
type: <string>
presence: optional
content: The description for this error.
- key: Details
title: Error Details
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
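Review bot: `StatusItems` is declared `<dictionary>` with no `subkeys`, and so is `Details` under `_Reasons`, yet the `management.declarations` file in this same commit gives its `details` an explicit `ANY` / `<any>` placeholder and docs/schema.md states that a container type must include a `subkeys` key. Add the `ANY` placeholder to both here, or document in schema.md that a container without `subkeys` means "open dictionary"; otherwise a validator generated from this schema has no rule for the one dictionary every status report carries. Separately, `Errors` is `presence: required`: if a report with nothing to report must send an empty array rather than omit the key, say so in `content`, since servers will otherwise differ on whether a missing `Errors` is a protocol error.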


@@ -0,0 +1,16 @@
title: Tokens Response
description: The server's synchronization tokens.
payload:
requesttype: TokensResponse
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: SyncTokens
title: Synchronization Tokens
type: <dictionary>
presence: required
content: A dictionary of synchronization tokens that describes the state of different
types of data on the server. The client uses these tokens to determine which endpoints
it needs to use to fetch new or updated data on the server.
subkeytype: SynchronizationTokens
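Review bot: `SyncTokens` carries `subkeytype: SynchronizationTokens` but no `subkeys`, so nothing in this hunk says which token keys appear in the dictionary, and a reader cannot connect it to the `DeclarationsToken` that the Declaration Items Response returns. Either inline the subkeys here or reference the file that defines `SynchronizationTokens`, following the `&id001` / `*id001` pattern used for `DeclarationItem`.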


@@ -0,0 +1,14 @@
title: Status Device Model Family
description: The device's hardware family.
payload:
statusitemtype: device.model.family
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.model.family
title: Status item value.
type: <string>
presence: required
content: A string that describes the hardware family of the device, such as 'Mac',
'iPhone', or 'iPad'.


@@ -0,0 +1,17 @@
title: Status Device Model Identifier
description: The device's hardware identifier.
payload:
statusitemtype: device.model.identifier
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.model.identifier
title: Status item value.
type: <string>
presence: required
content: A two-part string that uniquely identifies the device's model. The first
part describes device's model family, and the second part describes the model's
version. The model's version is a comma-separated number where the first part
of the number is the version, and the second part is a variant, such as 'MacBookPro15,1'
or 'iPhone13,2'.
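Review bot: in `content`, "describes device's model family" is missing "the" ("describes the device's model family"). The examples are also attached to the sentence about the version number, so they read as if 'MacBookPro15,1' were a version; moving them to the end with the parts spelled out, for example "such as 'MacBookPro15,1' (family 'MacBookPro', version 15, variant 1)", makes the two-part structure concrete for anyone parsing this value.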


@@ -0,0 +1,15 @@
title: Status Device Model Marketing Name
description: The device's hardware marketing name.
payload:
statusitemtype: device.model.marketing-name
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.model.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the device's marketing name, such as 'iPhone 12'.
This value may not always be available. Alternatively, use 'device.model.configuration-code'
to look up the marketing name through the web API.


@@ -0,0 +1,14 @@
title: Status Device Operating System Build Version
description: The device's operating system build version.
payload:
statusitemtype: device.operating-system.build-version
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.operating-system.build-version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's build version on the device,
such as '18F132'.


@@ -0,0 +1,14 @@
title: Status Device Operating System Family
description: The device's operating system family.
payload:
statusitemtype: device.operating-system.family
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.operating-system.family
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system family in use on the device,
such as 'macOS' or 'iOS'.


@@ -0,0 +1,14 @@
title: Status Device Operating System Marketing Name
description: The device's operating system marketing name.
payload:
statusitemtype: device.operating-system.marketing-name
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.operating-system.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's marketing name in use on
the device, such as 'Catalina'.


@@ -0,0 +1,14 @@
title: Status Device Operating System Version
description: The device's operating system version.
payload:
statusitemtype: device.operating-system.version
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: device.operating-system.version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's version in use on the device,
such as '15.0'.


@@ -0,0 +1,105 @@
title: Status Management Client Capabilities
description: The client's protocol capabilities.
payload:
statusitemtype: management.client-capabilities
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: management.client-capabilities
title: Status item value.
type: <dictionary>
presence: required
content: An object that contains the client's protocol capabilities. These typically
only change when the device upgrades its software. An implicit status subscription
for this status item is always present, so the client always reports changes to
the server.
subkeytype: Capabilities
subkeys:
- key: supported-versions
title: Supported Protocol Versions
type: <array>
presence: required
content: A list of protocol versions that the client supports.
subkeys:
- key: _supported-versions
title: Supported Protocol Version
type: <string>
content: A protocol version supported by the client.
- key: supported-features
title: Supported Features
type: <dictionary>
presence: required
content: A set of optional protocol features that the client supports. Each object's
key represents a feature, and the property value represents the feature's associated
parameters.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Optional protocol features supported by the client.
- key: supported-payloads
title: Supported Payloads
type: <dictionary>
presence: required
content: A set of declaration and status items that the client supports.
subkeys:
- key: declarations
title: Supported Declarations
type: <dictionary>
presence: required
content: A set of declarations that the client supports.
subkeys:
- key: activations
title: Supported Activations
type: <array>
presence: optional
content: An array of strings that represents the activation types that the
client supports.
subkeys:
- key: _activations
title: Activation Type
type: <string>
content: Supported activation type.
- key: assets
title: Supported Assets
type: <array>
presence: optional
content: An array of strings that represents the assets that the client supports.
subkeys:
- key: _assets
title: Asset Type
type: <string>
content: Supported asset type.
- key: configurations
title: Supported Configurations
type: <array>
presence: optional
content: An array of strings that represents the configuration types that
the client supports.
subkeys:
- key: _configurations
title: Configuration Type
type: <string>
content: Supported configuration type.
- key: management
title: Supported Management Declarations
type: <array>
presence: optional
content: An array of strings that represents the declaration types that the
client supports.
subkeys:
- key: _management
title: Management Declaration Type
type: <string>
content: Supported management declaration type.
- key: status-items
title: Supported Status Items
type: <array>
presence: required
content: A list of status items that the client supports.
subkeys:
- key: _status_items
title: Status Item
type: <string>
content: Supported status item.
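Review bot: the array placeholder under `status-items` is named `_status_items` (underscore), while every other placeholder in this file mirrors its parent key with the hyphen kept (`_supported-versions`, `_activations`, `_configurations`, `_management`). Rename it to `_status-items` so tooling that derives placeholder names from the parent key does not special-case this one entry.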


@@ -0,0 +1,128 @@
title: Status Management Declarations
description: State of declarations processed by the client.
payload:
statusitemtype: management.declarations
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: management.declarations
title: Status item value.
type: <dictionary>
presence: required
content: A collection of the client's processed declarations.
subkeytype: Declarations
subkeys:
- key: activations
title: Activations
type: <array>
presence: required
content: An array of declarations that represent the client's processed activation
types.
subkeytype: Declaration
subkeys:
- key: _activations
title: Status Declaration Item
type: <dictionary>
content: Status for a declaration processed by the client.
subkeytype: Declaration
subkeys: &id001
- key: identifier
title: Identifier
type: <string>
presence: required
content: The 'identifier' of the declaration this status report refers to.
- key: server-token
title: Server-Token
type: <string>
presence: required
content: The 'ServerToken' of the declaration this status report refers to.
- key: active
title: Declaration's Active State
type: <boolean>
presence: required
content: If 'true', the declaration is active on the device.
- key: valid
title: Declaration's Valid State
type: <string>
presence: required
rangelist:
- unknown
- invalid
- valid
content: This string defines the validity of the declaration. If it's 'invalid',
the 'reasons' property contains more details.
- key: reasons
title: Status Reasons
type: <array>
presence: optional
content: The details of any client errors.
subkeytype: StatusReason
subkeys:
- key: _reasons
title: Status Reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: code
title: Error Code
type: <string>
presence: required
content: The error code for this error.
- key: description
title: Error Description
type: <string>
presence: optional
content: The description for this error.
- key: details
title: Error Details
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Additional keys may be present.
- key: configurations
title: Configurations
type: <array>
presence: required
content: An array of declarations that represent the client's processed configuration
types.
subkeytype: Declaration
subkeys:
- key: _configurations
title: Status Declaration Item
type: <dictionary>
content: Status for a declaration processed by the client.
subkeytype: Declaration
subkeys: *id001
- key: assets
title: Assets
type: <array>
presence: required
content: An array of declarations that represent the client's processed assets.
subkeytype: Declaration
subkeys:
- key: _assets
title: Status Declaration Item
type: <dictionary>
content: Status for a declaration processed by the client.
subkeytype: Declaration
subkeys: *id001
- key: management
title: Management
type: <array>
presence: required
content: An array of declarations that represent the client's processed declaration
types.
subkeytype: Declaration
subkeys:
- key: _management
title: Status Declaration Item
type: <dictionary>
content: Status for a declaration processed by the client.
subkeytype: Declaration
subkeys: *id001
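Review bot: the `identifier` description quotes the declaration key as 'identifier', but the Declaration Items Response in this commit names that key `Identifier`, and the neighbouring `server-token` description correctly quotes 'ServerToken'. Change it to 'Identifier' so both status keys point at the exact declaration keys a server must match on when correlating a status report with what it sent.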


@@ -0,0 +1,23 @@
title: Status Reason
description: Information about a status error.
payload:
declarationtype: status-reason
supportedOS:
iOS:
introduced: '15.0'
payloadkeys:
- key: code
title: Error Code
type: <string>
presence: required
content: The error code for this error.
- key: description
title: Error Description
type: <string>
presence: optional
content: A description of this error.
- key: details
title: Error Details
type: <dictionary>
presence: optional
content: An arbitrary object containing details specific to this error.
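Review bot: this file uses `declarationtype: status-reason`, but a status reason is not a declaration a server sends; it is the shared `StatusReason` structure that the Status Report and `management.declarations` files reference through `subkeytype`, and docs/schema.md defines `declarationtype` as "Type of the declaration payload". Any tool that enumerates declaration types from `declarationtype` will list `status-reason` as something a client could receive. Also, `details` is described as "An arbitrary object" but has no `ANY` placeholder, unlike its copy in `management.declarations`; keep the two definitions identical, or better, have the inline copies reference this one.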

209
docs/schema.md Normal file

@@ -0,0 +1,209 @@
# Device Management Client YAML Schema Format
## Schema Definition
The definition of the schema used here is in the `schema.yaml` file. That file contains the YAML-encoded [JSON-schema](https://json-schema.org) representation of the schema definitions. Below are descriptions of the various elements of the schema and how they are used.
### Top Level Object
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the command request |
| responsekeys | array | A list of YAML objects representing the command response |
### Payload Object
| Name | Type | Description |
|-----------------|--------|-------------|
| payloadtype | string | Type of the profile payload |
| requesttype | string | Type of the MDM command |
| declarationtype | string | Type of the declaration payload |
| statusitemtype | string | Type of the status payload |
| credentialtype | string | Type of the credential asset data |
| supportedOS | object | Identifies the range of supported OS versions that support the entire payload |
| content | string | Description of the payload |
### supportedOS Object
| Name | Type | Description |
|----------|--------|-------------|
| iOS | object | Supported features on this iOS |
| macOS | object | Supported features on this macOS |
| tvOS | object | Supported features on this tvOS |
| watchOS | object | Supported features on this watchOS |
__Notes__
The `supportedOS` object is used in the `payload` object to indicate overall support for this object on each OS, as well as which enrollment modes are supported per OS. The `supportedOS` key may also appear on any payload key defined in `payloadkeys` or `responsekeys` array item objects. Each payload key is assumed to "inherit" the `supportedOS` values from the `payload` object, but that is then updated with any items in the key's own `supportedOS` object if present. This also overriding specific values in `supportedOS` on a per-key basis without the need to duplicate the entire `supportedOS` value from the `payload`.
### iOS, macOS, tvOS, watchOS Objects
| Name | Type | Description |
|--------------------|---------|-------------|
| introduced | string | OS version where feature was introduced |
| deprecated | string | OS version where feature was deprecated |
| removed | string | OS version where feature was removed |
| accessrights | string | The MDM protocol access rights required on the device to execute the command |
| devicechannel | boolean | Indicates whether the command is supported on the device channel |
| userchannel | boolean | indicates whether the command is supported on the user channel |
| supervised | boolean | Indicates whether the command can only be executed on supervised devices |
| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP |
| userapprovedmdm | boolean | If True, the command can only be executed on devices with user approved MDM enrollment |
| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device |
| sharedipad | object | Additional behavior specific to shared iPad devices |
| userenrollment | object | Additional behavior when user enrollment is in effect |
### Shared iPad Object
| Name | Type | Description |
|---------------|---------|-------------|
| mode | string | Indicates whether a payload or payload key can used with shared iPad |
| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel |
| userchannel | boolean | Defines if the payload can be installed on the user MDM channel |
__Notes__
The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and `ignored`. If set to `allowed`, then the payload or payload key can be used both with or without shared iPad in effect. If set to `required`, then the payload or payload key can only be used if shared iPad is in effect. If set to `forbidden`, then the payload or payload key cannot be used if shared iPad is in effect. If set to `ignored`, then the payload or payload key can be used, but is ignored if shared iPad is in effect.
### User Enrollment Object
| Name | Type | Description |
|----------|--------|-------------|
| mode | string | Indicates how a payload or payload key can only be used if user enrollment is in effect |
| behavior | string | Describes any special behavior for the payload or payload key if user enrollment is in effect |
__Notes__
The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and `ignored`. If set to `allowed`, then the payload or payload key can be used both with or without user enrollment in effect. If set to `required`, then the payload or payload key can only be used if user enrollment is in effect. If set to `forbidden`, then the payload or payload key cannot be used if user enrollment is in effect. If set to `ignored`, then the payload or payload key can be used, but is ignored if user enrollment is in effect.
### Payload/Response Keys Array Object
| Name | Type | Description |
|-------------|--------|-------------|
| key | string | The name of the key |
| title | string | The title of the key |
| supportedOS | object | Identifies the range of supported OS versions that support the key |
| type | string | The type of key |
| subtype | string | Indicates the expected format of the string value of the key |
| presence | string | Whether the key is required or optional |
| rangelist | array | List of allowed values for this key |
| range | object | Bounds for the value of this key |
| default | scalar | The default value for the key |
| format | string | The format for the value expressed as a regular expression |
| repetition | object | Cardinality for this value |
| content | string | Description of the payload key |
| subkeytype | string | A name that uniquely represents the structured subkey object |
| subkeys | array | An array of payload keys |
__Notes__
The `type` value can be one of: `<string>`, `<integer>`, `<real>`, `<boolean>`, `<date>`, `<data>`, `<array>`, `<dictionary>`, or `<any>`. The value `<any>` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
The `subtype` value can be one of: `<url>`, `<hostname>`, or `<email>`, to indicate the expected value of a string.
The `presence` value can be one of: `required` or `optional`.
### Range Object
| Name | Type | Description |
|------|-----------------|-------------|
| min | integer or real | Lower bound of range |
| max | integer or real | Upper bound of range |
### Repetition Object
| Name | Type | Description |
|------|-----------------|-------------|
| min | integer or real | Lower bound of repetition |
| max | integer or real | Upper bound of repetition |
## Schema Use
The schema has minor variants based on the nature of the object being described.
### MDM Commands/CheckIn
An MDM command or checkin is a YAML object with the following top-level keys:
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the command request |
| responsekeys | array | A list of YAML objects representing the command response |
The `payload` object will contain a `requesttype` key that specifies the command or CheckIn request name.
### MDM Profiles
An MDM profile is a YAML object with the following keys:
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the profile keys |
The `payload` object will contain a `payloadtype` key that specifies the payload type.
### RM model declarations
An RM declaration is a YAML object with the following keys:
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the declaration keys |
The `payload` object will contain a `declarationtype` key that specifies the declaration type.
### RM model status item
An RM status item is a YAML object with the following keys:
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the status item key |
The `payload` object will contain a `statusitemtype` key that specifies the status item type. The `payloadkeys` will contain a single object that defines the type of the value returned for the status item.
### RM protocol
An RM protocol request or response is a YAML object with the following top-level keys:
| Name | Type | Description |
|--------------|--------|-------------|
| title | string | Title for this schema object |
| description | string | Description of this schema object |
| payload | object | Information about the object as a whole |
| payloadkeys | array | A list of YAML objects representing the request or response |
The `payload` object will contain a `requesttype` key that specifies the summary description of the request or response.
## Subkey structure
A payload key can have a scalar type (`<string>`, `<integer>`, `<real>`, `<boolean>`, `<data>`) or a container type (`<array>`, `<dictionary>`). A container type must include a `subkeys` key that defines the details of the container as follows:
### `<dictionary>` container
The `subkeys` sequence in a `<dictionary>` container defines the schema for the dictionary contents.
### `<array>` container
The `subkeys` sequence in a `<array>` container defines the type of items in the array. Only a single item is allowed in the `subkeys` sequence. The type of the single item defines the structure of the container as follows:
* if the single item's type is a scalar type, then the array is a list of items with elements matching the scalar type (e.g. an array of `<string>` values). In some cases the scalar type may have a `subkeys` key, and each element of that sequence defines a possible value for the scalar type in the array.
* if the single item's type is `<dictionary>`, then the array is a list of dictionary items, with each dictionary conforming to the schema defined by the `subkeys` item of the single item (e.g., an array of `<dictionary>` values). Note that the single item `<dictionary>` is only a place holder for the keys used in the `<dictionary>` array items, and as such does not itself appear as the an array item.
* if the single item's type is `<array>`, then the array is a list of array items, with each array item conforming to the schema defined for an `<array>` container as described in this section.
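Review bot: the `supportedOS` note has a missing verb, "This also overriding specific values" should read "This also allows overriding specific values", and the Shared iPad table has "can used" for "can be used"; the User Enrollment `mode` row, "Indicates how a payload or payload key can only be used if user enrollment is in effect", contradicts its own note (the `allowed` value means usable with or without user enrollment) and should match the Shared iPad wording. Two places disagree with schema.yaml in the same commit: `subtype` is listed here as `<url>`, `<hostname>`, `<email>` but the schema enum is `url`, `hostname`, `email` without brackets, and the Repetition Object says "integer or real" while the schema requires `integer`; pick one form for each. The Subkey structure section lists the scalar types without `<date>` and `<any>`, both of which are in the `type` list above, and "as the an array item" has a stray article. "RM" is never expanded. Finally, since `<any>` and the `ANY` placeholder are defined as values "without any expectation that the value will be validated", this is the place to say that such values (the `details` dictionaries in status reports, `supported-features` in client capabilities) reach a server entirely unvalidated and should be bounded in size and treated as untrusted before they are stored or logged.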

227
docs/schema.yaml Normal file

@@ -0,0 +1,227 @@
title: YAML MDM and Declarative Device Management Schema
type: object
additionalProperties: false
required:
- title
properties:
title:
type: string
description: Title for this schema object.
description:
type: string
description: Description of this schema object.
payload:
type: object
description: Overall properties of the payload.
additionalProperties: false
properties:
payloadtype:
type: string
description: Type of the profile payload.
requesttype:
type: string
description: Type of the MDM command.
declarationtype:
type: string
description: Type of the declaration payload.
statusitemtype:
type: string
description: Type of the status payload.
credentialtype:
type: string
description: Type of the credential asset data.
supportedOS: &supportedOS
type: object
description: Identifies the range of supported OS versions that support the entire payload.
additionalProperties: false
properties:
iOS: &supportedOSItem
type: object
description: Supported range on this OS.
additionalProperties: false
properties:
introduced:
type: string
description: OS version where feature was introduced.
deprecated:
type: string
description: OS version where feature was deprecated.
removed:
type: string
description: OS version where feature was removed.
accessrights:
type: string
description: The MDM protocol access rights required on the device to execute the command.
devicechannel:
type: boolean
description: Indicates whether the command is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key.
userchannel:
type: boolean
description: indicates whether the command is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key.
supervised:
type: boolean
description: Indicates whether the command can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key.
requiresdep:
type: boolean
description: If True, the command can only be executed on devices provisioned in DEP.
userapprovedmdm:
type: boolean
description: If True, the command can only be executed on devices with user approved MDM enrollment.
allowmanualinstall:
type: boolean
description: If True, the profile can be installed manually by a user on the device.
sharedipad:
type: object
description: Additional behavior specific to shared iPad devices.
additionalProperties: false
properties:
mode:
type: string
description: Indicates whether a payload or payload key can used with or without shared iPad in effect.
If set to 'allowed', then the payload or payload key can be used both with or without shared iPad in effect.
If set to 'required', then the payload or payload key can only be used if shared iPad is in effect.
If set to 'forbidden', then the payload or payload key cannot be used if shared iPad is in effect.
If set to 'ignored', then the payload or payload key can be used, but is ignored if shared iPad is in effect.
enum:
- allowed
- required
- forbidden
- ignored
default: allowed
devicechannel:
type: boolean
description: Defines if the payload can be installed on the device MDM channel.
userchannel:
type: boolean
description: Defines if the payload can be installed on the user MDM channel.
userenrollment:
type: object
description: Additional behavior when user enrollment is in effect.
If this key is not present, then the corresponding payload or payload key can be used both with or without user enrollment in effect,
without any changes to normal behavior.
additionalProperties: false
properties:
mode:
type: string
description: Indicates how a payload or payload key can only be used if user enrollment is in effect.
If set to 'allowed', then the payload or payload key can be used both with or without user enrollment in effect.
If set to 'required', then the payload or payload key can only be used if user enrollment is in effect.
If set to 'forbidden', then the payload or payload key cannot be used if user enrollment is in effect.
If set to 'ignored', then the payload or payload key can be used, but is ignored if user enrollment is in effect.
enum:
- allowed
- required
- forbidden
- ignored
default: allowed
behavior:
type: string
description: Describes any special behavior for the payload or payload key if user enrollment is in effect.
macOS: *supportedOSItem
tvOS: *supportedOSItem
watchOS: *supportedOSItem
content:
type: string
description: Description of the payload.
payloadkeys: &payloadKeys
type: array
title: payloadkeys
description: An array of payload keys.
minitems: 1
items:
type: object
title: payloadkey
description: A single payload key.
additionalProperties: false
required:
- key
- type
properties:
key:
type: string
description: The name of the key.
title:
type: string
description: The title of the key.
supportedOS: *supportedOS
type:
type: string
description: The type of key. The value `<any>` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
enum:
- <string>
- <integer>
- <real>
- <boolean>
- <date>
- <data>
- <array>
- <dictionary>
- <any>
subtype:
type: string
description: Indicates the expected format of the string value of the key, supporting additional validation of the value.
enum:
- url
- hostname
- email
presence:
type: string
description: Whether the key is required or optional.
enum:
- required
- optional
rangelist:
type: array
description: List of allowed values for this key.
items:
type:
- string
- integer
- number
range:
type: object
description: Bounds for the value of this key.
additionalProperties: false
properties:
min:
type:
- integer
- number
description: Lower bound.
max:
type:
- integer
- number
description: Upper bound.
default:
type:
- string
- integer
- number
description: The default value (if any) for the key.
format:
type: string
description: The format for the value expressed as a regular expression.
repetition:
type: object
description: Cardinality for this value.
additionalProperties: false
required:
- min
- max
properties:
min:
type: integer
description: Lower bound.
max:
type: integer
description: Upper bound.
content:
type: string
description: Description of the payload key.
subkeytype:
type: string
description: A name that uniquely represents the structured subkey object. This is used when structured subkeys are referenced multiple times.
subkeys: *payloadKeys
responsekeys: *payloadKeys
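Review bot: `minitems: 1` under `payloadkeys` is not a JSON Schema keyword; the keyword is `minItems`, keywords are case-sensitive, and validators silently ignore unknown ones, so an empty `payloadkeys` list currently passes validation with no error. Change it to `minItems: 1`. The `devicechannel`, `userchannel` and `supervised` descriptions each contain "the the" and a stray `!!(payload)` token that looks like leftover markup; they also say the key "overrides the `devicechannel` key in the top-level payload", but `payload` is declared with `additionalProperties: false` and defines no `devicechannel`, `userchannel` or `supervised` properties, so either the override text is stale or those top-level keys are missing from the schema. The `subtype` enum here (`url`, `hostname`, `email`) and docs/schema.md (`<url>`, `<hostname>`, `<email>`) need to agree. `default` and `rangelist` item types allow string, integer and number only; any payload key with a boolean default or boolean allowed values would be rejected by this schema.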


@@ -0,0 +1,157 @@
title: Authenticate
description: Check-in protocol authenticate request keys.
payload:
requesttype: Authenticate
supportedOS:
iOS:
introduced: '4.0'
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
supervised: false
content: Check-in protocol authenticate request and response.
payloadkeys:
- key: DeviceName
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: required
content: The device's name.
- key: ModelName
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: required
content: The device's model name.
- key: Model
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: required
content: The device's model.
- key: MessageType
type: <string>
presence: required
rangelist:
- Authenticate
content: The message type, which must have a value of 'Authenticate'.
- key: Topic
type: <string>
presence: required
content: The topic to which the device subscribes.
- key: UDID
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
userenrollment:
mode: forbidden
type: <string>
presence: required
content: The device's UDID (Unique Device ID).
- key: EnrollmentID
supportedOS:
iOS:
introduced: '13.0'
userenrollment:
mode: required
macOS:
introduced: '10.15'
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
and iOS 13.0 and later.
- key: OSVersion
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's OS version.
- key: BuildVersion
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's build version.
- key: ProductName
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's product name ('iPhone3,1').
- key: SerialNumber
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
macOS:
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
type: <string>
presence: optional
content: The device's serial number.
- key: IMEI
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: optional
content: The device's IMEI (International Mobile Station Equipment Identity).
- key: MEID
supportedOS:
iOS:
introduced: '9.0'
accessrights: AllowQueryDeviceInformation
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: optional
content: The device's MEID (Mobile Equipment Identifier).
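Review bot: `UDID` and `EnrollmentID` are both `presence: required`, yet `UDID` is `userenrollment: mode: forbidden` and `EnrollmentID` is `userenrollment: mode: required`, so a validator that takes `presence: required` literally rejects every valid Authenticate message; the `content` of each should state that a device enrollment sends `UDID` and a user enrollment sends `EnrollmentID`, with the other key absent. The payload `content` promises "request and response" but the hunk defines no `responsekeys`; either add them or drop "and response".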

mdm/checkin/checkout.yaml Normal file

@@ -0,0 +1,61 @@
title: Check Out
description: Check-in protocol check out request keys.
payload:
requesttype: CheckOut
supportedOS:
iOS:
introduced: '4.0'
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
supervised: false
content: Check-in protocol check out request and response.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- CheckOut
content: The message type, which must have a value of 'CheckOut'.
- key: Topic
type: <string>
presence: required
content: The topic to which the device subscribed.
- key: UDID
supportedOS:
iOS:
userenrollment:
mode: forbidden
type: <string>
presence: required
content: The device's UDID (Unique Device ID).
- key: EnrollmentID
supportedOS:
iOS:
introduced: '13.0'
userenrollment:
mode: required
macOS:
introduced: '10.15'
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
and iOS 13.0 and later.
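Review bot: `UDID` here marks `userenrollment: mode: forbidden` only under `iOS`, whereas the Authenticate and TokenUpdate files in this commit mark it forbidden under both `iOS` and `macOS`; add the `macOS` entry so CheckOut matches, otherwise the schema implies a macOS user enrollment may send the device UDID on check-out. The same `presence: required` conflict between `UDID` and `EnrollmentID` noted for Authenticate applies here.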


@@ -0,0 +1,38 @@
title: Declarative Management
description: Declarative Management request keys.
payload:
requesttype: DeclarativeManagement
supportedOS:
iOS:
introduced: '15.0'
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: required
content: Check-in protocol declarative management request and response.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- DeclarativeManagement
content: The message type, which must have a value of 'DeclarativeManagement'.
- key: EnrollmentID
type: <string>
presence: required
content: The per-enrollment identifier for the device.
- key: Endpoint
type: <string>
presence: required
content: |-
The type of operation the declaration is requesting. This key must be one of these values:
* 'tokens': For fetching synchronization tokens from the server
* 'declaration-items': For fetching the declaration manifest from the server
* 'status': For sending a status report to the server
* 'declaration/…/…': For fetching a specific declaration from the server. Include the declaration type and identifier separated by forward slashes ('/)'.
- key: Data
type: <data>
presence: optional
content: A Base64-encoded JSON object using the SynchronizationTokens schema.
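Review bot: the last `Endpoint` bullet has its quotes misplaced: `separated by forward slashes ('/)'.` should read `separated by forward slashes ('/').` This is also the only check-in file in the commit whose `supportedOS.iOS` block omits `devicechannel` and `userchannel`; add them so readers know which channel carries the DeclarativeManagement check-in. `Data` is described only as a JSON object "using the SynchronizationTokens schema" without saying which `Endpoint` values it accompanies; state that in its `content`.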


@@ -0,0 +1,32 @@
title: Get Bootstrap Token
description: Check-in protocol get bootstrap token data.
payload:
requesttype: GetBootstrapToken
supportedOS:
macOS:
introduced: '10.15'
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Check-in protocol get bootstrap token data request and response.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- GetBootstrapToken
content: The message type, which must have a value of 'GetBootstrapToken'.
- key: AwaitingConfiguration
type: <boolean>
presence: optional
default: false
content: If 'true', the device is awaiting a DeviceConfigured MDM command before
proceeding through Setup Assistant.
responsekeys:
- key: BootstrapToken
type: <data>
presence: optional
content: The current bootstrap token data for the device.
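Review bot: `BootstrapToken` under `responsekeys` is `presence: optional` but its `content` never says when the device omits it (for example when no token has been stored); document the condition, and cross-reference the SetBootstrapToken request that stores the value so readers see the two as a pair. Since this token is a device secret, the `content` should also say the server must treat the returned data as sensitive rather than just "current bootstrap token data".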


@@ -0,0 +1,32 @@
title: Set Bootstrap Token
description: Check-in protocol set bootstrap token data.
payload:
requesttype: SetBootstrapToken
supportedOS:
macOS:
introduced: '10.15'
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Check-in protocol set bootstrap token data request and response.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- SetBootstrapToken
content: The message type, which must have a value of 'SetBootstrapToken'.
- key: BootstrapToken
type: <data>
presence: optional
content: The device's bootstrap token data. If this field is missing or zero length,
the bootstrap token should be removed for this device.
- key: AwaitingConfiguration
type: <boolean>
presence: optional
default: false
content: If 'true', the device is awaiting a DeviceConfigured MDM command before
proceeding through Setup Assistant.
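Review bot: `BootstrapToken` overloads absence as a delete (`If this field is missing or zero length, the bootstrap token should be removed for this device.`), so a server that accidentally omits the key wipes the device's stored token; the `content` should call this out explicitly and say whether the device acknowledges the removal, since the hunk defines no `responsekeys` at all. Consider whether an explicit remove flag would be safer than relying on a missing key.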


@@ -0,0 +1,164 @@
title: Token Update
description: Check-in protocol token update request keys.
payload:
requesttype: TokenUpdate
supportedOS:
iOS:
introduced: '4.0'
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
supervised: false
content: Check-in protocol token update request and response.
payloadkeys:
- key: NotOnConsole
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.11'
devicechannel: false
type: <boolean>
presence: required
content: If true, the device is not on console.
- key: MessageType
type: <string>
presence: required
rangelist:
- TokenUpdate
content: The message type, which must have a value of 'TokenUpdate'.
- key: Topic
type: <string>
presence: required
content: The topic the device subscribes to.
- key: UDID
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
userenrollment:
mode: forbidden
type: <string>
presence: required
content: The device's UDID.
- key: EnrollmentID
supportedOS:
iOS:
introduced: '13.0'
userenrollment:
mode: required
macOS:
introduced: '10.15'
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
and iOS 13.0 and later.
- key: EnrollmentUserID
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
devicechannel: false
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the user. Available in macOS 10.15 and
iOS 13.0 and later.
- key: UserShortName
supportedOS:
iOS:
introduced: '9.3'
sharedipad:
mode: required
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: optional
content: |-
On Shared iPad: This is the Managed Apple ID of the user on Shared iPad. It indicates that the token is for the user channel.
On macOS, this is the short name of the user.
- key: UserID
supportedOS:
iOS:
introduced: '9.3'
sharedipad:
mode: required
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: optional
content: |-
On macOS: This is the ID of the user.
On Shared iPad: This is always 'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF' to indicate that no authentication will occur.
- key: UserLongName
supportedOS:
iOS:
introduced: n/a
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: required
content: The full name of the user.
- key: Token
type: <data>
presence: required
content: The Push token for the device.
- key: PushMagic
type: <string>
presence: required
content: The magic string that has to be included in the push notification message.
- key: UnlockToken
supportedOS:
iOS:
accessrights: AllowPasscodeRemovalAndLock
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <data>
presence: optional
content: The data that can be used to unlock the device. If provided, the server
should remember this data and send it with when trying to Clear the Passcode.
- key: AwaitingConfiguration
supportedOS:
iOS:
introduced: '9.0'
macOS:
introduced: '10.11'
userchannel: false
type: <boolean>
presence: optional
default: false
content: If 'true', the device is awaiting a Release Device from Await Configuration
MDM command before proceeding through Setup Assistant.
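Review bot: `EnrollmentUserID` has `iOS: introduced: n/a` but its `content` says "Available in macOS 10.15 and iOS 13.0 and later"; drop the iOS clause or correct the `supportedOS` entry. `UnlockToken` has a grammatical slip, `send it with when trying to Clear the Passcode`, which should read `send it when trying to clear the passcode`; and because this data unlocks the device, the `content` should state that the server must store it as a secret, not merely "remember this data".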


@@ -0,0 +1,34 @@
title: UserAuthenticate
description: Authenticate network or mobile users with MDM.
payload:
requesttype: UserAuthenticate
supportedOS:
macOS:
introduced: '10.7'
devicechannel: false
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
content: Authenticate network or mobile users with MDM.
payloadkeys:
- key: MessageType
type: <string>
presence: required
rangelist:
- UserAuthenticate
content: The message type, which must have a value of 'UserAuthenticate'.
- key: UDID
type: <string>
presence: required
content: The device's UDID (Unique Device ID).
- key: UserID
type: <string>
presence: required
content: Local mobile user's GUID or network user's GUID from an Open Directory
record.
- key: DigestResponse
type: <string>
presence: required
content: A string provided by the client on second UserAuthenticate request after
receiving 'DigestChallenge' from server on first UserAuthenticate request.
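Review bot: `DigestResponse` is `presence: required` but its `content` says it is provided only on the second UserAuthenticate request, after the server returns `DigestChallenge` on the first, so the first request cannot satisfy this schema; mark it `presence: optional` and describe the two-round exchange in the payload `content`. The `DigestChallenge` the server sends is referenced but defined nowhere in the hunk; add `responsekeys` for it.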


@@ -0,0 +1,117 @@
title: Account Configuration Command
description: This command can be sent to the device to have it create the local administrator
account (thereby skipping the page to create this account in Setup Assistant)
payload:
requesttype: AccountConfiguration
supportedOS:
macOS:
introduced: '10.11'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: true
userenrollment:
mode: forbidden
content: When a macOS (v10.11 and later) device is configured via DEP to enroll
in an MDM server and the DEP profile has the await_device_configuration flag set
to true, the AccountConfiguration command can be sent to the device to have it
create the local administrator account (thereby skipping the page to create this
account in Setup Assistant). This command can only be sent to a macOS device that
is in the AwaitingConfiguration state.
payloadkeys:
- key: SkipPrimarySetupAccountCreation
type: <boolean>
presence: optional
default: false
content: If 'true', Setup Assistant skips the user interface for setting up primary
accounts and disables autologin. If 'true', you must specify a value for 'AutoSetupAdminAccounts'.
- key: SetPrimarySetupAccountAsRegularUser
type: <boolean>
presence: optional
default: false
content: If 'true', Setup Assistant creates the primary accounts as regular users,
and you must specify a value for 'AutoSetupAdminAccounts'.
- key: PrimaryAccountFullName
supportedOS:
macOS:
introduced: '10.15'
type: <string>
presence: optional
content: The full name for the primary account. If present, Setup Assistant uses
this value to prefill the Full Name field. However, Setup Assistant ignores this
value if 'DontAutoPopulatePrimaryAccountInfo' is 'true'. This value is available
in macOS 10.15 and later.
- key: PrimaryAccountUserName
supportedOS:
macOS:
introduced: '10.15'
type: <string>
presence: optional
content: The account name for the primary account. If present, Setup Assistant uses
this value to prefill the User Name field. However, Setup Assistant ignores this
value if 'DontAutoPopulatePrimaryAccountInfo' is 'true'. This value is available
in macOS 10.15 and later.
- key: DontAutoPopulatePrimaryAccountInfo
supportedOS:
macOS:
introduced: '10.15'
type: <boolean>
presence: optional
default: false
content: If 'true', Setup Assistant ignores the primary account information and
requires the user to enter that information. If 'false', Setup Assistant prefills
the Full Name field with 'PrimaryAccountFullName' and the User Name field with
'PrimaryAccountUserName'. This value is available in macOS 10.15 and later.
- key: LockPrimaryAccountInfo
supportedOS:
macOS:
introduced: '10.15'
type: <boolean>
presence: optional
default: false
content: |-
If 'true', and you provide values for 'PrimaryAccountFullName' or 'PrimaryAccountUserName', Setup Assistant disables editing for the corresponding fields. 'DontAutoPopulatePrimaryAccountInfo' must also be 0 (or missing).
If the user's password is also available from authentication via ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.
This value is available in macOS 10.15 and later.
- key: AutoSetupAdminAccounts
type: <array>
presence: optional
content: A dictionary that describes the administrator account to create with Setup
Assistant, which uses the first element and ignores additional elements.
subkeys:
- key: AutoSetupAdminAccountItem
type: <dictionary>
subkeys:
- key: shortName
title: shortName
type: <string>
presence: required
content: The short name of the user.
- key: fullName
title: fullName
type: <string>
presence: optional
content: The full name of the user. This defaults to shortName if not specified.
- key: passwordHash
title: passwordHash
type: <data>
presence: optional
content: Contains the pre-created salted PBKDF2 SHA512 password hash for the
account.
- key: hidden
title: hidden
type: <boolean>
presence: optional
default: false
content: If true, this sets the account attribute to make the account hidden
to loginwindow and Users&Groups. OD attribute dsAttrTypeNative:IsHidden.
- key: ManagedLocalUserShortName
supportedOS:
macOS:
introduced: '11.0'
type: <string>
presence: optional
content: If present, this is the short name of the local account to manage, which
can also be the account that results from setting 'AutoSetupAdminAccounts' to
'true'. Otherwise, only the local account that Setup Assistant creates is a managed
account. This value is available in macOS 11 and later.
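Review bot: `AutoSetupAdminAccounts` is `type: <array>` but its `content` calls it "A dictionary", and `ManagedLocalUserShortName` speaks of "setting 'AutoSetupAdminAccounts' to 'true'" as if it were a boolean; reword both to refer to the array's first element. `LockPrimaryAccountInfo` says `'DontAutoPopulatePrimaryAccountInfo' must also be 0 (or missing)` for a boolean key; say `'false' (or missing)`. `passwordHash` says only "salted PBKDF2 SHA512 password hash" and not how salt, iteration count and digest are packed into the `<data>` value, which a server needs in order to produce it; document the encoding. The top-level `description` is also missing its closing period.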


@@ -0,0 +1,73 @@
title: Application:List Active NSExtensions
description: Returns information about the active NSExtensions for a particular user.
payload:
requesttype: ActiveNSExtensions
supportedOS:
macOS:
introduced: '10.13'
accessrights: QueryInstalledApps
devicechannel: false
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
content: |-
Returns information about the active NSExtensions for a particular user.
NSExtensions are installed and enabled at the user level. There is no concept of "device" NSExtensions.
Requires "Query Installed Apps" right; supported on user channel only.
payloadkeys:
- key: FilterExtensionPoints
type: <array>
presence: optional
content: An array of extension points. If you choose to provide this value, the
response only includes the app extensions for the extension points you specify.
subkeys:
- key: FilterExtensionPointsItem
type: <string>
responsekeys:
- key: Extensions
type: <array>
presence: required
content: An array of dictionaries that contains information about active extensions
on the device.
subkeys:
- key: ExtensionsItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The identifier of the extension.
- key: ExtensionPoint
type: <string>
presence: required
content: The NSExtensionPointIdentifier for the extension.
- key: DisplayName
type: <string>
presence: required
content: The extension's display name.
- key: ContainerDisplayName
type: <string>
presence: optional
content: The display name of the container.
- key: ContainerIdentifier
type: <string>
presence: optional
content: The identifier of the container.
- key: Path
type: <string>
presence: required
content: The path to the extension.
- key: Version
type: <string>
presence: required
content: The version of the extension.
- key: UserElection
type: <string>
presence: required
rangelist:
- Default
- Use
- Ignore
content: The user-selected state of the extension, which a user sets in the
Extensions preference pane in System Preferences.
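Review bot: `FilterExtensionPointsItem` has no `presence` or `content`, so the reader can't tell what string to supply; add `content` saying it is an `NSExtensionPointIdentifier` value, matching the `ExtensionPoint` response key. The `title` `Application:List Active NSExtensions` does not follow the title pattern used by the other command files in this commit, and the last `content` line restates `accessrights: QueryInstalledApps` and `userchannel: true` in prose; if it stays it must be kept in sync with the structured fields.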


@@ -0,0 +1,41 @@
title: NSExtensions Mappings NSExtensions
description: This command returns information about installed extensions for a user.
payload:
requesttype: NSExtensionMappings
supportedOS:
macOS:
introduced: '10.13'
accessrights: QueryInstalledApps
devicechannel: false
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
content: |-
This command returns information about installed extensions for a user.
The purpose of this command is to allow the server to build a mapping of
extension identifiers to extension points to provide a UI for generating
"com.apple.NSExtension" payloads.
Requires "Query Installed Apps" right; supported on user channel only
responsekeys:
- key: Extensions
type: <array>
presence: required
content: An array of dictionaries that contains information about extensions on
the device.
subkeys:
- key: ExtensionsItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The identifier of the extension.
- key: ExtensionPoint
type: <string>
presence: required
content: The NSExtensionPointIdentifier for the extension.
- key: DisplayName
type: <string>
presence: required
content: The display name of the extension.
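Review bot: the `title` reads `NSExtensions Mappings NSExtensions`, a duplicated word; `NSExtension Mappings` matches `requesttype: NSExtensionMappings`. The last `content` line, `Requires "Query Installed Apps" right; supported on user channel only`, is missing its period and, as in the ActiveNSExtensions file, restates the `accessrights` and `userchannel` fields.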


@@ -0,0 +1,118 @@
title: Install Enterprise Application Command
description: This command allows the server to install enterprise applications on
a device. It provides a more secure version of 'InstallApplication' that specifies
a 'ManifestURL'.
payload:
requesttype: InstallEnterpriseApplication
supportedOS:
macOS:
introduced: 10.13.6
accessrights: AllowAppInstallation
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
content: This command allows the server to install an application on a device. It
provides a more secure version of 'InstallApplication' that specifies a 'ManifestURL'.
payloadkeys:
- key: Manifest
type: <dictionary>
presence: optional
content: A dictionary that specifies where to download the app. This value is backward-compatible
with the manifest for the InstallApplicationCommand; however, it also allows you
to specify 'sha256s' and 'sha256'-size for SHA-256 hashes.
subkeys:
- key: ANY
type: <any>
presence: optional
content: A manifest, which is backward-compatible with the manifest for the 'InstallApplication'
command; however, it also allows you to specify 'sha256s' and 'sha256-size'
for SHA-256 hashes.
- key: ManifestURL
type: <string>
presence: optional
content: The URL of the app manifest, which must begin with 'https:'.
- key: ManifestURLPinningCerts
type: <array>
presence: optional
content: An array of DER-encoded certificates to pin the connection when fetching
the 'ManifestURL'.
subkeys:
- key: ManifestURLPinningCertsItem
type: <data>
presence: required
content: A certificate in DER-encoded format.
- key: PinningRevocationCheckRequired
type: <boolean>
presence: optional
default: false
content: If 'true', certificate revocation checks require a positive response when
using certificate pinning with 'ManifestURLPinningCerts'.
- key: InstallAsManaged
supportedOS:
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
type: <boolean>
presence: optional
default: false
content: |-
If 'true', install the app as a managed app. For manifest-based installation, if this value is 'true', but the package doesn't meet the criteria for management, the installation fails. Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app.
To satisfy the criteria for management, the pkg must contain a single, signed application installed into '/Applications'.
This value is available in macOS 11 and later.
- key: ManagementFlags
supportedOS:
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
type: <integer>
presence: optional
rangelist:
- 1
content: |-
The management flags. The only supported flag is:
* '1': Remove the app upon removal of the MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'.
This value is available in macOS 11 and later.
- key: Configuration
supportedOS:
macOS:
introduced: '11.0'
type: <dictionary>
presence: optional
content: A dictionary that contains the initial configuration of the app, if you
choose to provide it. This value is available in macOS 11 and later.
subkeys:
- key: ANY
type: <any>
presence: optional
content: An app configuration key.
- key: ChangeManagementState
supportedOS:
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
type: <string>
presence: optional
rangelist:
- Managed
content: |-
The change management state. The only supported state is:
* 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
This value is available in macOS 11 and later.
- key: iOSApp
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the app is an iOS app that can run on an Apple silicon in macOS
11 and later.
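Review bot: `Manifest` and `ManifestURL` are both `presence: optional`, but nothing says at least one must be present or which wins if both are given; document the rule. The top-level `Manifest` `content` has a misplaced quote, `'sha256s' and 'sha256'-size`, while the `ANY` subkey correctly says `'sha256-size'`. `ManifestURLPinningCerts` pins only `when fetching the 'ManifestURL'`, so the package downloads named by the manifest are not pinned; the `content` should say that package integrity rests on the manifest's `sha256s` hashes, and note that `PinningRevocationCheckRequired` defaults to `false`, so revocation is not enforced unless the server opts in. Finally, `introduced: 10.13.6` is unquoted while every other version in the commit is quoted (`'10.13'`); quote it for consistency.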


@@ -0,0 +1,231 @@
title: Install Application Command
description: This command allows the server to install an application on a device.
If the app is already being managed, this command will update the app.
payload:
requesttype: InstallApplication
supportedOS:
iOS:
introduced: '5.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.9'
accessrights: AllowAppInstallation
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to install an application on a device. If
the app is already being managed, this command will update the app. macOS change
- 10.9 user channel for VPP, 10.10 device channel, 10.11 both.
payloadkeys:
- key: iTunesStoreID
type: <integer>
presence: optional
content: The app's iTunes Store identifier.
- key: Identifier
supportedOS:
iOS:
introduced: '7.0'
type: <string>
presence: optional
content: The app's bundle identifier.
- key: Options
supportedOS:
iOS:
introduced: '7.0'
type: <dictionary>
presence: optional
content: A dictionary that contains the app installation options.
subkeys:
- key: PurchaseMethod
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: |-
The app's purchase type, which must be one of the following values:
* '0': Free apps and Legacy Volume Purchase Program (VPP) with a redemption code. This option is only available in iOS.
* '1': Volume Purchase Program (VPP) app assignment.
Set this value to '1' to install first-party apps without user login to the iTunes Store, such as Mail or Safari, or to install an iOS app with user enrollment.
- key: ManifestURL
supportedOS:
iOS:
introduced: '7.0'
type: <string>
presence: optional
content: The URL of the app manifest, which must begin with 'https:'.
- key: ManagementFlags
supportedOS:
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
type: <integer>
presence: optional
rangelist:
- 1
- 4
- 5
content: |-
The bitwise OR of the following management flags:
* '1': Remove app upon removal of MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'.
* '4': Prevent backup of app data.
This value is available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later.
- key: Configuration
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: '11.0'
type: <dictionary>
presence: optional
content: A dictionary that contains the initial configuration of the app, if you
choose to provide it. This value is available in iOS 7 and later, macOS 11 and
later, and tvOS 10.2 and later.
subkeys:
- key: ANY
type: <any>
presence: optional
content: An app configuration key.
- key: Attributes
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary that contains the initial attributes of the app, if you choose
to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later.
subkeys:
- key: VPNUUID
type: <string>
presence: optional
content: A per-app VPN unique identifier for this app. This value is available
in iOS 7 and later, and tvOS 10.2 and later.
- key: AssociatedDomains
supportedOS:
iOS:
introduced: '13.0'
tvOS:
introduced: n/a
type: <array>
presence: optional
content: An array that contains the associated domains to add to this app. This
value is available in iOS 13 and later.
subkeys:
- key: AssociatedDomain
type: <string>
- key: AssociatedDomainsEnableDirectDownloads
supportedOS:
iOS:
introduced: '14.0'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', perform claimed site association verification directly at
the domain instead of on Apple's servers. Only set this to 'true' for domains
that can't access the internet. This value is available in iOS 14 and later.
- key: Removable
supportedOS:
iOS:
introduced: '14.0'
tvOS:
introduced: '14.0'
type: <boolean>
presence: optional
default: true
content: If 'false', this app isn't removable while it's a managed app. This value
is available in iOS 14 and later, and tvOS 14 and later.
- key: ChangeManagementState
supportedOS:
iOS:
introduced: '9.0'
userenrollment:
mode: forbidden
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
type: <string>
presence: optional
rangelist:
- Managed
content: |-
The change management state. The only supported state is:
* 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
This value doesn't work with the User Enrollment feature introduced in iOS 13.
Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later.
- key: InstallAsManaged
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', install the app as a managed app. For manifest-based installation,
if this value is 'true', but the package doesn't meet the criteria for management,
the installation fails. Reinstall a managed app with this value set to 'false'
to change the app to an unmanaged app. This value is available in macOS 11 and
later.
- key: iOSApp
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the app is an iOS app that can run on an Apple silicon in macOS
11 and later.
responsekeys:
- key: Identifier
type: <string>
presence: optional
content: The app's bundle identifier, if the user accepted the request.
- key: State
type: <string>
presence: optional
content: The app's installation state, if the user accepted the request. If this
value is 'NeedsRedemption', the server must send a redemption code to complete
the app installation.
- key: RejectionReason
type: <string>
presence: optional
rangelist:
- AppAlreadyInstalled
- AppAlreadyQueued
- AppStoreDisabled
- CouldNotVerifyAppID
- ManagementChangeNotSupported
- NotAnApp
- NotSupported
- PurchaseMethodNotSupported
- PurchaseMethodNotSupportedInMultiUser
content: The reason, if installation fails.
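Review bot: `AssociatedDomainsEnableDirectDownloads` has `default: true`, yet its `content` says `Only set this to 'true' for domains that can't access the internet`, which reads as if the opt-in case were the default; confirm which is intended, since `true` makes the device verify site association at the domain itself instead of through Apple's servers. `ManagementFlags` flag `1` and `ChangeManagementState` both say the option "requires that you pass 'true' for 'InstallAsManaged'", but `InstallAsManaged` is `iOS: introduced: n/a` while `ChangeManagementState` is `iOS: introduced: '9.0'`; state that the requirement applies to macOS only. The payload `content` ends with an internal note, `macOS change - 10.9 user channel for VPP, 10.10 device channel, 10.11 both.`, that belongs in the `supportedOS` structure or needs rewording as a sentence.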


@@ -0,0 +1,247 @@
title: Application List Command
description: This command allows the server to query for installed 3rd party applications.
payload:
requesttype: InstalledApplicationList
supportedOS:
iOS:
introduced: '5.0'
accessrights: AllowQueryApplications
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowQueryApplications
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: AllowQueryApplications
supervised: false
content: This command allows the server to query for installed 3rd party applications.
payloadkeys:
- key: Identifiers
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: An array of app identifiers. Provide this value to limit the response to
only include these apps. This value is available in iOS 7 and later, macOS 10.15
and later, and tvOS 10.2 and later.
subkeys:
- key: IdentifiersItem
type: <string>
- key: ManagedAppsOnly
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: '10.15'
type: <boolean>
presence: optional
default: false
content: If 'true', only get a list of managed apps. This value is available in
iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later.
- key: Items
supportedOS:
iOS:
introduced: '14.0'
macOS:
introduced: n/a
tvOS:
introduced: '14.0'
type: <array>
presence: optional
content: An array of strings representing keys in the InstalledApplicationListItem
dictionary. If provided, the response will contain only the keys listed here.
The "Identifier" key is always included. If not present, the response will contain
all keys. Always request just the set of keys that will actually be used, as some
key values can take significant time and power to calculate on the device.
subkeys:
- key: ItemsItem
type: <string>
rangelist:
- AdHocCodeSigned
- AppStoreVendable
- BetaApp
- BundleSize
- DeviceBasedVPP
- DynamicSize
- ExternalVersionIdentifier
- HasUpdateAvailable
- Identifier
- Installing
- IsValidated
- Name
- ShortVersion
- Version
responsekeys:
- key: InstalledApplicationList
type: <array>
presence: required
content: An array of dictionaries that describes each installed app.
subkeys:
- key: InstalledApplicationListItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: optional
content: The app's identifier. This key will always be present on iOS/tvOS but
may be missing on macOS.
- key: ExternalVersionIdentifier
supportedOS:
iOS:
introduced: '11.0'
macOS:
introduced: '10.13'
tvOS:
introduced: '11.0'
type: <integer>
presence: optional
content: |-
The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available.
A newer version of an app may not be available for installation on the device for a variety of reasons, including that the device's operating system version or hardware is incompatible with the available version of the app.
- key: Version
type: <string>
presence: optional
content: The app's version.
- key: ShortVersion
supportedOS:
iOS:
introduced: '5.0'
type: <string>
presence: optional
content: The app's short version.
- key: Name
type: <string>
presence: optional
content: The app's name.
- key: BundleSize
supportedOS:
macOS:
introduced: '10.7'
type: <integer>
presence: optional
content: The app's static bundle size, in bytes. This value is available in
iOS 5 and later, and macOS 10.7 and later, and tvOS 10.2 and later.
- key: DynamicSize
supportedOS:
iOS:
introduced: '5.0'
macOS:
introduced: n/a
type: <integer>
presence: optional
content: The size of the app's file system in bytes, including the Documents,
Library, and other directories. This value is available in iOS 5 and later,
and tvOS 10.2 and later.
- key: IsValidated
supportedOS:
iOS:
introduced: '9.2'
macOS:
introduced: n/a
type: <boolean>
presence: optional
content: If 'true', the app is valid and can run on the device. If the app is
enterprise-distributed and unvalidated, it won't be able to run until validation
has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2
and later.
- key: Installing
type: <boolean>
presence: optional
content: If 'true', the app is downloading. If 'false', it's already installed.
- key: AppStoreVendable
supportedOS:
iOS:
introduced: '11.3'
macOS:
introduced: n/a
tvOS:
introduced: '11.3'
type: <boolean>
presence: optional
content: If 'true', the app came from the App Store and can participate in store
features. For device-based Volume Purchase Program (VPP) apps, this value
is 'false'. This value is available in iOS 11.3 and later, and tvOS 11.3 and
later.
- key: DeviceBasedVPP
supportedOS:
iOS:
introduced: '11.3'
macOS:
introduced: n/a
tvOS:
introduced: '11.3'
type: <boolean>
presence: optional
content: If 'true', installing the app didn't require an Apple ID. This value
is available in iOS 11.3 and later, and tvOS 11.3 and later.
- key: BetaApp
supportedOS:
iOS:
introduced: '11.3'
macOS:
introduced: n/a
tvOS:
introduced: '11.3'
type: <boolean>
presence: optional
content: If 'true', the app is part of the Apple Beta Software Program. This
value is available in iOS 11.3 and later, and tvOS 11.3 and later.
- key: AdHocCodeSigned
supportedOS:
iOS:
introduced: '11.3'
macOS:
introduced: n/a
tvOS:
introduced: '11.3'
type: <boolean>
presence: optional
content: If 'true', the app is ad-hoc code signed. This query is available in
iOS 11.3 and later, and tvOS 11.3 and later.
- key: HasUpdateAvailable
supportedOS:
iOS:
introduced: '11.3'
macOS:
introduced: 10.13.4
type: <boolean>
presence: optional
content: If 'true', the app has an update available. This key is present only
for App Store apps. In macOS, this key is present only for Volume Purchase
Program (VPP) apps. This status updates daily and isn't always up-to-date
when installing an app.
- key: DownloadFailed
type: <boolean>
presence: optional
default: false
content: If 'true', the download failed.
- key: DownloadWaiting
type: <boolean>
presence: optional
default: false
content: If 'true', the app is in the initial state, which is waiting to download.
- key: DownloadPaused
type: <boolean>
presence: optional
default: false
content: If 'true', the user paused the download.
- key: DownloadCancelled
type: <boolean>
presence: optional
default: false
content: If 'true', the user canceled the download.
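Review bot: the 'Items' rangelist (AdHocCodeSigned through Version) does not cover every key defined under InstalledApplicationListItem: DownloadFailed, DownloadWaiting, DownloadPaused and DownloadCancelled are response keys but are absent from the rangelist, although the Items content says the array holds "keys in the InstalledApplicationListItem dictionary". Either add the four Download* keys to the rangelist or state in the content that they are always returned. Also, HasUpdateAvailable's macOS 'introduced: 10.13.4' is the only unquoted version string in the file; quote it ('10.13.4') like the others so that a two-component value such as 10.13 is never parsed as a float. Minor: the BundleSize content reads "iOS 5 and later, and macOS 10.7 and later, and tvOS 10.2 and later"; drop the first "and".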

@@ -0,0 +1,48 @@
title: Invite To Program Command
description: This command allows a server to invite a user to join a program.
payload:
requesttype: InviteToProgram
supportedOS:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: forbidden
macOS:
introduced: '10.9'
accessrights: None
devicechannel: false
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
content: This command allows a server to invite a user to join a program. This command
issues the invitation, but does not allow the server to monitor whether the user
has joined the program. This command is supported in the user channel. This command
will yield a NotNow status until the user exits Setup Assistant.
payloadkeys:
- key: ProgramID
type: <string>
presence: required
rangelist:
- com.apple.cloudvpp
content: The program's identifier, which can only be 'com.apple.cloudvpp'.
- key: InvitationURL
type: <string>
presence: required
content: The Volume Purchase Program (VPP) invitation URL.
responsekeys:
- key: InvitationResult
type: <string>
presence: required
rangelist:
- Acknowledged
- InvalidProgramID
- InvalidInvitationURL
content: The result of the command.

@@ -0,0 +1,170 @@
title: Managed Application List Command
description: This command allows the server to query the status of managed apps. Certain
statuses are transient. Once they are reported to the server, the entries for the
apps are removed from the next query. macOS supports this command on the user channel
starting with macOS 11.3.
payload:
requesttype: ManagedApplicationList
supportedOS:
iOS:
introduced: '5.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: AllowAppInstallation
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to query the status of managed apps. Certain
statuses are transient. Once they are reported to the server, the entries for
the apps are removed from the next query. macOS supports this command on the user
channel starting with macOS 11.3.
payloadkeys:
- key: Identifiers
supportedOS:
iOS:
introduced: '7.0'
type: <array>
presence: optional
content: The bundle identifiers of the managed apps to include in the response.
subkeys:
- key: IdentifiersItem
type: <string>
responsekeys:
- key: ManagedApplicationList
type: <dictionary>
presence: required
content: A dictionary that contains status information about each managed app.
subkeytype: ManagedApplicationListItem
subkeys:
- key: <app identifier>
type: <dictionary>
presence: required
content: The bundle identifier of the managed app.
subkeytype: ManagedApplicationItem
subkeys:
- key: Status
type: <string>
presence: required
rangelist:
- NeedsRedemption
- Redeeming
- Prompting
- PromptingForLogin
- ValidatingPurchase
- PromptingForUpdate
- PromptingForUpdateLogin
- PromptingForManagement
- ValidatingUpdate
- Updating
- Installing
- Managed
- ManagedButUninstalled
- Unknown
- UserInstalledApp
- UserRejected
- UpdateRejected
- ManagementRejected
- Failed
content: |-
The status of the managed app, which is one of the following values:
* 'NeedsRedemption': The app needs a redemption code to complete installation.
* 'Redeeming': The device is redeeming the redemption code for the app.
* 'Prompting': The app installation is prompting the user.
* 'PromptingForLogin' - The app installation is prompting the user for App Store credentials.
* 'ValidatingPurchase': Validation of the app purchase is occurring.
* 'PromptingForUpdate': An app update is prompting the user.
* 'PromptingForUpdateLogin': An app update is prompting the user for App Store credentials.
* 'PromptingForManagement': Changing the app to a managed app is prompting the user.
* 'ValidatingUpdate': Validation of an app update is occurring.
* 'Updating': The app is updating.
* 'Installing': The app is installing.
* 'Managed': The installed app is a managed app.
* 'ManagedButUninstalled': The app is a managed app and the user removed it. Reinstalling the app reinstates it as a managed app.
* 'Unknown': The app state is unknown.
The following statuses are transient and report only once:
* 'UserInstalledApp': The user installed the app before managed app installation could occur.
* 'UserRejected': The user rejected the offer to install the app.
* 'UpdateRejected': The user rejected the offer to update the app.
* 'ManagementRejected':The user rejected management of an installed app.
* 'Failed': The app installation failed.
- key: ManagementFlags
type: <integer>
presence: required
content: |-
The bitwise OR of the following management flags:
* '1': Remove app upon removal of MDM profile.
* '4': Prevent backup of app data.
- key: UnusedRedemptionCode
supportedOS:
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
presence: required
content: If the user already purchased a paid app, this code is available for
use by another user. This code reports only once. This value is available
in iOS 5 and later.
- key: HasConfiguration
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: '11.0'
type: <boolean>
presence: required
content: If 'true', the app has an update available. This key is present only
for App Store apps. In macOS, this key is present only for Volume Purchase
Program (VPP) apps. This status updates daily and isn't always up-to-date
when installing an app.
- key: HasFeedback
supportedOS:
iOS:
introduced: '7.0'
macOS:
introduced: '11.3'
devicechannel: false
type: <boolean>
presence: required
content: If 'true', the app has feedback for the server. This value is available
in iOS 7 and later, and tvOS 10.2 and later. On macOS 11.3 and later, this
value is available if the request was sent on the user channel.
- key: IsValidated
supportedOS:
iOS:
introduced: '9.2'
macOS:
introduced: n/a
type: <boolean>
presence: required
content: If 'true', the app is valid and can run on the device. If the app is
enterprise-distributed and unvalidated, it won't be able to run until validation
has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2
and later.
- key: ExternalVersionIdentifier
supportedOS:
iOS:
introduced: '10.3'
macOS:
introduced: '11.3'
tvOS:
introduced: '10.2'
type: <integer>
presence: required
content: |-
The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available. This value is available in iOS 10.3 and later, macOS 11.3 and later, and tvOS 10.2 and later.
A newer version of an app may not be available for installation on the device for a variety of reasons, including that the device's operating system version or hardware is incompatible with the available version of the app.
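Review bot: the 'HasConfiguration' content ("If 'true', the app has an update available. This key is present only for App Store apps. ...") is a copy of HasUpdateAvailable from the InstalledApplicationList schema and does not describe this key; replace it with text that describes what HasConfiguration actually signals. 'UnusedRedemptionCode' is 'presence: required' yet its content says "This code reports only once" and it is n/a on macOS and tvOS, so it cannot be present in every ManagedApplicationItem; the same applies to 'HasFeedback', whose content says it is only available on the user channel on macOS 11.3 and later. Both should be 'presence: optional'. Minor: 'PromptingForLogin' uses " - " where every other status uses ": ", and "'ManagementRejected':The" is missing a space.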

@@ -0,0 +1,26 @@
title: Apply Redemption Code Command
description: If a redemption code is needed during app installation, the server can
use this command to complete the app installation.
payload:
requesttype: ApplyRedemptionCode
supportedOS:
iOS:
introduced: '5.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
content: If a redemption code is needed during app installation, the server can
use this command to complete the app installation.
payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle identifier of the app.
- key: RedemptionCode
type: <string>
presence: required
content: The redemption code that applies to the app pending installation.

@@ -0,0 +1,33 @@
title: Remove Application Command
description: This command allows a server to remove a managed app.
payload:
requesttype: RemoveApplication
supportedOS:
iOS:
introduced: '5.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: AllowAppInstallation
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command allows a server to remove a managed app.
payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle identifier of the managed app.

@@ -0,0 +1,32 @@
title: Validate Applications Command
description: This commands allows the server to force validation of the free developer
and universal provisioning profiles associated with an enterprise app.
payload:
requesttype: ValidateApplications
supportedOS:
iOS:
introduced: '9.2'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command allows the server to query for installed 3rd party applications.
payloadkeys:
- key: Identifiers
type: <array>
presence: optional
content: The bundle identifiers of the enterprise apps to include for validation
of associated provisioning profiles, if you choose to provide them. Otherwise,
validation occurs for the provisioning profiles for the installed managed apps.
subkeys:
- key: IdentifiersItem
type: <string>
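Review bot: the payload 'content' ("This command allows the server to query for installed 3rd party applications.") contradicts the file's own description, which says the command forces validation of the free developer and universal provisioning profiles associated with an enterprise app; the content looks pasted from another command and should repeat the description, as the other command files do. Also "This commands allows" in the description should read "This command allows".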

@@ -0,0 +1,70 @@
title: Certificate List Command
description: This command allows the server to retrieve the list of installed certificates
on the device. The command requires that the server has the Inspect Profile Manifest
privilege.
payload:
requesttype: CertificateList
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowInspection
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowInspection
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
accessrights: AllowInspection
supervised: false
content: |-
This command allows the server to retrieve the list of installed certificates on the device. The command requires that the server has the Inspect Profile Manifest privilege.
For userenrollment, this request will limit to certificates pushed via MDM
payloadkeys:
- key: ManagedOnly
supportedOS:
iOS:
introduced: '13.0'
macOS:
introduced: '10.15'
tvOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: false
content: If 'true', only include certificates that MDM installed or that are in
the same profile as the MDM payload. User-enrolled devices ignore this value and
always only include managed certificates. This value is available in iOS 13 and
later, macOS 10.15 and later, and tvOS 13 and later.
responsekeys:
- key: CertificateList
type: <array>
presence: required
content: An array of certificate list items that describes each certificate.
subkeys:
- key: CertificateListItem
type: <dictionary>
subkeys:
- key: CommonName
type: <string>
presence: required
content: The certificate's common name.
- key: IsIdentity
type: <boolean>
presence: required
content: If 'true', this is an identity certificate.
- key: Data
type: <data>
presence: required
content: The certificate in DER-encoded X.509 format.
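Review bot: the second line of the payload content, "For userenrollment, this request will limit to certificates pushed via MDM", is an unfinished fragment with no terminating period that restates the 'ManagedOnly' key's "User-enrolled devices ignore this value and always only include managed certificates"; either finish the sentence or drop it and leave the behaviour documented once, under ManagedOnly.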

@@ -0,0 +1,23 @@
title: Declarative Management Command
description: This command allows the server to turn on the Declarative Management
engine on the device (the first time it is used), or to trigger a Declarative Management
synchronization operation.
payload:
requesttype: DeclarativeManagement
supportedOS:
iOS:
introduced: '15.0'
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: required
content: This command allows the server to turn on the Declarative Management engine
on the device (the first time it is used), or to trigger a Declarative Management
synchronization operation.
payloadkeys:
- key: Data
type: <data>
presence: optional
content: The base64-encoded Declarative Management JSON request using a TokensResponse.
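Review bot: the 'Data' key is typed <data> but its content calls it "The base64-encoded Declarative Management JSON request"; a plist <data> value carries raw bytes, with base64 being only the XML plist transport encoding, so either the content should describe the value as the JSON request bytes or the type should be <string> if the server is expected to send base64 text. Also, this is the only command in the set whose iOS entry has no 'accessrights' line; state the right explicitly (or 'None') as the other commands do.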

@@ -0,0 +1,30 @@
title: Activation Lock Bypass Code Command
description: Retrievies the Activation Lock bypass code from the device.
payload:
requesttype: ActivationLockBypassCode
supportedOS:
iOS:
introduced: '7.1'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: '10.15'
accessrights: None
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Retrieves the Activation Lock bypass code from the device. This bypass
code is only available for 15 days after supervision.
responsekeys:
- key: ActivationLockBypassCode
type: <string>
presence: required
content: The Activation Lock bypass code if it's available.
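Review bot: the 'ActivationLockBypassCode' response key is 'presence: required' while its content says "if it's available" and the payload content says the code is only available for 15 days after supervision; make the key optional or document what the device returns once that window has passed. The description also misspells "Retrievies"; the content line has it right.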

@@ -0,0 +1,24 @@
title: Clear Activation Lock Bypass Code Command
description: Clears the Activation Lock bypass code from the device.
payload:
requesttype: ClearActivationLockBypassCode
supportedOS:
iOS:
introduced: '7.1'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
macOS:
introduced: '10.15'
accessrights: None
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Clears the Activation Lock bypass code from the device.

@@ -0,0 +1,31 @@
title: Device Configured Command
description: Informs the device that it can continue past DEP enrollment. Only works
on devices in DEP that have their cloud configuration set to await configuration.
payload:
requesttype: DeviceConfigured
supportedOS:
iOS:
introduced: '9.0'
accessrights: None
supervised: true
requiresdep: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.11'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: true
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: None
supervised: true
content: Informs the device that it can continue past DEP enrollment. Only works
on devices in DEP that have their cloud configuration set to await configuration.

@@ -0,0 +1,105 @@
title: Device Erase Command
description: This command allows the server to remotely erase the device. This command
requires the Device Erase right.
payload:
requesttype: EraseDevice
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowDeviceErase
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.7'
accessrights: AllowDeviceErase
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: AllowDeviceErase
supervised: false
content: This command allows the server to remotely erase the device. This command
requires the Device Erase right.
payloadkeys:
- key: PreserveDataPlan
supportedOS:
iOS:
introduced: '11.0'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', preserve the data plan on an iPhone or iPad with eSIM functionality,
if one exists. This value is available in iOS 11 and later.
- key: DisallowProximitySetup
supportedOS:
iOS:
introduced: '11.3'
sharedipad:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', disable Proximity Setup on the next reboot and skip the pane
in Setup Assistant. This value is available in iOS 11 and later. Prior to iOS
14, don't use this option with any other option.
- key: PIN
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.8'
tvOS:
introduced: n/a
type: <string>
presence: optional
content: The six-character PIN for Find My. This value is available in macOS 10.8
and later.
- key: ObliterationBehavior
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '12.0'
tvOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- Default
- DoNotObliterate
- ObliterateWithWarning
- Always
content: |-
This key defines the fallback behavior for erasing a device.
In macOS 12 and later, this command uses Erase All Content and Settings (EACS) on Mac computers with the Apple M1 chip or the Apple T2 Security Chip. On those devices, if EACS can't run, the device can use obliteration (macOS 11.x behavior). This key has no effect on machines prior to the T2 chip. For a list of supported macs, see Mac models with the Apple T2 Security Chip <https://support.apple.com/en-us/HT208862>.
Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS. The 'status' of the EraseDeviceResponse is either 'Acknowledged' or 'Error'.
The following values define the device's fallback behavior:
'DoNotObliterate':
If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself.
If EACS preflight succeeds but EACS fails, then the device doesn't attempt to erase itself.
'ObliterateWithWarning':
If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
'Default':
If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself.
If EACS preflight succeeds but EACS fails, then the device attempts to erase itself.
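Review bot: 'ObliterationBehavior' lists 'Always' in its rangelist but the content defines only 'DoNotObliterate', 'ObliterateWithWarning' and 'Default'; add the 'Always' fallback behaviour to the list or remove the value from the rangelist. Also 'DisallowProximitySetup' is 'introduced: 11.3' but its content says "available in iOS 11 and later"; one of the two should change. Minor: "supported macs" should be "supported Macs".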

@@ -0,0 +1,27 @@
title: eSIM Cellular Plan Management Command
description: Instructs the device to query for active cellular plan eSIM "profiles"
at the designated carrier eSIM server URL.
payload:
requesttype: RefreshCellularPlans
supportedOS:
iOS:
introduced: '13.0'
accessrights: None
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
content: |-
Instructs the device to query for active cellular plan eSIM "profiles" (not a profile in the MDM sense)
at the designated carrier eSIM server URL. This command is only supported on cellular devices, and only
a subset of those devices support eSIM configuration management. (Need details from CoreTelephony.)
payloadkeys:
- key: eSIMServerURL
type: <string>
presence: required
content: The carrier's eSIM server URL to query. Obtain this URL from each carrier
separately.
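Review bot: the payload content ends with "(Need details from CoreTelephony.)", an internal TODO that should not ship in a published schema; either add the list of devices that support eSIM configuration management or remove the parenthetical.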

@@ -0,0 +1,74 @@
title: Device Lock Command
description: This command allows the server to immediately lock the device. This command
requires the Device Lock and Passcode Removal right.
payload:
requesttype: DeviceLock
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowPasscodeRemovalAndLock
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowPasscodeRemovalAndLock
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: This command allows the server to immediately lock the device. This command
requires the Device Lock and Passcode Removal right.
payloadkeys:
- key: Message
supportedOS:
iOS:
introduced: '7.0'
sharedipad:
mode: ignored
macOS:
introduced: '10.14'
type: <string>
presence: optional
content: The message to display on the Lock screen of the device. This value doesn't
apply to a shared iPad device. This value is available in iOS 4 and later, and
macOS 10.14 and later.
- key: PhoneNumber
supportedOS:
iOS:
introduced: '7.0'
sharedipad:
mode: ignored
macOS:
introduced: '11.5'
type: <string>
presence: optional
content: The phone number to display on the Lock screen. This value doesn't apply
to a shared iPad device. This value is available in iOS 7 and later and macOS
11.5 and later (for Apple silicon devices only).
- key: PIN
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.8'
type: <string>
presence: optional
content: The six-character PIN for Find My. This value is available in macOS 10.8
and later.
responsekeys:
- key: MessageResult
type: <string>
presence: optional
content: |-
The message result if the command includes a message or phone number, which is one of the following values:
* 'Success': The message displayed successfully.
* 'DeviceInLostMode': The device is in Lost Mode.
* 'NoPasscodeSet': The message didn't display because there isn't a set passcode.
* 'Unknown': An unknown error occurred.
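Review bot: the 'Message' key is 'introduced: 7.0' on iOS but its content says "available in iOS 4 and later"; the adjacent 'PhoneNumber' key, also introduced in 7.0, says "iOS 7 and later", so the Message text is the stale one and should say iOS 7.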

@@ -0,0 +1,17 @@
title: Disable MDM Lost Mode Location
description: This command allows the server to take the device out of MDM lost mode.
payload:
requesttype: DisableLostMode
supportedOS:
iOS:
introduced: '9.3'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
content: This command allows the server to take the device out of MDM lost mode.
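Review bot: the title "Disable MDM Lost Mode Location" (and "Enable MDM Lost Mode Location" in the next file) includes "Location" even though the description and request type ('DisableLostMode') concern Lost Mode itself, not the location query; "Disable MDM Lost Mode Command" would match the description and the naming of the other command files.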

@@ -0,0 +1,35 @@
title: Enable MDM Lost Mode Location
description: This command allows the server to put the device in MDM lost mode, with
a message, phone number, and footnote text. A message or phone number must be provided.
payload:
requesttype: EnableLostMode
supportedOS:
iOS:
introduced: '9.3'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
content: This command allows the server to put the device in MDM lost mode, with
a message, phone number, and footnote text. A message or phone number must be
provided.
payloadkeys:
- key: Message
type: <string>
presence: optional
content: If present, display this text on the Lock screen. You must provide this
value if you don't provide a value for 'PhoneNumber'.
- key: PhoneNumber
type: <string>
presence: optional
content: If present, display this phone number on the Lock screen. You must provide
this value if you don't provide a value for 'Message'.
- key: Footnote
type: <string>
presence: optional
content: If present, display this text in place of Slide to Unlock.

@@ -0,0 +1,74 @@
title: Device Location Command
description: This command allows the server to ask for the device's location if it
is in MDM lost mode.
payload:
requesttype: DeviceLocation
supportedOS:
iOS:
introduced: '9.3'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
responsekeys:
- key: Latitude
type: <real>
presence: required
content: The latitude of the device's location.
- key: Longitude
type: <real>
presence: required
content: The longitude of the device's location.
- key: HorizontalAccuracy
supportedOS:
iOS:
introduced: '10.3'
type: <real>
presence: required
content: The radius of uncertainty for the location in meters, which is a negative
value if the horizontal accuracy is unknown.
- key: VerticalAccuracy
supportedOS:
iOS:
introduced: '10.3'
type: <real>
presence: required
content: The accuracy of the altitude value in meters, which is a negative value
if the vertical accuracy is unknown.
- key: Altitude
supportedOS:
iOS:
introduced: '10.3'
type: <real>
presence: required
content: The altitude of the device's location, which is a negative value if the
altitude is unknown.
- key: Speed
supportedOS:
iOS:
introduced: '10.3'
type: <real>
presence: required
content: The speed of the device in meters per second, which is a negative value
if the speed is unknown.
- key: Course
supportedOS:
iOS:
introduced: '10.3'
type: <real>
presence: required
content: The direction the device is traveling, which is a negative value if the
course is unknown.
- key: Timestamp
supportedOS:
iOS:
introduced: '10.3'
type: <string>
presence: required
content: The RFC 3339 timestamp of when the server determined the location of the
device.
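Review bot: the 'Timestamp' content says "when the server determined the location of the device"; the device determines and reports its own location, so this should read "when the device determined its location". Also HorizontalAccuracy, VerticalAccuracy, Altitude, Speed, Course and Timestamp are 'presence: required' but 'introduced: 10.3', while the command itself is available from iOS 9.3; a 9.3 device cannot return them, so they should be optional. This file is also missing the 'content' line under payload that the other command files carry.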

@@ -0,0 +1,21 @@
title: Play Lost Mode Sound Command
description: This command allows the server to tell the device to play a sound if
it is in MDM Lost Mode. The sound will play until the device is either removed from
Lost Mode or a user disables the sound from the device.
payload:
requesttype: PlayLostModeSound
supportedOS:
iOS:
introduced: '10.3'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
content: This command allows the server to tell the device to play a sound if it
is in MDM Lost Mode. The sound will play until the device is either removed from
Lost Mode or a user disables the sound from the device.

@@ -0,0 +1,78 @@
title: Device Restart Command
description: This command requires the Device Lock access right. The device will restart
immediately.
payload:
requesttype: RestartDevice
supportedOS:
iOS:
introduced: '10.3'
accessrights: AllowPasscodeRemovalAndLock
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.13'
accessrights: AllowPasscodeRemovalAndLock
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: AllowPasscodeRemovalAndLock
supervised: true
content: This command requires the Device Lock access right. The device will restart
immediately.
payloadkeys:
- key: RebuildKernelCache
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the system rebuilds the kernel cache during a device restart.
If 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo
response, the device requests the bootstrap token from the MDM server prior to
executing this command. This value is available in macOS 11 and later.
- key: KextPaths
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
tvOS:
introduced: n/a
type: <array>
presence: optional
content: If 'RebuildKernelCache' is 'true', this value specifies the paths to kexts
to add to the auxiliary kernel cache since the last kernel cache rebuild. If not
present, the system only adds previously discovered kexts to the kernel cache.
This value is available in macOS 11 and later.
subkeys:
- key: KextPathsItem
type: <string>
- key: NotifyUser
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.4'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: |-
If 'true', notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at 'loginwindow' with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command.
This value is available in macOS 11.3 and later.
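Review bot: 'NotifyUser' is 'introduced: 11.4' but its content says "This value is available in macOS 11.3 and later"; align the two. Also 'KextPaths' only says what happens "If 'RebuildKernelCache' is 'true'"; state whether the paths are ignored or rejected when RebuildKernelCache is false or absent, since the key adds kexts to the kernel cache and a server should know when it is silently dropped.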

@@ -0,0 +1,15 @@
title: Clear Restrictions Password Command
description: This command clears the restrictions passcode, either disabling parental
controls or allowing you to edit them.
payload:
requesttype: ClearRestrictionsPassword
supportedOS:
iOS:
introduced: '8.0'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
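Review bot: this file has no 'content' line under payload, unlike the other command files in the commit, which repeat the description there; add one so the generated documentation has a body for ClearRestrictionsPassword.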

@@ -0,0 +1,123 @@
title: Device Restrictions Command
description: This command allows the server to determine what restrictions are being
enforced on the device, and the total sum of all restrictions. This command requires
the Restrictions Query access right.
payload:
requesttype: Restrictions
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowQueryRestrictions
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: forbidden
tvOS:
introduced: '6.1'
accessrights: AllowQueryRestrictions
supervised: false
content: This command allows the server to determine what restrictions are being
enforced on the device, and the total sum of all restrictions. This command requires
the Restrictions Query access right. This technically does work on macOS but it
returns a blank dictionary and there no plans to change this behavior.
payloadkeys:
- key: ProfileRestrictions
type: <boolean>
presence: optional
default: false
content: If 'true', the device reports restrictions from each profile. This value
is available in iOS 4 and later, and tvOS 6.1 and later.
responsekeys:
- key: GlobalRestrictions
type: <dictionary>
presence: required
content: A dictionary that contains the global restrictions in effect. This value
is available in iOS 4 and later, and tvOS 6.1 and later.
subkeytype: RestrictionsDictionary
subkeys: &id001
- key: restrictedBool
type: <dictionary>
presence: optional
content: A dictionary of Boolean restrictions.
subkeytype: BooleanDictionary
subkeys:
- key: ANY restriction name
type: <dictionary>
presence: optional
content: The Boolean restriction parameters.
subkeys:
- key: value
type: <boolean>
presence: required
content: The value of the restriction.
- key: restrictedValue
type: <dictionary>
presence: optional
content: A dictionary of numeric restrictions.
subkeytype: ValueDictionary
subkeys:
- key: ANY restriction name
type: <dictionary>
presence: optional
content: The numeric restriction parameters.
subkeys:
- key: value
type: <integer>
presence: required
content: The value of the restriction.
- key: intersection
type: <dictionary>
presence: optional
content: A dictionary of intersected restrictions. Intersected restrictions indicate
that new restrictions can only reduce the number of strings in the set.
subkeytype: IntersectionDictionary
subkeys:
- key: ANY restriction name
type: <dictionary>
presence: optional
content: The intersected restriction parameters.
subkeys:
- key: values
type: <array>
presence: required
content: The values of the restriction.
subkeys:
- key: valuesItem
type: <string>
- key: union
type: <dictionary>
presence: optional
content: A dictionary of unioned restrictions. Unioned restrictions indicate that
new restrictions can add to the set.
subkeytype: UnionDictionary
subkeys:
- key: ANY restriction name
type: <dictionary>
presence: optional
content: The unioned restriction parameters.
subkeys:
- key: values
type: <array>
presence: required
content: The values of the restriction.
subkeys:
- key: valuesItem
type: <string>
- key: ProfileRestrictions
type: <dictionary>
presence: required
content: A dictionary that contains dictionaries of restrictions from each profile.
This value is only available when 'ProfileRestrictions' is 'true' in the command.
The keys are the identifiers of the profiles. This value is available in iOS 4
and later, and tvOS 6.1 and later.
subkeys:
- key: ANY profile identifier
type: <dictionary>
presence: optional
content: The profile identifiers.
subkeytype: RestrictionsDictionary
subkeys: *id001
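Review bot: the 'content' sentence "This technically does work on macOS but it returns a blank dictionary and there no plans to change this behavior" documents macOS behaviour that the 'supportedOS' block never declares (only iOS and tvOS are listed) and has a grammar slip ("there no plans" should read "there are no plans"). Either add a macOS entry with the blank-dictionary caveat or drop the sentence, so the schema and the prose agree on which platforms answer this query. Two smaller points: the 'ANY profile identifier' subkey's content reads "The profile identifiers." but its value is the restrictions dictionary for that one profile ('subkeys: *id001'), so describe it that way; and 'ProfileRestrictions' names a boolean in 'payloadkeys' and a dictionary in 'responsekeys', which matches the protocol but deserves a sentence noting the overloaded name.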

@@ -0,0 +1,27 @@
title: Device Shut Down Command
description: This command requires the Device Lock access right. The device will shut
down immediately.
payload:
requesttype: ShutDownDevice
supportedOS:
iOS:
introduced: '10.3'
accessrights: AllowPasscodeRemovalAndLock
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.13'
accessrights: AllowPasscodeRemovalAndLock
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: This command requires the Device Lock access right. The device will shut
down immediately.
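Review bot: 'description' and 'content' are word-for-word duplicates, and both name the "Device Lock access right" while the schema key is 'AllowPasscodeRemovalAndLock'; use the right's name as it appears in 'accessrights' (it also covers passcode removal) so readers can match the prose to the flag they grant. Because the device shuts down immediately with no user prompt, lead with what the command does and then state the required right and the 'supervised: true' requirement on iOS, since those two controls are what limit who can trigger it.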

@@ -0,0 +1,629 @@
title: Content Caching Information Command
description: This command allows the server to query for information about Content
Caching.
payload:
requesttype: ContentCachingInformation
supportedOS:
macOS:
introduced: 10.15.4
accessrights: AllowQueryNetworkInformation
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: This command allows the server to query for information about Content Caching.
responsekeys:
- key: StatusResponse
type: <dictionary>
presence: required
content: A dictionary that contains the status of content caching on a device.
subkeys:
- key: Activated
type: <boolean>
presence: optional
default: false
content: If 'true', the device has enabled content caching. Enabling content caching
doesn't guarantee service. See the 'Active' key for the readiness of content
caching to serve requests.
- key: Active
type: <boolean>
presence: optional
default: false
content: If 'true', content caching is ready to serve requests.
- key: ActualCacheUsed
type: <integer>
presence: optional
content: The actual amount of disk space, in bytes, that cached content uses.
See related values 'CacheUsed' and 'PersonalCacheUsed'.
- key: AlertsForPeerFilterRanges
type: <dictionary>
presence: optional
content: |-
The error conditions the content cache detected in the 'PeerFilterRanges' in the installed 'com.apple.AssetCache.managed' payload.
To display these alerts on the device, set 'DisplayAlerts' to 'true' in the installed ContentCaching profile.
subkeys:
- key: Index into the PeerFilterRanges in the installed com.apple.AssetCache.managed
payload
type: <dictionary>
presence: required
content: A dictionary that describes the alerts for the peer filter ranges.
subkeys:
- key: className
type: <string>
presence: required
rangelist:
- AssetCacheUnfriendlyPeersInFilterRangeAlert
content: The type of the alert.
- key: postDate
type: <date>
presence: required
content: The date of the alert.
- key: peerFilterRangeIndex
type: <integer>
presence: required
content: The index into the 'PeerFilterRanges' in the installed ContentCaching
payload.
- key: addresses
type: <array>
presence: required
content: An array of local IP addresses of peer content caches that rejected
requests from the content cache.
subkeys:
- key: address
type: <string>
presence: required
content: Local IP address of a peer Content Cache that rejected requests
from this Content Cache.
- key: Alerts
type: <array>
presence: optional
content: |-
An array that contains the error conditions the content cache detected that aren't related to peer filter ranges, parent content caches, or peer content caches.
See 'AlertsForPeerFilterRanges' for errors related to peer filter ranges.
See 'Parents' and 'Peers' for errors related to parent and peer content caches.
To display these alerts on the device, set 'DisplayAlerts' to 'true' in the installed ContentCaching profile.
subkeys:
- key: AlertsItem
type: <dictionary>
presence: required
subkeys:
- key: className
type: <string>
presence: required
rangelist:
- AssetCacheLowSpaceAlert
- AssetCacheNoSpaceAlert
- AssetCacheRegistrationRejectedAlert
- AssetCacheRegistrationUnavailableAlert
- AssetCacheResourceMissingAlert
content: The type of the alert.
- key: postDate
type: <date>
presence: required
content: The date of the alert.
- key: cacheLimit
type: <integer>
presence: optional
content: The limit, in bytes, for the content cache at the time of the alert.
This value only applies to 'AssetCacheLowSpaceAlert' and 'AssetCacheNoSpaceAlert'
types.
- key: reservedVolumeSpace
type: <integer>
presence: optional
content: The space, in bytes, that the system reserves at the time of the
alert. This value only applies to the 'AssetCacheLowSpaceAlert' and 'AssetCacheNoSpaceAlert'
types.
- key: resource
type: <string>
presence: optional
content: The resource that was missing or inaccessible at the time of the
alert. This value only applies to the 'AssetCacheResourceMissingAlert' type.
- key: pathPreventingAccess
type: <string>
presence: optional
content: The subpath of the resource that was missing or inaccessible at the
time of the alert. This value only applies to the 'AssetCacheResourceMissingAlert'
type.
- key: CacheDetails
type: <dictionary>
presence: optional
content: The amount of disk space that various categories of cached content use.
Apple defines these categories and they're subject to change.
subkeys:
- key: Category Name
type: <integer>
presence: required
content: The amount of disk space, in bytes, that this category of cached content
uses.
- key: CacheFree
type: <integer>
presence: optional
content: The amount of disk space, in bytes, available to the content cache.
- key: CacheLimit
type: <integer>
presence: optional
content: The maximum amount of disk space, in bytes, available to the content
cache. A value of '0' indicates an unlimited amount. This value corresponds
to 'CacheLimit' in the installed ContentCaching profile.
- key: CacheStatus
type: <string>
presence: optional
rangelist:
- LOWSPACE
- OK
content: The level of cache pressure. 'LowSpace' means cache pressure is high.
- key: CacheUsed
type: <integer>
presence: optional
content: The amount of disk space, in bytes, cached content uses. Content caching
allocates space in its cache for entire files even when it stores only part
of those files in its cache.
- key: DataMigrationCompleted
type: <boolean>
presence: optional
default: false
content: If 'true', the content cache finished moving from one volume to another.
- key: DataMigrationError
type: <dictionary>
presence: optional
content: The error that occurred while the content cache moved from one volume
to another.
subkeys:
- key: domain
type: <string>
presence: required
content: The error domain.
- key: code
type: <integer>
presence: required
content: The error code.
- key: userInfo
type: <dictionary>
presence: optional
content: A dictionary that contains additional information about the error.
subkeys:
- key: ANY
type: <any>
presence: optional
content: A dictionary that contains additional details about the error.
- key: DataMigrationProgress
type: <real>
presence: optional
range:
min: 0.0
max: 1.0
content: A floating-point number between '0.0' and '1.0' that indicates the percentage
of progress in moving the content cache from one volume to another. A value
of '1.0' indicates that the content cache has fully migrated.
- key: MaxCachePressureLast1Hour
type: <real>
presence: optional
range:
min: 0.0
max: 1.0
content: A floating-point number between '0.0' and '1.0' that represents how often
the cache needed more disk space over the last hour of operation. A lower value
is better.
- key: Parents
type: <array>
presence: optional
content: An array of dictionaries that describes parent content caches.
subkeys:
- key: ParentsItem
type: <dictionary>
presence: optional
subkeys:
- key: address
type: <string>
presence: required
content: The local IP address of the parent content cache.
- key: alert
type: <dictionary>
presence: optional
content: A dictionary that describes an alert related to the parent content
cache.
subkeys:
- key: className
type: <string>
presence: required
rangelist:
- AssetCacheParentCycleAlert
- AssetCacheParentDepthAlert
content: The type of the alert.
- key: postDate
type: <date>
presence: required
content: The date of the alert.
- key: addresses
type: <array>
presence: required
content: An array of local IP addresses of parent content caches.
subkeys:
- key: address
type: <string>
presence: required
content: Local IP address of a parent Content Cache.
- key: details
type: <dictionary>
presence: required
content: A dictionary that contains additional details about the parent content
cache.
subkeys:
- key: ac-power
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache power source is AC; otherwise,
an internal battery provides its power.
- key: cache-size
type: <integer>
presence: optional
content: The maximum amount of disk space, in bytes, available to the parent
content cache.
- key: capabilities
type: <dictionary>
presence: optional
content: A dictionary that describes the capabilities of the parent content
cache.
subkeys:
- key: im
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of imports and
uploads.
- key: ns
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of handling namespaces,
which is an aspect of personal caching.
- key: pc
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of caching personal
iCloud content.
- key: query-parameters
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of handling query
parameters in URLs.
- key: sc
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of caching shared
non-iCloud content.
- key: ur
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache is capable of prioritizing
imports and uploads.
- key: is-portable
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache computer is portable; for example,
a laptop.
- key: local-network
type: <dictionary>
presence: optional
content: A dictionary that describes the parent content cache's connection
to its local network.
subkeys:
- key: speed
type: <integer>
presence: optional
content: The transfer speed, in megabits per second, of the parent content
cache's connection to its local network.
- key: wired
type: <boolean>
presence: optional
default: false
content: If 'true', the parent content cache has a wired connection to
its local network. If 'false', it has a wireless connection; for example,
Wi-Fi.
- key: guid
type: <string>
presence: required
content: The unique identifier of the parent content cache.
- key: healthy
type: <boolean>
presence: required
content: If 'true,' the parent content cache is able to respond to requests
from this content cache.
- key: port
type: <integer>
presence: required
content: The IP port number the parent content cache listens to for requests.
- key: version
type: <string>
presence: required
content: The version number of the parent content cache software.
- key: Peers
type: <array>
presence: optional
content: An array of dictionaries that describes peer content caches.
subkeys:
- key: PeersItem
type: <dictionary>
presence: optional
subkeys:
- key: address
type: <string>
presence: required
content: The local IP address of the peer content cache.
- key: alert
type: <dictionary>
presence: optional
content: A dictionary that describes an alert related to the peer content
cache.
subkeys:
- key: className
type: <string>
presence: required
rangelist:
- AssetCachePeerCycleAlert
- AssetCacheUnfriendlyPeerAlert
content: The type of the alert.
- key: postDate
type: <date>
presence: required
content: The date of the alert.
- key: addresses
type: <array>
presence: optional
content: An array of local IP addresses of peer content caches.
subkeys:
- key: address
type: <string>
presence: required
content: Local IP address of a peer Content Cache.
- key: peerAddress
type: <string>
presence: optional
content: The local IP address of a peer content cache.
- key: details
type: <dictionary>
presence: required
content: A dictionary that contains additional details about the peer content
cache.
subkeys:
- key: ac-power
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache power source is AC; otherwise,
an internal battery provides its power.
- key: cache-size
type: <integer>
presence: optional
content: The maximum amount of disk space, in bytes, available to the peer
content cache.
- key: capabilities
type: <dictionary>
presence: optional
content: A dictionary that describes the capabilities of the peer content
cache.
subkeys:
- key: im
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of imports and uploads.
- key: ns
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of handling namespaces,
which is an aspect of personal caching.
- key: pc
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of caching personal
iCloud content.
- key: query-parameters
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of handling query
parameters in URLs.
- key: sc
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of caching shared
non-iCloud content.
- key: ur
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache is capable of prioritizing
imports and uploads.
- key: is-portable
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache computer is portable; for example,
a laptop.
- key: local-network
type: <dictionary>
presence: optional
content: A dictionary that describes the peer content cache's connection
to its local network.
subkeys:
- key: speed
type: <integer>
presence: optional
content: The transfer speed, in megabits per second, of the peer content
cache's connection to its local network.
- key: wired
type: <boolean>
presence: optional
default: false
content: If 'true', the peer content cache has a wired connection to its
local network. If 'false', it has a wireless connection; for example,
Wi-Fi.
- key: friendly
type: <boolean>
presence: required
content: If 'true', the peer content cache is able to respond to requests
from the content cache.
- key: guid
type: <string>
presence: required
content: The unique identifier of the peer content cache.
- key: healthy
type: <boolean>
presence: required
content: If 'true', the peer content cache is able to respond to requests
from the content cache.
- key: port
type: <integer>
presence: required
content: The IP port number the peer content cache listens to for requests.
- key: version
type: <string>
presence: required
content: The version number of the peer content cache software.
- key: PersonalCacheFree
type: <integer>
presence: optional
content: The amount of disk space, in bytes, available to the content cache for
personal iCloud content.
- key: PersonalCacheLimit
type: <integer>
presence: optional
content: The maximum amount of disk space, in bytes, available to the content
cache for personal iCloud content. A value of '0' indicates an unlimited amount.
- key: PersonalCacheUsed
type: <integer>
presence: optional
content: The amount of disk space, in bytes, available to the content cache for
personal iCloud content.
- key: Port
type: <integer>
presence: optional
content: The IP port number the content cache listens to for requests from clients,
peers, and children.
- key: PrivateAddresses
type: <array>
presence: optional
content: An array of the content cache's local IP addresses.
subkeys:
- key: PrivateAddressesItem
type: <string>
presence: required
content: Local IP address at which the Content Cache listens for requests from
clients, peers, and children.
- key: PublicAddress
type: <string>
presence: optional
content: The public IP address of the content cache.
- key: RegistrationError
type: <string>
presence: optional
content: If present, the reason the content cache failed to register itself with
Apple.
- key: RegistrationResponseCode
type: <integer>
presence: optional
content: If present, the HTTP response code the content cache received when it
failed to register itself with Apple.
- key: RegistrationStarted
type: <date>
presence: optional
content: The date when the content cache began registering itself with Apple.
This value is only available during registration attempts.
- key: RegistrationStatus
type: <integer>
presence: optional
rangelist:
- -1
- 0
- 1
content: |-
The status of the content cache's registration with Apple, which is one of the following values:
* '-1:' Failed
* ' 0:' Pending
* ' 1:' Succeeded
- key: RestrictedMedia
type: <boolean>
presence: optional
default: false
content: If 'true', a restriction prevents caching of certain content types.
- key: ServerGUID
type: <string>
presence: optional
content: The unique identifier of the content cache.
- key: StartupStatus
type: <string>
presence: optional
rangelist:
- FAILED
- MIGRATING_DATA
- OK
- PENDING
content: The status of the content cache's registration with Apple.
- key: TetheratorStatus
type: <integer>
presence: optional
rangelist:
- -1
- 0
- 1
content: |-
The status of tethered caching, which is content caching with a shared internet connection, which is one of the following values:
* '-1:' Unknown
* ' 0:' Disabled
* ' 1:' Enabled
- key: TotalBytesAreSince
type: <date>
presence: optional
content: The start date to use when collecting data for the other 'TotalBytes'
values.
- key: TotalBytesDropped
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache downloaded, but
couldn't add to its cache, since the 'TotalBytesAreSince' date.
- key: TotalBytesImported
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache received since the
'TotalBytesAreSince' date.
- key: TotalBytesReturnedToChildren
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache served to its child
content cache since the 'TotalBytesAreSince' date.
- key: TotalBytesReturnedToClients
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache served to client
iOS, macOS, and tvOS devices since the 'TotalBytesAreSince' date.
- key: TotalBytesReturnedToPeers
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache served to peer content
caches since the 'TotalBytesAreSince' date.
- key: TotalBytesStoredFromOrigin
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache saved from the internet
since the 'TotalBytesAreSince' date.
- key: TotalBytesStoredFromParents
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache saved from parent
content caches since the 'TotalBytesAreSince' date.
- key: TotalBytesStoredFromPeers
type: <integer>
presence: optional
content: The amount of data, in bytes, that the content cache saved from peer
content caches since the 'TotalBytesAreSince' date.
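Review bot: three 'content' strings look copy-pasted: 'PersonalCacheUsed' repeats the text of 'PersonalCacheFree' ("available to the content cache for personal iCloud content") and should describe space used; 'StartupStatus' repeats 'RegistrationStatus' ("The status of the content cache's registration with Apple") although its rangelist ('FAILED', 'MIGRATING_DATA', 'OK', 'PENDING') describes startup; and 'CacheStatus' explains a 'LowSpace' value while the rangelist spells it 'LOWSPACE'. Under 'Peers', 'friendly' and 'healthy' carry identical content ("is able to respond to requests from the content cache"), so one of them is misdescribed. Consistency points: 'introduced: 10.15.4' is unquoted while every other version in this commit is quoted, and the array element keys under 'addresses' are named 'address' where the rest of the commit uses the '<Parent>Item' convention ('AlertsItem', 'ParentsItem', 'PeersItem').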

File diff suppressed because it is too large
@@ -0,0 +1,466 @@
title: Security Information Command
description: This command queries the device for security-related information. Queries
are available if the MDM host has the Security Query right.
payload:
requesttype: SecurityInfo
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowQuerySecurity
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowQuerySecurity
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
accessrights: AllowQuerySecurity
supervised: false
content: This command queries the device for security-related information. Queries
are available if the MDM host has the Security Query right.
responsekeys:
- key: SecurityInfo
type: <dictionary>
presence: required
content: A dictionary that contains security-related information.
subkeys:
- key: HardwareEncryptionCaps
supportedOS:
macOS:
introduced: n/a
type: <integer>
content: |-
An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values:
* '1': Block-level encryption
* '2': File-level encryption
* '3': Both block-level and file-level encryption
For a device to have data protection, 'HardwareEncryptionCaps' must be '3' and 'PasscodePresent' must 'true'.
This value is available in iOS 4 and later, and tvOS 6 and later.
- key: PasscodePresent
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <boolean>
content: If 'true', the device has a passcode. This value is available in iOS
4 and later, and tvOS 6 and later.
- key: PasscodeCompliant
supportedOS:
macOS:
introduced: n/a
type: <boolean>
content: If 'true', the user's passcode is compliant with all requirements on
the device, including Exchange and other accounts. This value is available in
iOS 4 and later, and tvOS 6 and later.
- key: PasscodeCompliantWithProfiles
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <boolean>
content: If 'true', the user's passcode is compliant with requirements from profiles.
This key does not apply to User-Enrolled devices. This value is available in
iOS 4 and later, and tvOS 6 and later.
- key: PasscodeLockGracePeriod
supportedOS:
iOS:
introduced: 9.3.2
sharedipad:
mode: required
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <integer>
content: The user preference for the number of seconds before a locked screen
requires the device passcode to unlock it. This value is only available for
Shared iPad.
- key: PasscodeLockGracePeriodEnforced
supportedOS:
iOS:
introduced: 9.3.2
sharedipad:
mode: required
userenrollment:
mode: forbidden
macOS:
introduced: n/a
type: <integer>
content: The enforced value for the number of seconds before a locked screen requires
the device passcode to unlock it. If a device has a passcode, changing 'PasscodeLockGracePeriod'
to a larger value doesn't take effect until the user logs out or removes the
passcode. This value is only available for Shared iPad.
- key: FDE_Enabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', the device has enabled FileVault full disk encryption (FDE).
This value is available in macOS 10.9 and later.
- key: FDE_HasPersonalRecoveryKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', FileVault FDE has a personal recovery key. This value is available
in macOS 10.9 and later.
- key: FDE_HasInstitutionalRecoveryKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.9'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', FileVault FDE has an institutional recovery key. This value
is available in macOS 10.9 and later.
- key: FDE_PersonalRecoveryKeyCMS
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <data>
content: If the FileVault personal recovery key has enabled escrow with a recovery
key, this value contains the key. The certificate from the FDERecoveryKeyEscrow
profile encrypts the key and wraps it as CMS data. This value is available in
macOS 10.13 and later.
- key: FDE_PersonalRecoveryKeyDeviceKey
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <string>
content: If the FileVault personal recovery key has enabled escrow with a recovery
key, this value is the device serial number. This is the value that displays
to the user at the EFI login window as part of the help message if they enter
their password incorrectly three times. The server also uses this value as an
index when saving the device personal recovery key. This replaces the 'recordNumber'
that the server returned in the previous escrow mechanism. This value is available
in macOS 10.13 and later.
- key: SystemIntegrityProtectionEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.12'
userchannel: false
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', System Integrity Protection (SIP) is active on the device.
This value is available in macOS 10.12 and later.
- key: FirewallSettings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.12'
userchannel: false
tvOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the firewall settings. This value is available
in macOS 10.12 and later.
subkeys:
- key: FirewallEnabled
type: <boolean>
content: If 'true', the firewall is on.
- key: BlockAllIncoming
type: <boolean>
content: If 'true', the firewall blocks all incoming connections.
- key: StealthMode
type: <boolean>
content: If true, stealth mode is active for the firewall.
- key: Applications
supportedOS:
macOS:
introduced: '10.12'
userenrollment:
mode: forbidden
type: <array>
content: An array of dictionaries that describes the allowed applications.
subkeys:
- key: ApplicationsItem
type: <dictionary>
subkeys:
- key: Allowed
type: <boolean>
content: If 'true', the app is an allowed app.
- key: BundleID
type: <string>
content: The app's bundle identifier.
- key: Name
type: <string>
content: The app's display name if it's determinable from the 'BundleID'.
- key: LoggingEnabled
supportedOS:
macOS:
introduced: '12.0'
type: <boolean>
content: If 'true', logging is enabled.
- key: LoggingOption
supportedOS:
macOS:
introduced: '12.0'
type: <string>
rangelist:
- throttled
- brief
- detail
content: The type of logging emitted by the firewall.
- key: FirmwarePasswordStatus
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.13'
userchannel: false
tvOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the status of the EFI firmware password. This
value is available in macOS 10.13 and later.
subkeys:
- key: PasswordExists
type: <boolean>
content: If 'true', the device has an EFI firmware password.
- key: ChangePending
type: <boolean>
content: |-
If 'true', a firmware password change is pending. A device restart is necessary for this change to take effect. Until then, additional attempts to change the password fail.
If 'true', the other values show the current state of the device, not the state after a restart.
- key: AllowOroms
type: <boolean>
content: If 'true', enable ROMs.
- key: ManagementStatus
supportedOS:
iOS:
introduced: '13.0'
macOS:
introduced: 10.13.2
tvOS:
introduced: '13.0'
type: <dictionary>
content: A dictionary that contains the status of the device's MDM enrollment.
subkeys:
- key: EnrolledViaDEP
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', the device enrolled in MDM through the Device Enrollment
Program (DEP). This value is available in macOS 10.13.2 and later.
- key: UserApprovedEnrollment
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', the enrollment was user-approved. If 'false', the device
may reject certain security-sensitive payloads or commands. This value is
available in macOS 10.13.2 and later.
- key: IsUserEnrollment
supportedOS:
macOS:
introduced: '10.15'
type: <boolean>
content: If 'true', the device is user-enrolled. This value is available in
iOS 13 and later, and macOS 10.15 and later.
- key: IsActivationLockManageable
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', the type of enrollment allows the MDM to manage Activation
Lock for this device. This value is available in macOS 10.15 and later.
- key: SecureBoot
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
userchannel: false
tvOS:
introduced: n/a
type: <dictionary>
content: A dictionary that contains the device's Secure Boot settings. This value
is available in macOS 10.15 and later.
subkeys:
- key: SecureBootLevel
type: <string>
rangelist:
- 'off'
- medium
- full
- not supported
content: The security level for the bootable operating system versions.
- key: ExternalBootLevel
type: <string>
rangelist:
- allowed
- disallowed
- not supported
content: The device's external boot level, which indicates whether it allows
booting from an external device, disallows it, or doesn't support it.
- key: ReducedSecurity
supportedOS:
macOS:
introduced: '11.0'
type: <array>
content: |-
Reports which security features the user disables in 'recoveryOS'. This property is only present for Apple silicon when 'SecureBootLevel' is 'medium'.
Available in iOS 11 and later.
subkeys:
- key: ReducedSecurityItems
type: <string>
subkeys:
- key: AllowsAnyAppleSignedOS
type: <string>
content: If 'true', allows any signed version of trusted system software
from Apple to run.
- key: AllowsUserKextApproval
type: <string>
content: If 'true', the user has control over kernel extensions.
- key: AllowsMDM
type: <string>
content: If 'true', the MDM server controls kernel extensions and software
updates.
- key: RemoteDesktopEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: 10.14.4
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', Remote Desktop is active on the device. This value is available
in macOS 10.14.4 and later.
- key: AuthenticatedRootVolumeEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', the system booted using an Authenticated Root Volume. This
value is available in macOS 11 and later.
- key: BootstrapTokenAllowedForAuthentication
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <string>
rangelist:
- allowed
- disallowed
- not supported
content: |-
This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. The value is automatically set for devices enrolled through the Device Enrollment Program (DEP). The user can also manually set this value in the RecoveryOS.
This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: BootstrapTokenRequiredForSoftwareUpdate
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: |-
If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response.
This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: BootstrapTokenRequiredForKernelExtensionApproval
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.0'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: |-
If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the 'com.apple.syspolicy.kernel-extension-policy' payload or triggering the 'RestartDevice' command with 'RebuildKernelCache' set to 'true'. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response.
This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment.
- key: IsRecoveryLockEnabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '11.5'
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <boolean>
content: If 'true', a password is required to enter recovery (see SetRecoveryLockCommand).
Available in macOS 11.5 and later and only on Apple silicon devices.
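Review bot: the 'ReducedSecurity' entry has a type/documentation mismatch: 'ReducedSecurityItems' is declared `type: <string>` yet carries `subkeys` (which this file otherwise uses only under `<dictionary>` and `<array>` entries), and each of those subkeys ('AllowsAnyAppleSignedOS', 'AllowsUserKextApproval', 'AllowsMDM') is typed `<string>` while its content begins "If 'true', ...". Either make the item a `<dictionary>` of `<boolean>` subkeys, or keep the array of strings and list the three names under `rangelist` with content describing what each name means. In the same block, "Available in iOS 11 and later." contradicts the key's `supportedOS` (macOS 11.0 only, Apple silicon) and should read macOS 11. Minor: 'RemoteDesktopEnabled' has `introduced: 10.14.4` unquoted while every other version in this file is quoted.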


@@ -0,0 +1,86 @@
title: LOM Device Request Command
description: Issues LOM requests to devices.
payload:
requesttype: LOMDeviceRequest
supportedOS:
macOS:
introduced: '11.0'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Used to send LOM requests ("PowerON", "PowerOFF", "Reset") to LOM Controller
which then forwards the request to LOM Devices.
payloadkeys:
- key: RequestList
type: <array>
presence: required
content: An array of requests to perform.
subkeys:
- key: RequestListItem
type: <dictionary>
presence: required
subkeys:
- key: DeviceRequestType
type: <string>
presence: required
rangelist:
- PowerON
- PowerOFF
- Reset
content: The requested action to perform on the device.
- key: DeviceRequestUUID
type: <string>
presence: required
content: The unique identifier of the request.
- key: DeviceDNSName
type: <string>
presence: required
content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName.
- key: PrimaryIPv6AddressList
type: <array>
presence: required
content: An array that contains the IPv6 addresses for primary LOM-compatible
Ethernet interfaces for the device.
subkeys:
- key: PrimaryIPv6AddressListItem
type: <string>
presence: required
- key: SecondaryIPv6AddressList
type: <array>
presence: required
content: An array that contains the IPv6 addresses for secondary LOM-compatible
Ethernet interfaces for the device.
subkeys:
- key: SecondaryIPv6AddressListItem
type: <string>
presence: required
- key: LOMProtocolVersion
type: <integer>
presence: required
content: The LOM protocol version that the device supports. Provide the same
value that 'LOMProtocolVersion' receives in the LOMSetupRequestResponse.
responsekeys:
- key: ResponseList
type: <array>
presence: required
content: An array of dictionaries that describes the status of each request.
subkeys:
- key: ResponseListItem
type: <dictionary>
presence: required
subkeys:
- key: DeviceRequestSuccess
type: <boolean>
presence: required
content: If 'true', the request was successful.
- key: DeviceRequestUUID
type: <string>
presence: required
content: The unique identifier of the request for this response list item.
- key: DeviceRequestReturnError
type: <string>
presence: optional
content: If present, a description of the error for a failed request.
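Review bot: 'LOMProtocolVersion' content tells the server to echo the value from the LOMSetupRequestResponse, but nothing in the payload or response keys says what happens on a mismatch; document the error case (for example as a 'DeviceRequestReturnError' value). 'DeviceDNSName' says the value "should match" the SCEP 'dNSName' SAN, which leaves it unclear whether a mismatch is rejected or merely discouraged; state the actual behaviour. Grammar in `content`: "to LOM Controller which then forwards the request to LOM Devices" should read "to the LOM controller, which then forwards the request to the LOM devices".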


@@ -0,0 +1,40 @@
title: LOM Setup Request Command
description: Queries the device for LOM setup information such as IP addresses, protocol
version, etc.
payload:
requesttype: LOMSetupRequest
supportedOS:
macOS:
introduced: '11.0'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Queries the device for LOM setup information such as IP addresses, protocol
version, etc. The MDM server must send this command prior to sending the LOMDeviceRequest
command.
responsekeys:
- key: PrimaryIPv6AddressList
type: <array>
presence: required
content: An array that contains the IPv6 addresses for primary LOM-compatible Ethernet
interfaces for the device.
subkeys:
- key: PrimaryIPv6AddressListItem
type: <string>
presence: required
- key: SecondaryIPv6AddressList
type: <array>
presence: required
content: An array that contains the IPv6 addresses for secondary LOM-compatible
Ethernet interfaces for the device.
subkeys:
- key: SecondaryIPv6AddressListItem
type: <string>
presence: required
- key: LOMProtocolVersion
type: <integer>
presence: required
content: The LOM protocol version that the device supports.
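Review bot: `description` and `content` both end in "such as IP addresses, protocol version, etc.", but the response has exactly three keys ('PrimaryIPv6AddressList', 'SecondaryIPv6AddressList', 'LOMProtocolVersion'); name them instead of "etc.". The ordering requirement ("must send this command prior to sending the LOMDeviceRequest command") appears only here; the LOMDeviceRequest file should state or reference it as well, so a reader of either file sees the dependency.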


@@ -0,0 +1,90 @@
title: App Attributes Command
description: Queries managed application attributes. Attributes can be set on managed
apps. These attributes can be changed over time.
payload:
requesttype: ManagedApplicationAttributes
supportedOS:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: Queries managed application attributes. Attributes can be set on managed
apps. These attributes can be changed over time.
payloadkeys:
- key: Identifiers
type: <array>
presence: required
content: The bundle identifiers of the managed apps.
subkeys:
- key: IdentifiersItem
type: <string>
responsekeys:
- key: ApplicationAttributes
type: <array>
presence: required
content: An array of app attributes items.
subkeys:
- key: ApplicationAttributesItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The app's bundle identifier.
- key: Attributes
type: <dictionary>
presence: optional
content: The app's attributes.
subkeys:
- key: VPNUUID
type: <string>
presence: optional
content: A per-app VPN unique identifier for this app.
- key: AssociatedDomains
supportedOS:
iOS:
introduced: '13.0'
tvOS:
introduced: n/a
type: <array>
presence: optional
content: This app's associated domains. This value is available in iOS 13
and later.
subkeys:
- key: AssociatedDomain
type: <string>
- key: AssociatedDomainsEnableDirectDownloads
supportedOS:
iOS:
introduced: '14.0'
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', perform claimed site association verification directly
at the domain instead of on Apple's servers. Only set this to 'true' for
domains that can't access the internet. This value is available in iOS 14
and later.
- key: Removable
supportedOS:
iOS:
introduced: '14.0'
tvOS:
introduced: '14.0'
type: <boolean>
presence: optional
default: true
content: If 'false', this app isn't removable while it's a managed app. This
value is available in iOS 14 and later.
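Review bot: 'IdentifiersItem' and 'ApplicationAttributesItem' carry no `presence` key, while the array-item entries in the LOM files ('RequestListItem', 'PrimaryIPv6AddressListItem', and so on) are marked `presence: required`; pick one convention for array items. 'AssociatedDomainsEnableDirectDownloads' is given `default: true` while its content says "Only set this to 'true' for domains that can't access the internet", which reads as if 'true' were the exception; please confirm the default, since 'true' by default would mean every managed app does direct association downloads unless the server opts out.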


@@ -0,0 +1,64 @@
title: App Configuration Command
description: This command queries the device for the current configuration of managed
applications. This command requires the App Management right. macOS supports this
command as of 10.15, on the device channel and for User Enrollments only, because
Settings->ApplicationConfiguration is supported. Since macOS does not support Managed
Applications, this command can be used for any bundle identifier.
payload:
requesttype: ManagedApplicationConfiguration
supportedOS:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.15'
accessrights: AllowAppInstallation
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command queries the device for the current configuration of managed
applications. This command requires the App Management right.
payloadkeys:
- key: Identifiers
type: <array>
presence: required
content: The bundle identifiers of the managed apps.
subkeys:
- key: IdentifiersItem
type: <string>
responsekeys:
- key: ApplicationConfigurations
type: <array>
presence: required
content: An array of app configurations items.
subkeys:
- key: ApplicationConfigurationsItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The app's bundle identifier.
- key: Configuration
type: <dictionary>
presence: optional
content: The app's configurations.
subkeys:
- key: ANY
type: <any>
presence: optional
content: The app's configuration items.
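Review bot: `description` says macOS supports this command "on the device channel and for User Enrollments only", but the macOS `supportedOS` block encodes `userenrollment: mode: allowed` rather than a required/only mode, and the macOS sentences are dropped from `content` entirely; either encode the restriction in the schema or drop "only" from the description so the two agree. The description also says the command "can be used for any bundle identifier" on macOS because Managed Applications are unsupported there, yet 'Identifiers' content says "The bundle identifiers of the managed apps"; add the macOS caveat to the key content.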


@@ -0,0 +1,66 @@
title: App Feedback Command
description: This command queries the device for application feedback information.
This command requires the App Management right.
payload:
requesttype: ManagedApplicationFeedback
supportedOS:
iOS:
introduced: '7.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: AllowAppInstallation
devicechannel: false
userchannel: true
userenrollment:
mode: forbidden
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
supervised: false
content: This command queries the device for application feedback information. This
command requires the App Management right.
payloadkeys:
- key: Identifiers
type: <array>
presence: required
content: The bundle identifiers of the managed apps.
subkeys:
- key: IdentifiersItem
type: <string>
- key: DeleteFeedback
type: <boolean>
presence: optional
default: false
content: If 'true', delete the app's feedback dictionary after the server reads
it.
responsekeys:
- key: ManagedApplicationFeedback
type: <array>
presence: required
content: An array of managed app feedback items.
subkeys:
- key: ManagedApplicationFeedbackItem
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The app's bundle identifier.
- key: Feedback
type: <dictionary>
presence: optional
content: The app's feedback.
subkeys:
- key: ANY
type: <any>
presence: optional
content: The app's feedback items.
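Review bot: the macOS `supportedOS` block omits `requiresdep`, which every other macOS block in this commit sets (`requiresdep: false`); add it. 'DeleteFeedback' content says the feedback dictionary is deleted "after the server reads it", but the read is this command's own response; say explicitly that the device removes the dictionary once it has produced this response, so a subsequent query returns no feedback for that app.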


@@ -0,0 +1,150 @@
title: Install Media Command
description: This command allows the server to install a book on a device. If the
book is already being managed, this command will update the book.
payload:
requesttype: InstallMedia
supportedOS:
iOS:
introduced: '8.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.9'
accessrights: AllowAppInstallation
devicechannel: false
userchannel: true
requiresdep: false
userenrollment:
mode: forbidden
content: This command allows the server to install a book on a device. If the book
is already being managed, this command will update the book.
payloadkeys:
- key: iTunesStoreID
type: <integer>
presence: optional
content: The book's iTunes Store identifier.
- key: MediaURL
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The URL to retrieve the book. This value is available in iOS 8 and later.
- key: MediaType
type: <string>
presence: required
rangelist:
- Book
content: The media type, which can only be 'Book'.
- key: PersistentID
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The book's persistent identifier in reverse-DNS form; for example, 'com.acme.manuals.training'.
This value is available in iOS 8 and later.
- key: Kind
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- pdf
- epub
- ibooks
content: |-
The kind of the media, which can be one of the following values:
* 'pdf': A PDF file
* 'epub': An EPUB file in 'gzip' format.
* 'ibooks': An iBooks Author file in 'gzip' format.
If you omit this value, its value is the file extension in the URL. This value is available in iOS 8 and later.
- key: Version
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The book's version number. This value is available in iOS 8 and later.
- key: Author
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The name of the book's author. This value is available in iOS 8 and later.
- key: Title
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The book's title. This value is available in iOS 8 and later.
responsekeys:
- key: iTunesStoreID
type: <integer>
presence: optional
content: The book's iTunes Store identifier, if present in the command.
- key: MediaURL
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The URL to retrieve the book, if present in the command. This value is
available in iOS 8 and later.
- key: PersistentID
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The book's persistent identifier, if present in the command. This value
is available in iOS 8 and later.
- key: MediaType
type: <string>
presence: optional
content: The media type, which can only be 'Book'.
- key: State
type: <string>
presence: optional
rangelist:
- Queued
- PromptingForLogin
- Updating
- Installing
- Managed
- ManagedButUninstalled
- Installed
- Uninstalled
- Failed
- Unknown
content: The installation state of this book. The 'Failed' and 'Unknown' states
are transient and the device only reports them once. Books from the Book Store
report their state as 'Installed' instead of 'Managed'.
- key: RejectionReason
type: <string>
presence: optional
rangelist:
- CouldNotVerifyITunesStoreID
- PurchaseNotFound
- AppStoreDisabled
- WrongMediaType
- DownloadInvalid
- EnterpriseBooksNotSupportedInMultiUser
content: |-
The reason, if installation fails, which is one of the following values:
* 'CouldNotVerifyITunesStoreID': The 'iTunesStoreID' is invalid.
* 'PurchaseNotFound': The Volume Purchase Program (VPP) license isn't in the user's history.
* 'AppStoreDisabled': App Store isn't available on the device.
* 'WrongMediaType': The media type is invalid. The only valid type is 'Book'.
* 'DownloadInvalid': The URL doesn't lead to a valid book.
* 'EnterpriseBooksNotSupportedInMultiUser': Multiuser mode doesn't support enterprise books.
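Review bot: 'iTunesStoreID' and 'MediaURL' are both `presence: optional` and nothing states that at least one must be supplied, so an empty command is schema-valid; since 'MediaURL', 'PersistentID', 'Kind', 'Version', 'Author' and 'Title' are all `introduced: n/a` on macOS, the effect is that on macOS only an 'iTunesStoreID' install is possible. Document the either/or requirement in `content` or in the command description. 'RejectionReason' is `presence: optional` with no statement that it is present only when 'State' is 'Failed'; tie the two together.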


@@ -0,0 +1,73 @@
title: Managed Media List Command
description: This command allows the server to query for installed 3rd party applications.
payload:
requesttype: ManagedMediaList
supportedOS:
iOS:
introduced: '8.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
content: This command allows the server to query for installed 3rd party applications.
responsekeys:
- key: Books
type: <array>
presence: required
content: An array of dictionaries that describes managed books.
subkeys:
- key: BooksItem
type: <dictionary>
subkeys:
- key: iTunesStoreID
type: <integer>
presence: required
content: The book's iTunes Store identifier.
- key: State
type: <string>
presence: optional
content: |-
The installation state of this book, which is one of the following values:
* 'Queued'
* 'PromptingForLogin'
* 'Updating'
* 'Installing'
* 'Managed'
* 'ManagedButUninstalled'
* 'Installed'
* 'Uninstalled'
* 'Failed'
* 'Unknown'
The 'Failed' and 'Unknown' states are transient and the device only reports them once. Books from the Book Store report their state as 'Installed' instead of 'Managed'.
- key: PersistentID
type: <string>
presence: optional
content: The book's persistent identifier in reverse-DNS form; for example,
'com.acme.manuals.training'.
- key: Kind
type: <string>
presence: optional
content: |-
The kind of the media, which is one of the following values:
* 'pdf': A PDF file
* 'epub': An EPUB file in 'gzip' format
* 'ibooks': An iBooks Author file in 'gzip' format
* The file extension in the URL
This value is available in iOS 8 and later.
- key: Version
type: <string>
presence: optional
content: The book's version number.
- key: Author
type: <string>
presence: optional
content: The name of the book's author.
- key: Title
type: <string>
presence: optional
content: The book's title.
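Review bot: `description` and `content` ("query for installed 3rd party applications") describe the wrong command; the response key is 'Books' and every item describes a managed book, so this should read "query for managed books" (compare InstallMedia and RemoveMedia, which are book-only). The 'State' and 'Kind' values here duplicate the ones in InstallMedia's response but are given as bullet text rather than `rangelist`; use `rangelist` so the values are machine-checkable and stay in sync between the two files.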


@@ -0,0 +1,34 @@
title: Remove Media Command
description: This command allows an MDM server to remove managed media. This command
returns Acknowledged even if the item is not found.
payload:
requesttype: RemoveMedia
supportedOS:
iOS:
introduced: '8.0'
accessrights: AllowAppInstallation
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
content: This command allows an MDM server to remove managed media. This command
returns Acknowledged even if the item is not found.
payloadkeys:
- key: MediaType
type: <string>
presence: required
rangelist:
- Book
content: The media type, which can only be 'Book'.
- key: iTunesStoreID
type: <string>
presence: optional
content: The book's iTunes Store identifier.
- key: PersistentID
type: <string>
presence: optional
content: The book's persistent identifier in reverse-DNS form; for example, 'com.acme.manuals.training'.
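Review bot: 'iTunesStoreID' is `type: <string>` here but `type: <integer>` in InstallMedia and ManagedMediaList; a server that round-trips the value from ManagedMediaList into RemoveMedia will violate one of the three schemas, so align them. The description says the command "returns Acknowledged even if the item is not found"; since both identifiers are optional, also state what happens when neither 'iTunesStoreID' nor 'PersistentID' is supplied.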


@@ -0,0 +1,55 @@
title: Request Mirroring Command
description: This command prompts the user to share their screen using AirPlay mirroring.
payload:
requesttype: RequestMirroring
supportedOS:
iOS:
introduced: '7.0'
accessrights: None
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '10.10'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
content: This command prompts the user to share their screen using AirPlay Mirroring.
payloadkeys:
- key: DestinationName
type: <string>
presence: optional
content: The name of the AirPlay Mirroring destination.
- key: DestinationDeviceID
type: <string>
presence: optional
content: The hardware address of the AirPlay Mirroring destination that identifies
the device, in the format 'xx:xx:xx:xx:xx'. This value isn't case-sensitive.
- key: ScanTime
type: <integer>
presence: optional
content: The number of seconds, from '10' to '300', for the device to spend searching
for the destination. The default value is '30'.
- key: Password
type: <string>
presence: optional
content: The screen-sharing password that the device uses when connecting to the
destination.
responsekeys:
- key: MirroringResult
type: <string>
presence: optional
content: |-
The result of the request. One of these values:
* 'Prompting': The user is receiving a prompt to share their screen.
* 'DestinationNotFound': The device is unable to reach the destination.
* 'Cancelled': The user canceled the request.
* 'Unknown': An unknown error occurred.
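Review bot: 'DestinationDeviceID' gives the format as 'xx:xx:xx:xx:xx' (five groups); a hardware (MAC) address has six, so this should be 'xx:xx:xx:xx:xx:xx'. The 'ScanTime' bounds ("from '10' to '300'", default '30') live only in prose; if the schema supports a numeric range constraint, encode it so out-of-range values are caught by validation. Minor: `description` says "AirPlay mirroring" and `content` says "AirPlay Mirroring"; pick one spelling.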


@@ -0,0 +1,25 @@
title: Stop Mirroring Command
description: This command stops AirPlay mirroring.
payload:
requesttype: StopMirroring
supportedOS:
iOS:
introduced: '7.0'
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.10'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: This command stops AirPlay mirroring.


@@ -0,0 +1,23 @@
title: Clear Passcode Command
description: This command allows the server to clear the passcode on the device. This
command requires the Device Lock and Passcode Removal right.
payload:
requesttype: ClearPasscode
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowPasscodeRemovalAndLock
supervised: false
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
content: This command allows the server to clear the passcode on the device. This
command requires the Device Lock and Passcode Removal right.
payloadkeys:
- key: UnlockToken
type: <data>
presence: required
content: The unlock token value that the device provides in its 'TokenUpdateMessage'
check-in message.
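Review bot: the same right is named two ways in this commit: `accessrights: AllowPasscodeRemovalAndLock` here versus `accessrights: DeviceLockAndRemovePasscode` in the LOM, firmware-password and recovery-lock commands, while the prose in all of them calls it the "Device Lock and Passcode Removal right"; if these are distinct identifiers, document both, otherwise unify them. The iOS `supportedOS` block also lacks `devicechannel`/`userchannel`, which every other iOS block in this commit sets.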


@@ -0,0 +1,37 @@
title: Set Firmware Password Command
description: Changes or clears the firmware password for the device.
payload:
requesttype: SetFirmwarePassword
supportedOS:
macOS:
introduced: '10.13'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Changes or clears the firmware password for the device. Requires the "Device
lock and passcode removal right". This command is not available on Apple silicon
devices.
payloadkeys:
- key: CurrentPassword
type: <string>
presence: optional
content: The current password, which you must set if the device has a firmware password.
- key: NewPassword
type: <string>
presence: required
content: The new firmware password. Set to an empty string to clear the password.
The characters in this value must consist of low-ASCII, printable characters ('0x20'
through '0x7E') to ensure that all characters are enterable on the EFI login screen.
- key: AllowOroms
type: <boolean>
presence: optional
default: false
content: If 'true', enable ROMs.
responsekeys:
- key: PasswordChanged
type: <boolean>
presence: required
content: If 'true', the password change succeeded.
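Review bot: 'AllowOroms' content "If 'true', enable ROMs" is unclear; the key name points to Option ROMs, so write "If 'true', allow Option ROMs to load" and say what the default of 'false' blocks. The quoting in `content` is off: "Requires the "Device lock and passcode removal right"." should read "Requires the Device Lock and Passcode Removal right." to match the other files. 'NewPassword' restricts characters to '0x20' through '0x7E' but gives no length limit; if the firmware enforces one, state it so servers can validate before sending.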


@@ -0,0 +1,25 @@
title: Verify Firmware Password Command
description: Verifies the device's firmware password.
payload:
requesttype: VerifyFirmwarePassword
supportedOS:
macOS:
introduced: '10.13'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Verifies the device's firmware password. This command is not available
on Apple silicon devices.
payloadkeys:
- key: Password
type: <string>
presence: required
content: The password to verify.
responsekeys:
- key: PasswordVerified
type: <boolean>
presence: required
content: If 'true', the provided password matches the firmware password on the device.
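Review bot: `accessrights: None` here while SetFirmwarePassword and VerifyRecoveryLock both require `DeviceLockAndRemovePasscode`; a command that returns 'PasswordVerified' is a yes/no check against the firmware password, so it should carry at least the same right as the matching set command, or the asymmetry should be documented as intentional. `content` should also say whether failed verifications are logged or throttled on the device, since the schema exposes no failure-count field for the server to monitor.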


@@ -0,0 +1,26 @@
title: Set Recovery Lock Command
description: Sets or clears the recovery lock password (AppleSilicon devices only)
payload:
requesttype: SetRecoveryLock
supportedOS:
macOS:
introduced: '11.5'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Sets or clears the recovery lock password (AppleSilicon devices only).
Requires the "Device lock and passcode removal right".
payloadkeys:
- key: CurrentPassword
type: <string>
presence: optional
content: If the device has a Recovery Lock password set, the system requires the
current password.
- key: NewPassword
type: <string>
presence: required
content: The new password for Recovery Lock. Set as an empty string to clear the
Recovery Lock password.
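Review bot: unlike SetFirmwarePassword, this command defines no `responsekeys`, so the server cannot tell whether the change took effect (compare 'PasswordChanged'); add an equivalent response key or state that failure is reported only through the command error. 'NewPassword' also lacks the character-set and length constraints that SetFirmwarePassword documents; if Recovery Lock has any, list them. Style: "AppleSilicon" should be "Apple silicon" as in the SecurityInfo file, `description` lacks a terminating period, and the quoting in "Requires the "Device lock and passcode removal right"." should match the other files.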


@@ -0,0 +1,24 @@
title: Verify Recovery Lock Command
description: Verifies the device's recovery lock password. (AppleSilicon devices only)
payload:
requesttype: VerifyRecoveryLock
supportedOS:
macOS:
introduced: '11.5'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: Verifies the device's recovery lock password. (AppleSilicon devices only)
payloadkeys:
- key: Password
type: <string>
presence: required
content: The password to verify.
responsekeys:
- key: PasswordVerified
type: <boolean>
presence: required
content: If 'true', the device verified the password.
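Review bot: 'PasswordVerified' content ("If 'true', the device verified the password") is vaguer than the same key in VerifyFirmwarePassword ("the provided password matches the firmware password on the device"); say explicitly that 'true' means the supplied value matches the current Recovery Lock password, and what the response is when no Recovery Lock password is set. "AppleSilicon" should be "Apple silicon".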


@@ -0,0 +1,22 @@
title: Request Unlock Token Command
description: This command requests an UnlockToken from the device.
payload:
requesttype: RequestUnlockToken
supportedOS:
iOS:
introduced: '5.0'
deprecated: 6.1.6
accessrights: None
supervised: true
requiresdep: false
sharedipad:
mode: forbidden
userenrollment:
mode: forbidden
content: This command requests an UnlockToken from the device. Pass this token to
the ClearPasscode command to unlock the device.
responsekeys:
- key: UnlockToken
type: <data>
presence: required
content: The unlock token. Erasing the user partition invalidates this token.
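Review bot: `deprecated: 6.1.6` is unquoted while `introduced: '5.0'` is quoted; quote it for consistency with the rest of the commit. The iOS block omits `devicechannel`/`userchannel`, as ClearPasscode does but unlike the other iOS entries. Since the command is deprecated, `content` should tell servers what to use instead; the ClearPasscode file already says the 'UnlockToken' arrives in the 'TokenUpdateMessage' check-in, so point readers there rather than leaving this as an apparent primary path.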


@@ -0,0 +1,41 @@
title: Install Profile Command
description: This command allows the host to install a configuration profile. The
profile may be encrypted using any installed identity certificate. The profile may
also be signed. This command requires the Profile Installation and Removal right.
It's supported in the user channel.
payload:
requesttype: InstallProfile
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowInstallationRemoval
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowInstallationRemoval
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
accessrights: AllowInstallationRemoval
supervised: false
content: This command allows the host to install a configuration profile. The profile
may be encrypted using any installed identity certificate. The profile may also
be signed. This command requires the Profile Installation and Removal right. It's
supported in the user channel.
payloadkeys:
- key: Payload
type: <data>
presence: required
content: The profile to install, which you can encrypt using any identity certificate
installed on the device. You can also sign the profile.


@@ -0,0 +1,154 @@
title: Profile List Command
description: This command allows the MDM server to query for the profiles installed
on the device. This command requires the Inspect Profile Manifest right. It's supported
on the user channel.
payload:
requesttype: ProfileList
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowInspection
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowInspection
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
accessrights: AllowInspection
supervised: false
content: This command allows the MDM server to query for the profiles installed
on the device. This command requires the Inspect Profile Manifest right. It's
supported on the user channel.
payloadkeys:
- key: ManagedOnly
supportedOS:
iOS:
introduced: '13.0'
macOS:
introduced: '10.15'
tvOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: false
content: If 'true', only include profiles that MDM has installed. For user enrollments,
the device ignores this key and always limits the results to managed profiles.
This value is available in iOS 13 and later, macOS 10.5 and later, and tvOS 13
and later.
responsekeys:
- key: ProfileList
type: <array>
presence: required
content: An array of dictionaries that describes each installed profile.
subkeys:
- key: ProfileListItem
type: <dictionary>
subkeys:
- key: PayloadUUID
type: <string>
presence: required
content: The unique identifier for the profile.
- key: PayloadIdentifier
type: <string>
presence: required
content: The reverse-DNS-style identifier of the profile; for example, 'com.example.myprofile'.
- key: PayloadVersion
type: <integer>
presence: optional
content: The version of the configuration profile as a whole, not of the individual
profiles within it. The value should be '1'.
- key: PayloadDisplayName
type: <string>
presence: optional
content: The human-readable name of the profile.
- key: PayloadOrganization
type: <string>
presence: optional
content: The human-readable name of the organization that provided the profile.
- key: PayloadDescription
type: <string>
presence: optional
content: The description of the profile.
- key: PayloadRemovalDisallowed
type: <boolean>
presence: optional
default: false
content: If 'true', the user can't delete the profile unless it has a removal
password and the user provides it. The framework ignores this field on unsupervised
devices.
- key: HasRemovalPasscode
type: <boolean>
presence: optional
default: false
content: If 'true', the profile has a passcode for removal.
- key: IsEncrypted
type: <boolean>
presence: optional
default: false
content: If 'true', it's an encrypted profile.
- key: SignerCertificates
type: <array>
presence: optional
content: An array that contains the certificate for signing the profile, followed
by any intermediate certificates, in DER-encoded X.509 format.
subkeys:
- key: CertificateItem
type: <data>
content: DER-encoded X.509 certificate
- key: IsManaged
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', the current MDM service installed the profile. MDM doesn't
return this value for supervised devices, and can remove or replace all profiles
on supervised devices.
- key: PayloadContent
type: <array>
presence: optional
content: An array of payload content items. This value isn't present if 'IsEncrypted'
is 'true'.
subkeys:
- key: PayloadContentItem
type: <dictionary>
subkeys:
- key: PayloadType
type: <string>
presence: required
content: The type of payload for the profile. The only supported value is
'Configuration'.
- key: PayloadVersion
type: <integer>
presence: required
content: The version of the configuration profile as a whole, not of the
individual profiles within it. The value should be '1'.
- key: PayloadIdentifier
type: <string>
presence: required
content: The reverse-DNS-style identifier of the profile; for example, 'com.example.myprofile'.
- key: PayloadDisplayName
type: <string>
presence: optional
content: The human-readable name of the profile.
- key: PayloadDescription
type: <string>
presence: optional
content: The description of the profile.
- key: PayloadOrganization
type: <string>
presence: optional
content: The human-readable name of the organization that provided the profile.
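Review bot: 'ManagedOnly' content says "macOS 10.5 and later" but the key's `supportedOS` gives `macOS: introduced: '10.15'`; this should be 10.15. 'PayloadVersion' appears both at the profile level and inside each 'PayloadContentItem' with identical content ("the configuration profile as a whole, not of the individual profiles within it"); the inner one describes a payload, not the profile, so reword it. 'SignerCertificates' content should say whether the device has validated the signature and chain or merely reports the certificates it found, since a server using this list for trust decisions needs to know. Minor: 'CertificateItem' content lacks a terminating period.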


@@ -0,0 +1,40 @@
title: Install Provisioning Profile Command
description: This command allows the server to install a provisioning profile. No
error occurs if the provisioning profile is already installed. This command requires
the Provisioning Profile Installation and Removal right. On macOS, this command
is for iOS and iPadOS style provisioning profiles only.
payload:
requesttype: InstallProvisioningProfile
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowProvisioningInstallationRemoval
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowProvisioningInstallationRemoval
supervised: false
content: This command allows the server to install a provisioning profile. No error
occurs if the provisioning profile is already installed. This command requires
the Provisioning Profile Installation and Removal right. On macOS, this command
is for iOS and iPadOS style provisioning profiles only.
payloadkeys:
- key: ProvisioningProfile
type: <data>
presence: required
content: The provisioning profile.
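Review bot: the description states that this command requires the Provisioning Profile Installation and Removal right, but the macOS entry declares `accessrights: None` while iOS and tvOS declare `AllowProvisioningInstallationRemoval`; either qualify the sentence as iOS and tvOS only or state that macOS applies no access-right check for this command. `description` and `content` are verbatim copies of each other; if both fields are needed, the shorter summary belongs in `description`. The ProvisioningProfile key's content, "The provisioning profile.", does not say what the `<data>` value contains (the raw provisioning profile file, or some other encoding), which a server author needs in order to build the payload.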

@@ -0,0 +1,69 @@
title: Provisioning Profile List Command
description: This command allows the server to retrieve the list of installed provisioning
profiles on the device. This command requires the Inspect Provisioning Profiles
right. On macOS, this command is for iOS and iPadOS style provisioning profiles
only.
payload:
requesttype: ProvisioningProfileList
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowProvisioningInspection
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowProvisioningInspection
supervised: false
content: This command allows the server to retrieve the list of installed provisioning
profiles on the device. This command requires the Inspect Provisioning Profiles
right. On macOS, this command is for iOS and iPadOS style provisioning profiles
only.
payloadkeys:
- key: ManagedOnly
supportedOS:
iOS:
introduced: '13.0'
tvOS:
introduced: '13.0'
type: <boolean>
presence: optional
default: false
content: If 'true', only include profiles that MDM has installed. For user enrollments,
the device ignores this key and always limits the results to managed profiles.
This value is available in iOS 13 and later, and tvOS 13 and later.
responsekeys:
- key: ProvisioningProfileList
type: <array>
presence: required
content: An array of dictionaries that describes each installed profile.
subkeys:
- key: ProvisioningProfileListItem
type: <dictionary>
subkeys:
- key: Name
type: <string>
presence: required
content: The display name of the provisioning profile.
- key: UUID
type: <string>
presence: required
content: The unique identifier for the provisioning profile.
- key: ExpiryDate
type: <date>
presence: optional
content: The expiry date of the provisioning profile.
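Review bot: ManagedOnly's content repeats its own supportedOS block ("available in iOS 13 and later, and tvOS 13 and later") and neither mentions macOS, although the command itself is supported on macOS from 11.0; state explicitly whether ManagedOnly is honored on macOS or ignored there. The same macOS mismatch as the install command applies: `accessrights: None` versus a description that says the Inspect Provisioning Profiles right is required. Since ManagedOnly defaults to false, the list returned by default can contain profiles MDM did not install, yet ProvisioningProfileListItem has no flag analogous to the IsManaged key of the profile list schema; consider adding one so the server can distinguish managed from unmanaged entries without a second query.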

@@ -0,0 +1,38 @@
title: Remove Provisioning Profile Command
description: This command allows the server to remove a provisioning profile. This
command requires the Provisioning Profile Installation and Removal right. On macOS,
this command is for iOS and iPadOS style provisioning profiles only.
payload:
requesttype: RemoveProvisioningProfile
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowProvisioningInstallationRemoval
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: allowed
macOS:
introduced: '11.0'
accessrights: None
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowProvisioningInstallationRemoval
supervised: false
content: This command allows the server to remove a provisioning profile. This command
requires the Provisioning Profile Installation and Removal right. On macOS, this
command is for iOS and iPadOS style provisioning profiles only.
payloadkeys:
- key: UUID
type: <string>
presence: required
content: The unique identifier of the provisioning profile to remove.
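Review bot: the UUID content should say that the value is the `UUID` returned for each item in the ProvisioningProfileList response, so a server knows where the identifier comes from; at present the two keys are linked only by sharing a name. As with the install and list commands, macOS has `accessrights: None` while the description says the Provisioning Profile Installation and Removal right is required; the description and the macOS entry should agree. It would also help to state what happens when no profile with the given UUID is installed, since the install command spells out its already-installed behaviour.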

@@ -0,0 +1,36 @@
title: Remove Profile Command
description: This command allows the server to remove a profile. This command requires
the Profile Installation and Removal Right. It's supported in the user channel.
payload:
requesttype: RemoveProfile
supportedOS:
iOS:
introduced: '4.0'
accessrights: AllowInstallationRemoval
supervised: false
requiresdep: false
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
macOS:
introduced: '10.7'
accessrights: AllowInstallationRemoval
devicechannel: true
userchannel: true
requiresdep: false
userenrollment:
mode: allowed
tvOS:
introduced: '6.0'
accessrights: AllowInstallationRemoval
supervised: false
content: This command allows the server to remove a profile. This command requires
the Profile Installation and Removal Right. It's supported in the user channel.
payloadkeys:
- key: Identifier
type: <string>
presence: required
content: The identifier of the profile to remove.
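Review bot: Identifier's content, "The identifier of the profile to remove.", should name the identifier space it refers to; the profile list schema earlier in this diff defines PayloadIdentifier as a reverse-DNS string such as 'com.example.myprofile', so say that this key takes that PayloadIdentifier value. Two consistency points: "Right" is capitalized here where every other command writes "right", and the macOS supportedOS block omits `supervised` while iOS and tvOS set it to false. "It's supported in the user channel." duplicates `userchannel: true`; if the prose is kept, it should also note that the device channel is supported, as the structured data says.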

@@ -0,0 +1,14 @@
title: Remote Desktop Disable Command
description: Disable Remote Desktop on the device.
payload:
requesttype: DisableRemoteDesktop
supportedOS:
macOS:
introduced: 10.14.4
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Disable Remote Desktop.
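Review bot: `introduced: 10.14.4` is the only unquoted version value in this diff; the other entries quote theirs ('10.9', '11.0') so that a YAML loader never reads a value such as 10.9 as a float, and this entry should follow the same convention. The command also declares no `accessrights` key, while every other command here does; for a command that changes the state of a remote-access service, a server author needs to know which MDM right gates it, so either add the key or document that none applies. `content: Disable Remote Desktop.` adds nothing over the description; it would be more useful to state the behaviour when Remote Desktop is already disabled, as the provisioning-profile commands do for their already-installed case.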

@@ -0,0 +1,14 @@
title: Remote Desktop Enable Command
description: Enable Remote Desktop on the device.
payload:
requesttype: EnableRemoteDesktop
supportedOS:
macOS:
introduced: 10.14.4
devicechannel: true
userchannel: false
supervised: true
requiresdep: false
userenrollment:
mode: forbidden
content: Enable Remote Desktop.
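Review bot: `introduced: 10.14.4` should be quoted like every other version string in this diff, and the command declares no `accessrights` key where all other commands do. Because this command turns on a remote-access service, the missing access right is the more important of the two: the schema should state which MDM right a server must hold to send it, or say explicitly that it is gated only by `supervised: true` and the forbidden user-enrollment mode shown here. `content: Enable Remote Desktop.` repeats the description and could instead say whether the command succeeds when Remote Desktop is already enabled.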

@@ -0,0 +1,79 @@
title: Rotate FileVault Key Command
description: This command allows for changing a device's FileVaultMaster password.
payload:
requesttype: RotateFileVaultKey
supportedOS:
macOS:
introduced: '10.9'
accessrights: DeviceLockAndRemovePasscode
devicechannel: true
userchannel: false
requiresdep: false
userenrollment:
mode: forbidden
content: This command allows for changing a device's FileVaultMaster password.
payloadkeys:
- key: KeyType
type: <string>
presence: required
rangelist:
- personal
- institutional
content: The type of FileVault key you want to change the password for. Set this
value to 'personal' and set a value for 'Password' in the 'FileVaultUnlock' dictionary
to enable unlocking a device with a password. Set this value to 'institutional'
and set values for 'PrivateKeyExport' and 'PrivateKeyExportPassword' in the 'FileVaultUnlock'
dictionary.
- key: FileVaultUnlock
type: <dictionary>
presence: required
content: A dictionary that contains FileVault unlock options.
subkeys:
- key: Password
title: Password
type: <string>
presence: optional
content: A FileVault user's password, or if using a CoreStorage volume, the personal
recovery key.
- key: PrivateKeyExport
title: PrivateKeyExport
supportedOS:
macOS:
deprecated: '10.15'
type: <data>
presence: optional
content: The data for a .p12 export of the private key for the current institutional
recovery key, which requires that 'KeyType' is 'institutional'. The system ignores
this key on APFS volumes.
- key: PrivateKeyExportPassword
title: PrivateKeyExportPassword
supportedOS:
macOS:
deprecated: '10.15'
type: <string>
presence: optional
content: The password for 'PrivateKeyExport'. Either 'Password' or both 'PrivateKeyExport'
and 'PrivateKeyExportPassword' must be present. The system ignores this key
on APFS volumes.
- key: NewCertificate
type: <data>
presence: optional
content: A DER-encoded certificate for creating a new institutional recovery key,
which the system requires if 'KeyType' is 'institutional'.
- key: ReplyEncryptionCertificate
type: <data>
presence: optional
content: A DER-encoded certificate for encrypting the new personal recovery key
in a wrapper conforming to the IETF Cryptographic Message Syntax (CMS) standard.
responsekeys:
- key: RotateResult
type: <dictionary>
presence: optional
content: The result of rotating the personal recovery key.
subkeytype: RotateResultItem
subkeys:
- key: EncryptedNewRecoveryKey
type: <data>
presence: optional
content: A new personal recovery key that is encrypted using a 'ReplyEncryptionCertificate'
as a CMS-compliant envelope.
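Review bot: ReplyEncryptionCertificate is optional and EncryptedNewRecoveryKey is described as encrypted with it, but the schema never says what the device returns when no certificate is supplied: nothing, or the new personal recovery key in the clear. The reply carries a disk-decryption secret, so state this explicitly, and if the key is only ever returned encrypted, say that ReplyEncryptionCertificate is required when KeyType is 'personal'. Smaller points: KeyType's content still instructs the server to set PrivateKeyExport and PrivateKeyExportPassword for 'institutional' even though both subkeys are marked deprecated in 10.15 and ignored on APFS, while NewCertificate, which this hunk says is required for 'institutional', is not mentioned there; NewCertificate is `presence: optional` although its content says the system requires it for 'institutional', so the conditional requirement should at least be stated in the presence terms; and `subkeytype: RotateResultItem` with direct subkeys differs from the nested `- key: ...Item` pattern the other dictionaries in this diff use.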
