From 4e8e108dbbb29f041579290ce875683fe3bbc1bc Mon Sep 17 00:00:00 2001 
From: Cyrus Daboo Date: Fri, 3 Jun 2022 16:16:40 -0400 Subject: [PATCH] Release_iOS-15_macOS-12 --- .github/PULL_REQUEST_TEMPLATE.md | 3 + .gitignore | 0 LICENSE.txt | 20 + README.md | 36 + .../declarations/activations/simple.yaml | 23 + .../assets/credential.userpassword.yaml | 34 + .../credentials/usernameandpassword.yaml | 16 + .../declarations/assets/useridentity.yaml | 18 + .../configurations/account.caldav.yaml | 37 + .../configurations/account.carddav.yaml | 36 + .../configurations/account.exchange.yaml | 210 ++ .../configurations/account.google.yaml | 25 + .../configurations/account.ldap.yaml | 69 + .../configurations/account.mail.yaml | 103 + .../account.subscribed-calendar.yaml | 28 + .../configurations/legacy.interactive.yaml | 22 + .../declarations/configurations/legacy.yaml | 15 + .../management.status-subscriptions.yaml | 22 + .../configurations/management.test.yaml | 24 + .../configurations/passcode.settings.yaml | 72 + declarative/declarations/declarationbase.yaml | 25 + .../management/organization-info.yaml | 37 + .../management/server-capabilities.yaml | 25 + .../protocol/declarationitemsresponse.yaml | 84 + declarative/protocol/statusreport.yaml | 57 + declarative/protocol/tokensresponse.yaml | 16 + declarative/status/device.model.family.yaml | 14 + .../status/device.model.identifier.yaml | 17 + .../status/device.model.marketing-name.yaml | 15 + ...device.operating-system.build-version.yaml | 14 + .../device.operating-system.family.yaml | 14 + ...evice.operating-system.marketing-name.yaml | 14 + .../device.operating-system.version.yaml | 14 + .../management.client-capabilities.yaml | 105 + .../status/management.declarations.yaml | 128 + declarative/status/statusreason.yaml | 23 + docs/schema.md | 209 ++ docs/schema.yaml | 227 ++ mdm/checkin/authenticate.yaml | 157 + mdm/checkin/checkout.yaml | 61 + mdm/checkin/declarativemanagement.yaml | 38 + mdm/checkin/getbootstraptoken.yaml | 32 + mdm/checkin/setbootstraptoken.yaml | 32 + 
mdm/checkin/tokenupdate.yaml | 164 + mdm/checkin/userauthenticate.yaml | 34 + mdm/commands/account.configuration.yaml | 117 + .../application.extensions.listactive.yaml | 73 + .../application.extensions.mappings.yaml | 41 + .../application.install.enterprise.yaml | 118 + mdm/commands/application.install.yaml | 231 ++ mdm/commands/application.installed.list.yaml | 247 ++ mdm/commands/application.invitetoprogram.yaml | 48 + mdm/commands/application.managed.list.yaml | 170 ++ mdm/commands/application.redemptioncode.yaml | 26 + mdm/commands/application.remove.yaml | 33 + mdm/commands/application.validate.yaml | 32 + mdm/commands/certificate.list.yaml | 70 + mdm/commands/declarativemanagement.yaml | 23 + .../device.activationlock.bypasscode.yaml | 30 + ...device.activationlock.clearbypasscode.yaml | 24 + mdm/commands/device.configured.yaml | 31 + mdm/commands/device.erase.yaml | 105 + mdm/commands/device.esim.yaml | 27 + mdm/commands/device.lock.yaml | 74 + mdm/commands/device.lostmode.disable.yaml | 17 + mdm/commands/device.lostmode.enable.yaml | 35 + mdm/commands/device.lostmode.location.yaml | 74 + mdm/commands/device.lostmode.playsound.yaml | 21 + mdm/commands/device.restart.yaml | 78 + .../device.restrictions.clearpassword.yaml | 15 + mdm/commands/device.restrictions.list.yaml | 123 + mdm/commands/device.shutdown.yaml | 27 + mdm/commands/information.contentcaching.yaml | 629 ++++ mdm/commands/information.device.yaml | 2027 +++++++++++++ mdm/commands/information.security.yaml | 466 +++ mdm/commands/lom.devicerequest.yaml | 86 + mdm/commands/lom.setuprequest.yaml | 40 + .../managed.application.attributes.yaml | 90 + .../managed.application.configuration.yaml | 64 + .../managed.application.feedback.yaml | 66 + mdm/commands/media.install.yaml | 150 + mdm/commands/media.managed.list.yaml | 73 + mdm/commands/media.remove.yaml | 34 + mdm/commands/mirroring.request.yaml | 55 + mdm/commands/mirroring.stop.yaml | 25 + mdm/commands/passcode.clear.yaml | 23 + 
mdm/commands/passcode.firmware.set.yaml | 37 + mdm/commands/passcode.firmware.verify.yaml | 25 + mdm/commands/passcode.recovery.set.yaml | 26 + mdm/commands/passcode.recovery.verify.yaml | 24 + mdm/commands/passcode.unlocktoken.yaml | 22 + mdm/commands/profile.install.yaml | 41 + mdm/commands/profile.list.yaml | 154 + .../profile.provisioning.install.yaml | 40 + mdm/commands/profile.provisioning.list.yaml | 69 + mdm/commands/profile.provisioning.remove.yaml | 38 + mdm/commands/profile.remove.yaml | 36 + mdm/commands/remotedesktop.disable.yaml | 14 + mdm/commands/remotedesktop.enable.yaml | 14 + mdm/commands/rotate.file.vault.key.yaml | 79 + mdm/commands/set.auto.admin.password.yaml | 33 + mdm/commands/settings.yaml | 775 +++++ mdm/commands/system.update.available.yaml | 198 ++ mdm/commands/system.update.scan.yaml | 27 + mdm/commands/system.update.schedule.yaml | 168 ++ mdm/commands/system.update.status.yaml | 63 + mdm/commands/user.delete.yaml | 55 + mdm/commands/user.list.yaml | 115 + mdm/commands/user.logout.yaml | 17 + mdm/commands/user.unlock.yaml | 22 + mdm/profiles/CommonPayloadKeys.yaml | 70 + mdm/profiles/GlobalPreferences.yaml | 27 + mdm/profiles/TopLevel.yaml | 205 ++ .../com.apple.ADCertificate.managed.yaml | 118 + mdm/profiles/com.apple.AIM.account.yaml | 62 + .../com.apple.AssetCache.managed.yaml | 288 ++ mdm/profiles/com.apple.Dictionary.yaml | 20 + .../com.apple.DirectoryService.managed.yaml | 265 ++ mdm/profiles/com.apple.DiscRecording.yaml | 28 + mdm/profiles/com.apple.MCX(Accounts).yaml | 32 + mdm/profiles/com.apple.MCX(EnergySaver).yaml | 154 + mdm/profiles/com.apple.MCX(FileVault2).yaml | 34 + mdm/profiles/com.apple.MCX(Mobililty).yaml | 47 + mdm/profiles/com.apple.MCX(TimeServer).yaml | 25 + mdm/profiles/com.apple.MCX(WiFi).yaml | 39 + mdm/profiles/com.apple.MCX.FileVault2.yaml | 95 + mdm/profiles/com.apple.MCX.TimeMachine.yaml | 59 + .../com.apple.ManagedClient.preferences.yaml | 43 + mdm/profiles/com.apple.NSExtension.yaml | 47 + 
.../com.apple.SetupAssistant.managed.yaml | 137 + mdm/profiles/com.apple.ShareKitHelper.yaml | 38 + mdm/profiles/com.apple.SoftwareUpdate.yaml | 100 + .../com.apple.SystemConfiguration.yaml | 125 + ...pple.TCC.configuration-profile-policy.yaml | 261 ++ mdm/profiles/com.apple.airplay.security.yaml | 46 + mdm/profiles/com.apple.airplay.yaml | 115 + mdm/profiles/com.apple.airprint.yaml | 82 + mdm/profiles/com.apple.apn.managed.yaml | 64 + mdm/profiles/com.apple.app.lock.yaml | 194 ++ .../com.apple.applicationaccess.new.yaml | 91 + mdm/profiles/com.apple.applicationaccess.yaml | 2685 +++++++++++++++++ mdm/profiles/com.apple.appstore.yaml | 54 + mdm/profiles/com.apple.asam.yaml | 43 + .../com.apple.associated-domains.yaml | 54 + mdm/profiles/com.apple.caldav.account.yaml | 76 + mdm/profiles/com.apple.carddav.account.yaml | 128 + mdm/profiles/com.apple.cellular.yaml | 183 ++ .../com.apple.conferenceroomdisplay.yaml | 18 + ...e.configurationprofile.identification.yaml | 66 + mdm/profiles/com.apple.dashboard.yaml | 39 + mdm/profiles/com.apple.desktop.yaml | 28 + mdm/profiles/com.apple.dnsProxy.managed.yaml | 49 + .../com.apple.dnsSettings.managed.yaml | 187 ++ mdm/profiles/com.apple.dock.yaml | 282 ++ mdm/profiles/com.apple.domains.yaml | 69 + mdm/profiles/com.apple.eas.account.yaml | 428 +++ mdm/profiles/com.apple.education.yaml | 281 ++ mdm/profiles/com.apple.ews.account.yaml | 117 + .../com.apple.extensiblesso(kerberos).yaml | 356 +++ mdm/profiles/com.apple.extensiblesso.yaml | 119 + ...om.apple.familycontrols.contentfilter.yaml | 69 + ...om.apple.familycontrols.timelimits.v2.yaml | 75 + mdm/profiles/com.apple.fileproviderd.yaml | 21 + mdm/profiles/com.apple.finder.yaml | 70 + ...com.apple.firstactiveethernet.managed.yaml | 21 + .../com.apple.firstethernet.managed.yaml | 21 + mdm/profiles/com.apple.font.yaml | 40 + mdm/profiles/com.apple.gamed.yaml | 45 + .../com.apple.globalethernet.managed.yaml | 21 + mdm/profiles/com.apple.google-oauth.yaml | 82 + 
mdm/profiles/com.apple.homescreenlayout.yaml | 77 + mdm/profiles/com.apple.ironwood.support.yaml | 26 + mdm/profiles/com.apple.jabber.account.yaml | 61 + mdm/profiles/com.apple.ldap.account.yaml | 98 + .../com.apple.loginitems.managed.yaml | 35 + mdm/profiles/com.apple.loginwindow.yaml | 155 + mdm/profiles/com.apple.lom.yaml | 49 + mdm/profiles/com.apple.mail.managed.yaml | 338 +++ mdm/profiles/com.apple.mcxMenuExtras.yaml | 134 + mdm/profiles/com.apple.mcxloginscripts.yaml | 49 + mdm/profiles/com.apple.mcxprinting.yaml | 100 + mdm/profiles/com.apple.mdm.yaml | 246 ++ ...com.apple.mobiledevice.passwordpolicy.yaml | 185 ++ mdm/profiles/com.apple.networkusagerules.yaml | 82 + .../com.apple.notificationsettings.yaml | 163 + mdm/profiles/com.apple.osxserver.account.yaml | 60 + .../com.apple.preference.security.yaml | 29 + mdm/profiles/com.apple.preferences.users.yaml | 19 + .../com.apple.profileRemovalPassword.yaml | 32 + mdm/profiles/com.apple.proxy.http.global.yaml | 90 + mdm/profiles/com.apple.screensaver.user.yaml | 30 + mdm/profiles/com.apple.screensaver.yaml | 49 + ...om.apple.secondactiveethernet.managed.yaml | 21 + .../com.apple.secondethernet.managed.yaml | 21 + ...m.apple.security.FDERecoveryKeyEscrow.yaml | 43 + ...om.apple.security.FDERecoveryRedirect.yaml | 34 + ....apple.security.certificatepreference.yaml | 29 + ....apple.security.certificaterevocation.yaml | 41 + ...pple.security.certificatetransparency.yaml | 69 + mdm/profiles/com.apple.security.firewall.yaml | 74 + ...com.apple.security.identitypreference.yaml | 29 + mdm/profiles/com.apple.security.pem.yaml | 43 + mdm/profiles/com.apple.security.pkcs1.yaml | 43 + mdm/profiles/com.apple.security.pkcs12.yaml | 79 + mdm/profiles/com.apple.security.root.yaml | 43 + mdm/profiles/com.apple.security.scep.yaml | 186 ++ .../com.apple.security.smartcard.yaml | 71 + .../com.apple.security.wapi-identity.yaml | 9 + .../com.apple.shareddeviceconfiguration.yaml | 40 + mdm/profiles/com.apple.sso.yaml | 66 + 
.../com.apple.subscribedcalendar.account.yaml | 52 + ...ple.syspolicy.kernel-extension-policy.yaml | 59 + .../com.apple.system-extension-policy.yaml | 96 + mdm/profiles/com.apple.system.logging.yaml | 48 + mdm/profiles/com.apple.systemmigration.yaml | 52 + .../com.apple.systempolicy.control.yaml | 28 + .../com.apple.systempolicy.managed.yaml | 22 + mdm/profiles/com.apple.systempolicy.rule.yaml | 50 + mdm/profiles/com.apple.systempreferences.yaml | 78 + mdm/profiles/com.apple.systemuiserver.yaml | 122 + ...com.apple.thirdactiveethernet.managed.yaml | 21 + .../com.apple.thirdethernet.managed.yaml | 21 + mdm/profiles/com.apple.tvremote.yaml | 60 + mdm/profiles/com.apple.universalaccess.yaml | 132 + .../com.apple.vpn.managed.applayer.yaml | 167 + .../com.apple.vpn.managed.appmapping.yaml | 94 + mdm/profiles/com.apple.vpn.managed.yaml | 1311 ++++++++ mdm/profiles/com.apple.webClip.managed.yaml | 97 + mdm/profiles/com.apple.webcontent-filter.yaml | 283 ++ mdm/profiles/com.apple.wifi.managed.yaml | 627 ++++ mdm/profiles/com.apple.xsan.preferences.yaml | 71 + mdm/profiles/com.apple.xsan.yaml | 60 + mdm/profiles/loginwindow.yaml | 25 + 233 files changed, 25461 insertions(+) create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .gitignore create mode 100644 LICENSE.txt create mode 100644 README.md create mode 100644 declarative/declarations/activations/simple.yaml create mode 100644 declarative/declarations/assets/credential.userpassword.yaml create mode 100644 declarative/declarations/assets/credentials/usernameandpassword.yaml create mode 100644 declarative/declarations/assets/useridentity.yaml create mode 100644 declarative/declarations/configurations/account.caldav.yaml create mode 100644 declarative/declarations/configurations/account.carddav.yaml create mode 100644 declarative/declarations/configurations/account.exchange.yaml create mode 100644 declarative/declarations/configurations/account.google.yaml create mode 100644 
declarative/declarations/configurations/account.ldap.yaml create mode 100644 declarative/declarations/configurations/account.mail.yaml create mode 100644 declarative/declarations/configurations/account.subscribed-calendar.yaml create mode 100644 declarative/declarations/configurations/legacy.interactive.yaml create mode 100644 declarative/declarations/configurations/legacy.yaml create mode 100644 declarative/declarations/configurations/management.status-subscriptions.yaml create mode 100644 declarative/declarations/configurations/management.test.yaml create mode 100644 declarative/declarations/configurations/passcode.settings.yaml create mode 100644 declarative/declarations/declarationbase.yaml create mode 100644 declarative/declarations/management/organization-info.yaml create mode 100644 declarative/declarations/management/server-capabilities.yaml create mode 100644 declarative/protocol/declarationitemsresponse.yaml create mode 100644 declarative/protocol/statusreport.yaml create mode 100644 declarative/protocol/tokensresponse.yaml create mode 100644 declarative/status/device.model.family.yaml create mode 100644 declarative/status/device.model.identifier.yaml create mode 100644 declarative/status/device.model.marketing-name.yaml create mode 100644 declarative/status/device.operating-system.build-version.yaml create mode 100644 declarative/status/device.operating-system.family.yaml create mode 100644 declarative/status/device.operating-system.marketing-name.yaml create mode 100644 declarative/status/device.operating-system.version.yaml create mode 100644 declarative/status/management.client-capabilities.yaml create mode 100644 declarative/status/management.declarations.yaml create mode 100644 declarative/status/statusreason.yaml create mode 100644 docs/schema.md create mode 100644 docs/schema.yaml create mode 100644 mdm/checkin/authenticate.yaml create mode 100644 mdm/checkin/checkout.yaml create mode 100644 mdm/checkin/declarativemanagement.yaml create mode 
100644 mdm/checkin/getbootstraptoken.yaml create mode 100644 mdm/checkin/setbootstraptoken.yaml create mode 100644 mdm/checkin/tokenupdate.yaml create mode 100644 mdm/checkin/userauthenticate.yaml create mode 100644 mdm/commands/account.configuration.yaml create mode 100644 mdm/commands/application.extensions.listactive.yaml create mode 100644 mdm/commands/application.extensions.mappings.yaml create mode 100644 mdm/commands/application.install.enterprise.yaml create mode 100644 mdm/commands/application.install.yaml create mode 100644 mdm/commands/application.installed.list.yaml create mode 100644 mdm/commands/application.invitetoprogram.yaml create mode 100644 mdm/commands/application.managed.list.yaml create mode 100644 mdm/commands/application.redemptioncode.yaml create mode 100644 mdm/commands/application.remove.yaml create mode 100644 mdm/commands/application.validate.yaml create mode 100644 mdm/commands/certificate.list.yaml create mode 100644 mdm/commands/declarativemanagement.yaml create mode 100644 mdm/commands/device.activationlock.bypasscode.yaml create mode 100644 mdm/commands/device.activationlock.clearbypasscode.yaml create mode 100644 mdm/commands/device.configured.yaml create mode 100644 mdm/commands/device.erase.yaml create mode 100644 mdm/commands/device.esim.yaml create mode 100644 mdm/commands/device.lock.yaml create mode 100644 mdm/commands/device.lostmode.disable.yaml create mode 100644 mdm/commands/device.lostmode.enable.yaml create mode 100644 mdm/commands/device.lostmode.location.yaml create mode 100644 mdm/commands/device.lostmode.playsound.yaml create mode 100644 mdm/commands/device.restart.yaml create mode 100644 mdm/commands/device.restrictions.clearpassword.yaml create mode 100644 mdm/commands/device.restrictions.list.yaml create mode 100644 mdm/commands/device.shutdown.yaml create mode 100644 mdm/commands/information.contentcaching.yaml create mode 100644 mdm/commands/information.device.yaml create mode 100644 
mdm/commands/information.security.yaml create mode 100644 mdm/commands/lom.devicerequest.yaml create mode 100644 mdm/commands/lom.setuprequest.yaml create mode 100644 mdm/commands/managed.application.attributes.yaml create mode 100644 mdm/commands/managed.application.configuration.yaml create mode 100644 mdm/commands/managed.application.feedback.yaml create mode 100644 mdm/commands/media.install.yaml create mode 100644 mdm/commands/media.managed.list.yaml create mode 100644 mdm/commands/media.remove.yaml create mode 100644 mdm/commands/mirroring.request.yaml create mode 100644 mdm/commands/mirroring.stop.yaml create mode 100644 mdm/commands/passcode.clear.yaml create mode 100644 mdm/commands/passcode.firmware.set.yaml create mode 100644 mdm/commands/passcode.firmware.verify.yaml create mode 100644 mdm/commands/passcode.recovery.set.yaml create mode 100644 mdm/commands/passcode.recovery.verify.yaml create mode 100644 mdm/commands/passcode.unlocktoken.yaml create mode 100644 mdm/commands/profile.install.yaml create mode 100644 mdm/commands/profile.list.yaml create mode 100644 mdm/commands/profile.provisioning.install.yaml create mode 100644 mdm/commands/profile.provisioning.list.yaml create mode 100644 mdm/commands/profile.provisioning.remove.yaml create mode 100644 mdm/commands/profile.remove.yaml create mode 100644 mdm/commands/remotedesktop.disable.yaml create mode 100644 mdm/commands/remotedesktop.enable.yaml create mode 100644 mdm/commands/rotate.file.vault.key.yaml create mode 100644 mdm/commands/set.auto.admin.password.yaml create mode 100644 mdm/commands/settings.yaml create mode 100644 mdm/commands/system.update.available.yaml create mode 100644 mdm/commands/system.update.scan.yaml create mode 100644 mdm/commands/system.update.schedule.yaml create mode 100644 mdm/commands/system.update.status.yaml create mode 100644 mdm/commands/user.delete.yaml create mode 100644 mdm/commands/user.list.yaml create mode 100644 mdm/commands/user.logout.yaml create mode 100644 
mdm/commands/user.unlock.yaml create mode 100644 mdm/profiles/CommonPayloadKeys.yaml create mode 100644 mdm/profiles/GlobalPreferences.yaml create mode 100644 mdm/profiles/TopLevel.yaml create mode 100644 mdm/profiles/com.apple.ADCertificate.managed.yaml create mode 100644 mdm/profiles/com.apple.AIM.account.yaml create mode 100644 mdm/profiles/com.apple.AssetCache.managed.yaml create mode 100644 mdm/profiles/com.apple.Dictionary.yaml create mode 100644 mdm/profiles/com.apple.DirectoryService.managed.yaml create mode 100644 mdm/profiles/com.apple.DiscRecording.yaml create mode 100644 mdm/profiles/com.apple.MCX(Accounts).yaml create mode 100644 mdm/profiles/com.apple.MCX(EnergySaver).yaml create mode 100644 mdm/profiles/com.apple.MCX(FileVault2).yaml create mode 100644 mdm/profiles/com.apple.MCX(Mobililty).yaml create mode 100644 mdm/profiles/com.apple.MCX(TimeServer).yaml create mode 100644 mdm/profiles/com.apple.MCX(WiFi).yaml create mode 100644 mdm/profiles/com.apple.MCX.FileVault2.yaml create mode 100644 mdm/profiles/com.apple.MCX.TimeMachine.yaml create mode 100644 mdm/profiles/com.apple.ManagedClient.preferences.yaml create mode 100644 mdm/profiles/com.apple.NSExtension.yaml create mode 100644 mdm/profiles/com.apple.SetupAssistant.managed.yaml create mode 100644 mdm/profiles/com.apple.ShareKitHelper.yaml create mode 100644 mdm/profiles/com.apple.SoftwareUpdate.yaml create mode 100644 mdm/profiles/com.apple.SystemConfiguration.yaml create mode 100644 mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml create mode 100644 mdm/profiles/com.apple.airplay.security.yaml create mode 100644 mdm/profiles/com.apple.airplay.yaml create mode 100644 mdm/profiles/com.apple.airprint.yaml create mode 100644 mdm/profiles/com.apple.apn.managed.yaml create mode 100644 mdm/profiles/com.apple.app.lock.yaml create mode 100644 mdm/profiles/com.apple.applicationaccess.new.yaml create mode 100644 mdm/profiles/com.apple.applicationaccess.yaml create mode 100644 
mdm/profiles/com.apple.appstore.yaml create mode 100644 mdm/profiles/com.apple.asam.yaml create mode 100644 mdm/profiles/com.apple.associated-domains.yaml create mode 100644 mdm/profiles/com.apple.caldav.account.yaml create mode 100644 mdm/profiles/com.apple.carddav.account.yaml create mode 100644 mdm/profiles/com.apple.cellular.yaml create mode 100644 mdm/profiles/com.apple.conferenceroomdisplay.yaml create mode 100644 mdm/profiles/com.apple.configurationprofile.identification.yaml create mode 100644 mdm/profiles/com.apple.dashboard.yaml create mode 100644 mdm/profiles/com.apple.desktop.yaml create mode 100644 mdm/profiles/com.apple.dnsProxy.managed.yaml create mode 100644 mdm/profiles/com.apple.dnsSettings.managed.yaml create mode 100644 mdm/profiles/com.apple.dock.yaml create mode 100644 mdm/profiles/com.apple.domains.yaml create mode 100644 mdm/profiles/com.apple.eas.account.yaml create mode 100644 mdm/profiles/com.apple.education.yaml create mode 100644 mdm/profiles/com.apple.ews.account.yaml create mode 100644 mdm/profiles/com.apple.extensiblesso(kerberos).yaml create mode 100644 mdm/profiles/com.apple.extensiblesso.yaml create mode 100644 mdm/profiles/com.apple.familycontrols.contentfilter.yaml create mode 100644 mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml create mode 100644 mdm/profiles/com.apple.fileproviderd.yaml create mode 100644 mdm/profiles/com.apple.finder.yaml create mode 100644 mdm/profiles/com.apple.firstactiveethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.firstethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.font.yaml create mode 100644 mdm/profiles/com.apple.gamed.yaml create mode 100644 mdm/profiles/com.apple.globalethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.google-oauth.yaml create mode 100644 mdm/profiles/com.apple.homescreenlayout.yaml create mode 100644 mdm/profiles/com.apple.ironwood.support.yaml create mode 100644 mdm/profiles/com.apple.jabber.account.yaml create mode 100644 
mdm/profiles/com.apple.ldap.account.yaml create mode 100644 mdm/profiles/com.apple.loginitems.managed.yaml create mode 100644 mdm/profiles/com.apple.loginwindow.yaml create mode 100644 mdm/profiles/com.apple.lom.yaml create mode 100644 mdm/profiles/com.apple.mail.managed.yaml create mode 100644 mdm/profiles/com.apple.mcxMenuExtras.yaml create mode 100644 mdm/profiles/com.apple.mcxloginscripts.yaml create mode 100644 mdm/profiles/com.apple.mcxprinting.yaml create mode 100644 mdm/profiles/com.apple.mdm.yaml create mode 100644 mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml create mode 100644 mdm/profiles/com.apple.networkusagerules.yaml create mode 100644 mdm/profiles/com.apple.notificationsettings.yaml create mode 100644 mdm/profiles/com.apple.osxserver.account.yaml create mode 100644 mdm/profiles/com.apple.preference.security.yaml create mode 100644 mdm/profiles/com.apple.preferences.users.yaml create mode 100644 mdm/profiles/com.apple.profileRemovalPassword.yaml create mode 100644 mdm/profiles/com.apple.proxy.http.global.yaml create mode 100644 mdm/profiles/com.apple.screensaver.user.yaml create mode 100644 mdm/profiles/com.apple.screensaver.yaml create mode 100644 mdm/profiles/com.apple.secondactiveethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.secondethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml create mode 100644 mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml create mode 100644 mdm/profiles/com.apple.security.certificatepreference.yaml create mode 100644 mdm/profiles/com.apple.security.certificaterevocation.yaml create mode 100644 mdm/profiles/com.apple.security.certificatetransparency.yaml create mode 100644 mdm/profiles/com.apple.security.firewall.yaml create mode 100644 mdm/profiles/com.apple.security.identitypreference.yaml create mode 100644 mdm/profiles/com.apple.security.pem.yaml create mode 100644 mdm/profiles/com.apple.security.pkcs1.yaml create mode 100644 
mdm/profiles/com.apple.security.pkcs12.yaml create mode 100644 mdm/profiles/com.apple.security.root.yaml create mode 100644 mdm/profiles/com.apple.security.scep.yaml create mode 100644 mdm/profiles/com.apple.security.smartcard.yaml create mode 100644 mdm/profiles/com.apple.security.wapi-identity.yaml create mode 100644 mdm/profiles/com.apple.shareddeviceconfiguration.yaml create mode 100644 mdm/profiles/com.apple.sso.yaml create mode 100644 mdm/profiles/com.apple.subscribedcalendar.account.yaml create mode 100644 mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml create mode 100644 mdm/profiles/com.apple.system-extension-policy.yaml create mode 100644 mdm/profiles/com.apple.system.logging.yaml create mode 100644 mdm/profiles/com.apple.systemmigration.yaml create mode 100644 mdm/profiles/com.apple.systempolicy.control.yaml create mode 100644 mdm/profiles/com.apple.systempolicy.managed.yaml create mode 100644 mdm/profiles/com.apple.systempolicy.rule.yaml create mode 100644 mdm/profiles/com.apple.systempreferences.yaml create mode 100644 mdm/profiles/com.apple.systemuiserver.yaml create mode 100644 mdm/profiles/com.apple.thirdactiveethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.thirdethernet.managed.yaml create mode 100644 mdm/profiles/com.apple.tvremote.yaml create mode 100644 mdm/profiles/com.apple.universalaccess.yaml create mode 100644 mdm/profiles/com.apple.vpn.managed.applayer.yaml create mode 100644 mdm/profiles/com.apple.vpn.managed.appmapping.yaml create mode 100644 mdm/profiles/com.apple.vpn.managed.yaml create mode 100644 mdm/profiles/com.apple.webClip.managed.yaml create mode 100644 mdm/profiles/com.apple.webcontent-filter.yaml create mode 100644 mdm/profiles/com.apple.wifi.managed.yaml create mode 100644 mdm/profiles/com.apple.xsan.preferences.yaml create mode 100644 mdm/profiles/com.apple.xsan.yaml create mode 100644 mdm/profiles/loginwindow.yaml 
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..0995d06
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,3 @@
+This repository does not accept pull requests.
+
+All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area.
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..e8dc617
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,20 @@
+Copyright © 2022 Apple Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..bc8ef57
--- /dev/null
+++ b/README.md
@@ -0,0 +1,36 @@
+# Device Management Client Schema
+
+This repository contains Apple's Device Management Client schema data for the MDM (Mobile Device Management) protocol, and the Declarative Device Management feature.
+
+## OS Versions
+
+This release corresponds to the following OS versions
+
+| OS | Version |
+|---------|---------|
+| iOS | 15.0 |
+| macOS | 12.0 |
+| tvOS | 15.0 |
+| watchOS | 8.0 |
+
+## What's Available
+
+The following schema items are available:
+
+* MDM commands - `mdm/commands`
+* MDM check-in requests - `mdm/checkin`
+* MDM profiles - `mdm/profiles`
+
+* Declarative device management declarations - `declarative/declarations`
+* Declarative device management status items - `declarative/status`
+* Declarative device management protocol - `declarative/protocol`
+
+## YAML Schema Definition
+
+See [YAML Schema](docs/schema.md).
+
+## Providing Feedback
+
+All feedback on the data in this repository should be made using the `Feedback Assistant` app or website (https://feedbackassistant.apple.com). Select feedback for `Enterprise & Education`, and choose the `Mobile Device Management (MDM)` area.
+
+We will NOT be accepting pull requests on this repository - please use `Feedback Assistant` for all requests.
diff --git a/declarative/declarations/activations/simple.yaml b/declarative/declarations/activations/simple.yaml
new file mode 100644
index 0000000..417250e
--- /dev/null
+++ b/declarative/declarations/activations/simple.yaml
@@ -0,0 +1,23 @@
+title: Activation:Simple
+description: An activation used to install a set of configurations.
+payload:
+ declarationtype: com.apple.activation.simple
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: StandardConfigurations
+ type:
+ presence: required
+ content: An array of strings that specify the identifiers of configurations to install.
+ A failure to install one of the configurations doesn't prevent other configurations
+ from installing.
+ subkeys:
+ - key: StandardConfigurationsItems
+ type:
+- key: Predicate
+ type:
+ presence: optional
+ content: A predicate format string as Apple's Predicate Programming
+ describes. The activation only installs when the predicate evaluates to 'true'
+ or isn't present.
diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml
new file mode 100644
index 0000000..e4d5a00
--- /dev/null
+++ b/declarative/declarations/assets/credential.userpassword.yaml
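Review bot: Every `type:` key in this hunk (`StandardConfigurations`, `StandardConfigurationsItems`, `Predicate`) has an empty value, which a YAML loader reads as `null` rather than a type name, and the same holds for the `type:` keys in the credential.userpassword.yaml, usernameandpassword.yaml and useridentity.yaml hunks that follow. If this is only an artifact of how the patch was rendered (angle-bracketed type names dropped), the files need no change; if the committed files really carry empty `type:` values, nothing can be validated against this schema. Separately, the `Predicate` content says the activation installs when the predicate evaluates to 'true' or is absent, but does not say what happens when the string cannot be parsed or evaluated as a predicate; a sentence such as `A predicate that can't be evaluated is treated as 'false' and the activation isn't installed.` would close that gap, assuming that is the intended client behavior, which the hunk does not show.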
@@ -0,0 +1,34 @@
+title: Credential:User Name and Password
+description: A reference to data describing a credential representing a user name
+ and password. Note that this should always be considered as security sensitive data.
+payload:
+ declarationtype: com.apple.asset.credential.userpassword
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: Reference
+ type:
+ presence: required
+ content: The reference to the credential.
+ subkeys:
+ - key: DataURL
+ type:
+ presence: required
+ content: The URL that hosts the credential data. The URL must start with 'https://'.
+ - key: ContentType
+ type:
+ presence: required
+ content: The media type that describes the data.
+ - key: Size
+ type:
+ presence: required
+ content: The size of the data at the 'DataURL'. Use this value to verify that
+ the returned data is the expected data. Use this value to detect when the data
+ changes.
+ - key: Hash-SHA-256
+ type:
+ presence: required
+ content: |-
+ A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
+ If 'Size' is '0', clients need to ignore this value or set it to an empty string.
diff --git a/declarative/declarations/assets/credentials/usernameandpassword.yaml b/declarative/declarations/assets/credentials/usernameandpassword.yaml
new file mode 100644
index 0000000..4ae0d05
--- /dev/null
+++ b/declarative/declarations/assets/credentials/usernameandpassword.yaml
@@ -0,0 +1,16 @@
+title: User Name and Password Credentials
+description: Data describing a credential representing a user name and password.
+payload:
+ credentialtype: com.apple.credential.usernameandpassword
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: UserName
+ type:
+ presence: required
+ content: The user's user name for the credential.
+- key: Password
+ type:
+ presence: optional
+ content: The user's password for the credential.
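Review bot: `Hash-SHA-256` does not state the encoding of the hash value (hex or Base64) or what the client does when the fetched data doesn't match it, and `Size` is described as a way to 'verify' the data although a length check is not an integrity check; since the data behind `DataURL` is a user name and password, the content should say that a mismatch causes the asset to be rejected rather than used. The last sentence, 'clients need to ignore this value or set it to an empty string', is ambiguous about which side sets the empty string and reads as if a server can send a `Size` of '0' to switch the hash check off entirely; spell out the intended rule, for example `If 'Size' is '0', the server sends an empty string and the client doesn't verify the hash.` once confirmed against the implementation. The usernameandpassword hunk that follows makes `Password` optional without saying what an absent password means for the account configuration that consumes it.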
diff --git a/declarative/declarations/assets/useridentity.yaml b/declarative/declarations/assets/useridentity.yaml
new file mode 100644
index 0000000..0510ce5
--- /dev/null
+++ b/declarative/declarations/assets/useridentity.yaml
@@ -0,0 +1,18 @@
+title: User Identity
+description: User identity data.
+payload:
+ declarationtype: com.apple.asset.useridentity
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: FullName
+ title: Full Name
+ type:
+ presence: optional
+ content: The user's full name.
+- key: EmailAddress
+ title: Email Address
+ type:
+ presence: optional
+ content: The user's email address.
diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml
new file mode 100644
index 0000000..96c6a92
--- /dev/null
+++ b/declarative/declarations/configurations/account.caldav.yaml
@@ -0,0 +1,37 @@
+title: Account:CalDAV
+description: Use this configuration to define settings for access to CalDAV servers.
+payload:
+ declarationtype: com.apple.configuration.account.caldav
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+ content: A CalDAV configuration defines a CalDAV calendar and reminders account
+ for a user.
+payloadkeys:
+- key: VisibleName
+ title: Account Name
+ type:
+ presence: optional
+ content: The name that apps show to the user for this calendar account. If not present,
+ the system generates a suitable default.
+- key: HostName
+ title: Server Host Name
+ type:
+ presence: required
+ content: The hostname of the CalDAV server (or IP address).
+- key: Port
+ title: Server Port
+ type:
+ presence: optional
+ content: The port number for the CalDAV server.
+- key: Path
+ title: Server Path
+ type:
+ presence: optional
+ content: The path for the CalDAV server.
+- key: AuthenticationCredentialsAssetReference
+ title: Authentication Credentials Asset Reference
+ type:
+ presence: optional
+ content: The identifier of an asset declaration that contains the credentials for
+ this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml
new file mode 100644
index 0000000..c0e13ea
--- /dev/null
+++ b/declarative/declarations/configurations/account.carddav.yaml
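Review bot: Nothing in the payload `content` or in `HostName`/`Port`/`Path` says whether the client connects to the CalDAV server over TLS or how the scheme is chosen when `Port` is absent, whereas `Account:Subscribed Calendar` in this commit requires an 'https://' URL; add a sentence to `HostName` stating the transport (for example `The client connects to this host using TLS.`, if that is what the implementation does) or point to the key that controls it. `AuthenticationCredentialsAssetReference` says the asset 'must be of type UserNameAndPasswordCredentials', while the Exchange, Mail and Subscribed Calendar hunks say 'CredentialUserNameAndPassword' and the asset added in this commit is titled 'Credential:User Name and Password' with declaration type 'com.apple.asset.credential.userpassword'; pick one name and use it in every account configuration. Both points apply equally to the CardDAV hunk that follows.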
@@ -0,0 +1,36 @@
+title: Account:CardDAV
+description: Use this configuration to define settings for access to CardDAV servers.
+payload:
+ declarationtype: com.apple.configuration.account.carddav
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+ content: A CardDAV configuration defines a CardDAV contacts account for a user.
+payloadkeys:
+- key: VisibleName
+ title: Account Name
+ type:
+ presence: optional
+ content: The name that apps show to the user for this address book account. If not
+ present, the system generates a suitable default.
+- key: HostName
+ title: Server Host Name
+ type:
+ presence: required
+ content: The hostname of the CardDAV server (or IP address).
+- key: Port
+ title: Server Port
+ type:
+ presence: optional
+ content: The port number for the CardDAV server.
+- key: Path
+ title: Server Path
+ type:
+ presence: optional
+ content: The path for the CardDAV server.
+- key: AuthenticationCredentialsAssetReference
+ title: Authentication Credentials Asset Reference
+ type:
+ presence: optional
+ content: The identifier of an asset declaration that contains the credentials for
+ this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml
new file mode 100644
index 0000000..bb24270
--- /dev/null
+++ b/declarative/declarations/configurations/account.exchange.yaml
@@ -0,0 +1,210 @@ +title: Account:Exchange +description: Use this configuration to define settings for access to Exchange ActiveSync + and Web Services servers. +payload: + declarationtype: com.apple.configuration.account.exchange + supportedOS: + iOS: + introduced: '15.0' + content: This payload configures an Exchange ActiveSync account on an iOS device. +payloadkeys: +- key: VisibleName + title: Account Name + type: + presence: optional + content: The name that apps show to the user for this Exchange account. If not present, + the system generates a suitable default. +- key: EnabledProtocolTypes + title: Enabled Protocol Types + type: + presence: required + content: |- + The set of protocol types to enable on the Exchange server, in order of preference. This is an array of unique strings with possible values: + * 'EAS:' Exchange ActiveSync + * 'EWS:' Exchange Web Services (EWS) + If the device supports one or more of the listed protocol types, it sets up an account for the first supported type. + If the device doesn't support any of the listed protocol types, it doesn't set up an account and the system reports an error. + subkeys: + - key: EnabledProtocolTypesItem + type: + presence: required + rangelist: + - EAS + - EWS +- key: UserIdentityAssetReference + title: User Identity Asset Reference + type: + presence: optional + content: The identifier of an asset declaration that contains the user identity + for this account. The corresponding asset must be of type UserIdentity. +- key: HostName + title: Server Host Name + type: + presence: optional + content: The hostname of the EWS server (or IP address). This is a required field + unless the declaration contains an 'OAuth' property, with a 'SignInURL' that has + 'enabled' as 'true'. +- key: Port + title: Server Port + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The port number of the EWS server. The system uses this only when this + declaration has a 'HostName' value. 
+- key: Path + title: Server Path + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The path of the EWS server. The system uses this only when this declaration + has a 'HostName' value. +- key: ExternalHostName + title: Server External Host Name + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The external hostname of the EWS server (or IP address). This is a required + field unless the declaration contains an 'OAuth' property, with a 'SignInURL' + that has 'enabled' as 'true'. +- key: ExternalPort + title: Server External Port + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The external port number of the EWS server. The system uses this only when + this declaration has a 'HostName' value. +- key: External Path + title: Server External Path + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The external path of the EWS server. The system uses this only when this + declaration has a 'HostName' value. +- key: OAuth + title: Controls use of OAuth + type: + presence: optional + content: The configuration settings for OAuth for this account. + subkeys: + - key: Enabled + title: Use OAuth + type: + presence: required + content: If 'true', enables OAuth for this account. + - key: SignInURL + type: + presence: optional + content: The URL that this account uses for signing in with OAuth. The system + ignores this value unless 'Enabled' is 'true'. The system doesn't use autodiscovery + when a declaraction contains this URL, so the declaration must also contain + a 'HostName'. + - key: TokenRequestURL + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The URL that this account uses for token requests with OAuth. The system + ignores this value unless 'Enabled' is 'true'. 
+- key: AuthenticationCredentialsAssetReference + title: Authentication Credentials Asset Reference + type: + presence: optional + content: The identifier of an asset declaration that contains the credentials for + this account to authenticate with an Exchange server. The corresponding asset + must be of type CredentialUserNameAndPassword. +- key: MailServiceActive + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', activates the mail service for this account. +- key: LockMailService + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents the user from changing the status of the mail service + for this account. +- key: ContactsServiceActive + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', activates the address book service for this account. +- key: LockContactsService + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents the user from changing the status of the address book + service for this account. +- key: CalendarServiceActive + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', activates the calendar service for this account. +- key: LockCalendarService + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents the user from changing the status of the calendar service + for this account. +- key: RemindersServiceActive + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', activates the reminders service for this account. +- key: LockRemindersService + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents the user from changing the status of the reminders + service for this account. 
+- key: NotesServiceActive + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', activates the notes service for this account. +- key: LockNotesService + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents the user from changing the status of the notes service + for this account. diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml new file mode 100644 index 0000000..7c619e0 --- /dev/null +++ b/declarative/declarations/configurations/account.google.yaml @@ -0,0 +1,25 @@ +title: Account:Google +description: Use this configuration to define settings for access to Google services. +payload: + declarationtype: com.apple.configuration.account.google + supportedOS: + iOS: + introduced: '15.0' + content: A Google configuration defines a Google account for a user. The user will + be prompted to enter their credentials shortly after the configuration successfully + installs. +payloadkeys: +- key: VisibleName + title: Account Name + type: + presence: optional + content: The name that apps show to the user for this Google account. If not present, + the system generates a suitable default. +- key: UserIdentityAssetReference + title: User Identity Asset Reference + type: + presence: required + content: The identifier of an asset declaration that contains the user identity + for this Google account. The corresponding asset must be of type UserIdentity. + The asset must contain an 'EmailAddress' key that specifies the full Google email + address for the account. diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml new file mode 100644 index 0000000..32bea36 --- /dev/null +++ b/declarative/declarations/configurations/account.ldap.yaml 
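Review bot: The key `External Path` contains a space, unlike the neighbouring `ExternalHostName` and `ExternalPort` keys, so it is almost certainly meant to be `- key: ExternalPath`; payload keys are matched literally, so the mismatch would make the documented key unusable. The `ExternalPort` and `External Path` content says the value is used only when the declaration has a 'HostName', which presumably should read 'ExternalHostName'. In `EnabledProtocolTypes` the bullets quote `'EAS:'` and `'EWS:'` with the colon inside the quotes, while the `rangelist` values are `EAS` and `EWS`; move the colons outside the quotes. `SignInURL` and `TokenRequestURL` carry the OAuth sign-in and token traffic but, unlike `DataURL`, `CalendarURL` and `ProfileURL` elsewhere in this commit, do not say the URL must start with 'https://'; the `SignInURL` content also spells 'declaraction'.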
@@ -0,0 +1,69 @@ +title: Account:LDAP +description: Use this configuration to define settings for access to LDAP servers. +payload: + declarationtype: com.apple.configuration.account.ldap + supportedOS: + iOS: + introduced: '15.0' + content: An LDAP configuration defines an LDAP directory account for a user. +payloadkeys: +- key: VisibleName + title: Account Name + type: + presence: optional + content: The name that apps show to the user for this LDAP account. If not present, + the system generates a suitable default. +- key: HostName + title: Server Host Name + type: + presence: required + content: The hostname of the LDAP server (or IP address). +- key: Port + title: Server Port + type: + presence: optional + content: The port number of the LDAP server (or IP address). +- key: AuthenticationCredentialsAssetReference + title: Authentication Credentials Asset Reference + type: + presence: optional + content: The identifier of an asset declaration that contains the credentials for + this account. The corresponding asset must be of type UserNameAndPasswordCredentials. +- key: SearchSettings + title: Search Settings + type: + presence: optional + content: The array of nodes to start LDAP searches from. There must be at least + one node for this account to be useful. macOS only searches one node and ignores + other items in the array. + subkeys: + - key: SearchSettingsItem + title: An LDAP Search Setting + type: + subkeys: + - key: VisibleDescription + title: Visible Description + type: + presence: optional + content: The description of this search setting in the Contacts and Settings + apps. If not present, the apps display no name. + - key: SearchBase + title: Search Base + type: + presence: required + content: The path to the node where a search starts. For example, 'ou=people,o=example + corp'. 
+ - key: Scope + title: Scope + type: + presence: optional + rangelist: + - Base + - OneLevel + - Subtree + default: Subtree + content: |- + The type of recursion to use in the saerch. + * 'Base': Only the 'SearchBase' node. + * 'OneLevel': The 'SearchBase' node and its immediate children. + * 'Subtree': The 'SearchBase' node and all its chidren, regardless of depth. diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml new file mode 100644 index 0000000..e8eeb76 --- /dev/null +++ b/declarative/declarations/configurations/account.mail.yaml 
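Review bot: The `Port` content reads 'The port number of the LDAP server (or IP address)', a copy of the `HostName` text; drop '(or IP address)'. Neither the payload `content` nor `HostName`/`Port` states whether the connection uses TLS (LDAPS or StartTLS) or how the client chooses when `Port` is absent, and since the referenced credentials asset supplies a password the transport should be documented here or the controlling key referenced. The `Scope` content spells 'saerch' and 'chidren'.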
@@ -0,0 +1,103 @@ +title: Account:Mail +description: Use this configuration to define settings for access to email servers. +payload: + declarationtype: com.apple.configuration.account.mail + supportedOS: + iOS: + introduced: '15.0' + content: An email configuration defines an email account for a user. +payloadkeys: +- key: VisibleName + title: Account Name + type: + presence: optional + content: The name that apps show to the user for this mail account. If not present, + the system generates a suitable default. +- key: UserIdentityAssetReference + title: User Identity Asset Reference + type: + presence: optional + content: The identifier of an asset declaration that contains the user identity + for this account. The corresponding asset must be of type UserIdentity. +- key: IncomingServer + title: Incoming Server Settings + type: + presence: required + content: The settings for the incoming mail server for this account. + subkeys: + - key: ServerType + title: Server Type + type: + presence: required + rangelist: + - IMAP + - POP + content: The mail protocol this account uses. + - key: HostName + title: Server Host Name + type: + presence: required + content: The host name for the incoming mail server. + - key: Port + title: Server Port + type: + presence: optional + content: The port number for the incoming mail server. + - key: AuthenticationMethod + title: Server Authentication Method + type: + presence: required + rangelist: + - None + - Password + - CRAMMD5 + - NTLM + - HTTPMD5 + content: The authentication method for the incoming mail server. + - key: AuthenticationCredentialsAssetReference + title: Authentication Credentials Asset Reference + type: + presence: optional + content: |- + The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword. + If the 'AuthenticationMethod' is 'None', this field must be blank. 
Otherwise, the declaration must contain this field. + - key: IMAPPathPrefix + title: IMAP Path Prefix + type: + presence: optional + content: The path prefix for the IMAP server. The system uses this only when 'ServerType' + is 'IMAP'. +- key: OutgoingServer + title: Outgoing Server Settings + type: + presence: required + content: The settings for the outgoing mail server for this account. + subkeys: + - key: HostName + title: Server Host Name + type: + presence: required + content: The host name for the outgoing mail server. + - key: Port + title: Server Port + type: + presence: optional + content: The port number for the outgoing mail server. + - key: AuthenticationMethod + title: Server Authentication Method + type: + presence: required + rangelist: + - None + - Password + - CRAMMD5 + - NTLM + - HTTPMD5 + content: The authentication method for the outgoing mail server. + - key: AuthenticationCredentialsAssetReference + title: Authentication Credentials Asset Reference + type: + presence: optional + content: |- + The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword. + If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field. diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml new file mode 100644 index 0000000..769c0d4 --- /dev/null +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml 
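Review bot: Both `AuthenticationCredentialsAssetReference` entries say 'this field must be blank' when `AuthenticationMethod` is 'None', but the key is `presence: optional` and 'blank' does not say whether the key is to be omitted or sent as an empty string; if omission is intended, rewrite the sentence as `If the 'AuthenticationMethod' is 'None', omit this key. Otherwise, the declaration must contain this key.` The `IncomingServer` and `OutgoingServer` settings have no key or sentence describing whether the connection uses TLS, which matters for the 'Password' method in the `rangelist`; state the transport the client uses or reference the key that controls it.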
@@ -0,0 +1,28 @@
+title: Account:Subscribed Calendar
+description: Use this configuration to define settings for a subscribed calendar.
+payload:
+ declarationtype: com.apple.configuration.account.subscribed-calendar
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+ content: A subscribed calendar configuration defines a subscribed calendar for a
+ user.
+payloadkeys:
+- key: VisibleName
+ title: Account Name
+ type:
+ presence: optional
+ content: The name that apps show to the user for this calendar account. If not present,
+ the system generates a suitable default.
+- key: CalendarURL
+ title: Calendar URL
+ type:
+ presence: required
+ content: The URL of the subscribed calendar. The URL must start with 'https://'.
+- key: AuthenticationCredentialsAssetReference
+ title: Authentication Credentials Asset Reference
+ type:
+ presence: optional
+ content: The identifier of an asset declaration that contains the credentials for
+ this account to authenticate with a calendar server. The corresponding asset must
+ be of type CredentialUserNameAndPassword.
diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml
new file mode 100644
index 0000000..f055b03
--- /dev/null
+++ b/declarative/declarations/configurations/legacy.interactive.yaml
@@ -0,0 +1,22 @@ +title: Legacy Interactive Profile +description: Specifies an MDMv1 profile to present to the user who may choose to download + and install it +payload: + declarationtype: com.apple.configuration.legacy.interactive + supportedOS: + iOS: + introduced: '15.0' +payloadkeys: +- key: ProfileURL + title: Profile's URL. + type: + presence: required + content: |- + The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. + If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile. +- key: VisibleName + title: Configuration Visible Name + type: + presence: required + content: The visible name of the configuration. This name needs to indicate the + nature of the profile. diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml new file mode 100644 index 0000000..06e0ce8 --- /dev/null +++ b/declarative/declarations/configurations/legacy.yaml @@ -0,0 +1,15 @@ +title: Legacy Profile +description: Specifies an MDMv1 profile to download and install +payload: + declarationtype: com.apple.configuration.legacy + supportedOS: + iOS: + introduced: '15.0' +payloadkeys: +- key: ProfileURL + title: Profile's URL. + type: + presence: required + content: |- + The URL of the profile to download and install. This must be an 'https://' URL. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. + If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile. 
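Review bot: Both `ProfileURL` entries are titled `Profile's URL.` with a trailing period, unlike every other `title` in this commit; use `title: Profile URL`. The `ProfileURL` content requires an 'https://' URL but says nothing about whether the downloaded profile must be signed or what validation the client performs before installing it, which is the property an administrator needs to know for a configuration that installs an MDMv1 profile; add one sentence stating the validation performed, once confirmed against the implementation. Both points apply to the `Legacy Profile` hunk that follows on this line.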
diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml new file mode 100644 index 0000000..b4668a9 --- /dev/null +++ b/declarative/declarations/configurations/management.status-subscriptions.yaml @@ -0,0 +1,22 @@ +title: Management:Status Subscriptions +description: Use this configuration to define the status subscriptions that cause + status to be reported by the client. +payload: + declarationtype: com.apple.configuration.management.status-subscriptions + supportedOS: + iOS: + introduced: '15.0' +payloadkeys: +- key: StatusItems + title: Status Items + type: + presence: required + content: An array of status items that the device notifies subscribers about. + subkeys: + - key: StatusItem + type: + subkeys: + - key: Name + type: + presence: required + content: The name of the status item to send to subscribers. diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml new file mode 100644 index 0000000..a12e695 --- /dev/null +++ b/declarative/declarations/configurations/management.test.yaml @@ -0,0 +1,24 @@ +title: Management:Test +description: A configuration used for testing only +payload: + declarationtype: com.apple.configuration.management.test + supportedOS: + iOS: + introduced: '15.0' +payloadkeys: +- key: Echo + title: Status Echo + type: + presence: required + content: The string to echo back in a status response reason. +- key: ReturnStatus + title: Status to Return + type: + presence: optional + rangelist: + - Installed + - Failed + - PendingClient + default: Installed + content: The status the system reports back when the device implements the configuration. + Use this to override the normal 'success' result. 
diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml new file mode 100644 index 0000000..ba262f8 --- /dev/null +++ b/declarative/declarations/configurations/passcode.settings.yaml 
@@ -0,0 +1,72 @@ +title: Passcode:Settings +description: Use this configuration to define passcode policy settings +payload: + declarationtype: com.apple.configuration.passcode.settings + supportedOS: + iOS: + introduced: '15.0' +payloadkeys: +- key: RequirePasscode + title: Require Passcode on Device + type: + presence: optional + default: false + content: If 'true', requires the user to set a passcode without any requirements + about the length or quality of the passcode. The presence of any other keys implicitly + requires a passcode, and overrides this key's value. +- key: RequireComplexPasscode + title: Require Complex Passcode + type: + presence: optional + default: false + content: If 'true', requires a complex passcode. A complex passcode is one that + doesn't contain repeated characters or increasing/decreasing characters (such + as 123 or CBA), and must contain at least one nonnumeric/nonalphabetic character. +- key: MinimumLength + title: Minimum Passcode Length + type: + presence: optional + range: + min: 0 + max: 16 + default: 0 + content: The minimum number of characters a passcode can contain. +- key: MaximumFailedAttempts + title: Maximum Number of Failed Attempts + type: + presence: optional + range: + min: 2 + max: 11 + default: 11 + content: |- + The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt. + After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit. 
+- key: MaximumGracePeriodInMinutes + title: Maximum Grace Period + type: + presence: optional + content: |- + The maximum period that a user can select, during which the user can unlock the device without a passcode. A value of '0' means no grace period, and the device requires a passcode immediately. In the absence of this key, the user can select any period. + macOS translates this to screensaver settings. +- key: MaximumInactivityInMinutes + title: Automatic Device Lock + type: + presence: optional + range: + min: 0 + max: 15 + content: |- + The maximum period that a user can select, during which the device can be idle before the system automatically locks it. When the device reaches this limit, the device locks and the user must enter the passcode to unlock it. In the absence of this key, the user can select any period. + macOS translates this to screensaver settings. +- key: PasscodeReuseLimit + title: Passcode Reuse Limit + type: + presence: optional + range: + min: 1 + max: 50 + content: The number of historical passcode entries the system checks when vaildating + a new passcode. The device refuses a new passcode if it matches a previously used + passcode within the specified passcode history range. In the absence of this key, + the system performs no historical check. diff --git a/declarative/declarations/declarationbase.yaml b/declarative/declarations/declarationbase.yaml new file mode 100644 index 0000000..0c8745d --- /dev/null +++ b/declarative/declarations/declarationbase.yaml 
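Review bot: `MaximumGracePeriodInMinutes` has neither a `range` nor a `default`, while the sibling `MaximumInactivityInMinutes` has `range: min: 0, max: 15` and the other numeric keys in this hunk carry both; if the grace period is bounded add the `range`, otherwise say in `content` that any non-negative value is accepted. The `PasscodeReuseLimit` content spells 'vaildating'. The `MaximumFailedAttempts` content describes the erase-or-lock behaviour at length but never says what happens to a value outside the `range` of 2 to 11 (clamped or rejected).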
@@ -0,0 +1,25 @@
+title: DeclarationBase
+description: Keys common to all declarations used with the Remote Management protocol.
+payload:
+ declarationtype: any
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: Type
+ type:
+ presence: required
+ content: A string specifying the type of this declaration.
+- key: Identifier
+ type:
+ presence: required
+ content: A string uniquely identifying this declaration.
+- key: ServerToken
+ type:
+ presence: required
+ content: A unique token generated by the server specifying a particular revision
+ of the declaration.
+- key: Payload
+ type:
+ presence: required
+ content: The payload describing this declaration.
diff --git a/declarative/declarations/management/organization-info.yaml b/declarative/declarations/management/organization-info.yaml
new file mode 100644
index 0000000..cdde995
--- /dev/null
+++ b/declarative/declarations/management/organization-info.yaml
@@ -0,0 +1,37 @@
+title: Management:Organization Information
+description: Use this declaration to tell the client about the server's organization
+ information.
+payload:
+ declarationtype: com.apple.management.organization-info
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: Name
+ title: Organization Name
+ type:
+ presence: required
+ content: The name of the organization.
+- key: Email
+ title: Organization Email Address
+ type:
+ presence: optional
+ content: The email address of the contact person for the organization.
+- key: URL
+ title: Organization URL
+ type:
+ presence: optional
+ content: The website of the organization to contact for support.
+- key: Proof
+ title: Organization Identity
+ type:
+ presence: optional
+ content: The additional properties that verify the identity and authenticity of
+ the organization.
+ subkeys:
+ - key: IdentityToken
+ title: Organization Identity Token
+ type:
+ presence: optional
+ content: A token that verifies the identity of the organization when using this
+ service.
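Review bot: `ServerToken` is documented here only as 'a unique token generated by the server specifying a particular revision', while the `DeclarationItemsResponse` hunk later in this commit requires servers to compute the token over the entire declaration content so that any change alters it; since this is the base definition every declaration inherits, carry that requirement here, e.g. `content: A unique token generated by the server specifying a particular revision of the declaration. Servers must compute it over the entire declaration content so that any change to the content changes the token.` In the organization-info hunk that follows, `Proof`/`IdentityToken` says the token 'verifies the identity of the organization' without stating its format, who issues it, or how the client checks it, so a server author cannot produce a valid one; document the format and the verification step, or state that the key is reserved.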
diff --git a/declarative/declarations/management/server-capabilities.yaml b/declarative/declarations/management/server-capabilities.yaml
new file mode 100644
index 0000000..2c38bbc
--- /dev/null
+++ b/declarative/declarations/management/server-capabilities.yaml
@@ -0,0 +1,25 @@
+title: Management:Server Capabilities
+description: Use this declaration to tell the client about the server's capabilities.
+payload:
+ declarationtype: com.apple.management.server-capabilities
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: Version
+ title: Protocol Version
+ type:
+ presence: required
+ content: The server's protocol version.
+- key: SupportedFeatures
+ title: Supported Features
+ type:
+ presence: required
+ content: |-
+ A dictionary that contains the server's optional protocol features.
+ Each dictionary item uses the key name to represent a feature, and the value to hold the feature's associated parameters. This protocol reserves keys with a prefix of “'com.apple.'”, which appear as subkeys in this dictionary.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: Additional keys may be present.
diff --git a/declarative/protocol/declarationitemsresponse.yaml b/declarative/protocol/declarationitemsresponse.yaml
new file mode 100644
index 0000000..6933094
--- /dev/null
+++ b/declarative/protocol/declarationitemsresponse.yaml
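Review bot: The `SupportedFeatures` content wraps the reserved prefix in curly double quotes plus straight single quotes, `“'com.apple.'”`, while every other literal in this commit uses plain single quotes; write `'com.apple.'`. The placeholder subkey `ANY` is documented only as 'Additional keys may be present', which does not say what a client does with a feature key it does not recognise (ignore it, or fail the declaration); one sentence on that would remove the ambiguity.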
@@ -0,0 +1,84 @@
+title: Declaration Items Response
+description: The set of available declarations on the server.
+payload:
+ requesttype: DeclarationItemsResponse
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: Declarations
+ title: Manifest Declaration Items
+ type:
+ presence: required
+ content: The set of available declarations on the server.
+ subkeys:
+ - key: Activations
+ title: Activations
+ type:
+ presence: required
+ content: The list of available activation declarations on the server.
+ subkeytype: DeclarationItem
+ subkeys:
+ - key: _Activations
+ title: Manifest Declaration
+ type:
+ content: Information about an available declaration on the server.
+ subkeytype: DeclarationItem
+ subkeys: &id001
+ - key: Identifier
+ title: Declaration Identifier
+ type:
+ presence: required
+ content: The declaration's identifier.
+ - key: ServerToken
+ title: Declaration Server Token
+ type:
+ presence: required
+ content: |-
+ The 'ServerToken' value of the declaration.
+ The client uses this to determine if the actual payload is different from the one on the client. Servers must compute the token over the entire declaration content to ensure the value always changes whenever there's any change to the content.
+ - key: Configurations
+ title: Configurations
+ type:
+ presence: required
+ content: The list of available configuration declarations on the server.
+ subkeytype: DeclarationItem
+ subkeys:
+ - key: _Configurations
+ title: Manifest Declaration
+ type:
+ content: Information about an available declaration on the server.
+ subkeytype: DeclarationItem
+ subkeys: *id001
+ - key: Assets
+ title: Assets
+ type:
+ presence: required
+ content: The list of available asset declarations on the server.
+ subkeytype: DeclarationItem
+ subkeys:
+ - key: _Assets
+ title: Manifest Declaration
+ type:
+ content: Information about an available declaration on the server.
+ subkeytype: DeclarationItem
+ subkeys: *id001
+ - key: Management
+ title: Management
+ type:
+ presence: required
+ content: The list of available management declarations on the server.
+ subkeytype: DeclarationItem
+ subkeys:
+ - key: _Management
+ title: Manifest Declaration
+ type:
+ content: Information about an available declaration on the server.
+ subkeytype: DeclarationItem
+ subkeys: *id001
+- key: DeclarationsToken
+ title: Declarations Token
+ type:
+ presence: required
+ content: The current value of the declarations token. Clients use this to detect
+ when declarations change so they can refetch the token.
diff --git a/declarative/protocol/statusreport.yaml b/declarative/protocol/statusreport.yaml
new file mode 100644
index 0000000..0bbd634
--- /dev/null
+++ b/declarative/protocol/statusreport.yaml
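Review bot: The shared `Identifier`/`ServerToken` subkeys are factored through the anchor `&id001`, a name that looks like a serializer artifact and tells a reader nothing, and the same `id001` name is reused in management.declarations.yaml for a different set of keys, which makes the two easy to confuse when searching. A descriptive anchor such as `subkeys: &declaration_item_keys` with matching `*declaration_item_keys` aliases would be clearer, or the anchor could be dropped since `subkeytype: DeclarationItem` already names the shared structure. Not every consumer of these schema files expands YAML aliases, so whatever generator reads them should be checked against this file in particular.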
@@ -0,0 +1,57 @@
+title: Status Report
+description: Status sent by the client.
+payload:
+ requesttype: StatusReport
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: StatusItems
+ title: Status Items
+ type:
+ presence: required
+ content: The status items for this report.
+- key: Errors
+ title: Errors
+ type:
+ presence: required
+ content: An array of errors for this status report.
+ subkeys:
+ - key: _Errors
+ title: Error
+ type:
+ content: Error information for a status item that cannot be returned.
+ subkeys:
+ - key: StatusItem
+ title: Status Item
+ type:
+ presence: required
+ content: The status item that this error pertains to.
+ - key: Reasons
+ title: Status Reasons
+ type:
+ presence: optional
+ content: An array of reasons for the error.
+ subkeytype: StatusReason
+ subkeys:
+ - key: _Reasons
+ title: Status Reason
+ type:
+ content: Information about a status error.
+ subkeytype: StatusReason
+ subkeys:
+ - key: Code
+ title: Error Code
+ type:
+ presence: required
+ content: The error code for this error.
+ - key: Description
+ title: Error Description
+ type:
+ presence: optional
+ content: The description for this error.
+ - key: Details
+ title: Error Details
+ type:
+ presence: optional
+ content: A dictionary that contains further details about this error.
diff --git a/declarative/protocol/tokensresponse.yaml b/declarative/protocol/tokensresponse.yaml
new file mode 100644
index 0000000..ad2a370
--- /dev/null
+++ b/declarative/protocol/tokensresponse.yaml
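Review bot: `StatusItems` is marked `required` but carries no `subkeys` or `subkeytype`, so the schema gives no shape for the main payload of the report while the error path is fully described; if the item set is deliberately open-ended, the content should say so, for example `A dictionary of status items for this report, keyed by status item type; each value's shape is defined by that status item's schema.`. Separately, `Details` here is a bare dictionary, whereas the equivalent `details` in management.declarations.yaml declares an `ANY` subkey with `presence: optional`; the two definitions describe the same data and should match.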
@@ -0,0 +1,16 @@
+title: Tokens Response
+description: The server's synchronization tokens.
+payload:
+ requesttype: TokensResponse
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: SyncTokens
+ title: Synchronization Tokens
+ type:
+ presence: required
+ content: A dictionary of synchronization tokens that describes the state of different
+ types of data on the server. The client uses these tokens to determine which endpoints
+ it needs to use to fetch new or updated data on the server.
+ subkeytype: SynchronizationTokens
diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml
new file mode 100644
index 0000000..0607552
--- /dev/null
+++ b/declarative/status/device.model.family.yaml
@@ -0,0 +1,14 @@
+title: Status Device Model Family
+description: The device's hardware family.
+payload:
+ statusitemtype: device.model.family
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.model.family
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that describes the hardware family of the device, such as 'Mac',
+ 'iPhone', or 'iPad'.
diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml
new file mode 100644
index 0000000..7bb92d0
--- /dev/null
+++ b/declarative/status/device.model.identifier.yaml
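Review bot: `SyncTokens` names `subkeytype: SynchronizationTokens` but defines no subkeys, and its content says the client uses the tokens to choose endpoints without naming a single token, so a reader of this file cannot tell which keys to expect or which endpoint each one drives. Either list the known token keys as subkeys, or state in the content where the dictionary's keys are defined, for example by appending `The set of token keys is defined by the protocol endpoints that consume them.` only if that is where they actually live.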
@@ -0,0 +1,17 @@
+title: Status Device Model Identifier
+description: The device's hardware identifier.
+payload:
+ statusitemtype: device.model.identifier
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.model.identifier
+ title: Status item value.
+ type:
+ presence: required
+ content: A two-part string that uniquely identifies the device's model. The first
+ part describes device's model family, and the second part describes the model's
+ version. The model's version is a comma-separated number where the first part
+ of the number is the version, and the second part is a variant, such as 'MacBookPro15,1'
+ or 'iPhone13,2'.
diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml
new file mode 100644
index 0000000..7a29f6a
--- /dev/null
+++ b/declarative/status/device.model.marketing-name.yaml
@@ -0,0 +1,15 @@
+title: Status Device Model Marketing Name
+description: The device's hardware marketing name.
+payload:
+ statusitemtype: device.model.marketing-name
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.model.marketing-name
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that identifies the device's marketing name, such as 'iPhone 12'.
+ This value may not always be available. Alternatively, use 'device.model.configuration-code'
+ to look up the marketing name through the web API.
diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml
new file mode 100644
index 0000000..88b7468
--- /dev/null
+++ b/declarative/status/device.operating-system.build-version.yaml
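Review bot: The `device.model.marketing-name` content points the reader to `device.model.configuration-code`, but no status item with that name is added in this commit (the diffstat lists only the family, identifier and marketing-name model items), so the cross-reference currently dangles; if that item arrives separately the content should say so, otherwise the sentence should go until it exists. The statement that the value 'may not always be available' also sits oddly next to `presence: required`; if the key can be absent in a report, `presence: optional` is the accurate declaration.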
@@ -0,0 +1,14 @@
+title: Status Device Operating System Build Version
+description: The device's operating system build version.
+payload:
+ statusitemtype: device.operating-system.build-version
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.operating-system.build-version
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that identifies the operating system's build version on the device,
+ such as '18F132'.
diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml
new file mode 100644
index 0000000..4acaa3c
--- /dev/null
+++ b/declarative/status/device.operating-system.family.yaml
@@ -0,0 +1,14 @@
+title: Status Device Operating System Family
+description: The device's operating system family.
+payload:
+ statusitemtype: device.operating-system.family
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.operating-system.family
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that identifies the operating system family in use on the device,
+ such as 'macOS' or 'iOS'.
diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml
new file mode 100644
index 0000000..9ef8346
--- /dev/null
+++ b/declarative/status/device.operating-system.marketing-name.yaml
@@ -0,0 +1,14 @@
+title: Status Device Operating System Marketing Name
+description: The device's operating system marketing name.
+payload:
+ statusitemtype: device.operating-system.marketing-name
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.operating-system.marketing-name
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that identifies the operating system's marketing name in use on
+ the device, such as 'Catalina'.
diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml
new file mode 100644
index 0000000..291294b
--- /dev/null
+++ b/declarative/status/device.operating-system.version.yaml
@@ -0,0 +1,14 @@
+title: Status Device Operating System Version
+description: The device's operating system version.
+payload:
+ statusitemtype: device.operating-system.version
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: device.operating-system.version
+ title: Status item value.
+ type:
+ presence: required
+ content: A string that identifies the operating system's version in use on the device,
+ such as '15.0'.
diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml
new file mode 100644
index 0000000..adcd11d
--- /dev/null
+++ b/declarative/status/management.client-capabilities.yaml
@@ -0,0 +1,105 @@
+title: Status Management Client Capabilities
+description: The client's protocol capabilities.
+payload:
+ statusitemtype: management.client-capabilities
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: management.client-capabilities
+ title: Status item value.
+ type:
+ presence: required
+ content: An object that contains the client's protocol capabilities. These typically
+ only change when the device upgrades its software. An implicit status subscription
+ for this status item is always present, so the client always reports changes to
+ the server.
+ subkeytype: Capabilities
+ subkeys:
+ - key: supported-versions
+ title: Supported Protocol Versions
+ type:
+ presence: required
+ content: A list of protocol versions that the client supports.
+ subkeys:
+ - key: _supported-versions
+ title: Supported Protocol Version
+ type:
+ content: A protocol version supported by the client.
+ - key: supported-features
+ title: Supported Features
+ type:
+ presence: required
+ content: A set of optional protocol features that the client supports. Each object's
+ key represents a feature, and the property value represents the feature's associated
+ parameters.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: Optional protocol features supported by the client.
+ - key: supported-payloads
+ title: Supported Payloads
+ type:
+ presence: required
+ content: A set of declaration and status items that the client supports.
+ subkeys:
+ - key: declarations
+ title: Supported Declarations
+ type:
+ presence: required
+ content: A set of declarations that the client supports.
+ subkeys:
+ - key: activations
+ title: Supported Activations
+ type:
+ presence: optional
+ content: An array of strings that represents the activation types that the
+ client supports.
+ subkeys:
+ - key: _activations
+ title: Activation Type
+ type:
+ content: Supported activation type.
+ - key: assets
+ title: Supported Assets
+ type:
+ presence: optional
+ content: An array of strings that represents the assets that the client supports.
+ subkeys:
+ - key: _assets
+ title: Asset Type
+ type:
+ content: Supported asset type.
+ - key: configurations
+ title: Supported Configurations
+ type:
+ presence: optional
+ content: An array of strings that represents the configuration types that
+ the client supports.
+ subkeys:
+ - key: _configurations
+ title: Configuration Type
+ type:
+ content: Supported configuration type.
+ - key: management
+ title: Supported Management Declarations
+ type:
+ presence: optional
+ content: An array of strings that represents the declaration types that the
+ client supports.
+ subkeys:
+ - key: _management
+ title: Management Declaration Type
+ type:
+ content: Supported management declaration type.
+ - key: status-items
+ title: Supported Status Items
+ type:
+ presence: required
+ content: A list of status items that the client supports.
+ subkeys:
+ - key: _status_items
+ title: Status Item
+ type:
+ content: Supported status item.
diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml
new file mode 100644
index 0000000..9d50590
--- /dev/null
+++ b/declarative/status/management.declarations.yaml
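Review bot: The array placeholder under `status-items` is named `_status_items` with an underscore, while every other placeholder in this file mirrors its parent key exactly with a leading underscore (`_supported-versions`, `_activations`, `_assets`, `_configurations`, `_management`); `- key: _status-items` keeps the convention and keeps any tooling that derives the parent from the placeholder name working. This hunk starts at its `@@` line on the previous page line, where the outer `management.client-capabilities` key is defined.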
@@ -0,0 +1,128 @@
+title: Status Management Declarations
+description: State of declarations processed by the client.
+payload:
+ statusitemtype: management.declarations
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: management.declarations
+ title: Status item value.
+ type:
+ presence: required
+ content: A collection of the client's processed declarations.
+ subkeytype: Declarations
+ subkeys:
+ - key: activations
+ title: Activations
+ type:
+ presence: required
+ content: An array of declarations that represent the client's processed activation
+ types.
+ subkeytype: Declaration
+ subkeys:
+ - key: _activations
+ title: Status Declaration Item
+ type:
+ content: Status for a declaration processed by the client.
+ subkeytype: Declaration
+ subkeys: &id001
+ - key: identifier
+ title: Identifier
+ type:
+ presence: required
+ content: The 'identifier' of the declaration this status report refers to.
+ - key: server-token
+ title: Server-Token
+ type:
+ presence: required
+ content: The 'ServerToken' of the declaration this status report refers to.
+ - key: active
+ title: Declaration's Active State
+ type:
+ presence: required
+ content: If 'true', the declaration is active on the device.
+ - key: valid
+ title: Declaration's Valid State
+ type:
+ presence: required
+ rangelist:
+ - unknown
+ - invalid
+ - valid
+ content: This string defines the validity of the declaration. If it's 'invalid',
+ the 'reasons' property contains more details.
+ - key: reasons
+ title: Status Reasons
+ type:
+ presence: optional
+ content: The details of any client errors.
+ subkeytype: StatusReason
+ subkeys:
+ - key: _reasons
+ title: Status Reason
+ type:
+ content: Information about a status error.
+ subkeytype: StatusReason
+ subkeys:
+ - key: code
+ title: Error Code
+ type:
+ presence: required
+ content: The error code for this error.
+ - key: description
+ title: Error Description
+ type:
+ presence: optional
+ content: The description for this error.
+ - key: details
+ title: Error Details
+ type:
+ presence: optional
+ content: A dictionary that contains further details about this error.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: Additional keys may be present.
+ - key: configurations
+ title: Configurations
+ type:
+ presence: required
+ content: An array of declarations that represent the client's processed configuration
+ types.
+ subkeytype: Declaration
+ subkeys:
+ - key: _configurations
+ title: Status Declaration Item
+ type:
+ content: Status for a declaration processed by the client.
+ subkeytype: Declaration
+ subkeys: *id001
+ - key: assets
+ title: Assets
+ type:
+ presence: required
+ content: An array of declarations that represent the client's processed assets.
+ subkeytype: Declaration
+ subkeys:
+ - key: _assets
+ title: Status Declaration Item
+ type:
+ content: Status for a declaration processed by the client.
+ subkeytype: Declaration
+ subkeys: *id001
+ - key: management
+ title: Management
+ type:
+ presence: required
+ content: An array of declarations that represent the client's processed declaration
+ types.
+ subkeytype: Declaration
+ subkeys:
+ - key: _management
+ title: Status Declaration Item
+ type:
+ content: Status for a declaration processed by the client.
+ subkeytype: Declaration
+ subkeys: *id001
diff --git a/declarative/status/statusreason.yaml b/declarative/status/statusreason.yaml
new file mode 100644
index 0000000..bb55842
--- /dev/null
+++ b/declarative/status/statusreason.yaml
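Review bot: The `identifier` content reads `The 'identifier' of the declaration this status report refers to.` while the declaration key it names is `Identifier` in declarationbase.yaml, and the sibling `server-token` correctly quotes `'ServerToken'`; `The 'Identifier' of the declaration this status report refers to.` keeps the two consistent and avoids a reader searching for a lowercase key that does not exist. The shared-key anchor `&id001` reuses the name already used for a different key set in declarationitemsresponse.yaml, where a descriptive anchor name was suggested; the same applies here. The `valid` key's `rangelist` and the `reasons` wording are fine as written.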
@@ -0,0 +1,23 @@
+title: Status Reason
+description: Information about a status error.
+payload:
+ declarationtype: status-reason
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+payloadkeys:
+- key: code
+ title: Error Code
+ type:
+ presence: required
+ content: The error code for this error.
+- key: description
+ title: Error Description
+ type:
+ presence: optional
+ content: A description of this error.
+- key: details
+ title: Error Details
+ type:
+ presence: optional
+ content: An arbitrary object containing details specific to this error.
diff --git a/docs/schema.md b/docs/schema.md
new file mode 100644
index 0000000..517ea1d
--- /dev/null
+++ b/docs/schema.md
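Review bot: This file declares `declarationtype: status-reason`, but StatusReason is not a declaration the server sends; it is the shared structure referenced as `subkeytype: StatusReason` from statusreport.yaml and management.declarations.yaml, and `status-reason` does not follow the `com.apple.` form the real declaration types in this commit use. If the schema has no dedicated type key for shared structures, a comment above `payload:` such as `# Shared structure only; declarationtype is a placeholder, not a deliverable declaration.` would stop readers and generators treating it as one. The `details` content ('An arbitrary object') also differs from `details` in management.declarations.yaml, which is documented as a dictionary with an `ANY` subkey; one wording should be used in both places.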
@@ -0,0 +1,209 @@
+# Device Management Client YAML Schema Format
+
+## Schema Definition
+
+The definition of the schema used here is in the `schema.yaml` file. That file contains the YAML-encoded [JSON-schema](https://json-schema.org) representation of the schema definitions. Below are descriptions of the various elements of the schema and how they are used.
+
+### Top Level Object
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the command request |
+| responsekeys | array | A list of YAML objects representing the command response |
+
+### Payload Object
+
+| Name | Type | Description |
+|-----------------|--------|-------------|
+| payloadtype | string | Type of the profile payload |
+| requesttype | string | Type of the MDM command |
+| declarationtype | string | Type of the declaration payload |
+| statusitemtype | string | Type of the status payload |
+| credentialtype | string | Type of the credential asset data |
+| supportedOS | object | Identifies the range of supported OS versions that support the entire payload |
+| content | string | Description of the payload |
+
+### supportedOS Object
+
+| Name | Type | Description |
+|----------|--------|-------------|
+| iOS | object | Supported features on this iOS |
+| macOS | object | Supported features on this macOS |
+| tvOS | object | Supported features on this tvOS |
+| watchOS | object | Supported features on this watchOS |
+
+__Notes__
+
+The `supportedOS` object is used in the `payload` object to indicate overall support for this object on each OS, as well as which enrollment modes are supported per OS. The `supportedOS` key may also appear on any payload key defined in `payloadkeys` or `responsekeys` array item objects. Each payload key is assumed to "inherit" the `supportedOS` values from the `payload` object, but that is then updated with any items in the key's own `supportedOS` object if present. This also overriding specific values in `supportedOS` on a per-key basis without the need to duplicate the entire `supportedOS` value from the `payload`.
+
+### iOS, macOS, tvOS, watchOS Objects
+
+| Name | Type | Description |
+|--------------------|---------|-------------|
+| introduced | string | OS version where feature was introduced |
+| deprecated | string | OS version where feature was deprecated |
+| removed | string | OS version where feature was removed |
+| accessrights | string | The MDM protocol access rights required on the device to execute the command |
+| devicechannel | boolean | Indicates whether the command is supported on the device channel |
+| userchannel | boolean | indicates whether the command is supported on the user channel |
+| supervised | boolean | Indicates whether the command can only be executed on supervised devices |
+| requiresdep | boolean | If True, the command can only be executed on devices provisioned in DEP |
+| userapprovedmdm | boolean | If True, the command can only be executed on devices with user approved MDM enrollment |
+| allowmanualinstall | boolean | If True, the profile can be installed manually by a user on the device |
+| sharedipad | object | Additional behavior specific to shared iPad devices |
+| userenrollment | object | Additional behavior when user enrollment is in effect |
+
+### Shared iPad Object
+
+| Name | Type | Description |
+|---------------|---------|-------------|
+| mode | string | Indicates whether a payload or payload key can used with shared iPad |
+| devicechannel | boolean | Defines if the payload can be installed on the device MDM channel |
+| userchannel | boolean | Defines if the payload can be installed on the user MDM channel |
+
+__Notes__
+
+The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and `ignored`. If set to `allowed`, then the payload or payload key can be used both with or without shared iPad in effect. If set to `required`, then the payload or payload key can only be used if shared iPad is in effect. If set to `forbidden`, then the payload or payload key cannot be used if shared iPad is in effect. If set to `ignored`, then the payload or payload key can be used, but is ignored if shared iPad is in effect.
+
+### User Enrollment Object
+
+| Name | Type | Description |
+|----------|--------|-------------|
+| mode | string | Indicates how a payload or payload key can only be used if user enrollment is in effect |
+| behavior | string | Describes any special behavior for the payload or payload key if user enrollment is in effect |
+
+__Notes__
+
+The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and `ignored`. If set to `allowed`, then the payload or payload key can be used both with or without user enrollment in effect. If set to `required`, then the payload or payload key can only be used if user enrollment is in effect. If set to `forbidden`, then the payload or payload key cannot be used if user enrollment is in effect. If set to `ignored`, then the payload or payload key can be used, but is ignored if user enrollment is in effect.
+
+### Payload/Response Keys Array Object
+
+| Name | Type | Description |
+|-------------|--------|-------------|
+| key | string | The name of the key |
+| title | string | The title of the key |
+| supportedOS | object | Identifies the range of supported OS versions that support the key |
+| type | string | The type of key |
+| subtype | string | Indicates the expected format of the string value of the key |
+| presence | string | Whether the key is required or optional |
+| rangelist | array | List of allowed values for this key |
+| range | object | Bounds for the value of this key |
+| default | scalar | The default value for the key |
+| format | string | The format for the value expressed as a regular expression |
+| repetition | object | Cardinality for this value |
+| content | string | Description of the payload key |
+| subkeytype | string | A name that uniquely represents the structured subkey object |
+| subkeys | array | An array of payload keys |
+
+__Notes__
+
+The `type` value can be one of: ``, ``, ``, ``, ``, ``, ``, ``, or ``. The value `` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
+
+The `subtype` value can be one of: ``, ``, or ``, to indicate the expected value of a string.
+
+The `presence` value can be one of: `required` or `optional`.
+
+### Range Object
+
+| Name | Type | Description |
+|------|-----------------|-------------|
+| min | integer or real | Lower bound of range |
+| max | integer or real | Upper bound of range |
+
+### Repetition Object
+
+| Name | Type | Description |
+|------|-----------------|-------------|
+| min | integer or real | Lower bound of repetition |
+| max | integer or real | Upper bound of repetition |
+
+## Schema Use
+
+The schema has minor variants based on the nature of the object being described.
+
+### MDM Commands/CheckIn
+
+An MDM command or checkin is a YAML object with the following top-level keys:
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the command request |
+| responsekeys | array | A list of YAML objects representing the command response |
+
+The `payload` object will contain a `requesttype` key that specifies the command or CheckIn request name.
+
+### MDM Profiles
+
+An MDM profile is a YAML object with the following keys:
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the profile keys |
+
+The `payload` object will contain a `payloadtype` key that specifies the payload type.
+
+### RM model declarations
+
+An RM declaration is a YAML object with the following keys:
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the declaration keys |
+
+The `payload` object will contain a `declarationtype` key that specifies the declaration type.
+
+### RM model status item
+
+An RM status item is a YAML object with the following keys:
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the status item key |
+
+The `payload` object will contain a `statusitemtype` key that specifies the status item type. The `payloadkeys` will contain a single object that defines the type of the value returned for the status item.
+
+### RM protocol
+
+An RM protocol request or response is a YAML object with the following top-level keys:
+
+| Name | Type | Description |
+|--------------|--------|-------------|
+| title | string | Title for this schema object |
+| description | string | Description of this schema object |
+| payload | object | Information about the object as a whole |
+| payloadkeys | array | A list of YAML objects representing the request or response |
+
+The `payload` object will contain a `requesttype` key that specifies the summary description of the request or response.
+
+## Subkey structure
+
+A payload key can have a scalar type (``, ``, ``, ``, ``) or a container type (``, ``). A container type must include a `subkeys` key that defines the details of the container as follows:
+
+### `` container
+
+The `subkeys` sequence in a `` container defines the schema for the dictionary contents.
+
+### `` container
+
+The `subkeys` sequence in a `` container defines the type of items in the array. Only a single item is allowed in the `subkeys` sequence. The type of the single item defines the structure of the container as follows:
+
+* if the single item's type is a scalar type, then the array is a list of items with elements matching the scalar type (e.g. an array of `` values). In some cases the scalar type may have a `subkeys` key, and each element of that sequence defines a possible value for the scalar type in the array.
+
+* if the single item's type is ``, then the array is a list of dictionary items, with each dictionary conforming to the schema defined by the `subkeys` item of the single item (e.g., an array of `` values). Note that the single item `` is only a place holder for the keys used in the `` array items, and as such does not itself appear as the an array item.
+
+* if the single item's type is ``, then the array is a list of array items, with each array item conforming to the schema defined for an `` container as described in this section.
diff --git a/docs/schema.yaml b/docs/schema.yaml
new file mode 100644
index 0000000..4609334
--- /dev/null
+++ b/docs/schema.yaml
@@ -0,0 +1,227 @@
+title: YAML MDM and Declarative Device Management Schema
+type: object
+additionalProperties: false
+required:
+- title
+properties:
+ title:
+ type: string
+ description: Title for this schema object.
+ description:
+ type: string
+ description: Description of this schema object.
+ payload:
+ type: object
+ description: Overall properties of the payload.
+ additionalProperties: false
+ properties:
+ payloadtype:
+ type: string
+ description: Type of the profile payload.
+ requesttype:
+ type: string
+ description: Type of the MDM command.
+ declarationtype:
+ type: string
+ description: Type of the declaration payload.
+ statusitemtype:
+ type: string
+ description: Type of the status payload.
+ credentialtype:
+ type: string
+ description: Type of the credential asset data.
+ supportedOS: &supportedOS
+ type: object
+ description: Identifies the range of supported OS versions that support the entire payload.
+ additionalProperties: false
+ properties:
+ iOS: &supportedOSItem
+ type: object
+ description: Supported range on this OS.
+ additionalProperties: false
+ properties:
+ introduced:
+ type: string
+ description: OS version where feature was introduced.
+ deprecated:
+ type: string
+ description: OS version where feature was deprecated.
+ removed:
+ type: string
+ description: OS version where feature was removed.
+ accessrights:
+ type: string
+ description: The MDM protocol access rights required on the device to execute the command.
+ devicechannel:
+ type: boolean
+ description: Indicates whether the command is supported on the device channel. If this key is present it overrides the the `devicechannel` key in the top-level payload !!(payload) key.
+ userchannel:
+ type: boolean
+ description: indicates whether the command is supported on the user channel. If this key is present it overrides the the `userchannel` key in the top-level payload !!(payload) key.
+ supervised:
+ type: boolean
+ description: Indicates whether the command can only be executed on supervised devices. If this key is present it overrides the the `supervised` key in the top-level payload !!(payload) key.
+ requiresdep:
+ type: boolean
+ description: If True, the command can only be executed on devices provisioned in DEP.
+ userapprovedmdm:
+ type: boolean
+ description: If True, the command can only be executed on devices with user approved MDM enrollment.
+ allowmanualinstall:
+ type: boolean
+ description: If True, the profile can be installed manually by a user on the device.
+ sharedipad:
+ type: object
+ description: Additional behavior specific to shared iPad devices.
+ additionalProperties: false
+ properties:
+ mode:
+ type: string
+ description: Indicates whether a payload or payload key can used with or without shared iPad in effect.
+ If set to 'allowed', then the payload or payload key can be used both with or without shared iPad in effect.
+ If set to 'required', then the payload or payload key can only be used if shared iPad is in effect.
+ If set to 'forbidden', then the payload or payload key cannot be used if shared iPad is in effect.
+ If set to 'ignored', then the payload or payload key can be used, but is ignored if shared iPad is in effect.
+ enum:
+ - allowed
+ - required
+ - forbidden
+ - ignored
+ default: allowed
+ devicechannel:
+ type: boolean
+ description: Defines if the payload can be installed on the device MDM channel.
+ userchannel:
+ type: boolean
+ description: Defines if the payload can be installed on the user MDM channel.
+ userenrollment:
+ type: object
+ description: Additional behavior when user enrollment is in effect.
+ If this key is not present, then the corresponding payload or payload key can be used both with or without user enrollment in effect,
+ without any changes to normal behavior.
+ additionalProperties: false
+ properties:
+ mode:
+ type: string
+ description: Indicates how a payload or payload key can only be used if user enrollment is in effect.
+ If set to 'allowed', then the payload or payload key can be used both with or without user enrollment in effect.
+ If set to 'required', then the payload or payload key can only be used if user enrollment is in effect.
+ If set to 'forbidden', then the payload or payload key cannot be used if user enrollment is in effect.
+ If set to 'ignored', then the payload or payload key can be used, but is ignored if user enrollment is in effect.
+ enum:
+ - allowed
+ - required
+ - forbidden
+ - ignored
+ default: allowed
+ behavior:
+ type: string
+ description: Describes any special behavior for the payload or payload key if user enrollment is in effect.
+ macOS: *supportedOSItem
+ tvOS: *supportedOSItem
+ watchOS: *supportedOSItem
+ content:
+ type: string
+ description: Description of the payload.
+ payloadkeys: &payloadKeys
+ type: array
+ title: payloadkeys
+ description: An array of payload keys.
+ minitems: 1
+ items:
+ type: object
+ title: payloadkey
+ description: A single payload key.
+ additionalProperties: false
+ required:
+ - key
+ - type
+ properties:
+ key:
+ type: string
+ description: The name of the key.
+ title:
+ type: string
+ description: The title of the key.
+ supportedOS: *supportedOS
+ type:
+ type: string
+ description: The type of key. The value `` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated.
+ enum:
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ -
+ subtype:
+ type: string
+ description: Indicates the expected format of the string value of the key, supporting additional validation of the value.
+ enum:
+ - url
+ - hostname
+ - email
+ presence:
+ type: string
+ description: Whether the key is required or optional.
+ enum:
+ - required
+ - optional
+ rangelist:
+ type: array
+ description: List of allowed values for this key.
+ items:
+ type:
+ - string
+ - integer
+ - number
+ range:
+ type: object
+ description: Bounds for the value of this key.
+ additionalProperties: false
+ properties:
+ min:
+ type:
+ - integer
+ - number
+ description: Lower bound.
+ max:
+ type:
+ - integer
+ - number
+ description: Upper bound.
+ default:
+ type:
+ - string
+ - integer
+ - number
+ description: The default value (if any) for the key.
+ format:
+ type: string
+ description: The format for the value expressed as a regular expression.
+ repetition:
+ type: object
+ description: Cardinality for this value.
+ additionalProperties: false
+ required:
+ - min
+ - max
+ properties:
+ min:
+ type: integer
+ description: Lower bound.
+ max:
+ type: integer
+ description: Upper bound.
+ content:
+ type: string
+ description: Description of the payload key.
+ subkeytype:
+ type: string
+ description: A name that uniquely represents the structured subkey object. This is used when structured subkeys are referenced multiple times.
+ subkeys: *payloadKeys
+
+ responsekeys: *payloadKeys
diff --git a/mdm/checkin/authenticate.yaml b/mdm/checkin/authenticate.yaml
new file mode 100644
index 0000000..fc69cf3
--- /dev/null
+++ b/mdm/checkin/authenticate.yaml
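Review bot: `minitems: 1` under the `payloadkeys` anchor is not a JSON Schema keyword — the keyword is the case-sensitive `minItems` — so validators silently ignore it and an empty `payloadkeys` array passes; change the line to `minItems: 1`. The `devicechannel`, `userchannel` and `supervised` descriptions each contain 'overrides the the' and a '!!(payload)' fragment that reads like an unrendered cross-reference, and the `userchannel` description starts with a lowercase 'indicates' unlike its siblings. The `enum` under `type` shows nine empty entries and the description's '``' is empty in this rendering; if that is only angle-bracket type names lost in rendering it can be ignored, but as written the enum has no usable members and `required: [key, type]` would then reject every key in the sibling files whose `type:` is likewise empty.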
@@ -0,0 +1,157 @@
+title: Authenticate
+description: Check-in protocol authenticate request keys.
+payload:
+ requesttype: Authenticate
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '10.2'
+ supervised: false
+ content: Check-in protocol authenticate request and response.
+payloadkeys:
+- key: DeviceName
+ supportedOS:
+ iOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The device's name.
+- key: ModelName
+ supportedOS:
+ iOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The device's model name.
+- key: Model
+ supportedOS:
+ iOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The device's model.
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - Authenticate
+ content: The message type, which must have a value of 'Authenticate'.
+- key: Topic
+ type:
+ presence: required
+ content: The topic to which the device subscribes.
+- key: UDID
+ supportedOS:
+ iOS:
+ userenrollment:
+ mode: forbidden
+ macOS:
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: required
+ content: The device's UDID (Unique Device ID).
+- key: EnrollmentID
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ userenrollment:
+ mode: required
+ macOS:
+ introduced: '10.15'
+ userenrollment:
+ mode: required
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The per-enrollment identifier for the device. Available in macOS 10.15
+ and iOS 13.0 and later.
+- key: OSVersion
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ type:
+ presence: optional
+ content: The device's OS version.
+- key: BuildVersion
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ type:
+ presence: optional
+ content: The device's build version.
+- key: ProductName
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ type:
+ presence: optional
+ content: The device's product name ('iPhone3,1').
+- key: SerialNumber
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ userenrollment:
+ mode: forbidden
+ macOS:
+ accessrights: AllowQueryDeviceInformation
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: optional
+ content: The device's serial number.
+- key: IMEI
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The device's IMEI (International Mobile Station Equipment Identity).
+- key: MEID
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowQueryDeviceInformation
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: n/a
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The device's MEID (Mobile Equipment Identifier).
diff --git a/mdm/checkin/checkout.yaml b/mdm/checkin/checkout.yaml
new file mode 100644
index 0000000..3309178
--- /dev/null
+++ b/mdm/checkin/checkout.yaml
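Review bot: The `content` strings for `UDID`, `SerialNumber`, `IMEI` and `MEID` describe what the identifier is but not that it is asserted by the device in the check-in body, so a server implementer reading this schema gets no cue to reconcile these values against the enrollment record before using them as lookup keys. A one-line addition such as `content: The device's UDID (Unique Device ID), as reported by the device; servers should match it against the enrollment record rather than rely on it alone.` would cover that for `UDID`, with the same wording for the other three. `EnrollmentID`'s content also repeats the availability already encoded in its `supportedOS` block ('Available in macOS 10.15 and iOS 13.0 and later'), which will drift if either is edited alone.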
@@ -0,0 +1,61 @@
+title: Check Out
+description: Check-in protocol check out request keys.
+payload:
+ requesttype: CheckOut
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '10.2'
+ supervised: false
+ content: Check-in protocol check out request and response.
+payloadkeys:
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - CheckOut
+ content: The message type, which must have a value of 'CheckOut'.
+- key: Topic
+ type:
+ presence: required
+ content: The topic to which the device subscribed.
+- key: UDID
+ supportedOS:
+ iOS:
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: required
+ content: The device's UDID (Unique Device ID).
+- key: EnrollmentID
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ userenrollment:
+ mode: required
+ macOS:
+ introduced: '10.15'
+ userenrollment:
+ mode: required
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The per-enrollment identifier for the device. Available in macOS 10.15
+ and iOS 13.0 and later.
diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml
new file mode 100644
index 0000000..6dc47ef
--- /dev/null
+++ b/mdm/checkin/declarativemanagement.yaml
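Review bot: `UDID` in this file marks user enrollment as forbidden only under `iOS`, whereas the same key in authenticate.yaml and tokenupdate.yaml carries both `iOS` and `macOS` entries with `mode: forbidden`; unless check-out genuinely differs on macOS, a `macOS:` block with `userenrollment: mode: forbidden` should be added here so the three check-in files agree. The `Topic` content also says 'subscribed' where authenticate.yaml says 'subscribes' for the same key.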
@@ -0,0 +1,38 @@
+title: Declarative Management
+description: Declarative Management request keys.
+payload:
+ requesttype: DeclarativeManagement
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: forbidden
+ userenrollment:
+ mode: required
+ content: Check-in protocol declarative management request and response.
+payloadkeys:
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - DeclarativeManagement
+ content: The message type, which must have a value of 'DeclarativeManagement'.
+- key: EnrollmentID
+ type:
+ presence: required
+ content: The per-enrollment identifier for the device.
+- key: Endpoint
+ type:
+ presence: required
+ content: |-
+ The type of operation the declaration is requesting. This key must be one of these values:
+ * 'tokens': For fetching synchronization tokens from the server
+ * 'declaration-items': For fetching the declaration manifest from the server
+ * 'status': For sending a status report to the server
+ * 'declaration/…/…': For fetching a specific declaration from the server. Include the declaration type and identifier separated by forward slashes ('/)'.
+- key: Data
+ type:
+ presence: optional
+ content: A Base64-encoded JSON object using the SynchronizationTokens schema.
diff --git a/mdm/checkin/getbootstraptoken.yaml b/mdm/checkin/getbootstraptoken.yaml
new file mode 100644
index 0000000..25ce5c3
--- /dev/null
+++ b/mdm/checkin/getbootstraptoken.yaml
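Review bot: The `Endpoint` content closes its example with `('/)'` — the quote is misplaced and should read `('/')`. Since `Endpoint` is a device-supplied string that the server dispatches on, the same block would benefit from stating that only the four listed forms are valid, e.g. appending `Servers should accept only these forms and reject any other value.`, so implementers validate the type and identifier segments instead of treating the value as an open path. `Data`'s content refers to 'the SynchronizationTokens schema', but no file of that name is in this commit's list; it may be meant to point at declarative/protocol/tokensresponse.yaml, in which case the reference should name that schema.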
@@ -0,0 +1,32 @@
+title: Get Bootstrap Token
+description: Check-in protocol get bootstrap token data.
+payload:
+ requesttype: GetBootstrapToken
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: false
+ supervised: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Check-in protocol get bootstrap token data request and response.
+payloadkeys:
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - GetBootstrapToken
+ content: The message type, which must have a value of 'GetBootstrapToken'.
+- key: AwaitingConfiguration
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the device is awaiting a DeviceConfigured MDM command before
+ proceeding through Setup Assistant.
+responsekeys:
+- key: BootstrapToken
+ type:
+ presence: optional
+ content: The current bootstrap token data for the device.
diff --git a/mdm/checkin/setbootstraptoken.yaml b/mdm/checkin/setbootstraptoken.yaml
new file mode 100644
index 0000000..bfe0436
--- /dev/null
+++ b/mdm/checkin/setbootstraptoken.yaml
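Review bot: `BootstrapToken` in `responsekeys` is described only as 'The current bootstrap token data for the device', with nothing marking it as secret material, and the same applies to the `BootstrapToken` request key in setbootstraptoken.yaml (next hunk). A short addition such as `content: The current bootstrap token data for the device. This is sensitive material; servers should store and transmit it with the same care as other device secrets.` would tell implementers how to treat it, mirroring the 'server should remember this data' guidance that tokenupdate.yaml gives for `UnlockToken`. The response key is also `presence: optional` without saying what an absent value means, whereas setbootstraptoken.yaml spells out that a missing or zero-length request value removes the token.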
@@ -0,0 +1,32 @@
+title: Set Bootstrap Token
+description: Check-in protocol set bootstrap token data.
+payload:
+ requesttype: SetBootstrapToken
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: false
+ supervised: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Check-in protocol set bootstrap token data request and response.
+payloadkeys:
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - SetBootstrapToken
+ content: The message type, which must have a value of 'SetBootstrapToken'.
+- key: BootstrapToken
+ type:
+ presence: optional
+ content: The device's bootstrap token data. If this field is missing or zero length,
+ the bootstrap token should be removed for this device.
+- key: AwaitingConfiguration
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the device is awaiting a DeviceConfigured MDM command before
+ proceeding through Setup Assistant.
diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml
new file mode 100644
index 0000000..cd69f61
--- /dev/null
+++ b/mdm/checkin/tokenupdate.yaml
@@ -0,0 +1,164 @@
+title: Token Update
+description: Check-in protocol token update request keys.
+payload:
+ requesttype: TokenUpdate
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '10.2'
+ supervised: false
+ content: Check-in protocol token update request and response.
+payloadkeys:
+- key: NotOnConsole
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.11'
+ devicechannel: false
+ type:
+ presence: required
+ content: If true, the device is not on console.
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - TokenUpdate
+ content: The message type, which must have a value of 'TokenUpdate'.
+- key: Topic
+ type:
+ presence: required
+ content: The topic the device subscribes to.
+- key: UDID
+ supportedOS:
+ iOS:
+ userenrollment:
+ mode: forbidden
+ macOS:
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: required
+ content: The device's UDID.
+- key: EnrollmentID
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ userenrollment:
+ mode: required
+ macOS:
+ introduced: '10.15'
+ userenrollment:
+ mode: required
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The per-enrollment identifier for the device. Available in macOS 10.15
+ and iOS 13.0 and later.
+- key: EnrollmentUserID
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ devicechannel: false
+ userenrollment:
+ mode: required
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The per-enrollment identifier for the user. Available in macOS 10.15 and
+ iOS 13.0 and later.
+- key: UserShortName
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ sharedipad:
+ mode: required
+ macOS:
+ devicechannel: false
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ On Shared iPad: This is the Managed Apple ID of the user on Shared iPad. It indicates that the token is for the user channel.
+ On macOS, this is the short name of the user.
+- key: UserID
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ sharedipad:
+ mode: required
+ macOS:
+ devicechannel: false
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ On macOS: This is the ID of the user.
+ On Shared iPad: This is always 'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF' to indicate that no authentication will occur.
+- key: UserLongName
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ devicechannel: false
+ tvOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The full name of the user.
+- key: Token
+ type:
+ presence: required
+ content: The Push token for the device.
+- key: PushMagic
+ type:
+ presence: required
+ content: The magic string that has to be included in the push notification message.
+- key: UnlockToken
+ supportedOS:
+ iOS:
+ accessrights: AllowPasscodeRemovalAndLock
+ sharedipad:
+ mode: forbidden
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The data that can be used to unlock the device. If provided, the server
+ should remember this data and send it with when trying to Clear the Passcode.
+- key: AwaitingConfiguration
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ macOS:
+ introduced: '10.11'
+ userchannel: false
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the device is awaiting a Release Device from Await Configuration
+ MDM command before proceeding through Setup Assistant.
diff --git a/mdm/checkin/userauthenticate.yaml b/mdm/checkin/userauthenticate.yaml
new file mode 100644
index 0000000..4d8c5d2
--- /dev/null
+++ b/mdm/checkin/userauthenticate.yaml
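Review bot: `EnrollmentUserID` (previous part of this hunk) sets `iOS: introduced: n/a` yet its `content` says 'Available in macOS 10.15 and iOS 13.0 and later' — one of the two is wrong, and if the key is macOS-only the iOS clause should be dropped from the content. `UnlockToken`'s content has a stray word ('send it with when trying to Clear the Passcode') and, given that this value unlocks the device, should say how the server must hold it: `content: The data that can be used to unlock the device. If provided, the server should store this data securely and send it when trying to Clear the Passcode.` Boolean wording is also inconsistent within the file: `NotOnConsole` says 'If true' while `AwaitingConfiguration` says "If 'true'".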
@@ -0,0 +1,34 @@
+title: UserAuthenticate
+description: Authenticate network or mobile users with MDM.
+payload:
+ requesttype: UserAuthenticate
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Authenticate network or mobile users with MDM.
+payloadkeys:
+- key: MessageType
+ type:
+ presence: required
+ rangelist:
+ - UserAuthenticate
+ content: The message type, which must have a value of 'UserAuthenticate'.
+- key: UDID
+ type:
+ presence: required
+ content: The device's UDID (Unique Device ID).
+- key: UserID
+ type:
+ presence: required
+ content: Local mobile user's GUID or network user's GUID from an Open Directory
+ record.
+- key: DigestResponse
+ type:
+ presence: required
+ content: A string provided by the client on second UserAuthenticate request after
+ receiving 'DigestChallenge' from server on first UserAuthenticate request.
diff --git a/mdm/commands/account.configuration.yaml b/mdm/commands/account.configuration.yaml
new file mode 100644
index 0000000..9d14d17
--- /dev/null
+++ b/mdm/commands/account.configuration.yaml
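Review bot: `DigestResponse`'s content describes a two-round exchange ('after receiving 'DigestChallenge' from server on first UserAuthenticate request'), but the file has no `responsekeys` section, so the challenge the server returns in the first round is undocumented here; if it is in scope of this schema, a `responsekeys` entry for the challenge would complete the message. `DigestResponse` is also `presence: required` even though the content says it is only provided on the second request, so either the presence should be `optional` or the content should explain that the first request omits it. Both `UDID` and `UserID` are marked `presence: required` without the `userenrollment` notes the other check-in files carry; that may be deliberate since the payload already sets `userenrollment: mode: forbidden` for the whole message.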
@@ -0,0 +1,117 @@
+title: Account Configuration Command
+description: This command can be sent to the device to have it create the local administrator
+ account (thereby skipping the page to create this account in Setup Assistant)
+payload:
+ requesttype: AccountConfiguration
+ supportedOS:
+ macOS:
+ introduced: '10.11'
+ accessrights: None
+ devicechannel: true
+ userchannel: false
+ requiresdep: true
+ userenrollment:
+ mode: forbidden
+ content: When a macOS (v10.11 and later) device is configured via DEP to enroll
+ in an MDM server and the DEP profile has the await_device_configuration flag set
+ to true, the AccountConfiguration command can be sent to the device to have it
+ create the local administrator account (thereby skipping the page to create this
+ account in Setup Assistant). This command can only be sent to a macOS device that
+ is in the AwaitingConfiguration state.
+payloadkeys:
+- key: SkipPrimarySetupAccountCreation
+ type:
+ presence: optional
+ default: false
+ content: If 'true', Setup Assistant skips the user interface for setting up primary
+ accounts and disables autologin. If 'true', you must specify a value for 'AutoSetupAdminAccounts'.
+- key: SetPrimarySetupAccountAsRegularUser
+ type:
+ presence: optional
+ default: false
+ content: If 'true', Setup Assistant creates the primary accounts as regular users,
+ and you must specify a value for 'AutoSetupAdminAccounts'.
+- key: PrimaryAccountFullName
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: The full name for the primary account. If present, Setup Assistant uses
+ this value to prefill the Full Name field. However, Setup Assistant ignores this
+ value if 'DontAutoPopulatePrimaryAccountInfo' is 'true'. This value is available
+ in macOS 10.15 and later.
+- key: PrimaryAccountUserName
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: The account name for the primary account.
If present, Setup Assistant uses
+ this value to prefill the User Name field. However, Setup Assistant ignores this
+ value if 'DontAutoPopulatePrimaryAccountInfo' is 'true'. This value is available
+ in macOS 10.15 and later.
+- key: DontAutoPopulatePrimaryAccountInfo
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', Setup Assistant ignores the primary account information and
+ requires the user to enter that information. If 'false', Setup Assistant prefills
+ the Full Name field with 'PrimaryAccountFullName' and the User Name field with
+ 'PrimaryAccountUserName'. This value is available in macOS 10.15 and later.
+- key: LockPrimaryAccountInfo
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', and you provide values for 'PrimaryAccountFullName' or 'PrimaryAccountUserName', Setup Assistant disables editing for the corresponding fields. 'DontAutoPopulatePrimaryAccountInfo' must also be 0 (or missing).
+ If the user's password is also available from authentication via ConfigurationURL, Setup Assistant automatically creates the primary account with that information and skips showing the user interface to view or edit these fields.
+ This value is available in macOS 10.15 and later.
+- key: AutoSetupAdminAccounts
+ type:
+ presence: optional
+ content: A dictionary that describes the administrator account to create with Setup
+ Assistant, which uses the first element and ignores additional elements.
+ subkeys:
+ - key: AutoSetupAdminAccountItem
+ type:
+ subkeys:
+ - key: shortName
+ title: shortName
+ type:
+ presence: required
+ content: The short name of the user.
+ - key: fullName
+ title: fullName
+ type:
+ presence: optional
+ content: The full name of the user. This defaults to shortName if not specified.
+ - key: passwordHash
+ title: passwordHash
+ type:
+ presence: optional
+ content: Contains the pre-created salted PBKDF2 SHA512 password hash for the
+ account.
+ - key: hidden
+ title: hidden
+ type:
+ presence: optional
+ default: false
+ content: If true, this sets the account attribute to make the account hidden
+ to loginwindow and Users&Groups. OD attribute dsAttrTypeNative:IsHidden.
+- key: ManagedLocalUserShortName
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ content: If present, this is the short name of the local account to manage, which
+ can also be the account that results from setting 'AutoSetupAdminAccounts' to
+ 'true'. Otherwise, only the local account that Setup Assistant creates is a managed
+ account. This value is available in macOS 11 and later.
diff --git a/mdm/commands/application.extensions.listactive.yaml b/mdm/commands/application.extensions.listactive.yaml
new file mode 100644
index 0000000..599e866
--- /dev/null
+++ b/mdm/commands/application.extensions.listactive.yaml
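Review bot: `AutoSetupAdminAccounts` is described as 'A dictionary' while the same sentence says Setup Assistant 'uses the first element and ignores additional elements', and its `subkeys` follow the item-with-subkeys shape that docs/schema.md reserves for an array of dictionaries; the content should open with 'An array of dictionaries' so the prose matches the structure. `LockPrimaryAccountInfo` says `DontAutoPopulatePrimaryAccountInfo` 'must also be 0 (or missing)' although that key is documented as a boolean with `default: false`, so 'false' is the matching wording. `ManagedLocalUserShortName` speaks of "setting 'AutoSetupAdminAccounts' to 'true'", which does not fit a dictionary/array key and presumably means `SkipPrimarySetupAccountCreation`. The top-level `description` is also missing its closing period, unlike the other command files.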
@@ -0,0 +1,73 @@
+title: Application:List Active NSExtensions
+description: Returns information about the active NSExtensions for a particular user.
+payload:
+ requesttype: ActiveNSExtensions
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ accessrights: QueryInstalledApps
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: |-
+ Returns information about the active NSExtensions for a particular user.
+ NSExtensions are installed and enabled at the user level. There is no concept of "device" NSExtensions.
+ Requires "Query Installed Apps" right; supported on user channel only.
+payloadkeys:
+- key: FilterExtensionPoints
+ type:
+ presence: optional
+ content: An array of extension points. If you choose to provide this value, the
+ response only includes the app extensions for the extension points you specify.
+ subkeys:
+ - key: FilterExtensionPointsItem
+ type:
+responsekeys:
+- key: Extensions
+ type:
+ presence: required
+ content: An array of dictionaries that contains information about active extensions
+ on the device.
+ subkeys:
+ - key: ExtensionsItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The identifier of the extension.
+ - key: ExtensionPoint
+ type:
+ presence: required
+ content: The NSExtensionPointIdentifier for the extension.
+ - key: DisplayName
+ type:
+ presence: required
+ content: The extension's display name.
+ - key: ContainerDisplayName
+ type:
+ presence: optional
+ content: The display name of the container.
+ - key: ContainerIdentifier
+ type:
+ presence: optional
+ content: The identifier of the container.
+ - key: Path
+ type:
+ presence: required
+ content: The path to the extension.
+ - key: Version
+ type:
+ presence: required
+ content: The version of the extension.
+ - key: UserElection
+ type:
+ presence: required
+ rangelist:
+ - Default
+ - Use
+ - Ignore
+ content: The user-selected state of the extension, which a user sets in the
+ Extensions preference pane in System Preferences.
diff --git a/mdm/commands/application.extensions.mappings.yaml b/mdm/commands/application.extensions.mappings.yaml
new file mode 100644
index 0000000..558ffb9
--- /dev/null
+++ b/mdm/commands/application.extensions.mappings.yaml
@@ -0,0 +1,41 @@
+title: NSExtensions Mappings NSExtensions
+description: This command returns information about installed extensions for a user.
+payload:
+ requesttype: NSExtensionMappings
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ accessrights: QueryInstalledApps
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: |-
+ This command returns information about installed extensions for a user.
+ The purpose of this command is to allow the server to build a mapping of
+ extension identifiers to extension points to provide a UI for generating
+ "com.apple.NSExtension" payloads.
+ Requires "Query Installed Apps" right; supported on user channel only
+responsekeys:
+- key: Extensions
+ type:
+ presence: required
+ content: An array of dictionaries that contains information about extensions on
+ the device.
+ subkeys:
+ - key: ExtensionsItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The identifier of the extension.
+ - key: ExtensionPoint
+ type:
+ presence: required
+ content: The NSExtensionPointIdentifier for the extension.
+ - key: DisplayName
+ type:
+ presence: required
+ content: The display name of the extension.
diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml
new file mode 100644
index 0000000..efac039
--- /dev/null
+++ b/mdm/commands/application.install.enterprise.yaml
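Review bot: `FilterExtensionPointsItem` (earlier in this hunk) carries only `key` and `type`, with no `presence` or `content`, while every other array-item subkey in this commit documents its element (compare `ManifestURLPinningCertsItem` in application.install.enterprise.yaml); add `content: An NSExtensionPointIdentifier to filter the response by.` The `Extensions` content says 'active extensions on the device', but the payload's own `content` block states that NSExtensions exist only at the user level, so 'for the user' would be the accurate wording.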
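Review bot: The title `NSExtensions Mappings NSExtensions` repeats the word; `NSExtensions Mappings`, or a title that mirrors `requesttype: NSExtensionMappings`, is presumably intended. The last line of the payload's `content` block, 'supported on user channel only', lacks the closing period that the identical sentence has in application.extensions.listactive.yaml, and since the block is `|-` the missing period becomes part of the rendered value.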
@@ -0,0 +1,118 @@
+title: Install Enterprise Application Command
+description: This command allows the server to install enterprise applications on
+ a device. It provides a more secure version of 'InstallApplication' that specifies
+ a 'ManifestURL'.
+payload:
+ requesttype: InstallEnterpriseApplication
+ supportedOS:
+ macOS:
+ introduced: 10.13.6
+ accessrights: AllowAppInstallation
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ content: This command allows the server to install an application on a device. It
+ provides a more secure version of 'InstallApplication' that specifies a 'ManifestURL'.
+payloadkeys:
+- key: Manifest
+ type:
+ presence: optional
+ content: A dictionary that specifies where to download the app. This value is backward-compatible
+ with the manifest for the InstallApplicationCommand; however, it also allows you
+ to specify 'sha256s' and 'sha256'-size for SHA-256 hashes.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: A manifest, which is backward-compatible with the manifest for the 'InstallApplication'
+ command; however, it also allows you to specify 'sha256s' and 'sha256-size'
+ for SHA-256 hashes.
+- key: ManifestURL
+ type:
+ presence: optional
+ content: The URL of the app manifest, which must begin with 'https:'.
+- key: ManifestURLPinningCerts
+ type:
+ presence: optional
+ content: An array of DER-encoded certificates to pin the connection when fetching
+ the 'ManifestURL'.
+ subkeys:
+ - key: ManifestURLPinningCertsItem
+ type:
+ presence: required
+ content: A certificate in DER-encoded format.
+- key: PinningRevocationCheckRequired
+ type:
+ presence: optional
+ default: false
+ content: If 'true', certificate revocation checks require a positive response when
+ using certificate pinning with 'ManifestURLPinningCerts'.
+- key: InstallAsManaged
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', install the app as a managed app. For manifest-based installation, if this value is 'true', but the package doesn't meet the criteria for management, the installation fails. Reinstall a managed app with this value set to 'false' to change the app to an unmanaged app.
+ To satisfy the criteria for management, the pkg must contain a single, signed application installed into '/Applications'.
+ This value is available in macOS 11 and later.
+- key: ManagementFlags
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ content: |-
+ The management flags. The only supported flag is:
+ * '1': Remove the app upon removal of the MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'.
+ This value is available in macOS 11 and later.
+- key: Configuration
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ content: A dictionary that contains the initial configuration of the app, if you
+ choose to provide it. This value is available in macOS 11 and later.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: An app configuration key.
+- key: ChangeManagementState
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: optional
+ rangelist:
+ - Managed
+ content: |-
+ The change management state. The only supported state is:
+ * 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'.
+ This value is available in macOS 11 and later.
+- key: iOSApp
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '11.0'
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the app is an iOS app that can run on an Apple silicon in macOS
+ 11 and later.
diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml
new file mode 100644
index 0000000..e7cd4d6
--- /dev/null
+++ b/mdm/commands/application.install.yaml
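Review bot: The `Manifest` content (first part of this hunk) writes `'sha256s' and 'sha256'-size`, while the `ANY` subkey directly below writes `'sha256-size'`; the top-level text should use `'sha256-size'` as well, and 'the InstallApplicationCommand' there should match the subkey's "the 'InstallApplication' command". `introduced: 10.13.6` is the only unquoted version value in these files (siblings write `'10.13'`, `'11.0'`); it parses as a string only because of the second dot, so quoting it as `introduced: '10.13.6'` keeps the convention and protects against a later two-component edit becoming a float. `PinningRevocationCheckRequired` defaults to `false`, and its content could note that with the default a revocation lookup that fails to answer does not block the pinned fetch, since that is the operational consequence an administrator needs when deciding to set it.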
@@ -0,0 +1,231 @@ +title: Install Application Command +description: This command allows the server to install an application on a device. + If the app is already being managed, this command will update the app. +payload: + requesttype: InstallApplication + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.9' + accessrights: AllowAppInstallation + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + supervised: false + content: This command allows the server to install an application on a device. If + the app is already being managed, this command will update the app. macOS change + - 10.9 user channel for VPP, 10.10 device channel, 10.11 both. +payloadkeys: +- key: iTunesStoreID + type: + presence: optional + content: The app's iTunes Store identifier. +- key: Identifier + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: The app's bundle identifier. +- key: Options + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: A dictionary that contains the app installation options. + subkeys: + - key: PurchaseMethod + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + The app's purchase type, which must be one of the following values: + * '0': Free apps and Legacy Volume Purchase Program (VPP) with a redemption code. This option is only available in iOS. + * '1': Volume Purchase Program (VPP) app assignment. + Set this value to '1' to install first-party apps without user login to the iTunes Store, such as Mail or Safari, or to install an iOS app with user enrollment. 
+- key: ManifestURL + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: The URL of the app manifest, which must begin with 'https:'. +- key: ManagementFlags + supportedOS: + macOS: + introduced: '11.0' + userenrollment: + mode: forbidden + type: + presence: optional + rangelist: + - 1 + - 4 + - 5 + content: |- + The bitwise OR of the following management flags: + * '1': Remove app upon removal of MDM profile. This also requires that you pass 'true' for 'InstallAsManaged'. + * '4': Prevent backup of app data. + This value is available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. +- key: Configuration + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: A dictionary that contains the initial configuration of the app, if you + choose to provide it. This value is available in iOS 7 and later, macOS 11 and + later, and tvOS 10.2 and later. + subkeys: + - key: ANY + type: + presence: optional + content: An app configuration key. +- key: Attributes + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains the initial attributes of the app, if you choose + to provide it. This value is available in iOS 7 and later, and tvOS 10.2 and later. + subkeys: + - key: VPNUUID + type: + presence: optional + content: A per-app VPN unique identifier for this app. This value is available + in iOS 7 and later, and tvOS 10.2 and later. + - key: AssociatedDomains + supportedOS: + iOS: + introduced: '13.0' + tvOS: + introduced: n/a + type: + presence: optional + content: An array that contains the associated domains to add to this app. This + value is available in iOS 13 and later. 
+ subkeys: + - key: AssociatedDomain + type: + - key: AssociatedDomainsEnableDirectDownloads + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', perform claimed site association verification directly at + the domain instead of on Apple's servers. Only set this to 'true' for domains + that can't access the internet. This value is available in iOS 14 and later. + - key: Removable + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: '14.0' + type: + presence: optional + default: true + content: If 'false', this app isn't removable while it's a managed app. This value + is available in iOS 14 and later, and tvOS 14 and later. +- key: ChangeManagementState + supportedOS: + iOS: + introduced: '9.0' + userenrollment: + mode: forbidden + macOS: + introduced: '11.0' + userenrollment: + mode: forbidden + type: + presence: optional + rangelist: + - Managed + content: |- + The change management state. The only supported state is: + * 'Managed': Take management of the app if the user installed it already. This also requires that you pass 'true' for 'InstallAsManaged'. + This value doesn't work with the User Enrollment feature introduced in iOS 13. + Available in iOS 9 and later, macOS 11 and later, and tvOS 10.2 and later. +- key: InstallAsManaged + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', install the app as a managed app. For manifest-based installation, + if this value is 'true', but the package doesn't meet the criteria for management, + the installation fails. Reinstall a managed app with this value set to 'false' + to change the app to an unmanaged app. This value is available in macOS 11 and + later. 
+- key: iOSApp + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the app is an iOS app that can run on an Apple silicon in macOS + 11 and later. +responsekeys: +- key: Identifier + type: + presence: optional + content: The app's bundle identifier, if the user accepted the request. +- key: State + type: + presence: optional + content: The app's installation state, if the user accepted the request. If this + value is 'NeedsRedemption', the server must send a redemption code to complete + the app installation. +- key: RejectionReason + type: + presence: optional + rangelist: + - AppAlreadyInstalled + - AppAlreadyQueued + - AppStoreDisabled + - CouldNotVerifyAppID + - ManagementChangeNotSupported + - NotAnApp + - NotSupported + - PurchaseMethodNotSupported + - PurchaseMethodNotSupportedInMultiUser + content: The reason, if installation fails. diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml new file mode 100644 index 0000000..3a9c2c5 --- /dev/null +++ b/mdm/commands/application.installed.list.yaml 
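Review bot: `AssociatedDomainsEnableDirectDownloads` declares `default: true` while its own description says to set it to 'true' only for domains that can't reach the internet; one of the two is wrong, and since the key makes the device verify the claimed site association at the domain instead of on Apple's servers, a true default would widen that exception to every app installed with this command. If the platform default is false, as the wording suggests, change it to `default: false`; otherwise reword the description so it does not warn against the default. In the same hunk `ManagementFlags` lists only macOS under `supportedOS` yet its text claims availability on iOS 5 and tvOS 10.2, and its `rangelist` accepts `5` without saying it is `1 | 4`; add `iOS: introduced: '5.0'` and `tvOS: introduced: '10.2'` if that is correct, or drop the claim, and mention the combined value in the bullet list.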
@@ -0,0 +1,247 @@ +title: Application List Command +description: This command allows the server to query for installed 3rd party applications. +payload: + requesttype: InstalledApplicationList + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowQueryApplications + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowQueryApplications + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: AllowQueryApplications + supervised: false + content: This command allows the server to query for installed 3rd party applications. +payloadkeys: +- key: Identifiers + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.15' + type: + presence: optional + content: An array of app identifiers. Provide this value to limit the response to + only include these apps. This value is available in iOS 7 and later, macOS 10.15 + and later, and tvOS 10.2 and later. + subkeys: + - key: IdentifiersItem + type: +- key: ManagedAppsOnly + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.15' + type: + presence: optional + default: false + content: If 'true', only get a list of managed apps. This value is available in + iOS 7 and later, macOS 10.15 and later, and tvOS 10.2 and later. +- key: Items + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + tvOS: + introduced: '14.0' + type: + presence: optional + content: An array of strings representing keys in the InstalledApplicationListItem + dictionary. If provided, the response will contain only the keys listed here. + The "Identifier" key is always included. If not present, the response will contain + all keys. Always request just the set of keys that will actually be used, as some + key values can take significant time and power to calculate on the device. 
+ subkeys: + - key: ItemsItem + type: + rangelist: + - AdHocCodeSigned + - AppStoreVendable + - BetaApp + - BundleSize + - DeviceBasedVPP + - DynamicSize + - ExternalVersionIdentifier + - HasUpdateAvailable + - Identifier + - Installing + - IsValidated + - Name + - ShortVersion + - Version +responsekeys: +- key: InstalledApplicationList + type: + presence: required + content: An array of dictionaries that describes each installed app. + subkeys: + - key: InstalledApplicationListItem + type: + subkeys: + - key: Identifier + type: + presence: optional + content: The app's identifier. This key will always be present on iOS/tvOS but + may be missing on macOS. + - key: ExternalVersionIdentifier + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: '10.13' + tvOS: + introduced: '11.0' + type: + presence: optional + content: |- + The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available. + A newer version of an app may not be available for installation on the device for a variety of reasons, including that the device's operating system version or hardware is incompatible with the available version of the app. + - key: Version + type: + presence: optional + content: The app's version. + - key: ShortVersion + supportedOS: + iOS: + introduced: '5.0' + type: + presence: optional + content: The app's short version. + - key: Name + type: + presence: optional + content: The app's name. + - key: BundleSize + supportedOS: + macOS: + introduced: '10.7' + type: + presence: optional + content: The app's static bundle size, in bytes. This value is available in + iOS 5 and later, and macOS 10.7 and later, and tvOS 10.2 and later. 
+ - key: DynamicSize + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + type: + presence: optional + content: The size of the app's file system in bytes, including the Documents, + Library, and other directories. This value is available in iOS 5 and later, + and tvOS 10.2 and later. + - key: IsValidated + supportedOS: + iOS: + introduced: '9.2' + macOS: + introduced: n/a + type: + presence: optional + content: If 'true', the app is valid and can run on the device. If the app is + enterprise-distributed and unvalidated, it won't be able to run until validation + has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 + and later. + - key: Installing + type: + presence: optional + content: If 'true', the app is downloading. If 'false', it's already installed. + - key: AppStoreVendable + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + content: If 'true', the app came from the App Store and can participate in store + features. For device-based Volume Purchase Program (VPP) apps, this value + is 'false'. This value is available in iOS 11.3 and later, and tvOS 11.3 and + later. + - key: DeviceBasedVPP + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + content: If 'true', installing the app didn't require an Apple ID. This value + is available in iOS 11.3 and later, and tvOS 11.3 and later. + - key: BetaApp + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + content: If 'true', the app is part of the Apple Beta Software Program. This + value is available in iOS 11.3 and later, and tvOS 11.3 and later. 
+ - key: AdHocCodeSigned + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + content: If 'true', the app is ad-hoc code signed. This query is available in + iOS 11.3 and later, and tvOS 11.3 and later. + - key: HasUpdateAvailable + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: 10.13.4 + type: + presence: optional + content: If 'true', the app has an update available. This key is present only + for App Store apps. In macOS, this key is present only for Volume Purchase + Program (VPP) apps. This status updates daily and isn't always up-to-date + when installing an app. + - key: DownloadFailed + type: + presence: optional + default: false + content: If 'true', the download failed. + - key: DownloadWaiting + type: + presence: optional + default: false + content: If 'true', the app is in the initial state, which is waiting to download. + - key: DownloadPaused + type: + presence: optional + default: false + content: If 'true', the user paused the download. + - key: DownloadCancelled + type: + presence: optional + default: false + content: If 'true', the user canceled the download. diff --git a/mdm/commands/application.invitetoprogram.yaml b/mdm/commands/application.invitetoprogram.yaml new file mode 100644 index 0000000..5d0f513 --- /dev/null +++ b/mdm/commands/application.invitetoprogram.yaml 
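Review bot: `BundleSize` lists only `macOS: introduced: '10.7'` under `supportedOS` but its text says the value is also available in iOS 5 and tvOS 10.2; if a per-key `supportedOS` narrows the command's own OS list, this key silently drops iOS and tvOS, so either add `iOS: introduced: '5.0'` and `tvOS: introduced: '10.2'` or remove those claims from the text. `HasUpdateAvailable` has `introduced: 10.13.4` unquoted where every other version in the file is a quoted string; it survives as a string only because it has two dots, so write `introduced: '10.13.4'` for consistency. The `Items` filter's `rangelist` omits `DownloadFailed`, `DownloadWaiting`, `DownloadPaused` and `DownloadCancelled` even though they are response keys; if they cannot be requested explicitly, a comment saying so would save the next reader a question.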
@@ -0,0 +1,48 @@ +title: Invite To Program Command +description: This command allows a server to invite a user to join a program. +payload: + requesttype: InviteToProgram + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.9' + accessrights: None + devicechannel: false + userchannel: true + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows a server to invite a user to join a program. This command + issues the invitation, but does not allow the server to monitor whether the user + has joined the program. This command is supported in the user channel. This command + will yield a NotNow status until the user exits Setup Assistant. +payloadkeys: +- key: ProgramID + type: + presence: required + rangelist: + - com.apple.cloudvpp + content: The program's identifier, which can only be 'com.apple.cloudvpp'. +- key: InvitationURL + type: + presence: required + content: The Volume Purchase Program (VPP) invitation URL. +responsekeys: +- key: InvitationResult + type: + presence: required + rangelist: + - Acknowledged + - InvalidProgramID + - InvalidInvitationURL + content: The result of the command. diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml new file mode 100644 index 0000000..c2350bf --- /dev/null +++ b/mdm/commands/application.managed.list.yaml 
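Review bot: `InvitationURL` is a URL the device will present to the user, yet unlike `ManifestURL` in the install command its description states no scheme requirement; if the device enforces https here, say so with `content: The Volume Purchase Program (VPP) invitation URL, which must begin with 'https:'.`, and if it does not, that is worth stating explicitly since the MDM server is then the only gate on where the user is sent. The access rights also differ between platforms for the same command — iOS requires `AllowAppInstallation` while macOS declares `accessrights: None` — which reads like an omission unless macOS really grants this command to every enrollment; please confirm and align or document the difference.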
@@ -0,0 +1,170 @@ +title: Managed Application List Command +description: This command allows the server to query the status of managed apps. Certain + statuses are transient. Once they are reported to the server, the entries for the + apps are removed from the next query. macOS supports this command on the user channel + starting with macOS 11.3. +payload: + requesttype: ManagedApplicationList + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '11.0' + accessrights: AllowAppInstallation + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + supervised: false + content: This command allows the server to query the status of managed apps. Certain + statuses are transient. Once they are reported to the server, the entries for + the apps are removed from the next query. macOS supports this command on the user + channel starting with macOS 11.3. +payloadkeys: +- key: Identifiers + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: The bundle identifiers of the managed apps to include in the response. + subkeys: + - key: IdentifiersItem + type: +responsekeys: +- key: ManagedApplicationList + type: + presence: required + content: A dictionary that contains status information about each managed app. + subkeytype: ManagedApplicationListItem + subkeys: + - key: + type: + presence: required + content: The bundle identifier of the managed app. 
+ subkeytype: ManagedApplicationItem + subkeys: + - key: Status + type: + presence: required + rangelist: + - NeedsRedemption + - Redeeming + - Prompting + - PromptingForLogin + - ValidatingPurchase + - PromptingForUpdate + - PromptingForUpdateLogin + - PromptingForManagement + - ValidatingUpdate + - Updating + - Installing + - Managed + - ManagedButUninstalled + - Unknown + - UserInstalledApp + - UserRejected + - UpdateRejected + - ManagementRejected + - Failed + content: |- + The status of the managed app, which is one of the following values: + * 'NeedsRedemption': The app needs a redemption code to complete installation. + * 'Redeeming': The device is redeeming the redemption code for the app. + * 'Prompting': The app installation is prompting the user. + * 'PromptingForLogin' - The app installation is prompting the user for App Store credentials. + * 'ValidatingPurchase': Validation of the app purchase is occurring. + * 'PromptingForUpdate': An app update is prompting the user. + * 'PromptingForUpdateLogin': An app update is prompting the user for App Store credentials. + * 'PromptingForManagement': Changing the app to a managed app is prompting the user. + * 'ValidatingUpdate': Validation of an app update is occurring. + * 'Updating': The app is updating. + * 'Installing': The app is installing. + * 'Managed': The installed app is a managed app. + * 'ManagedButUninstalled': The app is a managed app and the user removed it. Reinstalling the app reinstates it as a managed app. + * 'Unknown': The app state is unknown. + The following statuses are transient and report only once: + * 'UserInstalledApp': The user installed the app before managed app installation could occur. + * 'UserRejected': The user rejected the offer to install the app. + * 'UpdateRejected': The user rejected the offer to update the app. + * 'ManagementRejected':The user rejected management of an installed app. + * 'Failed': The app installation failed. 
+ - key: ManagementFlags + type: + presence: required + content: |- + The bitwise OR of the following management flags: + * '1': Remove app upon removal of MDM profile. + * '4': Prevent backup of app data. + - key: UnusedRedemptionCode + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: required + content: If the user already purchased a paid app, this code is available for + use by another user. This code reports only once. This value is available + in iOS 5 and later. + - key: HasConfiguration + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '11.0' + type: + presence: required + content: If 'true', the app has an update available. This key is present only + for App Store apps. In macOS, this key is present only for Volume Purchase + Program (VPP) apps. This status updates daily and isn't always up-to-date + when installing an app. + - key: HasFeedback + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '11.3' + devicechannel: false + type: + presence: required + content: If 'true', the app has feedback for the server. This value is available + in iOS 7 and later, and tvOS 10.2 and later. On macOS 11.3 and later, this + value is available if the request was sent on the user channel. + - key: IsValidated + supportedOS: + iOS: + introduced: '9.2' + macOS: + introduced: n/a + type: + presence: required + content: If 'true', the app is valid and can run on the device. If the app is + enterprise-distributed and unvalidated, it won't be able to run until validation + has occurred. This value is available in iOS 9.2 and later, and tvOS 10.2 + and later. + - key: ExternalVersionIdentifier + supportedOS: + iOS: + introduced: '10.3' + macOS: + introduced: '11.3' + tvOS: + introduced: '10.2' + type: + presence: required + content: |- + The app's external version identifier, which you can use in the iTunes Search API to determine if an updated version of the app is available. 
Compare this value to the 'externalId' value in the 'contentMetadataLookupUrl' response from the 'VPPServiceConfigSrv' endpoint. If these values don't match, an updated version of the app may be available. This value is available in iOS 10.3 and later, macOS 11.3 and later, and tvOS 10.2 and later. + A newer version of an app may not be available for installation on the device for a variety of reasons, including that the device's operating system version or hardware is incompatible with the available version of the app. diff --git a/mdm/commands/application.redemptioncode.yaml b/mdm/commands/application.redemptioncode.yaml new file mode 100644 index 0000000..db844a6 --- /dev/null +++ b/mdm/commands/application.redemptioncode.yaml @@ -0,0 +1,26 @@ +title: Apply Redemption Code Command +description: If a redemption code is needed during app installation, the server can + use this command to complete the app installation. +payload: + requesttype: ApplyRedemptionCode + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + content: If a redemption code is needed during app installation, the server can + use this command to complete the app installation. +payloadkeys: +- key: Identifier + type: + presence: required + content: The bundle identifier of the app. +- key: RedemptionCode + type: + presence: required + content: The redemption code that applies to the app pending installation. diff --git a/mdm/commands/application.remove.yaml b/mdm/commands/application.remove.yaml new file mode 100644 index 0000000..d39fe96 --- /dev/null +++ b/mdm/commands/application.remove.yaml 
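Review bot: The `HasConfiguration` description is copied from `HasUpdateAvailable` ("If 'true', the app has an update available. This key is present only for App Store apps...") and does not describe the key at all; replace it with something like `content: If 'true', the app has a managed app configuration. This value is available in iOS 7 and later, and macOS 11 and later.`, with the exact semantics confirmed by whoever owns the schema. `UnusedRedemptionCode` is `presence: required` although its own text says the code reports only once, so it should presumably be `presence: optional`. The status list also mixes separators (`'PromptingForLogin' - The app...`, `'ManagementRejected':The user...`) where every other entry uses `: `; make them uniform.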
@@ -0,0 +1,33 @@ +title: Remove Application Command +description: This command allows a server to remove a managed app. +payload: + requesttype: RemoveApplication + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '11.0' + accessrights: AllowAppInstallation + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + supervised: false + content: This command allows a server to remove a managed app. +payloadkeys: +- key: Identifier + type: + presence: required + content: The bundle identifier of the managed app. diff --git a/mdm/commands/application.validate.yaml b/mdm/commands/application.validate.yaml new file mode 100644 index 0000000..9d2d45c --- /dev/null +++ b/mdm/commands/application.validate.yaml 
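Review bot: On macOS `RemoveApplication` is declared `userchannel: false` while `InstallApplication` in this same series allows `userchannel: true`; if that asymmetry is intended (an app installed over the user channel must be removed from the device channel), the `content` should say so, otherwise this looks like a missing `true`. The `Identifier` description could also state what the device does when the identifier is not a managed app, since this file documents no response or rejection keys.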
@@ -0,0 +1,32 @@ +title: Validate Applications Command +description: This commands allows the server to force validation of the free developer + and universal provisioning profiles associated with an enterprise app. +payload: + requesttype: ValidateApplications + supportedOS: + iOS: + introduced: '9.2' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + supervised: false + content: This command allows the server to query for installed 3rd party applications. +payloadkeys: +- key: Identifiers + type: + presence: optional + content: The bundle identifiers of the enterprise apps to include for validation + of associated provisioning profiles, if you choose to provide them. Otherwise, + validation occurs for the provisioning profiles for the installed managed apps. + subkeys: + - key: IdentifiersItem + type: diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml new file mode 100644 index 0000000..645e2c3 --- /dev/null +++ b/mdm/commands/certificate.list.yaml 
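Review bot: The payload `content` for ValidateApplications is pasted from the InstalledApplicationList command ("This command allows the server to query for installed 3rd party applications.") and contradicts the file's own `description`; it should repeat the description, e.g. `content: This command allows the server to force validation of the free developer and universal provisioning profiles associated with an enterprise app.` The `description` itself also has a typo: `This commands allows` should be `This command allows`.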
@@ -0,0 +1,70 @@ +title: Certificate List Command +description: This command allows the server to retrieve the list of installed certificates + on the device. The command requires that the server has the Inspect Profile Manifest + privilege. +payload: + requesttype: CertificateList + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowInspection + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowInspection + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowInspection + supervised: false + content: |- + This command allows the server to retrieve the list of installed certificates on the device. The command requires that the server has the Inspect Profile Manifest privilege. + For userenrollment, this request will limit to certificates pushed via MDM +payloadkeys: +- key: ManagedOnly + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: '10.15' + tvOS: + introduced: '13.0' + type: + presence: optional + default: false + content: If 'true', only include certificates that MDM installed or that are in + the same profile as the MDM payload. User-enrolled devices ignore this value and + always only include managed certificates. This value is available in iOS 13 and + later, macOS 10.15 and later, and tvOS 13 and later. +responsekeys: +- key: CertificateList + type: + presence: required + content: An array of certificate list items that describes each certificate. + subkeys: + - key: CertificateListItem + type: + subkeys: + - key: CommonName + type: + presence: required + content: The certificate's common name. + - key: IsIdentity + type: + presence: required + content: If 'true', this is an identity certificate. + - key: Data + type: + presence: required + content: The certificate in DER-encoded X.509 format. 
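Review bot: The second line of the payload `content` block ("For userenrollment, this request will limit to certificates pushed via MDM") is an unfinished sentence and says less than the `ManagedOnly` key below it; suggest `For User Enrollment, the response only includes certificates that MDM installed, and the 'ManagedOnly' key is ignored.` Note also that every `type:` in this hunk renders blank on this page (the angle-bracketed type tags were probably stripped by the renderer), so a reader cannot see from this view that `Data` is binary; the 'DER-encoded X.509 format' description is the only hint, so keep it precise, and consider adding that `IsIdentity` marks a certificate for which the device holds the matching private key, if that is what the flag means.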
diff --git a/mdm/commands/declarativemanagement.yaml b/mdm/commands/declarativemanagement.yaml new file mode 100644 index 0000000..959d8be --- /dev/null +++ b/mdm/commands/declarativemanagement.yaml @@ -0,0 +1,23 @@ +title: Declarative Management Command +description: This command allows the server to turn on the Declarative Management + engine on the device (the first time it is used), or to trigger a Declarative Management + synchronization operation. +payload: + requesttype: DeclarativeManagement + supportedOS: + iOS: + introduced: '15.0' + supervised: false + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: required + content: This command allows the server to turn on the Declarative Management engine + on the device (the first time it is used), or to trigger a Declarative Management + synchronization operation. +payloadkeys: +- key: Data + type: + presence: optional + content: The base64-encoded Declarative Management JSON request using a TokensResponse. diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml new file mode 100644 index 0000000..642a4b1 --- /dev/null +++ b/mdm/commands/device.activationlock.bypasscode.yaml 
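Review bot: `DeclarativeManagement` is the only command in this series whose `supportedOS.iOS` stanza omits `accessrights`; every other command declares one, even `accessrights: None`, and since this command switches on the declarative engine it should state which enrollment right gates it (or explicitly `None`). The `Data` key is described as a "base64-encoded Declarative Management JSON request using a TokensResponse", which mixes the wire encoding with the payload; if the value is a plist data element carrying the TokensResponse JSON, `content: The Declarative Management TokensResponse JSON object, sent as data; the device uses it to decide whether a synchronization is needed.` is clearer, but confirm against the protocol before rewording.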
@@ -0,0 +1,30 @@ +title: Activation Lock Bypass Code Command +description: Retrievies the Activation Lock bypass code from the device. +payload: + requesttype: ActivationLockBypassCode + supportedOS: + iOS: + introduced: '7.1' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + accessrights: None + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + content: Retrieves the Activation Lock bypass code from the device. This bypass + code is only available for 15 days after supervision. +responsekeys: +- key: ActivationLockBypassCode + type: + presence: required + content: The Activation Lock bypass code if it's available. diff --git a/mdm/commands/device.activationlock.clearbypasscode.yaml b/mdm/commands/device.activationlock.clearbypasscode.yaml new file mode 100644 index 0000000..b6cd681 --- /dev/null +++ b/mdm/commands/device.activationlock.clearbypasscode.yaml @@ -0,0 +1,24 @@ +title: Clear Activation Lock Bypass Code Command +description: Clears the Activation Lock bypass code from the device. +payload: + requesttype: ClearActivationLockBypassCode + supportedOS: + iOS: + introduced: '7.1' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + accessrights: None + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + content: Clears the Activation Lock bypass code from the device. diff --git a/mdm/commands/device.configured.yaml b/mdm/commands/device.configured.yaml new file mode 100644 index 0000000..aebba8d --- /dev/null +++ b/mdm/commands/device.configured.yaml 
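Review bot: `description` misspells `Retrievies`; it should match the `content` line: `description: Retrieves the Activation Lock bypass code from the device.` The response key `ActivationLockBypassCode` is `presence: required` but its text says "if it's available" and the command text says the code exists only for 15 days after supervision — either the key is optional or the command errors after that window, and the schema should say which. Because the value is intended to bypass Activation Lock, a server-side consumer should treat it as a secret; a one-line note to that effect on the response key would help implementers.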
@@ -0,0 +1,31 @@ +title: Device Configured Command +description: Informs the device that it can continue past DEP enrollment. Only works + on devices in DEP that have their cloud configuration set to await configuration. +payload: + requesttype: DeviceConfigured + supportedOS: + iOS: + introduced: '9.0' + accessrights: None + supervised: true + requiresdep: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: true + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: None + supervised: true + content: Informs the device that it can continue past DEP enrollment. Only works + on devices in DEP that have their cloud configuration set to await configuration. diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml new file mode 100644 index 0000000..85b8246 --- /dev/null +++ b/mdm/commands/device.erase.yaml 
@@ -0,0 +1,105 @@ +title: Device Erase Command +description: This command allows the server to remotely erase the device. This command + requires the Device Erase right. +payload: + requesttype: EraseDevice + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowDeviceErase + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.7' + accessrights: AllowDeviceErase + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: AllowDeviceErase + supervised: false + content: This command allows the server to remotely erase the device. This command + requires the Device Erase right. +payloadkeys: +- key: PreserveDataPlan + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', preserve the data plan on an iPhone or iPad with eSIM functionality, + if one exists. This value is available in iOS 11 and later. +- key: DisallowProximitySetup + supportedOS: + iOS: + introduced: '11.3' + sharedipad: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', disable Proximity Setup on the next reboot and skip the pane + in Setup Assistant. This value is available in iOS 11 and later. Prior to iOS + 14, don't use this option with any other option. +- key: PIN + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.8' + tvOS: + introduced: n/a + type: + presence: optional + content: The six-character PIN for Find My. This value is available in macOS 10.8 + and later. 
+- key: ObliterationBehavior + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + tvOS: + introduced: n/a + type: + presence: optional + rangelist: + - Default + - DoNotObliterate + - ObliterateWithWarning + - Always + content: |- + This key defines the fallback behavior for erasing a device. + In macOS 12 and later, this command uses Erase All Content and Settings (EACS) on Mac computers with the Apple M1 chip or the Apple T2 Security Chip. On those devices, if EACS can't run, the device can use obliteration (macOS 11.x behavior). This key has no effect on machines prior to the T2 chip. For a list of supported macs, see Mac models with the Apple T2 Security Chip . + Upon receiving this command, the device performs preflight checks to determine if the device is in a state that allows EACS. The 'status' of the EraseDeviceResponse is either 'Acknowledged' or 'Error'. + The following values define the device's fallback behavior: + + 'DoNotObliterate': + If EACS preflight fails, the device responds to the server with an 'Error' status and doesn't attempt to erase itself. + If EACS preflight succeeds but EACS fails, then the device doesn't attempt to erase itself. + + 'ObliterateWithWarning': + If EACS preflight fails, the device responds with an 'Acknowledged' status and then attempts to erase itself. + If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. + + 'Default': + If EACS preflight fails, the device responds to the server with an 'Error' status and then attempts to erase itself. + If EACS preflight succeeds but EACS fails, then the device attempts to erase itself. diff --git a/mdm/commands/device.esim.yaml b/mdm/commands/device.esim.yaml new file mode 100644 index 0000000..371a085 --- /dev/null +++ b/mdm/commands/device.esim.yaml 
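Review bot: `ObliterationBehavior` lists `Always` in its `rangelist`, but the `content` block only describes `DoNotObliterate`, `ObliterateWithWarning` and `Default`; the fourth value needs its own paragraph in the same "If EACS preflight fails … / If EACS preflight succeeds but EACS fails …" form so that a server author knows how it differs from `Default`. The sentence "For a list of supported macs, see Mac models with the Apple T2 Security Chip ." has lost its hyperlink and keeps a stray space before the period; either restore the link target or rephrase it as plain text. Since this is the most destructive command in the set, `PIN` would also benefit from stating in `content` what the PIN is used for after the erase (it currently only says "The six-character PIN for Find My").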
@@ -0,0 +1,27 @@ +title: eSIM Cellular Plan Management Command +description: Instructs the device to query for active cellular plan eSIM "profiles" + at the designated carrier eSIM server URL. +payload: + requesttype: RefreshCellularPlans + supportedOS: + iOS: + introduced: '13.0' + accessrights: None + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: |- + Instructs the device to query for active cellular plan eSIM "profiles" (not a profile in the MDM sense) + at the designated carrier eSIM server URL. This command is only supported on cellular devices, and only + a subset of those devices support eSIM configuration management. (Need details from CoreTelephony.) +payloadkeys: +- key: eSIMServerURL + type: + presence: required + content: The carrier's eSIM server URL to query. Obtain this URL from each carrier + separately. diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml new file mode 100644 index 0000000..dfd94d5 --- /dev/null +++ b/mdm/commands/device.lock.yaml 
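Review bot: The `payload.content` block still carries an author note, `(Need details from CoreTelephony.)`, which shouldn't ship in a published schema; either replace it with the actual device-support details or drop the parenthetical. `eSIMServerURL` has no format guidance beyond "the carrier's eSIM server URL"; because the device will contact whatever URL the server puts here, state the expected scheme (if the device requires HTTPS for this value, say so) and that the URL must come from the carrier, not be constructed by the server.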
@@ -0,0 +1,74 @@ +title: Device Lock Command +description: This command allows the server to immediately lock the device. This command + requires the Device Lock and Passcode Removal right. +payload: + requesttype: DeviceLock + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowPasscodeRemovalAndLock + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowPasscodeRemovalAndLock + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows the server to immediately lock the device. This command + requires the Device Lock and Passcode Removal right. +payloadkeys: +- key: Message + supportedOS: + iOS: + introduced: '7.0' + sharedipad: + mode: ignored + macOS: + introduced: '10.14' + type: + presence: optional + content: The message to display on the Lock screen of the device. This value doesn't + apply to a shared iPad device. This value is available in iOS 4 and later, and + macOS 10.14 and later. +- key: PhoneNumber + supportedOS: + iOS: + introduced: '7.0' + sharedipad: + mode: ignored + macOS: + introduced: '11.5' + type: + presence: optional + content: The phone number to display on the Lock screen. This value doesn't apply + to a shared iPad device. This value is available in iOS 7 and later and macOS + 11.5 and later (for Apple silicon devices only). +- key: PIN + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.8' + type: + presence: optional + content: The six-character PIN for Find My. This value is available in macOS 10.8 + and later. +responsekeys: +- key: MessageResult + type: + presence: optional + content: |- + The message result if the command includes a message or phone number, which is one of the following values: + * 'Success': The message displayed successfully. + * 'DeviceInLostMode': The device is in Lost Mode. 
+ * 'NoPasscodeSet': The message didn't display because there isn't a set passcode. + * 'Unknown': An unknown error occurred. diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml new file mode 100644 index 0000000..b48b173 --- /dev/null +++ b/mdm/commands/device.lostmode.disable.yaml @@ -0,0 +1,17 @@ +title: Disable MDM Lost Mode Location +description: This command allows the server to take the device out of MDM lost mode. +payload: + requesttype: DisableLostMode + supportedOS: + iOS: + introduced: '9.3' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: This command allows the server to take the device out of MDM lost mode. diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml new file mode 100644 index 0000000..1bca8d9 --- /dev/null +++ b/mdm/commands/device.lostmode.enable.yaml 
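Review bot: The `Message` key's `content` says the value "is available in iOS 4 and later", but its `supportedOS.iOS.introduced` is `'7.0'`, the same as `PhoneNumber`; align the prose with the schema, e.g. `This value is available in iOS 7 and later, and macOS 10.14 and later.`. The `MessageResult` response key enumerates four fixed values in `content` (`Success`, `DeviceInLostMode`, `NoPasscodeSet`, `Unknown`) but declares no `rangelist`, while other keys in this change (for example `ObliterationBehavior` in the EraseDevice hunk) do declare one for such enumerations; adding `rangelist` here lets validators check the response. The DisableLostMode hunk that ends on this same line raises nothing.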
@@ -0,0 +1,35 @@ +title: Enable MDM Lost Mode Location +description: This command allows the server to put the device in MDM lost mode, with + a message, phone number, and footnote text. A message or phone number must be provided. +payload: + requesttype: EnableLostMode + supportedOS: + iOS: + introduced: '9.3' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: This command allows the server to put the device in MDM lost mode, with + a message, phone number, and footnote text. A message or phone number must be + provided. +payloadkeys: +- key: Message + type: + presence: optional + content: If present, display this text on the Lock screen. You must provide this + value if you don't provide a value for 'PhoneNumber'. +- key: PhoneNumber + type: + presence: optional + content: If present, display this phone number on the Lock screen. You must provide + this value if you don't provide a value for 'Message'. +- key: Footnote + type: + presence: optional + content: If present, display this text in place of Slide to Unlock. diff --git a/mdm/commands/device.lostmode.location.yaml b/mdm/commands/device.lostmode.location.yaml new file mode 100644 index 0000000..3328072 --- /dev/null +++ b/mdm/commands/device.lostmode.location.yaml 
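Review bot: `Message` and `PhoneNumber` are both `presence: optional`, so the "at least one must be provided" rule from the description exists only in prose and no schema consumer can check it. If the schema format can't express a mutually-dependent requirement, the `content` of the two keys should at least say what the device does when both are absent (which error status is returned), so server implementers can handle it. `Footnote` says the text is shown "in place of Slide to Unlock"; a short note on whether it is ignored when neither `Message` nor `PhoneNumber` is set would close the remaining gap.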
@@ -0,0 +1,74 @@ +title: Device Location Command +description: This command allows the server to ask for the device's location if it + is in MDM lost mode. +payload: + requesttype: DeviceLocation + supportedOS: + iOS: + introduced: '9.3' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden +responsekeys: +- key: Latitude + type: + presence: required + content: The latitude of the device's location. +- key: Longitude + type: + presence: required + content: The longitude of the device's location. +- key: HorizontalAccuracy + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The radius of uncertainty for the location in meters, which is a negative + value if the horizontal accuracy is unknown. +- key: VerticalAccuracy + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The accuracy of the altitude value in meters, which is a negative value + if the vertical accuracy is unknown. +- key: Altitude + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The altitude of the device's location, which is a negative value if the + altitude is unknown. +- key: Speed + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The speed of the device in meters per second, which is a negative value + if the speed is unknown. +- key: Course + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The direction the device is traveling, which is a negative value if the + course is unknown. +- key: Timestamp + supportedOS: + iOS: + introduced: '10.3' + type: + presence: required + content: The RFC 3339 timestamp of when the server determined the location of the + device. diff --git a/mdm/commands/device.lostmode.playsound.yaml b/mdm/commands/device.lostmode.playsound.yaml new file mode 100644 index 0000000..102f84f --- /dev/null 
+++ b/mdm/commands/device.lostmode.playsound.yaml @@ -0,0 +1,21 @@ +title: Play Lost Mode Sound Command +description: This command allows the server to tell the device to play a sound if + it is in MDM Lost Mode. The sound will play until the device is either removed from + Lost Mode or a user disables the sound from the device. +payload: + requesttype: PlayLostModeSound + supportedOS: + iOS: + introduced: '10.3' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: This command allows the server to tell the device to play a sound if it + is in MDM Lost Mode. The sound will play until the device is either removed from + Lost Mode or a user disables the sound from the device. diff --git a/mdm/commands/device.restart.yaml b/mdm/commands/device.restart.yaml new file mode 100644 index 0000000..9b26291 --- /dev/null +++ b/mdm/commands/device.restart.yaml 
@@ -0,0 +1,78 @@ +title: Device Restart Command +description: This command requires the Device Lock access right. The device will restart + immediately. +payload: + requesttype: RestartDevice + supportedOS: + iOS: + introduced: '10.3' + accessrights: AllowPasscodeRemovalAndLock + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + accessrights: AllowPasscodeRemovalAndLock + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: AllowPasscodeRemovalAndLock + supervised: true + content: This command requires the Device Lock access right. The device will restart + immediately. +payloadkeys: +- key: RebuildKernelCache + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the system rebuilds the kernel cache during a device restart. + If 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo + response, the device requests the bootstrap token from the MDM server prior to + executing this command. This value is available in macOS 11 and later. +- key: KextPaths + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + content: If 'RebuildKernelCache' is 'true', this value specifies the paths to kexts + to add to the auxiliary kernel cache since the last kernel cache rebuild. If not + present, the system only adds previously discovered kexts to the kernel cache. + This value is available in macOS 11 and later. 
+ subkeys: + - key: KextPathsItem + type: +- key: NotifyUser + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.4' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If 'true', notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at 'loginwindow' with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. + This value is available in macOS 11.3 and later. diff --git a/mdm/commands/device.restrictions.clearpassword.yaml b/mdm/commands/device.restrictions.clearpassword.yaml new file mode 100644 index 0000000..c8a3d45 --- /dev/null +++ b/mdm/commands/device.restrictions.clearpassword.yaml @@ -0,0 +1,15 @@ +title: Clear Restrictions Password Command +description: This command clears the restrictions passcode, either disabling parental + controls or allowing you to edit them. +payload: + requesttype: ClearRestrictionsPassword + supportedOS: + iOS: + introduced: '8.0' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml new file mode 100644 index 0000000..b87d17b --- /dev/null +++ b/mdm/commands/device.restrictions.list.yaml 
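Review bot: `NotifyUser` declares `introduced: '11.4'` under `macOS` but its `content` ends with "This value is available in macOS 11.3 and later."; pick one version and use it in both places. The `KextPathsItem` subkey has a bare `type:` with nothing under it, which a YAML parser reads as `null`; if the array element is meant to be a string, spell that out (the same bare `type:` appears on `valuesItem` in the Restrictions hunk that follows, so this may be a generator convention worth confirming). The ClearRestrictionsPassword hunk that ends on this line has no `payload.content` key, unlike every other command in this change; add the same sentence as its `description` for consistency. RestartDevice's `RebuildKernelCache` text already notes the bootstrap-token exchange, which is the right place for it.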
@@ -0,0 +1,123 @@ +title: Device Restrictions Command +description: This command allows the server to determine what restrictions are being + enforced on the device, and the total sum of all restrictions. This command requires + the Restrictions Query access right. +payload: + requesttype: Restrictions + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowQueryRestrictions + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: forbidden + tvOS: + introduced: '6.1' + accessrights: AllowQueryRestrictions + supervised: false + content: This command allows the server to determine what restrictions are being + enforced on the device, and the total sum of all restrictions. This command requires + the Restrictions Query access right. This technically does work on macOS but it + returns a blank dictionary and there no plans to change this behavior. +payloadkeys: +- key: ProfileRestrictions + type: + presence: optional + default: false + content: If 'true', the device reports restrictions from each profile. This value + is available in iOS 4 and later, and tvOS 6.1 and later. +responsekeys: +- key: GlobalRestrictions + type: + presence: required + content: A dictionary that contains the global restrictions in effect. This value + is available in iOS 4 and later, and tvOS 6.1 and later. + subkeytype: RestrictionsDictionary + subkeys: &id001 + - key: restrictedBool + type: + presence: optional + content: A dictionary of Boolean restrictions. + subkeytype: BooleanDictionary + subkeys: + - key: ANY restriction name + type: + presence: optional + content: The Boolean restriction parameters. + subkeys: + - key: value + type: + presence: required + content: The value of the restriction. + - key: restrictedValue + type: + presence: optional + content: A dictionary of numeric restrictions. 
+ subkeytype: ValueDictionary + subkeys: + - key: ANY restriction name + type: + presence: optional + content: The numeric restriction parameters. + subkeys: + - key: value + type: + presence: required + content: The value of the restriction. + - key: intersection + type: + presence: optional + content: A dictionary of intersected restrictions. Intersected restrictions indicate + that new restrictions can only reduce the number of strings in the set. + subkeytype: IntersectionDictionary + subkeys: + - key: ANY restriction name + type: + presence: optional + content: The intersected restriction parameters. + subkeys: + - key: values + type: + presence: required + content: The values of the restriction. + subkeys: + - key: valuesItem + type: + - key: union + type: + presence: optional + content: A dictionary of unioned restrictions. Unioned restrictions indicate that + new restrictions can add to the set. + subkeytype: UnionDictionary + subkeys: + - key: ANY restriction name + type: + presence: optional + content: The unioned restriction parameters. + subkeys: + - key: values + type: + presence: required + content: The values of the restriction. + subkeys: + - key: valuesItem + type: +- key: ProfileRestrictions + type: + presence: required + content: A dictionary that contains dictionaries of restrictions from each profile. + This value is only available when 'ProfileRestrictions' is 'true' in the command. + The keys are the identifiers of the profiles. This value is available in iOS 4 + and later, and tvOS 6.1 and later. + subkeys: + - key: ANY profile identifier + type: + presence: optional + content: The profile identifiers. + subkeytype: RestrictionsDictionary + subkeys: *id001 diff --git a/mdm/commands/device.shutdown.yaml b/mdm/commands/device.shutdown.yaml new file mode 100644 index 0000000..b8d1e98 --- /dev/null +++ b/mdm/commands/device.shutdown.yaml 
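Review bot: The `ProfileRestrictions` response key is `presence: required`, but its own `content` says it "is only available when 'ProfileRestrictions' is 'true' in the command", which is `presence: optional`. The `payload.content` sentence "This technically does work on macOS but it returns a blank dictionary and there no plans to change this behavior" reads as an internal remark (and is missing "are"); since `macOS` is absent from `supportedOS`, either list macOS with that caveat or drop the sentence so it isn't read as official support. The shared `subkeys` are attached to an auto-generated anchor (`&id001` / `*id001`); a descriptive name such as `&restrictions_dictionary_subkeys` is easier to grep, and because not all YAML tooling expands aliases, the generator should verify that every consumer of these files resolves them.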
@@ -0,0 +1,27 @@ +title: Device Shut Down Command +description: This command requires the Device Lock access right. The device will shut + down immediately. +payload: + requesttype: ShutDownDevice + supportedOS: + iOS: + introduced: '10.3' + accessrights: AllowPasscodeRemovalAndLock + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + accessrights: AllowPasscodeRemovalAndLock + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command requires the Device Lock access right. The device will shut + down immediately. diff --git a/mdm/commands/information.contentcaching.yaml b/mdm/commands/information.contentcaching.yaml new file mode 100644 index 0000000..6151d51 --- /dev/null +++ b/mdm/commands/information.contentcaching.yaml 
@@ -0,0 +1,629 @@ +title: Content Caching Information Command +description: This command allows the server to query for information about Content + Caching. +payload: + requesttype: ContentCachingInformation + supportedOS: + macOS: + introduced: 10.15.4 + accessrights: AllowQueryNetworkInformation + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows the server to query for information about Content Caching. +responsekeys: +- key: StatusResponse + type: + presence: required + content: A dictionary that contains the status of content caching on a device. + subkeys: + - key: Activated + type: + presence: optional + default: false + content: If 'true', the device has enabled content caching. Enabling content caching + doesn't guarantee service. See the 'Active' key for the readiness of content + caching to serve requests. + - key: Active + type: + presence: optional + default: false + content: If 'true', content caching is ready to serve requests. + - key: ActualCacheUsed + type: + presence: optional + content: The actual amount of disk space, in bytes, that cached content uses. + See related values 'CacheUsed' and 'PersonalCacheUsed'. + - key: AlertsForPeerFilterRanges + type: + presence: optional + content: |- + The error conditions the content cache detected in the 'PeerFilterRanges' in the installed 'com.apple.AssetCache.managed' payload. + To display these alerts on the device, set 'DisplayAlerts' to 'true' in the installed ContentCaching profile. + subkeys: + - key: Index into the PeerFilterRanges in the installed com.apple.AssetCache.managed + payload + type: + presence: required + content: A dictionary that describes the alerts for the peer filter ranges. + subkeys: + - key: className + type: + presence: required + rangelist: + - AssetCacheUnfriendlyPeersInFilterRangeAlert + content: The type of the alert. 
+ - key: postDate + type: + presence: required + content: The date of the alert. + - key: peerFilterRangeIndex + type: + presence: required + content: The index into the 'PeerFilterRanges' in the installed ContentCaching + payload. + - key: addresses + type: + presence: required + content: An array of local IP addresses of peer content caches that rejected + requests from the content cache. + subkeys: + - key: address + type: + presence: required + content: Local IP address of a peer Content Cache that rejected requests + from this Content Cache. + - key: Alerts + type: + presence: optional + content: |- + An array that contains the error conditions the content cache detected that aren't related to peer filter ranges, parent content caches, or peer content caches. + See 'AlertsForPeerFilterRanges' for errors related to peer filter ranges. + See 'Parents' and 'Peers' for errors related to parent and peer content caches. + To display these alerts on the device, set 'DisplayAlerts' to 'true' in the installed ContentCaching profile. + subkeys: + - key: AlertsItem + type: + presence: required + subkeys: + - key: className + type: + presence: required + rangelist: + - AssetCacheLowSpaceAlert + - AssetCacheNoSpaceAlert + - AssetCacheRegistrationRejectedAlert + - AssetCacheRegistrationUnavailableAlert + - AssetCacheResourceMissingAlert + content: The type of the alert. + - key: postDate + type: + presence: required + content: The date of the alert. + - key: cacheLimit + type: + presence: optional + content: The limit, in bytes, for the content cache at the time of the alert. + This value only applies to 'AssetCacheLowSpaceAlert' and 'AssetCacheNoSpaceAlert' + types. + - key: reservedVolumeSpace + type: + presence: optional + content: The space, in bytes, that the system reserves at the time of the + alert. This value only applies to the 'AssetCacheLowSpaceAlert' and 'AssetCacheNoSpaceAlert' + types. 
+ - key: resource + type: + presence: optional + content: The resource that was missing or inaccessible at the time of the + alert. This value only applies to the 'AssetCacheResourceMissingAlert' type. + - key: pathPreventingAccess + type: + presence: optional + content: The subpath of the resource that was missing or inaccessible at the + time of the alert. This value only applies to the 'AssetCacheResourceMissingAlert' + type. + - key: CacheDetails + type: + presence: optional + content: The amount of disk space that various categories of cached content use. + Apple defines these categories and they're subject to change. + subkeys: + - key: Category Name + type: + presence: required + content: The amount of disk space, in bytes, that this category of cached content + uses. + - key: CacheFree + type: + presence: optional + content: The amount of disk space, in bytes, available to the content cache. + - key: CacheLimit + type: + presence: optional + content: The maximum amount of disk space, in bytes, available to the content + cache. A value of '0' indicates an unlimited amount. This value corresponds + to 'CacheLimit' in the installed ContentCaching profile. + - key: CacheStatus + type: + presence: optional + rangelist: + - LOWSPACE + - OK + content: The level of cache pressure. 'LowSpace' means cache pressure is high. + - key: CacheUsed + type: + presence: optional + content: The amount of disk space, in bytes, cached content uses. Content caching + allocates space in its cache for entire files even when it stores only part + of those files in its cache. + - key: DataMigrationCompleted + type: + presence: optional + default: false + content: If 'true', the content cache finished moving from one volume to another. + - key: DataMigrationError + type: + presence: optional + content: The error that occurred while the content cache moved from one volume + to another. + subkeys: + - key: domain + type: + presence: required + content: The error domain. 
+ - key: code + type: + presence: required + content: The error code. + - key: userInfo + type: + presence: optional + content: A dictionary that contains additional information about the error. + subkeys: + - key: ANY + type: + presence: optional + content: A dictionary that contains additional details about the error. + - key: DataMigrationProgress + type: + presence: optional + range: + min: 0.0 + max: 1.0 + content: A floating-point number between '0.0' and '1.0' that indicates the percentage + of progress in moving the content cache from one volume to another. A value + of '1.0' indicates that the content cache has fully migrated. + - key: MaxCachePressureLast1Hour + type: + presence: optional + range: + min: 0.0 + max: 1.0 + content: A floating-point number between '0.0' and '1.0' that represents how often + the cache needed more disk space over the last hour of operation. A lower value + is better. + - key: Parents + type: + presence: optional + content: An array of dictionaries that describes parent content caches. + subkeys: + - key: ParentsItem + type: + presence: optional + subkeys: + - key: address + type: + presence: required + content: The local IP address of the parent content cache. + - key: alert + type: + presence: optional + content: A dictionary that describes an alert related to the parent content + cache. + subkeys: + - key: className + type: + presence: required + rangelist: + - AssetCacheParentCycleAlert + - AssetCacheParentDepthAlert + content: The type of the alert. + - key: postDate + type: + presence: required + content: The date of the alert. + - key: addresses + type: + presence: required + content: An array of local IP addresses of parent content caches. + subkeys: + - key: address + type: + presence: required + content: Local IP address of a parent Content Cache. + - key: details + type: + presence: required + content: A dictionary that contains additional details about the parent content + cache. 
+ subkeys: + - key: ac-power + type: + presence: optional + default: false + content: If 'true', the parent content cache power source is AC; otherwise, + an internal battery provides its power. + - key: cache-size + type: + presence: optional + content: The maximum amount of disk space, in bytes, available to the parent + content cache. + - key: capabilities + type: + presence: optional + content: A dictionary that describes the capabilities of the parent content + cache. + subkeys: + - key: im + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of imports and + uploads. + - key: ns + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of handling namespaces, + which is an aspect of personal caching. + - key: pc + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of caching personal + iCloud content. + - key: query-parameters + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of handling query + parameters in URLs. + - key: sc + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of caching shared + non-iCloud content. + - key: ur + type: + presence: optional + default: false + content: If 'true', the parent content cache is capable of prioritizing + imports and uploads. + - key: is-portable + type: + presence: optional + default: false + content: If 'true', the parent content cache computer is portable; for example, + a laptop. + - key: local-network + type: + presence: optional + content: A dictionary that describes the parent content cache's connection + to its local network. + subkeys: + - key: speed + type: + presence: optional + content: The transfer speed, in megabits per second, of the parent content + cache's connection to its local network. 
+ - key: wired + type: + presence: optional + default: false + content: If 'true', the parent content cache has a wired connection to + its local network. If 'false', it has a wireless connection; for example, + Wi-Fi. + - key: guid + type: + presence: required + content: The unique identifier of the parent content cache. + - key: healthy + type: + presence: required + content: If 'true,' the parent content cache is able to respond to requests + from this content cache. + - key: port + type: + presence: required + content: The IP port number the parent content cache listens to for requests. + - key: version + type: + presence: required + content: The version number of the parent content cache software. + - key: Peers + type: + presence: optional + content: An array of dictionaries that describes peer content caches. + subkeys: + - key: PeersItem + type: + presence: optional + subkeys: + - key: address + type: + presence: required + content: The local IP address of the peer content cache. + - key: alert + type: + presence: optional + content: A dictionary that describes an alert related to the peer content + cache. + subkeys: + - key: className + type: + presence: required + rangelist: + - AssetCachePeerCycleAlert + - AssetCacheUnfriendlyPeerAlert + content: The type of the alert. + - key: postDate + type: + presence: required + content: The date of the alert. + - key: addresses + type: + presence: optional + content: An array of local IP addresses of peer content caches. + subkeys: + - key: address + type: + presence: required + content: Local IP address of a peer Content Cache. + - key: peerAddress + type: + presence: optional + content: The local IP address of a peer content cache. + - key: details + type: + presence: required + content: A dictionary that contains additional details about the peer content + cache. 
+ subkeys: + - key: ac-power + type: + presence: optional + default: false + content: If 'true', the peer content cache power source is AC; otherwise, + an internal battery provides its power. + - key: cache-size + type: + presence: optional + content: The maximum amount of disk space, in bytes, available to the peer + content cache. + - key: capabilities + type: + presence: optional + content: A dictionary that describes the capabilities of the peer content + cache. + subkeys: + - key: im + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of imports and uploads. + - key: ns + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of handling namespaces, + which is an aspect of personal caching. + - key: pc + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of caching personal + iCloud content. + - key: query-parameters + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of handling query + parameters in URLs. + - key: sc + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of caching shared + non-iCloud content. + - key: ur + type: + presence: optional + default: false + content: If 'true', the peer content cache is capable of prioritizing + imports and uploads. + - key: is-portable + type: + presence: optional + default: false + content: If 'true', the peer content cache computer is portable; for example, + a laptop. + - key: local-network + type: + presence: optional + content: A dictionary that describes the peer content cache's connection + to its local network. + subkeys: + - key: speed + type: + presence: optional + content: The transfer speed, in megabits per second, of the peer content + cache's connection to its local network. 
+ - key: wired + type: + presence: optional + default: false + content: If 'true', the peer content cache has a wired connection to its + local network. If 'false', it has a wireless connection; for example, + Wi-Fi. + - key: friendly + type: + presence: required + content: If 'true', the peer content cache is able to respond to requests + from the content cache. + - key: guid + type: + presence: required + content: The unique identifier of the peer content cache. + - key: healthy + type: + presence: required + content: If 'true', the peer content cache is able to respond to requests + from the content cache. + - key: port + type: + presence: required + content: The IP port number the peer content cache listens to for requests. + - key: version + type: + presence: required + content: The version number of the peer content cache software. + - key: PersonalCacheFree + type: + presence: optional + content: The amount of disk space, in bytes, available to the content cache for + personal iCloud content. + - key: PersonalCacheLimit + type: + presence: optional + content: The maximum amount of disk space, in bytes, available to the content + cache for personal iCloud content. A value of '0' indicates an unlimited amount. + - key: PersonalCacheUsed + type: + presence: optional + content: The amount of disk space, in bytes, available to the content cache for + personal iCloud content. + - key: Port + type: + presence: optional + content: The IP port number the content cache listens to for requests from clients, + peers, and children. + - key: PrivateAddresses + type: + presence: optional + content: An array of the content cache's local IP addresses. + subkeys: + - key: PrivateAddressesItem + type: + presence: required + content: Local IP address at which the Content Cache listens for requests from + clients, peers, and children. + - key: PublicAddress + type: + presence: optional + content: The public IP address of the content cache. 
+ - key: RegistrationError + type: + presence: optional + content: If present, the reason the content cache failed to register itself with + Apple. + - key: RegistrationResponseCode + type: + presence: optional + content: If present, the HTTP response code the content cache received when it + failed to register itself with Apple. + - key: RegistrationStarted + type: + presence: optional + content: The date when the content cache began registering itself with Apple. + This value is only available during registration attempts. + - key: RegistrationStatus + type: + presence: optional + rangelist: + - -1 + - 0 + - 1 + content: |- + The status of the content cache's registration with Apple, which is one of the following values: + * '-1:' Failed + * ' 0:' Pending + * ' 1:' Succeeded + - key: RestrictedMedia + type: + presence: optional + default: false + content: If 'true', a restriction prevents caching of certain content types. + - key: ServerGUID + type: + presence: optional + content: The unique identifier of the content cache. + - key: StartupStatus + type: + presence: optional + rangelist: + - FAILED + - MIGRATING_DATA + - OK + - PENDING + content: The status of the content cache's registration with Apple. + - key: TetheratorStatus + type: + presence: optional + rangelist: + - -1 + - 0 + - 1 + content: |- + The status of tethered caching, which is content caching with a shared internet connection, which is one of the following values: + * '-1:' Unknown + * ' 0:' Disabled + * ' 1:' Enabled + - key: TotalBytesAreSince + type: + presence: optional + content: The start date to use when collecting data for the other 'TotalBytes' + values. + - key: TotalBytesDropped + type: + presence: optional + content: The amount of data, in bytes, that the content cache downloaded, but + couldn't add to its cache, since the 'TotalBytesAreSince' date. 
+ - key: TotalBytesImported + type: + presence: optional + content: The amount of data, in bytes, that the content cache received since the + 'TotalBytesAreSince' date. + - key: TotalBytesReturnedToChildren + type: + presence: optional + content: The amount of data, in bytes, that the content cache served to its child + content cache since the 'TotalBytesAreSince' date. + - key: TotalBytesReturnedToClients + type: + presence: optional + content: The amount of data, in bytes, that the content cache served to client + iOS, macOS, and tvOS devices since the 'TotalBytesAreSince' date. + - key: TotalBytesReturnedToPeers + type: + presence: optional + content: The amount of data, in bytes, that the content cache served to peer content + caches since the 'TotalBytesAreSince' date. + - key: TotalBytesStoredFromOrigin + type: + presence: optional + content: The amount of data, in bytes, that the content cache saved from the internet + since the 'TotalBytesAreSince' date. + - key: TotalBytesStoredFromParents + type: + presence: optional + content: The amount of data, in bytes, that the content cache saved from parent + content caches since the 'TotalBytesAreSince' date. + - key: TotalBytesStoredFromPeers + type: + presence: optional + content: The amount of data, in bytes, that the content cache saved from peer + content caches since the 'TotalBytesAreSince' date. diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml new file mode 100644 index 0000000..727019b --- /dev/null +++ b/mdm/commands/information.device.yaml 
@@ -0,0 +1,2027 @@ +title: Device Information Command +description: This command allows the server to query for specific device information. + It's supported in the user channel. +payload: + requesttype: DeviceInformation + supportedOS: + iOS: + introduced: '4.0' + accessrights: Special Case + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: Special Case + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: Special Case + supervised: false + content: This command allows the server to query for specific device information. + It's supported in the user channel. +payloadkeys: +- key: Queries + type: + presence: required + content: An array of query dictionaries to get information about a device. + subkeys: + - key: QueriesItem + type: + subkeys: + - key: UDID + supportedOS: + iOS: + accessrights: n/a + userenrollment: + mode: forbidden + macOS: + accessrights: n/a + userenrollment: + mode: forbidden + tvOS: + accessrights: n/a + type: + content: The key to get the unique identifier of the device. + - key: ProvisioningUDID + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + accessrights: n/a + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The device identifier for provisioning profiles. This value differs + from the UDID for Apple silicon. Available in macOS 11.3 and later. + - key: OrganizationInfo + supportedOS: + iOS: + introduced: '7.0' + accessrights: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: '9.0' + accessrights: n/a + type: + content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. 
+ - key: MDMOptions + supportedOS: + iOS: + introduced: '7.0' + accessrights: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: '9.0' + accessrights: n/a + type: + content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. + - key: LastCloudBackupDate + supportedOS: + iOS: + introduced: '8.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the date of the most recent iCloud backup. This value + is available in iOS 8 and later. + - key: AwaitingConfiguration + supportedOS: + iOS: + introduced: '9.0' + accessrights: n/a + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + accessrights: n/a + userenrollment: + mode: forbidden + tvOS: + introduced: '10.2' + accessrights: n/a + type: + content: The key to determine if the device is waiting for a DeviceConfiguredCommand + to continue through Setup Assistant. + - key: iTunesStoreAccountIsActive + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowAppInstallation + userenrollment: + mode: forbidden + macOS: + introduced: '10.9' + accessrights: AllowAppInstallation + userenrollment: + mode: forbidden + tvOS: + introduced: '9.0' + accessrights: AllowAppInstallation + type: + content: The key to determine if an iTunes Store account is active. This value + requires the App Installation access right. + - key: iTunesStoreAccountHash + supportedOS: + iOS: + introduced: '8.0' + accessrights: AllowAppInstallation + userenrollment: + mode: forbidden + macOS: + introduced: '10.10' + accessrights: AllowAppInstallation + userenrollment: + mode: forbidden + tvOS: + introduced: '9.0' + accessrights: AllowAppInstallation + type: + content: The key to get a hash of the logged-in iTunes Store account. Also see + GetVppUserRequest. This value requires the App Installation access right. 
+ - key: DeviceName + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the device name. This value requires the Device Information + access right. + - key: OSVersion + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the operating system version. This value requires the + Device Information access right. + - key: BuildVersion + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the operating system version. This value requires the + Device Information access right. + - key: ModelName + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the model name; for example, iPhone. This value requires + the Device Information access right. + - key: Model + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the model. This value requires the Device Information + access right. + - key: IsAppleSilicon + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: |- + If 'true', the device is a Mac with Apple silicon (for example, an Apple M1 chip). + Available in macOS 12 and later. 
+ - key: ProductName + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the product name, such as iPad8,12. This value requires + the Device Information access right. + - key: SerialNumber + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformatio + userenrollment: + mode: forbidden + macOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the serial number. This value requires the Device Information + access right. + - key: DeviceCapacity + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to get the device's total capacity. This value requires the + Device Information access right, and is available in iOS 4 and later, and + macOS 10.7 and later. + - key: AvailableDeviceCapacity + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + macOS: + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to get the available capacity. This value requires the Device + Information access right, and is available in iOS 4 and later, and macOS 10.7 + and later. + - key: IMEI + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the International Mobile Equipment Identity (IMEI) number. + This value requires the Device Information access right, and is available + in iOS 4 and later. 
+ - key: MEID + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the mobile equipment ID (MEID). This value requires + the Device Information access right, and is available in iOS 4 and later. + - key: ModemFirmwareVersion + supportedOS: + iOS: + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the modem firmware version. This value requires the + Device Information access right, and is available in iOS 4 and later. + - key: CellularTechnology + supportedOS: + iOS: + introduced: 4.2.6 + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the cellular technology type. This value requires the + Device Information access right, and is available in iOS 4.2.6 and later. + - key: BatteryLevel + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the battery level. This value requires the Device Information + access right, and is available in iOS 5 and later. + - key: IsSupervised + supportedOS: + iOS: + introduced: '6.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: '10.15' + tvOS: + introduced: '9.0' + accessrights: AllowQueryDeviceInformation + type: + content: The key to determine if the device is a supervised device. This value + requires the Device Information access right, and is available in iOS 6 and + later, macOS 10.15 and later, and tvOS 9 and later. + - key: IsMultiUser + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the device is in ephemeral multiuser mode. 
+ This value requires the Device Information access right, and is available + in iOS 9.3 and later. + - key: IsDeviceLocatorServiceEnabled + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if a device locator service, such as Find My, + is in an enabled state on the device. This value requires the Device Information + access right, and is available in iOS 7 and later. + - key: IsActivationLockEnabled + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to determine if Activation Lock is in an enabled state on the + device. This value requires the Device Information access right, and is available + in iOS 7 and later, and macOS 10.9 and later. + - key: IsActivationLockSupported + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to determine if the device supports Activation Lock. Also see + 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. + This value is available in macOS 10.9 and later. + - key: IsDoNotDisturbInEffect + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the device is in Do Not Disturb (DND) mode. + This value requires the Device Information access right, and is available + in iOS 7 and later. 
+ - key: DeviceID + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '6.0' + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the device ID. This value requires the Device Information + access right, and is available in tvOS 6 and later. + - key: EASDeviceIdentifier + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the device identifier for Exchange ActiveSync (EAS). + This value requires the Device Information access right, and is available + in iOS 7 and later. + - key: IsCloudBackupEnabled + supportedOS: + iOS: + introduced: '7.1' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if iCloud Backup is in an enabled state on the + device. This value requires the Device Information access right, and is available + in iOS 7.1 and later. + - key: ActiveManagedUsers + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + accessrights: AllowQueryDeviceInformation + userchannel: false + tvOS: + introduced: n/a + type: + content: The key to get an array of directory GUIDs for logged-in managed users. + This value requires the Device Information access right, and is available + in macOS 10.11 and later. + - key: OSUpdateSettings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. + This value requires the Device Information access right, and is available + in macOS 10.11 and later. 
+ - key: LocalHostName + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to get the local hostname from Bonjour. This value is available + in macOS 10.11 and later. + - key: HostName + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to get the hostname. This value is available in macOS 10.11 + and later. + - key: AutoSetupAdminAccounts + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + accessrights: AllowQueryDeviceInformation + requiresdep: true + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, + which Setup Assistant automatically creates during enrollment. This value + requires the Device Information access right, and is available in macOS 10.11 + and later. + - key: SystemIntegrityProtectionEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to determine if System Integrity Protection is in an enabled + state on the device. This value requires the Device Information access right, + and is available in macOS 10.12 and later. + - key: SupportsLOMDevice + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to determine if the device can receive 'PowerON', 'PowerOFF', + and 'Reset' commands from a lights-out management (LOM) controller. This query + is available in macOS 11 and later. 
+ - key: IsMDMLostModeEnabled + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if Managed Lost Mode is in an enabled state on + the device. This value requires the Device Information access right, and is + available in iOS 9.3 and later. + - key: MaximumResidentUsers + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the maximum number of users that can use this Shared + iPad device. Beginning with iOS 13.4, the value that returns is always '32'. + This value requires the Device Information access right, and is available + in iOS 9.3 and later. + - key: EstimatedResidentUsers + supportedOS: + iOS: + introduced: '14.0' + accessrights: AllowQueryDeviceInformation + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the estimated number of users that can use this Shared + iPad device, according to the available space of the device and each user's + quota. This value requires the Device Information access right, and is available + in iOS 14 and later. + - key: QuotaSize + supportedOS: + iOS: + introduced: '13.4' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the quota size for each user on this Shared iPad device. + This value requires the Device Information access right, and is available + in iOS 13.4 and later. + - key: ResidentUsers + supportedOS: + iOS: + introduced: '13.4' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the number of users currently on this Shared iPad device. 
+ This value requires the Device Information access right, and is available + in iOS 13.4 and later. + - key: UserSessionTimeout + supportedOS: + iOS: + introduced: '14.5' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The timeout interval for the user session. '0' means no timeout. + - key: TemporarySessionTimeout + supportedOS: + iOS: + introduced: '14.5' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The timeout interval for the temporary session. '0' means no timeout. + - key: TemporarySessionOnly + supportedOS: + iOS: + introduced: '14.5' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device only allows temporary sessions. + - key: PushToken + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + sharedipad: + devicechannel: false + userchannel: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.12' + userchannel: true + tvOS: + introduced: n/a + type: + content: The key to get the push token for the current user-channel connection. + The MDM server ignores this query for the device channel. This value requires + the Device Information access right, and is available in iOS 9.3 and later, + and macOS 10.12 and later. + - key: DiagnosticSubmissionEnabled + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the diagnostic submission setting is in an + enabled state on the device. This value requires the Device Information access + right, and is available in iOS 9.3 and later. 
+ - key: AppAnalyticsEnabled + supportedOS: + iOS: + introduced: '9.3' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the device is sharing app analytics. This value + requires the Device Information access right, and is available in iOS 4 and + later, and macOS 10.7 and later. + - key: TimeZone + supportedOS: + iOS: + introduced: '14.0' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: n/a + tvOS: + introduced: '14.0' + accessrights: AllowQueryDeviceInformation + type: + content: The key to get the current Internet Assigned Numbers Authority (IANA) + time zone database name. This value requires the Device Information access + right, and is available in iOS 14 and later, and tvOS 14 and later. + - key: ICCID + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the integrated circuit card (ICC) identifier for the + installed SIM card. This value requires the Network Information access right, + and is available in iOS 4 and later. + - key: BluetoothMAC + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + tvOS: + accessrights: AllowQueryNetworkInformation + type: + content: The key to get the Bluetooth media access control (MAC) address. This + value requires the Network Information access right. + - key: WiFiMAC + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + tvOS: + accessrights: AllowQueryNetworkInformation + type: + content: The key to get the Wi-Fi MAC address. This value requires the Network + Information access right. 
+ - key: EthernetMAC + supportedOS: + iOS: + introduced: n/a + macOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to get the primary Ethernet MAC address. This value requires + the Network Information access right, and is available in macOS 10.7 and later. + - key: CurrentCarrierNetwork + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the name of the current carrier network. This value + requires the Network Information access right, and is available in iOS 4 and + later. + - key: SIMCarrierNetwork + supportedOS: + iOS: + removed: '5.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork' + instead. + - key: SubscriberCarrierNetwork + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the name of the home carrier network. This value requires + the Network Information access right, and is available in iOS 5 and later. + - key: CarrierSettingsVersion + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the version of the carrier settings. This value requires + the Network Information access right, and is available in iOS 4 and later. 
+ - key: PhoneNumber + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the raw phone number, without punctuation, and including + the country code. This value requires the Network Information access right, + and is available in iOS 7 and later. + - key: DataRoamingEnabled + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if data roaming is in an enabled state on the + device. This value requires the Network Information access right, and is available + in iOS 5 and later. + - key: VoiceRoamingEnabled + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if voice roaming, which isn't available for all + carriers, is in an enabled state on the device. This value requires the Network + Information access right, and is available in iOS 5 and later. + - key: PersonalHotspotEnabled + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if Personal Hotspot, which isn't available for + all carriers, is in an enabled state on the device. This value requires the + Network Information access right, and is available in iOS 7 and later. + - key: IsNetworkTethered + supportedOS: + iOS: + introduced: '10.3' + accessrights: AllowQueryNetworkInformation + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the device is network-tethered. 
This value + requires the Network Information access right, and is available in iOS 10.3 + and later. + - key: IsRoaming + supportedOS: + iOS: + introduced: '4.2' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to determine if the device is roaming. This value requires + the Network Information access right, and is available in iOS 4.2 and later. + - key: SubscriberMCC + supportedOS: + iOS: + introduced: 4.2.6 + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the home mobile country code. This value requires the + Network Information access right, and is available in iOS 4.2.6 and later. + - key: SubscriberMNC + supportedOS: + iOS: + introduced: 4.2.6 + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the home mobile network code. This value requires the + Network Information access right, and is available in iOS 4.2.6 and later. + - key: CurrentMCC + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the current mobile country code (MCC). This value requires + the Network Information access right, and is available in iOS 4 and later. + - key: CurrentMNC + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the current mobile network code (MNC). This value requires + the Network Information access right, and is available in iOS 4 and later. 
+ - key: ServiceSubscriptions + supportedOS: + iOS: + introduced: '12.0' + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. + This value requires the Network Information access right. + - key: PINRequiredForEraseDevice + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to determine if the EraseDeviceCommand requires a PIN. This + value is available in macOS 11 and later. + - key: PINRequiredForDeviceLock + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + accessrights: AllowQueryDeviceInformation + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key to determine if the DeviceLockCommand requires a PIN. This + value is available in macOS 11 and later. + - key: SupportsiOSAppInstalls + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: The key to determine whether the macOS device supports iOS/iPadOS app + installs. This query is available in macOS 11 and later. + - key: SoftwareUpdateDeviceID + supportedOS: + iOS: + introduced: '15.0' + userenrollment: + mode: forbidden + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key that represents the device identifier you use to look up available + OS updates via . Available in iOS 14.5 and + later. +responsekeys: +- key: QueryResponses + type: + presence: required + content: A dictionary that contains information about the device. + subkeys: + - key: UDID + type: + content: The unique identifier of the device. 
+ - key: ProvisioningUDID + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + accessrights: n/a + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The device identifier used in provisioning profiles. This value differs + from the UDID on Apple Silicon Macs. Available in macOS 11.3 and later. + - key: OrganizationInfo + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.11' + tvOS: + introduced: '9.0' + type: + content: The contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. + subkeys: + - key: OrganizationName + type: + presence: required + content: A string that describes the organization operating the MDM server. + This value is available in iOS 7 and later, macOS 10.11 and later, and tvOS + 9 and later. + - key: OrganizationAddress + type: + presence: optional + content: The organization's address. Use the LF character (' ') to insert + line breaks. This value is available in iOS 7 and later, macOS 10.11 and later, + and tvOS 9 and later. + - key: OrganizationPhone + type: + presence: optional + content: The organization's phone number. This value is available in iOS 7 and + later, macOS 10.11 and later, and tvOS 9 and later. + - key: OrganizationEmail + type: + presence: optional + content: The orgnization's support email address. This value is available in + iOS 7 and later, macOS 10.11 and later, and tvOS 9 and later. + - key: OrganizationMagic + type: + presence: optional + content: A unique identifier for the various services a single organization + manages. This value is available in iOS 7 and later, macOS 10.11 and later, + and tvOS 9 and later. + - key: MDMOptions + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '11.0' + tvOS: + introduced: '9.0' + type: + content: The contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. 
+ subkeys: + - key: ActivationLockAllowedWhileSupervised + type: + presence: optional + default: false + content: If 'true', a supervised device registers itself with Activation Lock + when the user enables Find My. Unsupervised devices ignore this value. This + value is available in iOS 7 and later, macOS 11 and later, and tvOS 9 and + later. + - key: BootstrapTokenAllowed + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the server supports Bootstrap Token commands. This value + is available in macOS 11 and later. + - key: PromptUserToAllowBootstrapTokenForAuthentication + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the device can accept a Bootstrap Token from the MDM server + instead of prompting for user authentication prior to installation. This only + applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo + response. This value is available for Apple silicon devices in macOS 11 and + later. + - key: LastCloudBackupDate + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The date of the last iCloud backup. This query is available in iOS 8 + and later. + - key: AwaitingConfiguration + supportedOS: + iOS: + introduced: '9.0' + macOS: + introduced: '10.11' + tvOS: + introduced: '10.2' + type: + content: If 'true', the device is still waiting for a DeviceConfiguredCommand + to continue through Setup Assistant. + - key: iTunesStoreAccountIsActive + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + tvOS: + introduced: '9.0' + type: + content: If 'true', the device has an active iTunes Store account. This value + requires the App Installation access right. 
+ - key: iTunesStoreAccountHash + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: '10.10' + tvOS: + introduced: '9.0' + type: + content: A hash of the logged-in iTunes Store account. Also see GetVppUserRequest. + This value requires the App Installation access right. + - key: DeviceName + type: + content: The device name. This value requires the Device Information access right. + - key: OSVersion + type: + content: The operating system version. This value requires the Device Information + access right. + - key: BuildVersion + type: + content: The operating system version. This value requires the Device Information + access right. + - key: ModelName + type: + content: The model name, for example, iPhone. This value requires the Device Information + access right. + - key: Model + type: + content: The model. This value requires the Device Information access right. + - key: IsAppleSilicon + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + tvOS: + introduced: n/a + type: + content: If 'true', the macOS device uses an AppleSilicon chip. + - key: ProductName + type: + content: The product name, such as iPad8,12. This value requires the Device Information + access right. + - key: SerialNumber + type: + content: The serial number. This value requires the Device Information access + right. + - key: DeviceCapacity + supportedOS: + tvOS: + introduced: n/a + type: + content: The total capacity in floating-point base-10 gigabytes (GB) on iOS and + macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 and + earlier. This value requires the Device Information access right, and is available + in iOS 4 and later, and macOS 10.7 and later. + - key: AvailableDeviceCapacity + supportedOS: + tvOS: + introduced: n/a + type: + content: The available capacity in floating-point base-10 gigabytes (GB) on iOS + and macOS 12 or later. The capacity is in base-2 gibibytes (GiB) on macOS 11 + and earlier. 
This value requires the Device Information access right, and is + available in iOS 4 and later, and macOS 10.7 and later. + - key: IMEI + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The International Mobile Equipment Identity (IMEI) number. This value + requires the Device Information access right, and is available in iOS 4 and + later. + - key: MEID + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The mobile equipment identifier (MEID) number. This value requires the + Device Information access right, and is available in iOS 4.0 and later. + - key: ModemFirmwareVersion + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The modem firmware version. This value requires the Device Information + access right, and is available in iOS 4.0 and later. + - key: CellularTechnology + supportedOS: + iOS: + introduced: 4.2.6 + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + rangelist: + - 0 + - 1 + - 2 + - 3 + content: |- + The cellular technology type, which is one of the following values: + * '0: 'None + * '1: 'GSM + * '2: 'CDMA + * '3: 'Both + This value requires the Device Information access right, and is available in iOS 4.2.6 and later. + - key: BatteryLevel + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine + the battery level. This value requires the Device Information access right, + and is available in iOS 5 and later. + - key: IsSupervised + supportedOS: + iOS: + introduced: '6.0' + macOS: + introduced: '10.15' + tvOS: + introduced: '9.0' + type: + content: If 'true', it's a supervised device. This value requires the Device Information + access right, and is available in iOS 6 and later, macOS 10.15 and later, and + tvOS 9 and later. 
+ - key: IsMultiUser + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device is in ephemeral multiuser mode. This value requires + the Device Information access right, and is available in iOS 9.3 and later. + - key: IsDeviceLocatorServiceEnabled + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled a device locator service, such as Find + My. This value requires the Device Information access right, and is available + in iOS 7 and later. + - key: IsActivationLockEnabled + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled Activation Lock. This value requires + the Device Information access right, and is available in iOS 7 and later, and + macOS 10.9 and later. + - key: IsActivationLockSupported + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.9' + tvOS: + introduced: n/a + type: + content: If 'true', the device supports Activation Lock. Also see IsActivationLockManageable + in SecurityInfoResponse.SecurityInfo.ManagementStatus. This value is available + in macOS 10.9 and later. + - key: IsDoNotDisturbInEffect + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device is in Do Not Disturb (DND) mode. This value is + 'true' even if DND is only in effect for a locked device. This value requires + the Device Information access right, and is available in iOS 7 and later. + - key: SupportsLOMDevice + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + content: If 'true', the device can receive 'PowerON', 'PowerOFF', and 'Reset' + commands from a lights-out management (LOM) controller. This query is available + in macOS 11 and later. 
+ - key: DeviceID + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '6.0' + type: + content: The device identifier. This value requires the Device Information access + right, and is available in tvOS 6 and later. + - key: EASDeviceIdentifier + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The device identifier for Exchange Active Sync (EAS). This value requires + the Device Information access right, and is available in iOS 7 and later. + - key: IsCloudBackupEnabled + supportedOS: + iOS: + introduced: '7.1' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled iCloud backup. This value requires + the Device Information access right, and is available in iOS 7.1 and later. + - key: ActiveManagedUsers + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: n/a + type: + content: An array of the directory GUIDs of the logged-in managed users. If one + of these users is currently logged in to the console, the 'CurrentConsoleManagedUser' + key returns the GUID of that user. This value requires the Device Information + access right, and is available in macOS 10.11 and later. + subkeys: + - key: ActiveManagedUsersItems + type: + - key: OSUpdateSettings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: n/a + type: + content: The contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. + This value requires the Device Information access right, and is available in + macOS 10.11 and later. + subkeys: + - key: CatalogURL + type: + content: The URL to the software update catalog the client is using. This value + is available in macOS 10.11 and later. + - key: IsDefaultCatalog + type: + content: If 'true', 'CatalogURL' is the default catalog. This value is available + in macOS 10.11 and later. 
+ - key: PreviousScanDate + type: + content: The date of the last software update scan. This value is available + in macOS 10.11 and later. + - key: PreviousScanResult + type: + content: The result code of last software update scan; '”0”' = success. This + value is available in macOS 10.11 and later. + - key: PerformPeriodicCheck + type: + content: If 'true', start a new scan. This value is available in macOS 10.11 + and later. + - key: AutomaticCheckEnabled + type: + content: The preference to automatically check for app updates. This value is + available in macOS 10.11 and later. + - key: BackgroundDownloadEnabled + type: + content: The preference to download app updates in the background. This value + is available in macOS 10.11 and later. + - key: AutomaticAppInstallationEnabled + type: + content: The preference to automatically install app updates. This value is + available in macOS 10.11 and later. + - key: AutomaticOSInstallationEnabled + type: + content: The preference to automatically install operating system updates. This + value is available in macOS 10.11 and later. + - key: AutomaticSecurityUpdatesEnabled + type: + content: The preference to automatically install system data files and security + updates. This value is available in macOS 10.11 and later. + - key: LocalHostName + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: n/a + type: + content: The local host name from Bonjour. This value is available in macOS 10.11 + and later. + - key: HostName + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: n/a + type: + content: The host name. This value is available in macOS 10.11 and later. 
+ - key: AutoSetupAdminAccounts + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + tvOS: + introduced: n/a + type: + content: The contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, + which Setup Assistant automatically created during DEP enrollment. This value + requires the Device Information access right, and is available in macOS 10.11 + and later. + subkeys: + - key: AutoSetupAdminAccountsItem + type: + subkeys: + - key: GUID + type: + content: The 'GeneratedUID' of the administrator account. This value is available + in macOS 10.11 and later. + - key: shortName + type: + content: The short name of the administrator account. This value is available + in macOS 10.11 and later. + - key: SystemIntegrityProtectionEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled System Integrity Protection. This value + requires the Device Information access right, and is available in macOS 10.12 + and later. + - key: IsMDMLostModeEnabled + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled Managed Lost Mode. This value requires + the Device Information access right, and is available in iOS 9.3 and later. + - key: MaximumResidentUsers + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The maximum number of users that can use this shared iPad device. Starting + with iOS 13.4, the value that returns is always '32'. This value requires the + Device Information access right, and is available in iOS 9.3 and later. 
+ - key: EstimatedResidentUsers + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The estimated number of users that can use this shared iPad device, according + to the space available on the device and each user's quota. This value requires + the Device Information access right, and is available in iOS 14 and later. + - key: QuotaSize + supportedOS: + iOS: + introduced: '13.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The quota size in megabytes for each user on this shared iPad device. + This value requires the Device Information access right, and is available in + iOS 13.4 and later. + - key: ResidentUsers + supportedOS: + iOS: + introduced: '13.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The number of users currently on this shared iPad device. This value + requires the Device Information access right, and is available in iOS 13.4 and + later. + - key: UserSessionTimeout + supportedOS: + iOS: + introduced: '14.5' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The timeout interval for the user session. '0' means no timeout. + - key: TemporarySessionTimeout + supportedOS: + iOS: + introduced: '14.5' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The timeout interval for the temporary session. '0' means no timeout. + - key: TemporarySessionOnly + supportedOS: + iOS: + introduced: '14.5' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device only allows temporary sessions. + - key: PushToken + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: '10.12' + tvOS: + introduced: n/a + type: + content: The push token for the user-channel connection, in the same format as + in TokenUpdateRequest. MDM ignores this query for the device channel. 
This value + requires the Device Information access right, and is available in iOS 9.3 and + later, and macOS 1012 and later. + - key: DiagnosticSubmissionEnabled + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled diagnostic submission. This value requires + the Device Information access right, and is available in iOS 9.3 and later. + - key: AppAnalyticsEnabled + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device is sharing app analytics. This value requires the + Device Information access right, and is available in iOS 9.3 and later. + - key: TimeZone + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + tvOS: + introduced: '14.0' + type: + content: The current Internet Assigned Numbers Authority (IANA) time zone database + name. This value requires the Device Information access right, and is available + in iOS 14 and later, and tvOS 14 and later. + - key: ICCID + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The integrated circuit card (ICC) identifier for the installed SIM card. + This value requires the Network Information access right, and is available in + iOS 4 and later. + - key: BluetoothMAC + type: + content: The Bluetooth media access control (MAC) address. This value requires + the Network Information access right. + - key: WiFiMAC + type: + content: The Wi-Fi MAC address. This value requires the Network Information access + right. + - key: EthernetMAC + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The primary Ethernet MAC address. This value requires the Network Information + access right, and is available in macOS 10.7 and later. 
+ - key: CurrentCarrierNetwork + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The name of the current carrier network. This value requires the Network + Information access right, and is available in iOS 4 and later. + - key: SIMCarrierNetwork + supportedOS: + iOS: + removed: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork' instead. + - key: SubscriberCarrierNetwork + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The name of the home carrier network. This value requires the Network + Information access right, and is available in iOS 5 and later. + - key: CarrierSettingsVersion + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The version of the carrier settings. This value requires the Network + Information access right, and is available in iOS 4 and later. + - key: PhoneNumber + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The raw phone number without punctuation and including the country code. + This value requires the Network Information access right, and is available in + iOS 7.0 and later. + - key: DataRoamingEnabled + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled data roaming. This value requires the + Network Information access right, and is available in iOS 5 and later. + - key: VoiceRoamingEnabled + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled voice roaming, which isn't available + for all carriers. This value requires the Network Information access right, + and is available in iOS 5 and later. 
+ - key: PersonalHotspotEnabled + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true,' the device has enabled Personal Hotspot, which isn't available + for all carriers. This value requires the Network Information access right, + and is available in iOS 7.0 and later. + - key: IsNetworkTethered + supportedOS: + iOS: + introduced: '10.3' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device is network-tethered. This value requires the Network + Information access right, and is available in iOS 10.3 and later. + - key: IsRoaming + supportedOS: + iOS: + introduced: '4.2' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device is roaming. This value requires the Network Information + access right, and is available in iOS 4.2 and later. + - key: SIMMCC + supportedOS: + iOS: + removed: 4.2.6 + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Apple no longer supports this query. Use 'SubscriberMCC' instead. + - key: SIMMNC + supportedOS: + iOS: + removed: 4.2.6 + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: Apple no longer supports this query. Use 'SubscriberMNC' instead. + - key: SubscriberMCC + supportedOS: + iOS: + introduced: 4.2.6 + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The home Mobile Country Code (MCC). This value requires the Network Information + access right, and is available in iOS 4.2.6 and later. + - key: SubscriberMNC + supportedOS: + iOS: + introduced: 4.2.6 + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The key to get the home Mobile Network Code (MNC). This value requires + the Network Information access right, and is available in iOS 4.2.6 and later. + - key: CurrentMCC + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The current mobile country code (MCC). 
This value requires the Network + Information access right, and is available in iOS 4 and later. + - key: CurrentMNC + supportedOS: + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The current mobile network code (MNC). This value requires the Network + Information access right, and is available in iOS 4 and later. + - key: ServiceSubscriptions + supportedOS: + iOS: + introduced: '12.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. + This value requires the Network Information access right. + subkeys: + - key: ServiceSubscriptionProperty + type: + content: Properties of this Service Subscription. See below. + subkeys: + - key: CarrierSettingsVersion + type: + content: The version of the carrier settings. This value is available in iOS + 12 and later. + - key: CurrentCarrierNetwork + type: + content: The name of the current carrier network. This value is available + in iOS 12 and later. + - key: CurrentMCC + type: + content: The current mobile country code (MCC). This value is available in + iOS 12 and later. + - key: CurrentMNC + type: + content: The current mobile network code (MNC). This value is available in + iOS 12 and later. + - key: ICCID + type: + content: The integrated circuit card identifier (ICCID) value. This value + is available in iOS 12 and later. + - key: EID + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: The eSIM identifier. This value is available in iOS 14 and later. + - key: IMEI + type: + content: The device International Mobile Equipment Identity (IMEI) number. + This value is available in iOS 12 and later. + - key: IsDataPreferred + type: + content: If 'true', this subscription is the preference for data. This value + is available in iOS 12 and later. + - key: IsRoaming + type: + content: If 'true', the phone is roaming. 
This value is available in iOS 12 + and later. + - key: IsVoicePreferred + type: + content: If 'true', this subscription is the preference for voice. This value + is available in iOS 12 and later. + - key: Label + type: + content: The label of this subscription. This value is available in iOS 12 + and later. + - key: LabelID + type: + content: The unique identifier for this subscription. This value is available + in iOS 12 and later. + - key: MEID + type: + content: The device Mobile Equipment Identifier (MEID) number. This query + is available in iOS 12 and later. + - key: PhoneNumber + type: + content: The raw phone number without punctuation and including country code. + This value is available in iOS 12 and later. + - key: Slot + type: + content: The description of the slot that contains the SIM representing this + subscription. This value is available in iOS 12 and later. + - key: PINRequiredForEraseDevice + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + content: If 'true', the EraseDeviceCommand requires a PIN. This value is available + in macOS 11 and later. + - key: PINRequiredForDeviceLock + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + content: If 'true', the DeviceLockCommand requires a PIN. This value is available + in macOS 11 and later. + - key: SupportsiOSAppInstalls + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + content: If 'true', the device supports iOS/iPadOS app installs via MDM. This + query is available in macOS 11 and later. + - key: SoftwareUpdateDeviceID + supportedOS: + iOS: + introduced: '15.0' + userenrollment: + mode: forbidden + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: The key representing the device identifier to be used when looking up + available OS updates via . 
Available in iOS 14.5 + and later. diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml new file mode 100644 index 0000000..57e853c --- /dev/null +++ b/mdm/commands/information.security.yaml 
@@ -0,0 +1,466 @@ +title: Security Information Command +description: This command queries the device for security-related information. Queries + are available if the MDM host has the Security Query right. +payload: + requesttype: SecurityInfo + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowQuerySecurity + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowQuerySecurity + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowQuerySecurity + supervised: false + content: This command queries the device for security-related information. Queries + are available if the MDM host has the Security Query right. +responsekeys: +- key: SecurityInfo + type: + presence: required + content: A dictionary that contains security-related information. + subkeys: + - key: HardwareEncryptionCaps + supportedOS: + macOS: + introduced: n/a + type: + content: |- + An integer that indicates the underlying hardware encryption capabilities of the device, which is one of the following values: + * '1': Block-level encryption + * '2': File-level encryption + * '3': Both block-level and file-level encryption + For a device to have data protection, 'HardwareEncryptionCaps' must be '3' and 'PasscodePresent' must 'true'. + This value is available in iOS 4 and later, and tvOS 6 and later. + - key: PasscodePresent + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + content: If 'true', the device has a passcode. This value is available in iOS + 4 and later, and tvOS 6 and later. + - key: PasscodeCompliant + supportedOS: + macOS: + introduced: n/a + type: + content: If 'true', the user's passcode is compliant with all requirements on + the device, including Exchange and other accounts. 
This value is available in + iOS 4 and later, and tvOS 6 and later. + - key: PasscodeCompliantWithProfiles + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + content: If 'true', the user's passcode is compliant with requirements from profiles. + This key does not apply to User-Enrolled devices. This value is available in + iOS 4 and later, and tvOS 6 and later. + - key: PasscodeLockGracePeriod + supportedOS: + iOS: + introduced: 9.3.2 + sharedipad: + mode: required + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + content: The user preference for the number of seconds before a locked screen + requires the device passcode to unlock it. This value is only available for + Shared iPad. + - key: PasscodeLockGracePeriodEnforced + supportedOS: + iOS: + introduced: 9.3.2 + sharedipad: + mode: required + userenrollment: + mode: forbidden + macOS: + introduced: n/a + type: + content: The enforced value for the number of seconds before a locked screen requires + the device passcode to unlock it. If a device has a passcode, changing 'PasscodeLockGracePeriod' + to a larger value doesn't take effect until the user logs out or removes the + passcode. This value is only available for Shared iPad. + - key: FDE_Enabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.9' + userchannel: false + tvOS: + introduced: n/a + type: + content: If 'true', the device has enabled FileVault full disk encryption (FDE). + This value is available in macOS 10.9 and later. + - key: FDE_HasPersonalRecoveryKey + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.9' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If 'true', FileVault FDE has a personal recovery key. This value is available + in macOS 10.9 and later. 
+ - key: FDE_HasInstitutionalRecoveryKey + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.9' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If 'true', FileVault FDE has an institutional recovery key. This value + is available in macOS 10.9 and later. + - key: FDE_PersonalRecoveryKeyCMS + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If the FileVault personal recovery key has enabled escrow with a recovery + key, this value contains the key. The certificate from the FDERecoveryKeyEscrow + profile encrypts the key and wraps it as CMS data. This value is available in + macOS 10.13 and later. + - key: FDE_PersonalRecoveryKeyDeviceKey + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If the FileVault personal recovery key has enabled escrow with a recovery + key, this value is the device serial number. This is the value that displays + to the user at the EFI login window as part of the help message if they enter + their password incorrectly three times. The server also uses this value as an + index when saving the device personal recovery key. This replaces the 'recordNumber' + that the server returned in the previous escrow mechanism. This value is available + in macOS 10.13 and later. + - key: SystemIntegrityProtectionEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userchannel: false + tvOS: + introduced: n/a + type: + content: If 'true', System Integrity Protection (SIP) is active on the device. + This value is available in macOS 10.12 and later. 
+ - key: FirewallSettings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userchannel: false + tvOS: + introduced: n/a + type: + content: A dictionary that contains the firewall settings. This value is available + in macOS 10.12 and later. + subkeys: + - key: FirewallEnabled + type: + content: If 'true', the firewall is on. + - key: BlockAllIncoming + type: + content: If 'true', the firewall blocks all incoming connections. + - key: StealthMode + type: + content: If true, stealth mode is active for the firewall. + - key: Applications + supportedOS: + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + type: + content: An array of dictionaries that describes the allowed applications. + subkeys: + - key: ApplicationsItem + type: + subkeys: + - key: Allowed + type: + content: If 'true', the app is an allowed app. + - key: BundleID + type: + content: The app's bundle identifier. + - key: Name + type: + content: The app's display name if it's determinable from the 'BundleID'. + - key: LoggingEnabled + supportedOS: + macOS: + introduced: '12.0' + type: + content: If 'true', logging is enabled. + - key: LoggingOption + supportedOS: + macOS: + introduced: '12.0' + type: + rangelist: + - throttled + - brief + - detail + content: The type of logging emitted by the firewall. + - key: FirmwarePasswordStatus + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userchannel: false + tvOS: + introduced: n/a + type: + content: A dictionary that contains the status of the EFI firmware password. This + value is available in macOS 10.13 and later. + subkeys: + - key: PasswordExists + type: + content: If 'true', the device has an EFI firmware password. + - key: ChangePending + type: + content: |- + If 'true', a firmware password change is pending. A device restart is necessary for this change to take effect. Until then, additional attempts to change the password fail. 
+ If 'true', the other values show the current state of the device, not the state after a restart. + - key: AllowOroms + type: + content: If 'true', enable ROMs. + - key: ManagementStatus + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: 10.13.2 + tvOS: + introduced: '13.0' + type: + content: A dictionary that contains the status of the device's MDM enrollment. + subkeys: + - key: EnrolledViaDEP + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the device enrolled in MDM through the Device Enrollment + Program (DEP). This value is available in macOS 10.13.2 and later. + - key: UserApprovedEnrollment + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + content: If 'true', the enrollment was user-approved. If 'false', the device + may reject certain security-sensitive payloads or commands. This value is + available in macOS 10.13.2 and later. + - key: IsUserEnrollment + supportedOS: + macOS: + introduced: '10.15' + type: + content: If 'true', the device is user-enrolled. This value is available in + iOS 13 and later, and macOS 10.15 and later. + - key: IsActivationLockManageable + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + tvOS: + introduced: n/a + type: + content: If 'true', the type of enrollment allows the MDM to manage Activation + Lock for this device. This value is available in macOS 10.15 and later. + - key: SecureBoot + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + userchannel: false + tvOS: + introduced: n/a + type: + content: A dictionary that contains the device's Secure Boot settings. This value + is available in macOS 10.15 and later. + subkeys: + - key: SecureBootLevel + type: + rangelist: + - 'off' + - medium + - full + - not supported + content: The security level for the bootable operating system versions. 
+ - key: ExternalBootLevel + type: + rangelist: + - allowed + - disallowed + - not supported + content: The device's external boot level, which indicates whether it allows + booting from an external device, disallows it, or doesn't support it. + - key: ReducedSecurity + supportedOS: + macOS: + introduced: '11.0' + type: + content: |- + Reports which security features the user disables in 'recoveryOS'. This property is only present for Apple silicon when 'SecureBootLevel' is 'medium'. + Available in iOS 11 and later. + subkeys: + - key: ReducedSecurityItems + type: + subkeys: + - key: AllowsAnyAppleSignedOS + type: + content: If 'true', allows any signed version of trusted system software + from Apple to run. + - key: AllowsUserKextApproval + type: + content: If 'true', the user has control over kernel extensions. + - key: AllowsMDM + type: + content: If 'true', the MDM server controls kernel extensions and software + updates. + - key: RemoteDesktopEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: 10.14.4 + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If 'true', Remote Desktop is active on the device. This value is available + in macOS 10.14.4 and later. + - key: AuthenticatedRootVolumeEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userchannel: false + tvOS: + introduced: n/a + type: + content: If 'true', the system booted using an Authenticated Root Volume. This + value is available in macOS 11 and later. + - key: BootstrapTokenAllowedForAuthentication + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + rangelist: + - allowed + - disallowed + - not supported + content: |- + This value specifies whether the Secure Enclave Processor (SEP) supports and allows secure operations to use the Bootstrap Token. 
The value is automatically set for devices enrolled through the Device Enrollment Program (DEP). The user can also manually set this value in the RecoveryOS. + This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment. + - key: BootstrapTokenRequiredForSoftwareUpdate + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: |- + If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to installation. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. + This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment. + - key: BootstrapTokenRequiredForKernelExtensionApproval + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: |- + If 'true', the device can accept a Bootstrap Token from the MDM server instead of prompting for user authentication prior to enabling kernel extensions. This includes enabling kexts through the 'com.apple.syspolicy.kernel-extension-policy' payload or triggering the 'RestartDevice' command with 'RebuildKernelCache' set to 'true'. This only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. + This value is available for Apple silicon in macOS 11 and later. Not available for user enrollment. + - key: IsRecoveryLockEnabled + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.5' + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: If 'true', a password is required to enter recovery (see SetRecoveryLockCommand). 
+ Available in macOS 11.5 and later and only on Apple silicon devices.
diff --git a/mdm/commands/lom.devicerequest.yaml b/mdm/commands/lom.devicerequest.yaml
new file mode 100644
index 0000000..33ef38e
--- /dev/null
+++ b/mdm/commands/lom.devicerequest.yaml
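Review bot: 'BootstrapTokenRequiredForSoftwareUpdate' and 'BootstrapTokenRequiredForKernelExtensionApproval' say they apply only when 'BootstrapTokenAllowedForAuthentication' is 'true', but that key is declared with a rangelist of allowed / disallowed / not supported, so 'true' is not a value it can take; both content strings should read `is 'allowed'`. The 'ReducedSecurity' text ends with `Available in iOS 11 and later.` while its supportedOS lists only macOS '11.0' and the parent 'SecureBoot' marks iOS as n/a, so the sentence presumably means macOS 11. Two smaller wording issues: 'HardwareEncryptionCaps' reads `'PasscodePresent' must 'true'` (missing "be"), and 'StealthMode' is the only boolean in the file whose description leaves the value unquoted (`If true,` where every other key writes `If 'true',`).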
@@ -0,0 +1,86 @@
+title: LOM Device Request Command
+description: Issues LOM requests to devices.
+payload:
+ requesttype: LOMDeviceRequest
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ accessrights: DeviceLockAndRemovePasscode
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Used to send LOM requests ("PowerON", "PowerOFF", "Reset") to LOM Controller
+ which then forwards the request to LOM Devices.
+payloadkeys:
+- key: RequestList
+ type:
+ presence: required
+ content: An array of requests to perform.
+ subkeys:
+ - key: RequestListItem
+ type:
+ presence: required
+ subkeys:
+ - key: DeviceRequestType
+ type:
+ presence: required
+ rangelist:
+ - PowerON
+ - PowerOFF
+ - Reset
+ content: The requested action to perform on the device.
+ - key: DeviceRequestUUID
+ type:
+ presence: required
+ content: The unique identifier of the request.
+ - key: DeviceDNSName
+ type:
+ presence: required
+ content: The DNS name of the device. This should match the 'dNSName' in SCEP.PayloadContent.SubjectAltName.
+ - key: PrimaryIPv6AddressList
+ type:
+ presence: required
+ content: An array that contains the IPv6 addresses for primary LOM-compatible
+ Ethernet interfaces for the device.
+ subkeys:
+ - key: PrimaryIPv6AddressListItem
+ type:
+ presence: required
+ - key: SecondaryIPv6AddressList
+ type:
+ presence: required
+ content: An array that contains the IPv6 addresses for secondary LOM-compatible
+ Ethernet interfaces for the device.
+ subkeys:
+ - key: SecondaryIPv6AddressListItem
+ type:
+ presence: required
+ - key: LOMProtocolVersion
+ type:
+ presence: required
+ content: The LOM protocol version that the device supports. Provide the same
+ value that 'LOMProtocolVersion' receives in the LOMSetupRequestResponse.
+responsekeys:
+- key: ResponseList
+ type:
+ presence: required
+ content: An array of dictionaries that describes the status of each request.
+ subkeys:
+ - key: ResponseListItem
+ type:
+ presence: required
+ subkeys:
+ - key: DeviceRequestSuccess
+ type:
+ presence: required
+ content: If 'true', the request was successful.
+ - key: DeviceRequestUUID
+ type:
+ presence: required
+ content: The unique identifier of the request for this response list item.
+ - key: DeviceRequestReturnError
+ type:
+ presence: optional
+ content: If present, a description of the error for a failed request.
diff --git a/mdm/commands/lom.setuprequest.yaml b/mdm/commands/lom.setuprequest.yaml
new file mode 100644
index 0000000..2ddf0ad
--- /dev/null
+++ b/mdm/commands/lom.setuprequest.yaml
@@ -0,0 +1,40 @@
+title: LOM Setup Request Command
+description: Queries the device for LOM setup information such as IP addresses, protocol
+ version, etc.
+payload:
+ requesttype: LOMSetupRequest
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ accessrights: DeviceLockAndRemovePasscode
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Queries the device for LOM setup information such as IP addresses, protocol
+ version, etc. The MDM server must send this command prior to sending the LOMDeviceRequest
+ command.
+responsekeys:
+- key: PrimaryIPv6AddressList
+ type:
+ presence: required
+ content: An array that contains the IPv6 addresses for primary LOM-compatible Ethernet
+ interfaces for the device.
+ subkeys:
+ - key: PrimaryIPv6AddressListItem
+ type:
+ presence: required
+- key: SecondaryIPv6AddressList
+ type:
+ presence: required
+ content: An array that contains the IPv6 addresses for secondary LOM-compatible
+ Ethernet interfaces for the device.
+ subkeys:
+ - key: SecondaryIPv6AddressListItem
+ type:
+ presence: required
+- key: LOMProtocolVersion
+ type:
+ presence: required
+ content: The LOM protocol version that the device supports.
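Review bot: The payload's `accessrights: DeviceLockAndRemovePasscode` (also used in lom.setuprequest.yaml and passcode.firmware.set.yaml) names what looks like the same right that passcode.clear.yaml spells `AllowPasscodeRemovalAndLock`; if one right is meant, a consumer matching on the string will treat the two as different, so one spelling should be chosen or the difference documented on the key. The payload 'content' writes the request names with double quotes (`("PowerON", "PowerOFF", "Reset")`) while every other literal in these files uses single quotes, and the values are already enumerated in the 'DeviceRequestType' rangelist, so the parenthetical can be dropped. 'DeviceDNSName' states that it must match the 'dNSName' in the device's SCEP certificate, which is the binding between a power request and the device identity; 'PrimaryIPv6AddressList' and 'SecondaryIPv6AddressList' presumably have to be the lists returned by LOMSetupRequest, and saying so, as the 'LOMProtocolVersion' entry already does, would make that dependency explicit.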
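Review bot: The 'description' omits the ordering requirement that the payload 'content' states (the server must send this command before LOMDeviceRequest); since the two fields otherwise repeat each other, the description should carry it too, e.g. `description: Queries the device for LOM setup information such as IP addresses, protocol version, etc. The MDM server must send this command before LOMDeviceRequest.`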
diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml
new file mode 100644
index 0000000..7f74664
--- /dev/null
+++ b/mdm/commands/managed.application.attributes.yaml
@@ -0,0 +1,90 @@ +title: App Attributes Command +description: Queries managed application attributes. Attributes can be set on managed + apps. These attributes can be changed over time. +payload: + requesttype: ManagedApplicationAttributes + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + supervised: false + content: Queries managed application attributes. Attributes can be set on managed + apps. These attributes can be changed over time. +payloadkeys: +- key: Identifiers + type: + presence: required + content: The bundle identifiers of the managed apps. + subkeys: + - key: IdentifiersItem + type: +responsekeys: +- key: ApplicationAttributes + type: + presence: required + content: An array of app attributes items. + subkeys: + - key: ApplicationAttributesItem + type: + subkeys: + - key: Identifier + type: + presence: required + content: The app's bundle identifier. + - key: Attributes + type: + presence: optional + content: The app's attributes. + subkeys: + - key: VPNUUID + type: + presence: optional + content: A per-app VPN unique identifier for this app. + - key: AssociatedDomains + supportedOS: + iOS: + introduced: '13.0' + tvOS: + introduced: n/a + type: + presence: optional + content: This app's associated domains. This value is available in iOS 13 + and later. + subkeys: + - key: AssociatedDomain + type: + - key: AssociatedDomainsEnableDirectDownloads + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', perform claimed site association verification directly + at the domain instead of on Apple's servers. Only set this to 'true' for + domains that can't access the internet. This value is available in iOS 14 + and later. 
+ - key: Removable + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: '14.0' + type: + presence: optional + default: true + content: If 'false', this app isn't removable while it's a managed app. This + value is available in iOS 14 and later. diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml new file mode 100644 index 0000000..71eb635 --- /dev/null +++ b/mdm/commands/managed.application.configuration.yaml 
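Review bot: 'AssociatedDomainsEnableDirectDownloads' declares `default: true` while its own text says to set it to 'true' only for domains that can't access the internet, which reads as if 'false' were the normal case; one of the two is presumably wrong and the default should be confirmed against the implementation, since it decides whether claimed-site association verification goes through Apple's servers or straight to the domain. 'IdentifiersItem' and 'AssociatedDomain' are declared with a bare `type:` (a YAML null) and no content, unlike the other leaf keys in the file; if the schema means "unspecified", writing the type explicitly keeps validators from reading it as a missing value.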
@@ -0,0 +1,64 @@
+title: App Configuration Command
+description: This command queries the device for the current configuration of managed
+ applications. This command requires the App Management right. macOS supports this
+ command as of 10.15, on the device channel and for User Enrollments only, because
+ Settings->ApplicationConfiguration is supported. Since macOS does not support Managed
+ Applications, this command can be used for any bundle identifier.
+payload:
+ requesttype: ManagedApplicationConfiguration
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ accessrights: AllowAppInstallation
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.15'
+ accessrights: AllowAppInstallation
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ tvOS:
+ introduced: '10.2'
+ accessrights: AllowAppInstallation
+ supervised: false
+ content: This command queries the device for the current configuration of managed
+ applications. This command requires the App Management right.
+payloadkeys:
+- key: Identifiers
+ type:
+ presence: required
+ content: The bundle identifiers of the managed apps.
+ subkeys:
+ - key: IdentifiersItem
+ type:
+responsekeys:
+- key: ApplicationConfigurations
+ type:
+ presence: required
+ content: An array of app configurations items.
+ subkeys:
+ - key: ApplicationConfigurationsItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The app's bundle identifier.
+ - key: Configuration
+ type:
+ presence: optional
+ content: The app's configurations.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The app's configuration items.
diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml
new file mode 100644
index 0000000..1a0ab1d
--- /dev/null
+++ b/mdm/commands/managed.application.feedback.yaml
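Review bot: The description says macOS supports this command "for User Enrollments only", but the macOS supportedOS block declares `userenrollment: mode: allowed`, the non-restrictive value, whereas this schema expresses "only" with `mode: required` (see 'sharedipad' on 'PasscodeLockGracePeriod' in information.security.yaml); if the prose is right the block should say `mode: required`, otherwise the sentence should go. The description also carries the macOS rationale ("Since macOS does not support Managed Applications, this command can be used for any bundle identifier") while the payload 'content' stops after the access-right sentence, so the two summaries of the same command tell the reader different things.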
@@ -0,0 +1,66 @@
+title: App Feedback Command
+description: This command queries the device for application feedback information.
+ This command requires the App Management right.
+payload:
+ requesttype: ManagedApplicationFeedback
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ accessrights: AllowAppInstallation
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '11.0'
+ accessrights: AllowAppInstallation
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: '10.2'
+ accessrights: AllowAppInstallation
+ supervised: false
+ content: This command queries the device for application feedback information. This
+ command requires the App Management right.
+payloadkeys:
+- key: Identifiers
+ type:
+ presence: required
+ content: The bundle identifiers of the managed apps.
+ subkeys:
+ - key: IdentifiersItem
+ type:
+- key: DeleteFeedback
+ type:
+ presence: optional
+ default: false
+ content: If 'true', delete the app's feedback dictionary after the server reads
+ it.
+responsekeys:
+- key: ManagedApplicationFeedback
+ type:
+ presence: required
+ content: An array of managed app feedback items.
+ subkeys:
+ - key: ManagedApplicationFeedbackItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The app's bundle identifier.
+ - key: Feedback
+ type:
+ presence: optional
+ content: The app's feedback.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The app's feedback items.
diff --git a/mdm/commands/media.install.yaml b/mdm/commands/media.install.yaml
new file mode 100644
index 0000000..716a134
--- /dev/null
+++ b/mdm/commands/media.install.yaml
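Review bot: The macOS block under 'supportedOS' lacks the `requiresdep` key that every other macOS block in this commit carries (e.g. `requiresdep: false` in managed.application.configuration.yaml), so a consumer reading the schema gets a missing key here and an explicit value there; add `requiresdep: false` if that is the intent. 'DeleteFeedback' is a destructive option on a query command: it removes the on-device feedback dictionary once the server reads it, and the content does not say at what point the device deletes (presumably after it has sent this response), which matters to a server that loses the response and would otherwise lose the data; the content should state the ordering.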
@@ -0,0 +1,150 @@ +title: Install Media Command +description: This command allows the server to install a book on a device. If the + book is already being managed, this command will update the book. +payload: + requesttype: InstallMedia + supportedOS: + iOS: + introduced: '8.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.9' + accessrights: AllowAppInstallation + devicechannel: false + userchannel: true + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows the server to install a book on a device. If the book + is already being managed, this command will update the book. +payloadkeys: +- key: iTunesStoreID + type: + presence: optional + content: The book's iTunes Store identifier. +- key: MediaURL + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The URL to retrieve the book. This value is available in iOS 8 and later. +- key: MediaType + type: + presence: required + rangelist: + - Book + content: The media type, which can only be 'Book'. +- key: PersistentID + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The book's persistent identifier in reverse-DNS form; for example, 'com.acme.manuals.training'. + This value is available in iOS 8 and later. +- key: Kind + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - pdf + - epub + - ibooks + content: |- + The kind of the media, which can be one of the following values: + * 'pdf': A PDF file + * 'epub': An EPUB file in 'gzip' format. + * 'ibooks': An iBooks Author file in 'gzip' format. + If you omit this value, its value is the file extension in the URL. This value is available in iOS 8 and later. +- key: Version + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The book's version number. 
This value is available in iOS 8 and later. +- key: Author + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The name of the book's author. This value is available in iOS 8 and later. +- key: Title + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The book's title. This value is available in iOS 8 and later. +responsekeys: +- key: iTunesStoreID + type: + presence: optional + content: The book's iTunes Store identifier, if present in the command. +- key: MediaURL + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The URL to retrieve the book, if present in the command. This value is + available in iOS 8 and later. +- key: PersistentID + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: The book's persistent identifier, if present in the command. This value + is available in iOS 8 and later. +- key: MediaType + type: + presence: optional + content: The media type, which can only be 'Book'. +- key: State + type: + presence: optional + rangelist: + - Queued + - PromptingForLogin + - Updating + - Installing + - Managed + - ManagedButUninstalled + - Installed + - Uninstalled + - Failed + - Unknown + content: The installation state of this book. The 'Failed' and 'Unknown' states + are transient and the device only reports them once. Books from the Book Store + report their state as 'Installed' instead of 'Managed'. +- key: RejectionReason + type: + presence: optional + rangelist: + - CouldNotVerifyITunesStoreID + - PurchaseNotFound + - AppStoreDisabled + - WrongMediaType + - DownloadInvalid + - EnterpriseBooksNotSupportedInMultiUser + content: |- + The reason, if installation fails, which is one of the following values: + * 'CouldNotVerifyITunesStoreID': The 'iTunesStoreID' is invalid. + * 'PurchaseNotFound': The Volume Purchase Program (VPP) license isn't in the user's history. + * 'AppStoreDisabled': App Store isn't available on the device. 
+ * 'WrongMediaType': The media type is invalid. The only valid type is 'Book'.
+ * 'DownloadInvalid': The URL doesn't lead to a valid book.
+ * 'EnterpriseBooksNotSupportedInMultiUser': Multiuser mode doesn't support enterprise books.
diff --git a/mdm/commands/media.managed.list.yaml b/mdm/commands/media.managed.list.yaml
new file mode 100644
index 0000000..a1d0607
--- /dev/null
+++ b/mdm/commands/media.managed.list.yaml
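Review bot: The response-side 'MediaType' key is described as "can only be 'Book'" but, unlike the payload-side key, declares no `rangelist`, so the constraint lives only in prose; giving it the same block-form `rangelist` with the single value `Book` keeps the two in sync. The 'Kind' text says an omitted value falls back to the file extension in the URL, yet 'MediaURL' is optional (and n/a on macOS), so the fallback has nothing to read when a book is identified only by 'iTunesStoreID'; the content should say what happens in that case. 'MediaURL' is a server-supplied location the device downloads from, and neither the key nor the response says what validation the device applies beyond the 'DownloadInvalid' rejection reason; a sentence on that would help server implementers.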
@@ -0,0 +1,73 @@ +title: Managed Media List Command +description: This command allows the server to query for installed 3rd party applications. +payload: + requesttype: ManagedMediaList + supportedOS: + iOS: + introduced: '8.0' + accessrights: AllowAppInstallation + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + content: This command allows the server to query for installed 3rd party applications. +responsekeys: +- key: Books + type: + presence: required + content: An array of dictionaries that describes managed books. + subkeys: + - key: BooksItem + type: + subkeys: + - key: iTunesStoreID + type: + presence: required + content: The book's iTunes Store identifier. + - key: State + type: + presence: optional + content: |- + The installation state of this book, which is one of the following values: + * 'Queued' + * 'PromptingForLogin' + * 'Updating' + * 'Installing' + * 'Managed' + * 'ManagedButUninstalled' + * 'Installed' + * 'Uninstalled' + * 'Failed' + * 'Unknown' + The 'Failed' and 'Unknown' states are transient and the device only reports them once. Books from the Book Store report their state as 'Installed' instead of 'Managed'. + - key: PersistentID + type: + presence: optional + content: The book's persistent identifier in reverse-DNS form; for example, + 'com.acme.manuals.training'. + - key: Kind + type: + presence: optional + content: |- + The kind of the media, which is one of the following values: + * 'pdf': A PDF file + * 'epub': An EPUB file in 'gzip' format + * 'ibooks': An iBooks Author file in 'gzip' format + * The file extension in the URL + This value is available in iOS 8 and later. + - key: Version + type: + presence: optional + content: The book's version number. + - key: Author + type: + presence: optional + content: The name of the book's author. + - key: Title + type: + presence: optional + content: The book's title. 
diff --git a/mdm/commands/media.remove.yaml b/mdm/commands/media.remove.yaml
new file mode 100644
index 0000000..accd593
--- /dev/null
+++ b/mdm/commands/media.remove.yaml
@@ -0,0 +1,34 @@
+title: Remove Media Command
+description: This command allows an MDM server to remove managed media. This command
+ returns Acknowledged even if the item is not found.
+payload:
+ requesttype: RemoveMedia
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ accessrights: AllowAppInstallation
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ content: This command allows an MDM server to remove managed media. This command
+ returns Acknowledged even if the item is not found.
+payloadkeys:
+- key: MediaType
+ type:
+ presence: required
+ rangelist:
+ - Book
+ content: The media type, which can only be 'Book'.
+- key: iTunesStoreID
+ type:
+ presence: optional
+ content: The book's iTunes Store identifier.
+- key: PersistentID
+ type:
+ presence: optional
+ content: The book's persistent identifier in reverse-DNS form; for example, 'com.acme.manuals.training'.
diff --git a/mdm/commands/mirroring.request.yaml b/mdm/commands/mirroring.request.yaml
new file mode 100644
index 0000000..42f68b9
--- /dev/null
+++ b/mdm/commands/mirroring.request.yaml
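Review bot: Both 'description' and the payload 'content' say the command queries "installed 3rd party applications", but the response is 'Books' with book-specific keys (iTunesStoreID, PersistentID, Kind, Author, Title), so the summary looks copied from an app-list command and should read `description: This command allows the server to query for managed books.` (and the same for 'content'). 'State' and 'Kind' here list their values as bullet text inside 'content', whereas media.install.yaml declares the same values as a `rangelist` on its 'State' and 'Kind' keys; using `rangelist` here too lets validators check the response and keeps the two files from drifting. The 'Kind' bullet `* The file extension in the URL` is listed as if it were an enumerated value rather than the fallback that media.install.yaml describes.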
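Review bot: 'iTunesStoreID' and 'PersistentID' are both `presence: optional` and nothing says that at least one must be supplied to identify the book, while the description says the command returns Acknowledged even when the item is not found, so a request with neither key would presumably be acknowledged without effect; if that is the rule, the content should state it, e.g. `One of 'iTunesStoreID' or 'PersistentID' is required to identify the book.`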
@@ -0,0 +1,55 @@
+title: Request Mirroring Command
+description: This command prompts the user to share their screen using AirPlay mirroring.
+payload:
+ requesttype: RequestMirroring
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ accessrights: None
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.10'
+ accessrights: None
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userenrollment:
+ mode: allowed
+ content: This command prompts the user to share their screen using AirPlay Mirroring.
+payloadkeys:
+- key: DestinationName
+ type:
+ presence: optional
+ content: The name of the AirPlay Mirroring destination.
+- key: DestinationDeviceID
+ type:
+ presence: optional
+ content: The hardware address of the AirPlay Mirroring destination that identifies
+ the device, in the format 'xx:xx:xx:xx:xx'. This value isn't case-sensitive.
+- key: ScanTime
+ type:
+ presence: optional
+ content: The number of seconds, from '10' to '300', for the device to spend searching
+ for the destination. The default value is '30'.
+- key: Password
+ type:
+ presence: optional
+ content: The screen-sharing password that the device uses when connecting to the
+ destination.
+responsekeys:
+- key: MirroringResult
+ type:
+ presence: optional
+ content: |-
+ The result of the request. One of these values:
+ * 'Prompting': The user is receiving a prompt to share their screen.
+ * 'DestinationNotFound': The device is unable to reach the destination.
+ * 'Cancelled': The user canceled the request.
+ * 'Unknown': An unknown error occurred.
diff --git a/mdm/commands/mirroring.stop.yaml b/mdm/commands/mirroring.stop.yaml
new file mode 100644
index 0000000..a118b51
--- /dev/null
+++ b/mdm/commands/mirroring.stop.yaml
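Review bot: 'DestinationDeviceID' gives the format as `'xx:xx:xx:xx:xx'`, five octet groups, while the text calls it the hardware address of the destination; a MAC address has six, so the example is presumably missing a group and should read `'xx:xx:xx:xx:xx:xx'`. 'MirroringResult' enumerates its four values in prose only, whereas the other command files in this commit declare such sets with `rangelist`; declaring the four values (Prompting, DestinationNotFound, Cancelled, Unknown) in a block-form `rangelist` would make the response checkable. 'Password' carries a screen-sharing secret in the command payload, and nothing on the key says whether the device retains it beyond the mirroring session; the content should say so either way.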
@@ -0,0 +1,25 @@ +title: Stop Mirroring Command +description: This command stops AirPlay mirroring. +payload: + requesttype: StopMirroring + supportedOS: + iOS: + introduced: '7.0' + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.10' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command stops AirPlay mirroring. diff --git a/mdm/commands/passcode.clear.yaml b/mdm/commands/passcode.clear.yaml new file mode 100644 index 0000000..de0c01e --- /dev/null +++ b/mdm/commands/passcode.clear.yaml @@ -0,0 +1,23 @@ +title: Clear Passcode Command +description: This command allows the server to clear the passcode on the device. This + command requires the Device Lock and Passcode Removal right. +payload: + requesttype: ClearPasscode + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowPasscodeRemovalAndLock + supervised: false + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + content: This command allows the server to clear the passcode on the device. This + command requires the Device Lock and Passcode Removal right. +payloadkeys: +- key: UnlockToken + type: + presence: required + content: The unlock token value that the device provides in its 'TokenUpdateMessage' + check-in message. diff --git a/mdm/commands/passcode.firmware.set.yaml b/mdm/commands/passcode.firmware.set.yaml new file mode 100644 index 0000000..12871d8 --- /dev/null +++ b/mdm/commands/passcode.firmware.set.yaml 
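Review bot: The iOS stanza in passcode.clear.yaml declares `accessrights: AllowPasscodeRemovalAndLock`, while the macOS commands in passcode.firmware.set.yaml, passcode.recovery.set.yaml, passcode.recovery.verify.yaml and rotate.file.vault.key.yaml declare `accessrights: DeviceLockAndRemovePasscode` for what the prose in each file calls the same 'Device Lock and Passcode Removal' right. If the access-rights vocabulary is an enumeration, confirm both spellings are valid members and make clear to readers that they map to the same right; otherwise normalise to one value. The iOS stanza here also omits the `devicechannel`/`userchannel` keys that every other iOS stanza carries; if omission means a default, that default should be stated once in the schema documentation.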
@@ -0,0 +1,37 @@ +title: Set Firmware Password Command +description: Changes or clears the firmware password for the device. +payload: + requesttype: SetFirmwarePassword + supportedOS: + macOS: + introduced: '10.13' + accessrights: DeviceLockAndRemovePasscode + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: Changes or clears the firmware password for the device. Requires the "Device + lock and passcode removal right". This command is not available on Apple silicon + devices. +payloadkeys: +- key: CurrentPassword + type: + presence: optional + content: The current password, which you must set if the device has a firmware password. +- key: NewPassword + type: + presence: required + content: The new firmware password. Set to an empty string to clear the password. + The characters in this value must consist of low-ASCII, printable characters ('0x20' + through '0x7E') to ensure that all characters are enterable on the EFI login screen. +- key: AllowOroms + type: + presence: optional + default: false + content: If 'true', enable ROMs. +responsekeys: +- key: PasswordChanged + type: + presence: required + content: If 'true', the password change succeeded. diff --git a/mdm/commands/passcode.firmware.verify.yaml b/mdm/commands/passcode.firmware.verify.yaml new file mode 100644 index 0000000..9dd5b30 --- /dev/null +++ b/mdm/commands/passcode.firmware.verify.yaml 
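Review bot: The `AllowOroms` text `If 'true', enable ROMs.` doesn't say what is being enabled; the key name suggests Option ROMs (expansion-card firmware that EFI can load at boot), so spell it out and name the trade-off, e.g. `content: If 'true', allow Option ROMs to load while the firmware password is set. Option ROMs execute before the operating system, so leave this 'false' unless required.` — confirm the meaning against the firmware documentation before wording it. `NewPassword` says an empty string clears the password, but nothing states whether `CurrentPassword` is still required for a clear; a sentence on `CurrentPassword` covering that case would remove the ambiguity.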
@@ -0,0 +1,25 @@ +title: Verify Firmware Password Command +description: Verifies the device's firmware password. +payload: + requesttype: VerifyFirmwarePassword + supportedOS: + macOS: + introduced: '10.13' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: Verifies the device's firmware password. This command is not available + on Apple silicon devices. +payloadkeys: +- key: Password + type: + presence: required + content: The password to verify. +responsekeys: +- key: PasswordVerified + type: + presence: required + content: If 'true', the provided password matches the firmware password on the device. diff --git a/mdm/commands/passcode.recovery.set.yaml b/mdm/commands/passcode.recovery.set.yaml new file mode 100644 index 0000000..37ccb13 --- /dev/null +++ b/mdm/commands/passcode.recovery.set.yaml @@ -0,0 +1,26 @@ +title: Set Recovery Lock Command +description: Sets or clears the recovery lock password (AppleSilicon devices only) +payload: + requesttype: SetRecoveryLock + supportedOS: + macOS: + introduced: '11.5' + accessrights: DeviceLockAndRemovePasscode + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: Sets or clears the recovery lock password (AppleSilicon devices only). + Requires the "Device lock and passcode removal right". +payloadkeys: +- key: CurrentPassword + type: + presence: optional + content: If the device has a Recovery Lock password set, the system requires the + current password. +- key: NewPassword + type: + presence: required + content: The new password for Recovery Lock. Set as an empty string to clear the + Recovery Lock password. diff --git a/mdm/commands/passcode.recovery.verify.yaml b/mdm/commands/passcode.recovery.verify.yaml new file mode 100644 index 0000000..cb27f88 --- /dev/null +++ b/mdm/commands/passcode.recovery.verify.yaml 
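Review bot: The `description` and `content` in passcode.recovery.set.yaml write 'AppleSilicon' where passcode.firmware.set.yaml and passcode.firmware.verify.yaml write 'Apple silicon'; use one spelling across the four files, and end the description with a period like the other commands, e.g. `description: Sets or clears the recovery lock password (Apple silicon devices only).`. `CurrentPassword` is `presence: optional` while its text says the system requires it when a password is set; stating what happens when it is missing or wrong (is the command rejected with an error?) would save implementers a guess. The same spelling issue recurs in passcode.recovery.verify.yaml.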
@@ -0,0 +1,24 @@ +title: Verify Recovery Lock Command +description: Verifies the device's recovery lock password. (AppleSilicon devices only) +payload: + requesttype: VerifyRecoveryLock + supportedOS: + macOS: + introduced: '11.5' + accessrights: DeviceLockAndRemovePasscode + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: Verifies the device's recovery lock password. (AppleSilicon devices only) +payloadkeys: +- key: Password + type: + presence: required + content: The password to verify. +responsekeys: +- key: PasswordVerified + type: + presence: required + content: If 'true', the device verified the password. diff --git a/mdm/commands/passcode.unlocktoken.yaml b/mdm/commands/passcode.unlocktoken.yaml new file mode 100644 index 0000000..2dc1a5f --- /dev/null +++ b/mdm/commands/passcode.unlocktoken.yaml @@ -0,0 +1,22 @@ +title: Request Unlock Token Command +description: This command requests an UnlockToken from the device. +payload: + requesttype: RequestUnlockToken + supportedOS: + iOS: + introduced: '5.0' + deprecated: 6.1.6 + accessrights: None + supervised: true + requiresdep: false + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + content: This command requests an UnlockToken from the device. Pass this token to + the ClearPasscode command to unlock the device. +responsekeys: +- key: UnlockToken + type: + presence: required + content: The unlock token. Erasing the user partition invalidates this token. diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml new file mode 100644 index 0000000..33c400c --- /dev/null +++ b/mdm/commands/profile.install.yaml 
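Review bot: `deprecated: 6.1.6` is the only unquoted version value in this stanza (`introduced: '5.0'` is quoted), and remotedesktop.disable.yaml and remotedesktop.enable.yaml carry an unquoted `introduced: 10.14.4`; three-component versions parse as strings today, but the series otherwise quotes every version so that two-component ones like '10.15' don't become floats, so write `deprecated: '6.1.6'` and `introduced: '10.14.4'` for consistency. Because passcode.clear.yaml consumes this value to unlock the device, the response text should also flag it as a secret, e.g. `content: The unlock token. Erasing the user partition invalidates this token. Treat this value as a secret and store it accordingly.`.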
@@ -0,0 +1,41 @@ +title: Install Profile Command +description: This command allows the host to install a configuration profile. The + profile may be encrypted using any installed identity certificate. The profile may + also be signed. This command requires the Profile Installation and Removal right. + It's supported in the user channel. +payload: + requesttype: InstallProfile + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowInstallationRemoval + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowInstallationRemoval + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowInstallationRemoval + supervised: false + content: This command allows the host to install a configuration profile. The profile + may be encrypted using any installed identity certificate. The profile may also + be signed. This command requires the Profile Installation and Removal right. It's + supported in the user channel. +payloadkeys: +- key: Payload + type: + presence: required + content: The profile to install, which you can encrypt using any identity certificate + installed on the device. You can also sign the profile. diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml new file mode 100644 index 0000000..b1b8850 --- /dev/null +++ b/mdm/commands/profile.list.yaml 
@@ -0,0 +1,154 @@ +title: Profile List Command +description: This command allows the MDM server to query for the profiles installed + on the device. This command requires the Inspect Profile Manifest right. It's supported + on the user channel. +payload: + requesttype: ProfileList + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowInspection + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowInspection + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowInspection + supervised: false + content: This command allows the MDM server to query for the profiles installed + on the device. This command requires the Inspect Profile Manifest right. It's + supported on the user channel. +payloadkeys: +- key: ManagedOnly + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: '10.15' + tvOS: + introduced: '13.0' + type: + presence: optional + default: false + content: If 'true', only include profiles that MDM has installed. For user enrollments, + the device ignores this key and always limits the results to managed profiles. + This value is available in iOS 13 and later, macOS 10.5 and later, and tvOS 13 + and later. +responsekeys: +- key: ProfileList + type: + presence: required + content: An array of dictionaries that describes each installed profile. + subkeys: + - key: ProfileListItem + type: + subkeys: + - key: PayloadUUID + type: + presence: required + content: The unique identifier for the profile. + - key: PayloadIdentifier + type: + presence: required + content: The reverse-DNS-style identifier of the profile; for example, 'com.example.myprofile'. + - key: PayloadVersion + type: + presence: optional + content: The version of the configuration profile as a whole, not of the individual + profiles within it. 
The value should be '1'. + - key: PayloadDisplayName + type: + presence: optional + content: The human-readable name of the profile. + - key: PayloadOrganization + type: + presence: optional + content: The human-readable name of the organization that provided the profile. + - key: PayloadDescription + type: + presence: optional + content: The description of the profile. + - key: PayloadRemovalDisallowed + type: + presence: optional + default: false + content: If 'true', the user can't delete the profile unless it has a removal + password and the user provides it. The framework ignores this field on unsupervised + devices. + - key: HasRemovalPasscode + type: + presence: optional + default: false + content: If 'true', the profile has a passcode for removal. + - key: IsEncrypted + type: + presence: optional + default: false + content: If 'true', it's an encrypted profile. + - key: SignerCertificates + type: + presence: optional + content: An array that contains the certificate for signing the profile, followed + by any intermediate certificates, in DER-encoded X.509 format. + subkeys: + - key: CertificateItem + type: + content: DER-encoded X.509 certificate + - key: IsManaged + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the current MDM service installed the profile. MDM doesn't + return this value for supervised devices, and can remove or replace all profiles + on supervised devices. + - key: PayloadContent + type: + presence: optional + content: An array of payload content items. This value isn't present if 'IsEncrypted' + is 'true'. + subkeys: + - key: PayloadContentItem + type: + subkeys: + - key: PayloadType + type: + presence: required + content: The type of payload for the profile. The only supported value is + 'Configuration'. + - key: PayloadVersion + type: + presence: required + content: The version of the configuration profile as a whole, not of the + individual profiles within it. 
The value should be '1'. + - key: PayloadIdentifier + type: + presence: required + content: The reverse-DNS-style identifier of the profile; for example, 'com.example.myprofile'. + - key: PayloadDisplayName + type: + presence: optional + content: The human-readable name of the profile. + - key: PayloadDescription + type: + presence: optional + content: The description of the profile. + - key: PayloadOrganization + type: + presence: optional + content: The human-readable name of the organization that provided the profile. diff --git a/mdm/commands/profile.provisioning.install.yaml b/mdm/commands/profile.provisioning.install.yaml new file mode 100644 index 0000000..29217b2 --- /dev/null +++ b/mdm/commands/profile.provisioning.install.yaml 
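Review bot: The `ManagedOnly` text says 'macOS 10.5 and later' while its `supportedOS` block declares `introduced: '10.15'` for macOS; the prose should read `macOS 10.15 and later`. The `IsManaged` entry has `macOS: introduced: n/a`, yet its `content` describes behaviour generically with no OS qualifier, so a reader can't tell the key is absent on macOS without reading the supportedOS block; adding 'Not returned on macOS.' to the text would make the two agree. This hunk is long (154 lines); the points above are the only inconsistencies found.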
@@ -0,0 +1,40 @@ +title: Install Provisioning Profile Command +description: This command allows the server to install a provisioning profile. No + error occurs if the provisioning profile is already installed. This command requires + the Provisioning Profile Installation and Removal right. On macOS, this command + is for iOS and iPadOS style provisioning profiles only. +payload: + requesttype: InstallProvisioningProfile + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '11.0' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + content: This command allows the server to install a provisioning profile. No error + occurs if the provisioning profile is already installed. This command requires + the Provisioning Profile Installation and Removal right. On macOS, this command + is for iOS and iPadOS style provisioning profiles only. +payloadkeys: +- key: ProvisioningProfile + type: + presence: required + content: The provisioning profile. diff --git a/mdm/commands/profile.provisioning.list.yaml b/mdm/commands/profile.provisioning.list.yaml new file mode 100644 index 0000000..0146dc2 --- /dev/null +++ b/mdm/commands/profile.provisioning.list.yaml 
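Review bot: The `description` and `content` state the command requires the Provisioning Profile Installation and Removal right, but the macOS stanza declares `accessrights: None`, so on macOS the prose and the schema disagree. If macOS genuinely needs no right, say so in the text, e.g. `... This command requires the Provisioning Profile Installation and Removal right on iOS and tvOS; macOS requires no specific right.`; otherwise set the macOS value to `AllowProvisioningInstallationRemoval`. The same mismatch appears in profile.provisioning.list.yaml (Inspect Provisioning Profiles right vs `accessrights: None`) and profile.provisioning.remove.yaml.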
@@ -0,0 +1,69 @@ +title: Provisioning Profile List Command +description: This command allows the server to retrieve the list of installed provisioning + profiles on the device. This command requires the Inspect Provisioning Profiles + right. On macOS, this command is for iOS and iPadOS style provisioning profiles + only. +payload: + requesttype: ProvisioningProfileList + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowProvisioningInspection + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '11.0' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowProvisioningInspection + supervised: false + content: This command allows the server to retrieve the list of installed provisioning + profiles on the device. This command requires the Inspect Provisioning Profiles + right. On macOS, this command is for iOS and iPadOS style provisioning profiles + only. +payloadkeys: +- key: ManagedOnly + supportedOS: + iOS: + introduced: '13.0' + tvOS: + introduced: '13.0' + type: + presence: optional + default: false + content: If 'true', only include profiles that MDM has installed. For user enrollments, + the device ignores this key and always limits the results to managed profiles. + This value is available in iOS 13 and later, and tvOS 13 and later. +responsekeys: +- key: ProvisioningProfileList + type: + presence: required + content: An array of dictionaries that describes each installed profile. + subkeys: + - key: ProvisioningProfileListItem + type: + subkeys: + - key: Name + type: + presence: required + content: The display name of the provisioning profile. + - key: UUID + type: + presence: required + content: The unique identifier for the provisioning profile. 
+ - key: ExpiryDate + type: + presence: optional + content: The expiry date of the provisioning profile. diff --git a/mdm/commands/profile.provisioning.remove.yaml b/mdm/commands/profile.provisioning.remove.yaml new file mode 100644 index 0000000..4a238e7 --- /dev/null +++ b/mdm/commands/profile.provisioning.remove.yaml @@ -0,0 +1,38 @@ +title: Remove Provisioning Profile Command +description: This command allows the server to remove a provisioning profile. This + command requires the Provisioning Profile Installation and Removal right. On macOS, + this command is for iOS and iPadOS style provisioning profiles only. +payload: + requesttype: RemoveProvisioningProfile + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '11.0' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '10.2' + accessrights: AllowProvisioningInstallationRemoval + supervised: false + content: This command allows the server to remove a provisioning profile. This command + requires the Provisioning Profile Installation and Removal right. On macOS, this + command is for iOS and iPadOS style provisioning profiles only. +payloadkeys: +- key: UUID + type: + presence: required + content: The unique identifier of the provisioning profile to remove. diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml new file mode 100644 index 0000000..301388e --- /dev/null +++ b/mdm/commands/profile.remove.yaml 
@@ -0,0 +1,36 @@ +title: Remove Profile Command +description: This command allows the server to remove a profile. This command requires + the Profile Installation and Removal Right. It's supported in the user channel. +payload: + requesttype: RemoveProfile + supportedOS: + iOS: + introduced: '4.0' + accessrights: AllowInstallationRemoval + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + accessrights: AllowInstallationRemoval + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowInstallationRemoval + supervised: false + content: This command allows the server to remove a profile. This command requires + the Profile Installation and Removal Right. It's supported in the user channel. +payloadkeys: +- key: Identifier + type: + presence: required + content: The identifier of the profile to remove. diff --git a/mdm/commands/remotedesktop.disable.yaml b/mdm/commands/remotedesktop.disable.yaml new file mode 100644 index 0000000..6eaf356 --- /dev/null +++ b/mdm/commands/remotedesktop.disable.yaml @@ -0,0 +1,14 @@ +title: Remote Desktop Disable Command +description: Disable Remote Desktop on the device. +payload: + requesttype: DisableRemoteDesktop + supportedOS: + macOS: + introduced: 10.14.4 + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + content: Disable Remote Desktop. diff --git a/mdm/commands/remotedesktop.enable.yaml b/mdm/commands/remotedesktop.enable.yaml new file mode 100644 index 0000000..94448ea --- /dev/null +++ b/mdm/commands/remotedesktop.enable.yaml 
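Review bot: The `macOS` stanza in remotedesktop.disable.yaml has no `accessrights` key, and neither does remotedesktop.enable.yaml, whereas every other command in this series declares one (even if `None`). Enabling Remote Desktop opens a remote-access path on the device, so the required management right is exactly the detail an MDM operator needs when deciding which servers may issue it; add `accessrights: <required right — confirm>` with the correct value, or document that the key's absence means no right is required.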
@@ -0,0 +1,14 @@ +title: Remote Desktop Enable Command +description: Enable Remote Desktop on the device. +payload: + requesttype: EnableRemoteDesktop + supportedOS: + macOS: + introduced: 10.14.4 + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + content: Enable Remote Desktop. diff --git a/mdm/commands/rotate.file.vault.key.yaml b/mdm/commands/rotate.file.vault.key.yaml new file mode 100644 index 0000000..a6d6fa8 --- /dev/null +++ b/mdm/commands/rotate.file.vault.key.yaml 
@@ -0,0 +1,79 @@ +title: Rotate FileVault Key Command +description: This command allows for changing a device's FileVaultMaster password. +payload: + requesttype: RotateFileVaultKey + supportedOS: + macOS: + introduced: '10.9' + accessrights: DeviceLockAndRemovePasscode + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows for changing a device's FileVaultMaster password. +payloadkeys: +- key: KeyType + type: + presence: required + rangelist: + - personal + - institutional + content: The type of FileVault key you want to change the password for. Set this + value to 'personal' and set a value for 'Password' in the 'FileVaultUnlock' dictionary + to enable unlocking a device with a password. Set this value to 'institutional' + and set values for 'PrivateKeyExport' and 'PrivateKeyExportPassword' in the 'FileVaultUnlock' + dictionary. +- key: FileVaultUnlock + type: + presence: required + content: A dictionary that contains FileVault unlock options. + subkeys: + - key: Password + title: Password + type: + presence: optional + content: A FileVault user's password, or if using a CoreStorage volume, the personal + recovery key. + - key: PrivateKeyExport + title: PrivateKeyExport + supportedOS: + macOS: + deprecated: '10.15' + type: + presence: optional + content: The data for a .p12 export of the private key for the current institutional + recovery key, which requires that 'KeyType' is 'institutional'. The system ignores + this key on APFS volumes. + - key: PrivateKeyExportPassword + title: PrivateKeyExportPassword + supportedOS: + macOS: + deprecated: '10.15' + type: + presence: optional + content: The password for 'PrivateKeyExport'. Either 'Password' or both 'PrivateKeyExport' + and 'PrivateKeyExportPassword' must be present. The system ignores this key + on APFS volumes. 
+- key: NewCertificate + type: + presence: optional + content: A DER-encoded certificate for creating a new institutional recovery key, + which the system requires if 'KeyType' is 'institutional'. +- key: ReplyEncryptionCertificate + type: + presence: optional + content: A DER-encoded certificate for encrypting the new personal recovery key + in a wrapper conforming to the IETF Cryptographic Message Syntax (CMS) standard. +responsekeys: +- key: RotateResult + type: + presence: optional + content: The result of rotating the personal recovery key. + subkeytype: RotateResultItem + subkeys: + - key: EncryptedNewRecoveryKey + type: + presence: optional + content: A new personal recovery key that is encrypted using a 'ReplyEncryptionCertificate' + as a CMS-compliant envelope. diff --git a/mdm/commands/set.auto.admin.password.yaml b/mdm/commands/set.auto.admin.password.yaml new file mode 100644 index 0000000..a188d53 --- /dev/null +++ b/mdm/commands/set.auto.admin.password.yaml 
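Review bot: The `KeyType` text tells the server to set `PrivateKeyExport` and `PrivateKeyExportPassword` for 'institutional', but both subkeys are marked `deprecated: '10.15'` and ignored on APFS, while `NewCertificate` says it is required for 'institutional'; the `KeyType` text should point at `NewCertificate` and mention the deprecated keys only for pre-10.15 CoreStorage volumes. `ReplyEncryptionCertificate` is optional, yet `EncryptedNewRecoveryKey` is described only as encrypted with that certificate; the schema doesn't say whether `RotateResult` is omitted, or returned in another form, when no certificate is supplied — state it explicitly, since an unencrypted personal recovery key would be a sensitive value in server logs. The `FileVaultUnlock.Password` subkey carries a user password or personal recovery key in the command body; a sentence telling implementers not to persist or log this dictionary would be in keeping with its sensitivity.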
@@ -0,0 +1,33 @@ +title: Set Auto Admin Password Command +description: Allows changing the password of a local admin account that was created + by Setup Assistant during DEP enrollment via the AccountConfiguration command. +payload: + requesttype: SetAutoAdminPassword + supportedOS: + macOS: + introduced: '10.11' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: true + userenrollment: + mode: forbidden + content: Allows changing the password of a local admin account that was created + by Setup Assistant during DEP enrollment via the AccountConfiguration command. +payloadkeys: +- key: GUID + type: + presence: required + content: The unique identifier of the local administrator account. If this value + doesn't match the GUID of an administrator account that MDM created during Device + Enrollment Program (DEP) enrollment, the command returns an error. +- key: passwordHash + type: + presence: required + content: |- + The precreated salted SHA-512 PBKDF2 password hash for the account. + Create this hash on the server using the CommonCrypto libraries, or equivalent, as a salted SHA-512 PBKDF2 dictionary that contains these elements: + * 'entropy': The derived key from the password hash; for example, from 'CCKeyDerivationPBKDF()' + * 'salt': The 32-byte randomized salt; for example, from 'CCRandomCopyBytes()' + * 'iterations:' The number of iterations; for example, from 'CCCalibratePBKDF()' using a minimum hash time of 100 milliseconds, or if unknown, a number in the range of 20,000 to 40,000 iterations + Place the dictionary that contains these elements into an outer dictionary with the key 'SALTED-SHA512-PBKDF2'. Convert this dictionary to binary data before setting it as the value for 'passwordHash'. diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml new file mode 100644 index 0000000..58c2bfa --- /dev/null +++ b/mdm/commands/settings.yaml 
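Review bot: In the `passwordHash` list, `'iterations:'` puts the colon inside the quotes, unlike `'entropy'` and `'salt'`; it should be `* 'iterations': The number of iterations; ...`. The text suggests 20,000 to 40,000 iterations when calibration is unknown; if the device enforces a minimum or maximum iteration count, the schema should state it so servers don't generate a hash the device rejects — confirm against the implementation. The `GUID` text says a non-matching value returns an error, which is the kind of explicit failure statement the other keys in this series would also benefit from.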
@@ -0,0 +1,775 @@ +title: Settings Command +description: This command allows the server to set settings on the device. +payload: + requesttype: Settings + supportedOS: + iOS: + introduced: '5.0' + accessrights: AllowSettings + supervised: false + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.9' + accessrights: AllowSettings + devicechannel: true + userchannel: true + requiresdep: false + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + accessrights: AllowSettings + supervised: false + content: This command allows the server to set settings on the device. These settings + take effect on a one-time basis. The user may still be able to change the settings + at a later time. This command requires the ApplySettings right. +payloadkeys: +- key: Settings + type: + presence: required + content: An array of dictionaries that contains the settings. + subkeys: + - key: Wallpaper + supportedOS: + iOS: + introduced: '8.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains wallpaper settings. This setting doesn't support + User Enrollment, and is available in iOS 8 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - Wallpaper + content: A string that identifies this setting. + - key: Image + type: + presence: required + content: A Base64-encoded image in either PNG or JPG format to use for wallpaper. 
+ - key: Where + type: + presence: required + rangelist: + - 1 + - 2 + - 3 + content: |- + A number that indicates where to use the wallpaper, which is one of the following values: + * '1': Lock screen + * '2': Home screen + * '3': Lock and Home screens + - key: DataRoaming + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains data roaming settings. This setting requires + the Network Information access right, doesn't support User Enrollment, and is + available in iOS 5 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - DataRoaming + content: A string that identifies this setting. + - key: Enabled + type: + presence: required + content: If 'true', enable data roaming, which also enables voice roaming. If + 'false', disable data roaming. + - key: VoiceRoaming + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains voice roaming settings. This setting requires + the Network Information access right, doesn't support User Enrollment, and is + available in iOS 5 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - VoiceRoaming + content: A string that identifies this setting. + - key: Enabled + type: + presence: required + content: If 'true', enable voice roaming. If 'false', disable voice roaming, + which also disables data roaming. The setting is only available for certain + carriers. + - key: PersonalHotspot + supportedOS: + iOS: + accessrights: AllowQueryNetworkInformation + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains Personal Hotspot settings. 
This setting requires + the Network Information access right, doesn't support User Enrollment, and is + available in iOS 5 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - PersonalHotspot + content: A string that identifies this setting. + - key: Enabled + type: + presence: required + content: If 'true', enable Personal Hotspot. If 'false', disable Personal Hotspot. + - key: Bluetooth + supportedOS: + iOS: + introduced: '11.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.13.4 + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains Bluetooth settings. This setting requires + the Network Information access right, doesn't support User Enrollment, is only + available on supervised devices, and is available in iOS 11.3 and later, and + macOS 10.13.4 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - Bluetooth + content: A string that identifies this setting. + - key: Enabled + type: + presence: required + content: If 'true', enable the Bluetooth setting. If 'false', disable the Bluetooth + setting. + - key: ApplicationConfiguration + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowAppInstallation + macOS: + introduced: '10.15' + accessrights: AllowAppInstallation + userchannel: false + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + type: + presence: optional + content: A dictionary that contains the configurations to apply to the app. Omit + this setting to remove existing configurations. This setting requires the App + Management access right, supports User Enrollment, and is available in iOS 7 + and later, macOS 10.15 and later, and tvOS 10.2 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - ApplicationConfiguration + content: A string that identifies this setting. 
+ - key: Identifier + type: + presence: required + content: The bundle identifier of the managed app. + - key: Configuration + type: + presence: optional + content: A dictionary that contains the configurations to apply to the app. + Omit this setting to remove existing configurations. + subkeys: + - key: ANY + type: + presence: optional + content: A dictionary that contains configurations. + - key: ApplicationAttributes + supportedOS: + iOS: + introduced: '7.0' + accessrights: AllowAppInstallation + macOS: + introduced: n/a + tvOS: + introduced: '10.2' + accessrights: AllowAppInstallation + type: + presence: optional + content: A dictionary that contains the attributes to apply to the app. Omit this + setting to remove existing attributes. This setting supports User Enrollment, + is available in iOS 7 and later, and tvOS 10.2 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - ApplicationAttributes + content: A string that identifies this setting. + - key: Identifier + type: + presence: required + content: The bundle identifier of the app. + - key: Attributes + type: + presence: optional + content: A dictionary that contains the attributes to apply to the app. Omit + this setting to remove existing attributes. This setting is available in iOS + 7 and later, and tvOS 10.2 and later. + subkeys: + - key: VPNUUID + type: + presence: optional + content: A per-app VPN unique identifier for this app. This value is available + in iOS 7 and later, and tvOS 10.2 and later. + - key: AssociatedDomains + supportedOS: + iOS: + introduced: '13.0' + tvOS: + introduced: n/a + type: + presence: optional + content: An array that contains the associated domains to add to this app. + This setting is available in iOS 7 and later, and tvOS 10.2 and later. 
+ subkeys: + - key: AssociatedDomain + type: + - key: AssociatedDomainsEnableDirectDownloads + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', perform claimed site association verification directly + at the domain, instead of on Apple's servers. Only set this to 'true' for + domains that can't access the internet. This value is available in iOS 14 + and later. + - key: Removable + supportedOS: + iOS: + introduced: '14.0' + tvOS: + introduced: '14.0' + type: + presence: optional + default: true + content: If 'false', this app isn't removable while it's managed. This value + is available in iOS 14 and later, and tvOS 14 and later. + - key: DeviceName + supportedOS: + iOS: + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.10' + userenrollment: + mode: forbidden + type: + presence: optional + content: A dictionary that contains device name settings. This setting doesn't + support User Enrollment, and is only available on supervised devices. Available + on iOS 5 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - DeviceName + content: A string that identifies this setting. + - key: DeviceName + type: + presence: required + content: The device's name. + - key: HostName + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.11' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains hostname settings. This setting doesn't support + User Enrollment, and is available in macOS 10.11 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - HostName + content: The string that defines this setting type. + - key: HostName + type: + presence: required + content: The hostname for the device. 
+ - key: OrganizationInfo + supportedOS: + macOS: + introduced: '10.9' + type: + presence: optional + content: A dictionary that contains settings about the organization operating + the MDM server. This setting supports User Enrollment. Available in iOS 5 and + later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - OrganizationInfo + content: The string that defines this setting type. + - key: OrganizationInfo + type: + presence: optional + content: A dictionary that contains information about the organization operating + the MDM server. Omit this setting to remove existing information. + subkeys: + - key: OrganizationName + type: + presence: required + content: A string that describes the organization operating the MDM server + for display to the user during certain operations, such as purchasing or + installing apps. + - key: OrganizationShortName + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: '10.15' + tvOS: + introduced: '13.0' + type: + presence: optional + content: A shorter version of 'OrganizationName', preferably a single word + or abbreviation, suitable for display to the user in places where a very + short name is necessary. + - key: OrganizationAddress + type: + presence: optional + content: The organization's address. Use the LF character (' ') to insert + line breaks. + - key: OrganizationPhone + type: + presence: optional + content: The organization's phone number. + - key: OrganizationEmail + type: + presence: optional + content: The orgnization's support email address. + - key: OrganizationMagic + type: + presence: optional + content: A unique identifier for the various services a single organization + manages. + - key: MDMOptions + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.15' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains settings related to the MDM protocol. 
This + setting doesn't support User Enrollment, and is available in iOS 7 and later, + and macOS 10.15 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - MDMOptions + content: The string that defines this setting type. + - key: MDMOptions + type: + presence: required + content: A dictionary of MDM options. + subkeys: + - key: ActivationLockAllowedWhileSupervised + type: + presence: optional + default: false + content: If 'true', a supervised device registers itself with Activation Lock + when the user enables Find My. This setting is available for supervised + devices in iOS 7 and later, and macOS 10.15 and later. + - key: BootstrapTokenAllowed + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + deprecated: '11.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the server supports the Bootstrap Token commands. + - key: PromptUserToAllowBootstrapTokenForAuthentication + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', warn the user that they need to reboot into RecoveryOS + and allow the MDM server to use the Bootstrap Token for authentication for + certain sensitive operations; for example, enabling kernel extensions or + installing certain types of software updates. Set this value to 'false' + if your MDM server doesn't need to perform these operations. The value provided + here overrides the value specified in MDM, and only applies when 'BootstrapTokenAllowedForAuthentication' + is 'true' in the SecurityInfoResponse.SecurityInfo response. This value + is available for Apple silicon in macOS 11 and later. 
+ - key: MaximumResidentUsers + supportedOS: + iOS: + introduced: '9.3' + deprecated: '13.4' + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains settings for maximum resident users. Apple + deprecated this setting in iOS 13.4. Use 'SharedDeviceConfiguration' instead. + This setting doesn't support User Enrollment, and is only available for Shared + iPad. + subkeys: + - key: Item + type: + presence: required + rangelist: + - MaximumResidentUsers + content: A string that identifies this setting. + - key: MaximumResidentUsers + type: + presence: required + content: |- + The maximum number of users that can use the device. If this value is greater than the value for the maximum possible number of users that the device suports, the MDM server uses that value instead. + This setting requires that the device is in the 'AwaitingConfiguration' phase before it receives the DeviceConfigured message. + When a device reaches the maximum number of resident users and a new user tries to sign in, the MDM server removes a synchronized user to make space for the new user. If there are no synchronized users, the new user sign-in fails. A synchronized user is a user that has completed syncing their data. + - key: SharedDeviceConfiguration + supportedOS: + iOS: + introduced: '13.4' + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains shared device configuration settings. This + setting doesn't support User Enrollment, and is available in iOS 13.4 and later + for Shared iPad. + subkeys: + - key: Item + type: + presence: required + rangelist: + - SharedDeviceConfiguration + content: A string that identifies this setting. 
+ - key: QuotaSize + type: + presence: optional + content: The quota size, in megabytes (MB), for each user on the shared device, + or if the quota size is too small, the minimum quota size. + - key: ResidentUsers + type: + presence: optional + content: The expected number of users. If this value is greater than the value + for the maximum possible number of users that the device supports, the MDM + server uses that value instead. + - key: UserSessionTimeout + supportedOS: + iOS: + introduced: '14.5' + type: + presence: optional + content: |- + The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout. + Available in iOS 14.5 and later. + - key: TemporarySessionTimeout + supportedOS: + iOS: + introduced: '14.5' + type: + presence: optional + content: |- + The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to '0' removes the timeout. + Available in iOS 14.5 and later. + - key: TemporarySessionOnly + supportedOS: + iOS: + introduced: '14.5' + type: + presence: optional + default: false + content: |- + If 'true', the user only sees the Guest Welcome pane and can only log in as a guest user. + If 'false', the user can sign in with a managed Apple ID (the existing behavior). + Available in iOS 14.5 and later. + - key: DiagnosticSubmission + supportedOS: + iOS: + introduced: '9.3' + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains diagnostic submission settings. This setting + doesn't support User Enrollment, and is only available for Shared iPad. Available + in iOS 9.3 and later. 
+ subkeys: + - key: Item + type: + presence: required + rangelist: + - DiagnosticSubmission + content: The string that defines this setting type. + - key: Enabled + type: + presence: required + content: If 'true', enables diagnostic submission. If 'false', disables diagnostic + submission. + - key: AppAnalytics + supportedOS: + iOS: + introduced: 9.3.2 + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains settings for sharing app analytics. This setting + doesn't support User Enrollment, and is only available for Shared iPad. Available + in iOS 9.3.2 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - AppAnalytics + content: A string that identifies this setting. + - key: Enabled + type: + presence: required + content: If 'true', enable sharing app analytics with app developers. If 'false', + disable sharing app analytics. + - key: PasscodeLockGracePeriod + supportedOS: + iOS: + introduced: 9.3.2 + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains password lock grace period settings. This + setting doesn't support User Enrollment, and is only available for Shared iPad. + Available in iOS 9.3.2 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - PasscodeLockGracePeriod + content: A string that identifies this setting. + - key: PasscodeLockGracePeriod + type: + presence: required + content: |- + The number of seconds before a locked screen requires the user to enter the device passcode to unlock it. The minimum value is '0' seconds and the maximum value is '14400' seconds. 
+ If a device has a passcode, a change to a larger value doesn't take effect until the user logs out or removes the passcode. For this reason, it's better to set this value before the user sets a passcode. + - key: TimeZone + supportedOS: + iOS: + introduced: '14.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '14.0' + supervised: true + type: + presence: optional + content: A dictionary that contains time zone settings. This setting is only available + on supervised devices and doesn't support User Enrollment. Available in iOS + 14 and later, and tvOS 14 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - TimeZone + content: A string that identifies this setting. + - key: TimeZone + type: + presence: required + content: |- + The Internet Assigned Numbers Authority (IANA) time zone database name. + If the 'forceAutomaticDateAndTime' restriction is set in Restrictions, this setting fails with an error. Otherwise, setting this value disables automatic time zone logic. The user is still be able to change the timezone; for example, by turning automatic date and time back on. The intention is to allow setting the timezone when automatic determination isn't be available, such as when Location Services are off. + - key: SoftwareUpdateSettings + supportedOS: + iOS: + introduced: '14.5' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: A dictionary that contains software update settings. This setting doesn't + support User Enrollment, and is available in iOS 14.5 and later. + subkeys: + - key: Item + type: + presence: required + rangelist: + - SoftwareUpdateSettings + content: A string that represents the type of updates that should appear in + the Software Update pane in Settings. Supervised only. 
+ - key: RecommendationCadence + type: + presence: required + rangelist: + - 0 + - 1 + - 2 + content: |- + This value defines how the system presents software updates to the user. When there's more than one available update for the user, the system behaves as follows: + * '0': Presents both options to the user. + * '1': Presents the lower numbered (oldest) software update version. + * '2': Presents only the highest numbered (most recent) release available for the device. + This value has no effect when there's only one available update; the system shows the single available update to the user regardless of the value of this setting. + Available in iOS 14.5 and later. +responsekeys: +- key: Settings + type: + presence: optional + content: A dictionary that describes the results of configuring settings. + subkeys: + - key: Status + type: + presence: required + content: |- + The status of the setting, which is one of the following values: + * 'Acknowledged': The device processed the command successfully. + * 'Error': An error occurred. See the 'ErrorChain' for more details. + - key: ErrorChain + type: + presence: optional + content: An array of dictionaries that describes any errors that occurred. + subkeys: + - key: ErrorChainItem + type: + subkeys: + - key: ANY + type: + presence: required + content: A dictionary that contains additional details about the error. + - key: Identifier + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: '10.2' + type: + presence: optional + content: The app identifier to which this error applies. diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml new file mode 100644 index 0000000..071bd52 --- /dev/null +++ b/mdm/commands/system.update.available.yaml 
@@ -0,0 +1,198 @@ +title: Available OS Updates Command +description: Queries the device for a list of available OS updates. On OS X, a ScheduleOSUpdateScan + must be performed to update the results returned by this query. +payload: + requesttype: AvailableOSUpdates + supportedOS: + iOS: + introduced: '9.0' + accessrights: AllowAppInstallation + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + accessrights: None + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '12.0' + accessrights: AllowAppInstallation + devicechannel: true + supervised: true + requiresdep: false + content: Queries the device for a list of available OS updates. On OS X, a ScheduleOSUpdateScan + must be performed to update the results returned by this query. +responsekeys: +- key: AvailableOSUpdates + type: + presence: required + content: An array of dictionaries that contains only the most recent available updates + in iOS and tvOS, and possibly multiple available updates in macOS. Follow the + instructions in the Managed Apps and Updates section of the Apple Software Lookup + Service to find a complete catalog of iOS and tvOS updates. + subkeys: + - key: AvailableOSUpdatesItem + type: + presence: required + subkeys: + - key: ProductKey + type: + presence: required + content: The product key that represents the update. + - key: HumanReadableName + type: + presence: required + content: The human-readable name of the update in the current user's current + locale. + - key: HumanReadableNameLocale + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: required + content: The locale, in IOS639-1 Alpha-2 code format, of the 'HumanReadableName' + value. This value is available in macOS 10.11 and later. 
+ - key: MetadataURL + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: required + content: A URL where the MDM server can request additional localized names for + this update. This value is available in macOS 10.11 and later. + - key: ProductName + supportedOS: + macOS: + introduced: n/a + type: + presence: required + content: The product name; for example, iOS. This value is available in iOS + 9.0 and later, and tvOS 12.0 and later. + - key: Version + type: + presence: required + content: The version of the update. + - key: Build + type: + presence: required + content: The build number of the update. + - key: DownloadSize + supportedOS: + macOS: + introduced: '10.12' + type: + presence: required + content: The storage size necessary to download the software update. Prior to + macOS 10.14, this only includes major operating-system updates. In macOS 10.14 + and later, this also includes minor updates. + - key: InstallSize + supportedOS: + macOS: + introduced: n/a + type: + presence: required + content: The storage size necessary to install the update. This value is available + in iOS 9.0 and later, and tvOS 12.0 and later. + - key: AppIdentifiersToClose + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: required + content: An array that contains app identifiers of apps to close so you can + install the update. This value is available in macOS 10.11 and later. + subkeys: + - key: AppIdentifiersToCloseItem + type: + - key: IsCritical + type: + presence: optional + default: false + content: If 'true', this is a critical update. + - key: IsConfigDataUpdate + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', this is an update to a configuration file. This value is + available in macOS 10.11 and later. 
+ - key: IsFirmwareUpdate + supportedOS: + iOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', this is an update to firmware. This value is available in + macOS 10.11 and later. + - key: IsMajorOSUpdate + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: 10.11.4 + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', this is a major update; for example, 10.15.x to 11. This + value is available in macOS 10.11 and later. + - key: RestartRequired + type: + presence: optional + default: false + content: If 'true', the device restarts after installing the update. + - key: AllowsInstallLater + type: + presence: optional + default: false + content: If 'true', download the software update and install it later. + - key: DeferredUntil + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: 10.12.4 + tvOS: + introduced: n/a + type: + presence: optional + content: If present, the date when you want the update to install. This value + is available in macOS 10.12.4 and later. + - key: RequiresBootstrapToken + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the device can accept a Bootstrap Token from the MDM server + instead of prompting for user authentication prior to installation. This only + applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo + response. This value is available for Apple silicon in macOS 11 and later. diff --git a/mdm/commands/system.update.scan.yaml b/mdm/commands/system.update.scan.yaml new file mode 100644 index 0000000..2837efd --- /dev/null +++ b/mdm/commands/system.update.scan.yaml 
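Review bot: `IsMajorOSUpdate` records `introduced: 10.11.4` for macOS while its content says the value "is available in macOS 10.11 and later"; one of the two is off, and if the supportedOS entry is authoritative the content should read `This value is available in macOS 10.11.4 and later.`. `HumanReadableNameLocale` names its format "IOS639-1 Alpha-2"; the standard is ISO 639-1, so the content should say `in ISO 639-1 Alpha-2 code format`. Minor style: this file quotes two-part versions (`'10.11'`, `'10.12'`) but leaves `10.11.4` and `10.12.4` bare; three-part values parse as strings anyway, but quoting them keeps the version fields uniform across the file.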
@@ -0,0 +1,27 @@
+title: Schedule OS Update Scan Command
+description: Requests that the device perform a background scan for OS updates.
+payload:
+ requesttype: ScheduleOSUpdateScan
+ supportedOS:
+ macOS:
+ introduced: '10.11'
+ accessrights: None
+ devicechannel: true
+ userchannel: false
+ supervised: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: Requests that the device perform a background scan for OS updates.
+payloadkeys:
+- key: Force
+ type:
+ presence: optional
+ default: false
+ content: If 'true', force a scan to start immediately. Otherwise, the scan starts
+ at a system-determined time.
+responsekeys:
+- key: ScanInitiated
+ type:
+ presence: required
+ content: If 'true', the scan started successfully.
diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml
new file mode 100644
index 0000000..9f0dfca
--- /dev/null
+++ b/mdm/commands/system.update.schedule.yaml
@@ -0,0 +1,168 @@ +title: Schedule OS Update Command +description: This command allows the server to schedule an OS update. +payload: + requesttype: ScheduleOSUpdate + supportedOS: + iOS: + introduced: '9.0' + accessrights: AllowAppInstallation + supervised: true + requiresdep: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + accessrights: None + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + tvOS: + introduced: '12.0' + accessrights: AllowAppInstallation + devicechannel: true + supervised: true + requiresdep: false + content: This command allows the server to schedule an OS update. +payloadkeys: +- key: Updates + type: + presence: required + content: An array of dictionaries specifying the updates to download or install. + If this value is missing, the device applies the default behavior for handling + updates. + subkeys: + - key: UpdatesItem + type: + presence: required + subkeys: + - key: ProductKey + type: + presence: optional + content: The product key that represents the update. + - key: ProductVersion + supportedOS: + iOS: + introduced: '11.3' + macOS: + introduced: '12.0' + tvOS: + introduced: '12.2' + type: + presence: optional + content: The version of the update, which the system requires if 'ProductKey' + isn't present. This value is available in iOS 11.3 and later, macOS 12 and + later, and tvOS 12.2 and later. + - key: InstallAction + type: + presence: required + rangelist: + - Default + - DownloadOnly + - InstallASAP + - NotifyOnly + - InstallLater + - InstallForceRestart + content: |- + The install action, which is one of the following values: + * 'Default': Download or install the update, depending on the current state. You can check the 'UpdateResults' dictionary to review scheduled updates. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. 
+ * 'DownloadOnly': Download the software update without installing it. This value is available in iOS 9 and later, macOS 11 and later, and tvOS 12 and later. + * 'InstallASAP': In iOS and tvOS, install a previously downloaded software update. In macOS, download the software update and trigger the restart countdown notification. This value is available in iOS 9 and later, macOS 10.11 and later, and tvOS 12 and later. + * 'NotifyOnly': Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. + * 'InstallLater': Download the software update and install it at a later time. This value is available in macOS 10.11 and later. + * 'InstallForceRestart': Perform the 'Default' action, and then force a restart if the update requires it. This value is available in macOS 11 and later. + 'InstallForceRestart' may result in data loss. + - key: MaxUserDeferrals + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + tvOS: + introduced: n/a + type: + presence: optional + content: |- + The maximum number of times the system allows the user to postpone an update before it's installed. The system prompts the user once a day. + This key is only supported when 'InstallAction' is 'InstallLater' and only supported for minor OS updates (for example, macOS 12.x to 12.y). +responsekeys: +- key: UpdateResults + type: + presence: required + content: An array of dictionaries that describes the results of processing operating-system + updates. + subkeys: + - key: UpdateResultsItem + type: + presence: required + subkeys: + - key: ProductKey + type: + presence: required + content: The product key that represents the update. 
+ - key: InstallAction + type: + presence: required + rangelist: + - Error + - DownloadOnly + - InstallASAP + - NotifyOnly + - InstallLater + - InstallForceRestart + content: |- + The install action that the device scheduled, which is one of the following values: + * 'Error': An error occurred during scheduling. + * 'DownloadOnly': Download the software update without installing it. + * 'InstallASAP': Install a previously downloaded software update. + * 'NotifyOnly': Download the software update and notify the user through the App Store. This value is available in macOS 10.11 and later. + * 'InstallLater': Download the software update and install it at a later time. This value is available in macOS 10.11 and later. + * 'InstallForceRestart': Perform the 'Default' action, and then force a restart if the update requires it. This value is available in macOS 11 and later. + - key: Status + type: + presence: required + rangelist: + - Idle + - Downloading + - DownloadFailed + - DownloadRequiresComputer + - DownloadInsufficientSpace + - DownloadInsufficientPower + - DownloadInsufficientNetwork + - Installing + - InstallInsufficientSpace + - InstallInsufficientPower + - InstallPhoneCallInProgress + - InstallFailed + content: |- + The status of the update, which is one of the following values: + * 'Idle': The update is idle. + * 'Downloading': The software update is downloading. + * 'DownloadFailed': The download failed. + * 'DownloadRequiresComputer': Tether the device to download this update. This value is only available in iOS. + * 'DownloadInsufficientSpace': There isn't enough space to download the update. + * 'DownloadInsufficientPower': There isn't enough power to download the update. + * 'DownloadInsufficientNetwork': The network capacity is insufficient to download the update. + * 'Installing': The software update is installing. + * 'InstallInsufficientSpace': There isn't enough space to install the update. 
+ * 'InstallInsufficientPower': There isn't enough power to install the update. + * 'InstallPhoneCallInProgress': Installation couldn't occur because a phone call is in progress. + * 'InstallFailed': Installation failed due to an unspecified reason. + - key: ErrorChain + type: + presence: optional + content: A dictionary that describes an error chain. + subkeys: + - key: ErrorChainItem + type: + subkeys: + - key: ANY + type: + presence: required + content: The error details. diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml new file mode 100644 index 0000000..0073ef7 --- /dev/null +++ b/mdm/commands/system.update.status.yaml 
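Review bot: `Updates` is declared `presence: required` but its content ends with "If this value is missing, the device applies the default behavior for handling updates", which only makes sense for an optional key; either change it to `presence: optional` or drop that sentence, whichever matches device behavior. In the response, `InstallAction` describes `'InstallForceRestart'` as "Perform the 'Default' action" although `Default` is not in that rangelist (the response list has `Error` in its place), so the cross-reference should point at the payload key, e.g. `Perform the payload's 'Default' action`. The data-loss caveat for `InstallForceRestart` appears only at the tail of the payload block scalar; repeating `'InstallForceRestart' may result in data loss.` in the response description is cheap for a value that forces a restart.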
@@ -0,0 +1,63 @@
+title: OS Update Status Command
+description: Queries the device for the status of software updates.
+payload:
+ requesttype: OSUpdateStatus
+ supportedOS:
+ iOS:
+ introduced: '9.0'
+ accessrights: AllowAppInstallation
+ supervised: true
+ requiresdep: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: 10.11.5
+ accessrights: None
+ devicechannel: true
+ userchannel: false
+ supervised: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: '12.0'
+ accessrights: AllowAppInstallation
+ devicechannel: true
+ supervised: true
+ requiresdep: false
+ content: Queries the device for the status of software updates.
+responsekeys:
+- key: OSUpdateStatus
+ type:
+ presence: required
+ content: An array of dictionaries that describes the statuses of software updates.
+ subkeys:
+ - key: OSUpdateStatusItem
+ type:
+ presence: required
+ subkeys:
+ - key: ProductKey
+ type:
+ presence: required
+ content: The product key that represents the update.
+ - key: IsDownloaded
+ type:
+ presence: required
+ content: If 'true', the update has finished downloading.
+ - key: DownloadPercentComplete
+ type:
+ presence: required
+ content: A floating-point number between '0.0' and '1.0' that indicates the
+ download progress as a percentage.
+ - key: Status
+ type:
+ presence: required
+ content: |-
+ The status of the update, which is one of the following values:
+ * 'Idle': The update is idle.
+ * 'Downloading': The software update is downloading.
+ * 'Installing': The software update is installing.
diff --git a/mdm/commands/user.delete.yaml b/mdm/commands/user.delete.yaml
new file mode 100644
index 0000000..e139a75
--- /dev/null
+++ b/mdm/commands/user.delete.yaml
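Review bot: `Status` enumerates `Idle`, `Downloading` and `Installing` only in prose, whereas the same key in system.update.schedule.yaml in this commit carries a `rangelist`; add `rangelist:` with `- Idle`, `- Downloading`, `- Installing` in block style so consumers can validate the value instead of parsing the description. `DownloadPercentComplete` is described as a number between '0.0' and '1.0' "as a percentage"; a 0–1 value is a fraction, so the content should read `indicates the fraction of the download that is complete` or state that the value is scaled by 100. The macOS `introduced: 10.11.5` is left bare while `'9.0'` and `'12.0'` are quoted; quoting keeps the version strings uniform.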
@@ -0,0 +1,55 @@
+title: Delete User Command
+description: This command allows the server to delete a user that has an active account
+ on the device.
+payload:
+ requesttype: DeleteUser
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ accessrights: None
+ supervised: false
+ requiresdep: false
+ sharedipad:
+ mode: required
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.13'
+ accessrights: None
+ devicechannel: true
+ userchannel: false
+ supervised: true
+ requiresdep: false
+ userenrollment:
+ mode: forbidden
+ content: This command allows the server to delete a user that has an active account
+ on the device.
+payloadkeys:
+- key: UserName
+ type:
+ presence: required
+ content: The user name of the account to delete.
+- key: ForceDeletion
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the system deletes the account even if the user has data that's
+ pending sync to the cloud. This value is available on iOS 9.3 and later.
+- key: DeleteAllUsers
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the system attempts to delete all users from the device. If
+ 'ForceDeletion' is 'false', the system generates an error instead and doesn't
+ delete users who have data that's pending sync. This value is available in iOS
+ 14 and later.
diff --git a/mdm/commands/user.list.yaml b/mdm/commands/user.list.yaml
new file mode 100644
index 0000000..8905182
--- /dev/null
+++ b/mdm/commands/user.list.yaml
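Review bot: `ForceDeletion` says the account is deleted "even if the user has data that's pending sync to the cloud" but never states the consequence, which presumably is that the unsynced data is lost; for a destructive command that consequence belongs in the description, e.g. `Any data that hasn't finished syncing is discarded.` (confirm against device behavior before adding). With `DeleteAllUsers` set to 'true' the same applies to every user on the device, and the schema is silent on how the required `UserName` is treated in that case; a sentence such as `When 'true', the system ignores 'UserName'.` (or that it must still name a valid account, whichever is correct) would remove the ambiguity for server implementers.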
@@ -0,0 +1,115 @@ +title: User List Command +description: This command allows the server to query for a list of users that have + an active account on the device. +payload: + requesttype: UserList + supportedOS: + iOS: + introduced: '9.3' + accessrights: None + supervised: false + requiresdep: false + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + accessrights: None + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows the server to query for a list of users that have an + active account on the device. +responsekeys: +- key: Users + type: + presence: required + content: An array of user dictionaries that contains information about the active + accounts. + subkeys: + - key: UsersItem + type: + presence: required + subkeys: + - key: UserName + type: + presence: required + content: The user name for the account. In macOS, this is the short name of + the user account. This value is available in iOS 9.3 and later, and macOS + 10.13 and later. + - key: FullName + supportedOS: + iOS: + introduced: n/a + type: + presence: required + content: The user's full name. This value is available in macOS 10.13 and later. + - key: UID + supportedOS: + iOS: + introduced: n/a + type: + presence: required + content: The user's unique identifier. This value is available in macOS 10.13 + and later. + - key: UserGUID + supportedOS: + iOS: + introduced: n/a + type: + presence: required + content: The user's 'GeneratedUID'. This value is available in macOS 10.13 and + later. + - key: IsLoggedIn + type: + presence: required + content: If 'true', the user is currently logged in on the device. This value + is available in iOS 9.3 and later, and macOS 10.13 and later. 
+ - key: HasDataToSync + supportedOS: + macOS: + introduced: n/a + type: + presence: required + content: If 'true', the user has data to sync to the cloud. This value is available + in iOS 9.3 and later. + - key: DataQuota + supportedOS: + macOS: + introduced: n/a + type: + presence: required + content: If present, the user's data quota in bytes. This isn't present if the + account doesn't enforce a quota. This value is available in iOS 9.3 and later. + - key: DataUsed + supportedOS: + macOS: + introduced: n/a + type: + presence: required + content: The amount of data, in bytes, that the user has used. This value is + available in iOS 9.3 and later. + - key: MobileAccount + supportedOS: + iOS: + introduced: n/a + type: + presence: required + content: If 'true', the account is a mobile account. This value is available + in macOS 10.13 and later. + - key: HasSecureToken + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + type: + presence: required + content: If 'true', the user currently has a secure token set. This value is + available in macOS 11 and later. diff --git a/mdm/commands/user.logout.yaml b/mdm/commands/user.logout.yaml new file mode 100644 index 0000000..8c625cb --- /dev/null +++ b/mdm/commands/user.logout.yaml @@ -0,0 +1,17 @@ +title: Log Out User Command +description: This command allows the server to force the current user to logout. +payload: + requesttype: LogOutUser + supportedOS: + iOS: + introduced: '9.3' + accessrights: None + supervised: false + requiresdep: false + sharedipad: + mode: required + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: This command allows the server to force the current user to logout. diff --git a/mdm/commands/user.unlock.yaml b/mdm/commands/user.unlock.yaml new file mode 100644 index 0000000..4c60d2f --- /dev/null +++ b/mdm/commands/user.unlock.yaml 
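Review bot: `DataQuota` is declared `presence: required`, yet its content says `If present, ...` and `This isn't present if the account doesn't enforce a quota.`, so the presence flag and the prose contradict each other. Given the prose, `presence: optional` looks like the intended value; if the key really is always present, the two sentences should be dropped instead. The other keys in this hunk (`HasDataToSync`, `DataUsed`, `MobileAccount`, `HasSecureToken`) are `presence: required` with content that agrees, so this is the only entry where the two disagree.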
@@ -0,0 +1,22 @@ +title: Unlock User Account Command +description: This command allows the server to unlock a local user account. +payload: + requesttype: UnlockUserAccount + supportedOS: + macOS: + introduced: '10.13' + accessrights: DeviceLockAndRemovePasscode + devicechannel: true + userchannel: false + requiresdep: false + userenrollment: + mode: forbidden + content: This command allows the server to unlock a local user account that has + been locked due to too many failed password attempts. Requires "Device lock and + passcode removal right". +payloadkeys: +- key: UserName + type: + presence: required + content: The user name of the local account, which can be any local account on the + system, not just a managed user account. diff --git a/mdm/profiles/CommonPayloadKeys.yaml b/mdm/profiles/CommonPayloadKeys.yaml new file mode 100644 index 0000000..c9daa5d --- /dev/null +++ b/mdm/profiles/CommonPayloadKeys.yaml 
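Review bot: The macOS stanza omits `supervised`, whereas the sibling command files in this change (user.delete.yaml, user.list.yaml) declare `supervised: true` for macOS; if the schema treats a missing key as "not required", that is a silent semantic difference, and if it requires the key, this file is incomplete. Either add `supervised: true` (or `false`, matching how the command actually behaves) or confirm the omission is deliberate. The content's trailing `Requires "Device lock and passcode removal right".` restates the `accessrights: DeviceLockAndRemovePasscode` field; since that field is the machine-readable source of the requirement, the sentence can go, leaving the content to describe the command itself.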
@@ -0,0 +1,70 @@ +title: Common Payload Keys +description: Payload dictionary keys common to all payload types +payload: + payloadtype: CommonPayloadKeys + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '1.0' + allowmanualinstall: true +payloadkeys: +- key: PayloadIdentifier + type: + presence: required + content: |- + The reverse-DNS-style identifier for the payload. This identifier is usually the same as the TopLevel value, with an additional appended component. This string must be unique within the profile. + During a profile replacement, the system updates payloads with the same 'PayloadIdentifier' and 'PayloadUUID' in the old and new profiles. +- key: PayloadUUID + type: + presence: required + content: |- + The globally unique identifier for the payload. The actual content is unimportant, but must be globally unique. In macOS, use 'uuidgen' to generate UUIDs. + During a profile replacement, the system updates payloads with the same 'PayloadIdentifier' and 'PayloadUUID' in the old and new profiles. +- key: PayloadType + type: + presence: required + content: The payload type, which each payload domain's reference page specifies. +- key: PayloadVersion + type: + presence: required + rangelist: + - 1 + content: The version of this specific payload. +- key: PayloadDescription + type: + presence: optional + content: The human-readable description of this payload. This description appears + on the Detail screen. +- key: PayloadDisplayName + type: + presence: optional + content: The human-readable name for the profile payload. 
The name appears on the + Detail screen and doesn't need to be unique. +- key: PayloadOrganization + type: + presence: optional + content: The human-readable string containing the name of the organization that + provides the profile. This value doesn't need to match the organization payload + value in the enclosing dictionary. diff --git a/mdm/profiles/GlobalPreferences.yaml b/mdm/profiles/GlobalPreferences.yaml new file mode 100644 index 0000000..5eac179 --- /dev/null +++ b/mdm/profiles/GlobalPreferences.yaml @@ -0,0 +1,27 @@ +title: Global Preferences +description: '' +payload: + payloadtype: .GlobalPreferences + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Global preferences on macOS +payloadkeys: +- key: MultipleSessionEnabled + type: + presence: optional + default: true + content: If 'false', disables fast user switching. +- key: com.apple.autologout.AutoLogOutDelay + type: + presence: optional + content: The 'autologout' delay, in seconds. A value of '0' means 'autologout' is + off. In some cases, this delay may be restricted to values between 5 minutes and + 24 hours. diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml new file mode 100644 index 0000000..f6b9807 --- /dev/null +++ b/mdm/profiles/TopLevel.yaml 
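Review bot: `com.apple.autologout.AutoLogOutDelay` is documented in seconds, but the restriction it mentions is given in minutes and hours, and `In some cases` leaves the reader unsure when the restriction applies, so an administrator has to convert units to know which values are safe. Stating the bounds in the key's own unit, `In some cases, this delay may be restricted to values between 300 (5 minutes) and 86400 (24 hours).`, keeps the stated facts and removes the conversion. `description` is left as `''` while `content` carries the text; if the project treats `description` as optional that is fine, otherwise copying the one-line summary into it would match the files that fill both.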
@@ -0,0 +1,205 @@ +title: Top Level +description: '' +payload: + payloadtype: TopLevel + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '1.0' + allowmanualinstall: true +payloadkeys: +- key: PayloadIdentifier + type: + presence: required + content: The reverse-DNS style identifier ('com.example.myprofile', for example) + that identifies the profile. This string is used to determine whether a new profile + should replace an existing one or should be added. +- key: PayloadUUID + type: + presence: required + content: The globally unique identifier for the profile. The actual content is unimportant. + In macOS, you can use 'uuidgen' to generate reasonable UUIDs. +- key: PayloadType + type: + presence: required + rangelist: + - Configuration + content: The type of payload. The only supported value is 'Configuration'. +- key: PayloadVersion + type: + presence: required + rangelist: + - 1 + content: The version number of the profile format. This number represents the version + of the configuration profile as a whole, not of the individual profiles within + it. The value should be 1. +- key: IsEncrypted + type: + presence: optional + default: false + content: Set to 'true' if the profile is encrypted. +- key: PayloadContent + type: + presence: required + content: The array of payload dictionaries. If 'IsEncrypted' is 'true', this array + isn't needed. + subkeys: + - key: PayloadContentItem + type: + subkeys: + - key: ANY + type: + presence: required + content: A payload item as defined by each payload type. 
+- key: EncryptedPayloadContent + type: + presence: optional + content: Enabled if 'IsEncrypted' is 'true'. +- key: PayloadDescription + type: + presence: optional + content: The description of the profile, shown on the Detail screen for the profile. + This description should be detailed enough to help the user decide whether to + install the profile. +- key: PayloadDisplayName + type: + presence: optional + content: The human-readable name for the profile. This value is displayed on the + Detail screen. It doesn't have to be unique. +- key: HasRemovalPasscode + type: + presence: optional + default: false + content: Set to 'true' if there is a removal passcode. +- key: PayloadOrganization + type: + presence: optional + content: The human-readable string containing the name of the organization that + provided the profile. +- key: PayloadRemovalDisallowed + supportedOS: + iOS: + supervised: true + userenrollment: + mode: forbidden + macOS: + supervised: true + userenrollment: + mode: forbidden + tvOS: + supervised: true + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If present and set to 'true', the user cannot delete the profile (unless the profile has a removal password and the user provides it). + On macOS, as of 10.15, this key only affects removal of manually installed profiles. If set to 'true' and no profile removal payload is present, admin auth will be required to remove the profile. + On macOS versions prior to 10.15, this key would prevent admins from removing MDM installed profiles but as of macOS 10.15, MDM profiles can never be removed by a user, not even the admin. +- key: PayloadScope + supportedOS: + macOS: + introduced: '10.8' + type: + presence: optional + rangelist: + - System + - User + content: A string that defines whether the profile should be installed for the system + or the user. In many cases, it determines the location of certificate items, such + as keychains. 
Though it isn't possible to declare different payload scopes, payloads, + like VPN, may automatically install their items in both scopes, if needed. +- key: RemovalDate + type: + presence: optional + content: The date when the profile is automatically removed. +- key: DurationUntilRemoval + type: + presence: optional + content: The number of seconds until the profile is automatically removed. If the + 'RemovalDate' key is present, whichever field yields the earliest date is used. +- key: PayloadExpirationDate + supportedOS: + watchOS: + introduced: n/a + type: + presence: optional + content: The date when a profile is no longer valid and an update button is presented + to the user. +- key: TargetDeviceType + supportedOS: + iOS: + introduced: '12.2' + macOS: + introduced: '10.15' + tvOS: + introduced: '12.2' + watchOS: + introduced: '5.2' + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + - 3 + - 4 + - 5 + default: 0 + content: |- + The type of platform of the target device. Specifying the platform type helps prevent unintended installations. + For interactive installations on iOS devices, specifying a target platform avoids the interstitial alerts that prompt the user to choose a profile target when multiple targets are eligible. + 0 = Any/unspecified + 1 = iPhone/iPad/iPod Touch + 2 = Apple Watch + 3 = HomePod + 4 = Apple TV + 5 = Mac +- key: ConsentText + type: + presence: optional + content: |- + A dictionary containing a key that consists of the IETF BCP 47 identifier for a language (for example, en or jp) and a value consisting of the agreement localized to that language. The agreement is displayed in a dialog, and the user must agree before installing the profile. + + The dictionary can also contain an optional key, 'default', with its value consisting of the unlocalized (usually in en) agreement. 
+ + The system chooses a localized version in the order of preference specified by the user (macOS) or based on the user's current language setting (iOS). If no exact match is found, the default localization is used. If there is no default localization, the en localization is used. If there is no en localization, the first available localization is used. + + Provide a default value, if possible. No warning is displayed if the user's locale doesn't match any localization in the 'ConsentText' dictionary. + subkeys: + - key: ConsentTextItem + type: + presence: required + content: The dictionary containing a key that consists of the IETF BCP 47 identifier + for a language (for example, en or jp) and a value that consists of the agreement + localized to that language. + subkeys: + - key: ANY + type: + presence: required + content: The key consisting of the IETF BCP 47 identifier for a language (for + example, en or jp) and the value consisting of the agreement localized to + that language. diff --git a/mdm/profiles/com.apple.ADCertificate.managed.yaml b/mdm/profiles/com.apple.ADCertificate.managed.yaml new file mode 100644 index 0000000..02239db --- /dev/null +++ b/mdm/profiles/com.apple.ADCertificate.managed.yaml 
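Review bot: `EncryptedPayloadContent` is documented only as `Enabled if 'IsEncrypted' is 'true'.`, which says when the key appears but not what it holds, while the `PayloadContent` entry only says the array `isn't needed` when 'IsEncrypted' is 'true'; between them the file never states where the payload data goes in the encrypted case. Presumably this key carries the encrypted form of the payload dictionaries — confirm that, and then say so: `Present when 'IsEncrypted' is 'true'; holds the encrypted payload content in place of 'PayloadContent'.` Separately, `HasRemovalPasscode` speaks of a removal passcode while `PayloadRemovalDisallowed` speaks of a removal password; using one term in both places avoids readers assuming two different mechanisms.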
@@ -0,0 +1,118 @@ +title: Active Directory Certificate +description: Active Directory Certificate +payload: + payloadtype: com.apple.ADCertificate.managed + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: A certificate can be requested from a Microsoft Certificate Authority (CA) + using DCE/RPC and the Active Directory Certificate profile payload instructions + detailed at support.apple.com/kb/HT5357. +payloadkeys: +- key: CertServer + title: Certificate Server + type: + presence: required + content: The fully qualified host name of the CA. +- key: CertTemplate + title: Certificate Template + type: + presence: required + content: The certificate template for your environment. The default user certificate + value is `User`. The default computer certificate value is `Machine`. +- key: Description + title: Description + type: + presence: optional + content: A user-friendly description of the certification identity. +- key: CertificateRenewalTimeInterval + title: Certificate Renewal Time Interval + type: + presence: optional + content: The number of days in advance of certificate expiration that the notification + center notifies the user. +- key: CertificateAuthority + title: Certificate Authority + supportedOS: + macOS: + introduced: '10.8' + type: + presence: optional + content: |- + The name of the certificate authority (CA). This value is determined from the common name (CN) of the Active Directory entry. Available in macOS 10.8 and later. 
+ + Valid values: + * CN= + * CN='Certification Authorities' + * CN='Public Key Services' + * ''CN='Services' + * ''CN='Configuration' + * ''CN= +- key: CertificateAcquisitionMechanism + title: Certificate Acquisition Mechanism + supportedOS: + macOS: + introduced: '10.8' + type: + presence: optional + content: This value is most commonly 'RPC'; if using web enrollment, use 'HTTP'. + Available in macOS 10.8 and later. +- key: AllowAllAppsAccess + title: Allow All Apps Access + supportedOS: + macOS: + introduced: '10.10' + type: + presence: optional + default: false + content: If 'true', gives apps access to the private key. Available in macOS 10.10 + and later. +- key: PromptForCredentials + title: Prompt For Credentials + supportedOS: + macOS: + introduced: '10.8' + type: + presence: optional + default: false + content: If 'true', the user is prompted for credentials when the profile is installed. + This key applies only to user certificates with the Manual Download profile delivery + method. Omit this key for computer certificates. Available in macOS 10.8 and later. +- key: KeyIsExtractable + title: Key Is Extractable + supportedOS: + macOS: + introduced: '10.10' + type: + presence: optional + default: false + content: If 'true', allows exporting the private key. Available in macOS 10.10 and + later. +- key: Keysize + title: Key Size + supportedOS: + macOS: + introduced: '10.11' + type: + presence: optional + default: 2048 + content: The RSA key size for the certificate signing request (CSR). Available in + macOS 10.11 and later. +- key: EnableAutoRenewal + title: Key Size + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: false + content: If 'true', the certificate obtained with this payload attempts auto-renewal. + Auto-renewal can only be used with device Active Directory certificate payloads. + Available in macOS 10.13.4 and later. 
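Review bot: `EnableAutoRenewal` carries `title: Key Size`, copied from the preceding `Keysize` entry; it should be `title: Enable Auto Renewal`, following the key-name-to-title pattern every other entry in this file uses. The `Valid values` list under `CertificateAuthority` also reads as incomplete — `* CN=` with nothing after it, and entries such as `''CN='Services'` — which may be placeholders lost in rendering rather than in the commit, so check the file itself before editing.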
diff --git a/mdm/profiles/com.apple.AIM.account.yaml b/mdm/profiles/com.apple.AIM.account.yaml new file mode 100644 index 0000000..b594921 --- /dev/null +++ b/mdm/profiles/com.apple.AIM.account.yaml @@ -0,0 +1,62 @@ +title: AIM Account +description: Use this section to define settings for configuration access to AIM servers. +payload: + payloadtype: com.apple.AIM.account + supportedOS: + macOS: + introduced: '10.7' + deprecated: '10.13' + removed: '10.14' + devicechannel: false + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: An AIM payload creates an AIM account on the device. +payloadkeys: +- key: AIMAccountDescription + title: Account Description + type: + presence: optional + content: The description of the account. +- key: AIMHostName + title: Account Hostname + type: + presence: required + rangelist: + - slogin.oscar.aol.com + content: The server address. +- key: AIMUserName + title: Account Username + type: + presence: optional + content: The user's login name. +- key: AIMPassword + title: Account Password + type: + presence: optional + content: The user's password. +- key: AIMUseSSL + title: Use SSL + type: + presence: optional + default: true + content: If 'true', enables SSL. +- key: AIMPort + title: Port Number + type: + presence: optional + range: + min: 0 + max: 65535 + default: 5190 + content: The connection port for the server. +- key: AIMAuthentication + title: AIM Authentification + type: + presence: required + rangelist: + - AIMAuthPassword + content: The authentication method for the account. diff --git a/mdm/profiles/com.apple.AssetCache.managed.yaml b/mdm/profiles/com.apple.AssetCache.managed.yaml new file mode 100644 index 0000000..e6d69f2 --- /dev/null +++ b/mdm/profiles/com.apple.AssetCache.managed.yaml 
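Review bot: `AIMAuthentication` has `title: AIM Authentification`, a misspelling of "Authentication"; `title: AIM Authentication` matches the key and the other titles. `AIMPort` allows `min: 0`, but 0 is not a usable TCP connection port, so `min: 1` would reflect the real lower bound. The payload is marked deprecated in 10.13 and removed in 10.14, so both are low priority, but they are cheap to fix while the file is new.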
@@ -0,0 +1,288 @@ +title: Content Caching +description: '' +payload: + payloadtype: com.apple.AssetCache.managed + supportedOS: + macOS: + introduced: 10.13.4 + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Configures the Content Caching service. +payloadkeys: +- key: AllowCacheDelete + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + default: true + content: |- + Allow the system to purge content from the cache automatically when it needs disk space for other apps (i.e. when free disk space runs low on the computer). Customers who want Content Caching to be as effective as possible should turn this setting off. + Available in macOS 10.15 and later. +- key: AllowPersonalCaching + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: |- + If 'true', caches the user's iCloud data. Clients may take some time (hours or days) to react to changes to this setting; it doesn't have an immediate effect. + + At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys must be 'true'. +- key: AllowSharedCaching + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: |- + If 'true', caches non-iCloud content, such as apps and software updates. Clients may take some time (hours, days) to react to changes to this setting; it does not have an immediate effect. + + At least one of the 'AllowPersonalCaching' or 'AllowSharedCaching' keys must be 'true'. +- key: AutoActivation + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: false + content: |- + If 'true', automatically activates the content cache when possible and prevents it from being disabled. If the 'allowContentCaching' restriction is set to 'false', 'AutoActivation' is also 'false'. 
+ Removing a profile that set 'AutoActivation' to 'true' does not deactivate the Content Cache. +- key: AutoEnableTetheredCaching + supportedOS: + macOS: + introduced: 10.15.4 + type: + presence: optional + default: false + content: |- + Automatically enable Internet connection sharing when possible and prevent disabling Internet connection sharing. 'DenyTetheredCaching' overrides 'AutoEnableTetheredCaching'. Tethered caching requires Content Caching. + Available in macOS 10.15.4 and later. +- key: CacheLimit + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: 0 + content: The maximum number of bytes of disk space that will be used for the content + cache. A value of 0 means unlimited disk space. +- key: DataPath + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: /Library/Application Support/Apple/AssetCache/Data + content: |- + The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) '/Library/Application Support/Apple/AssetCache/Data'. + + A directory and its intermediates are created for the given data path if it doesn't already exist. The directory is owned by '_assetcache:_assetcache' and has mode 0750. Its immediate parent directory ('.../Library/Application Support/Apple/AssetCache') is owned by '_assetcache:_assetcache' and has mode '0755'. +- key: DenyTetheredCaching + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: false + content: If 'true', disables tethered caching. +- key: DisplayAlerts + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + default: false + content: |- + If 'true', Content Caching displays exceptional conditions (alerts) as system notifications in the upper corner of the screen. 
Alerts were automatically displayed starting in macOS 10.13. In macOS 10.15 the alerts are off by default, but still available via this setting. + Available in macOS 10.15 and later. +- key: KeepAwake + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + default: false + content: |- + If 'true', prevents the computer from sleeping as long as Content Caching is on (System Preferences > Sharing > Content Caching is on). Customers who want Content Caching to be as available as musch as possible should turn this setting on. + Available in macOS 10.15 and later. +- key: ListenRanges + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + content: An array of dictionaries describing a range of client IP addresses to serve. + subkeytype: Ranges + subkeys: &id001 + - key: RangesItem + type: + subkeys: + - key: type + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + rangelist: + - IPv4 + - IPv6 + default: IPv4 + content: The IP address type. + - key: first + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: required + content: The first IP address in the range. + - key: last + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: required + content: The last IP address in the range. +- key: ListenRangesOnly + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: false + content: If 'true', the content cache provides content to the clients in the 'ListenRanges'. +- key: ListenWithPeersAndParents + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: If 'true', the content cache provides content to the clients in the union + of the 'ListenRanges', 'PeerListenRanges' and 'Parents'. +- key: LocalSubnetsOnly + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: If 'true', the content cache offers content to clients only on the same + immediate local network only. 
No content is offered to clients on other networks + reachable by the content cache. If 'LocalSubnetsOnly' is set to 'true', 'ListenRanges' + will be ignored. +- key: LogClientIdentity + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: false + content: If 'true', the Content Cache logs the IP address and port number of the + clients that request content. +- key: Parents + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + content: An array of the local IP addresses of other content caches that this cache + should download from or upload to, instead of downloading from or uploading to + Apple directly. Invalid addresses and addresses of computers that aren't content + caches are ignored. Parent caches that become unavailable are skipped. If all + parent content caches become unavailable, the content cache downloads from or + uploads to Apple directly, until a parent content cache becomes available again. + subkeys: + - key: ParentsItem + type: + presence: required + content: An IP address. +- key: ParentSelectionPolicy + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + rangelist: + - first-available + - url-path-hash + - random + - round-robin + - sticky-available + default: round-robin + content: |- + The policy to implement when choosing among more than one configured parent content cache. With every policy, parent caches that are temporarily unavailable are skipped. + + 'first-available': Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents. + + 'url-path-hash': Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents. + + 'random': Choose a parent at random. Use this policy for load balancing. + + 'round-robin': Rotate through the parents in order. 
Use this policy for load balancing. + + 'sticky-available': Use the first available parent that is available in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents. +- key: PeerFilterRanges + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + content: An array of dictionaries describing a range of peer IP addresses that the + content cache uses to filter its list of peers to query for content. The content + cache only queries peers in 'PeerFilterRanges'. When 'PeerFilterRanges' is an + empty array, the content cache doesn't query any peers. + subkeytype: Ranges + subkeys: *id001 +- key: PeerListenRanges + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + content: An array of dictionaries describing a range of peer IP addresses the content + cache responds to. When 'PeerListenRanges' is an empty array, the content cache + responds with an error to all cache queries. + subkeytype: Ranges + subkeys: *id001 +- key: PeerLocalSubnetsOnly + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: If 'true', the content cache only peers with other content caches on the + same immediate local network, rather than with content caches that use the same + public IP address as the device. When 'PeerLocalSubnetsOnly' is 'true', it overrides + the configuration of 'PeerFilterRanges' and 'PeerListenRanges'. If the network + changes, the local network peering restrictions update appropriately. If 'false', + the content cache defers to 'PeerFilterRanges' and 'PeerListenRanges' for configuring + the peering restrictions. +- key: Port + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: 0 + content: The TCP port number on which the content cache accepts requests for uploads + or downloads. Set the port to 0 to pick a random, available port. 
+- key: PublicRanges + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + content: An array of dictionaries describing a range of public IP addresses that + the cloud servers should use for matching clients to content caches. + subkeytype: Ranges + subkeys: *id001 diff --git a/mdm/profiles/com.apple.Dictionary.yaml b/mdm/profiles/com.apple.Dictionary.yaml new file mode 100644 index 0000000..b260d18 --- /dev/null +++ b/mdm/profiles/com.apple.Dictionary.yaml @@ -0,0 +1,20 @@ +title: 'Parental Controls: Dictionary' +description: '' +payload: + payloadtype: com.apple.Dictionary + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Parental controls dictionary restrictions. +payloadkeys: +- key: parentalControl + type: + presence: required + content: If 'true', enables parental controls dictionary restrictions. diff --git a/mdm/profiles/com.apple.DirectoryService.managed.yaml b/mdm/profiles/com.apple.DirectoryService.managed.yaml new file mode 100644 index 0000000..df9a3e0 --- /dev/null +++ b/mdm/profiles/com.apple.DirectoryService.managed.yaml 
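Review bot: The shared range subkey definition under `ListenRanges` is anchored as `&id001` and aliased by `PeerFilterRanges`, `PeerListenRanges` and `PublicRanges`; that is a dumper-generated name that tells a reader nothing, and a descriptive anchor such as `&ranges_subkeys` would make the reuse greppable, especially since `subkeytype: Ranges` already supplies a natural name. Two wording slips in the new content: `KeepAwake` has `as musch as possible` (should be `as much as possible`) and `LocalSubnetsOnly` has `only on the same immediate local network only` (one `only` too many). `introduced` is written `'10.15'` (quoted) in some entries and `10.13.4` (unquoted) in others; the three-component value parses as a string either way, but quoting all of them removes the question for the next reader.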
@@ -0,0 +1,265 @@
+title: Directory Service
+description: Directory Service
+payload:
+ payloadtype: com.apple.DirectoryService.managed
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: In macOS 10.9 and later, a configuration profile can be used to configure
+ macOS to join an Active Directory (AD) domain. Advanced AD options available via
+ Directory Utility or the dsconfigad command line tool can also be set using a
+ configuration profile.
+payloadkeys:
+- key: HostName
+ title: HostName
+ type:
+ presence: required
+ content: The Active Directory domain to join.
+- key: UserName
+ title: UserName
+ type:
+ presence: optional
+ content: The user name of the account for the domain.
+- key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The password of the account for the domain.
+- key: ClientID
+ title: Client ID
+ type:
+ presence: optional
+ content: The client's identifier.
+- key: Description
+ title: Description
+ type:
+ presence: optional
+ content: The directory service description.
+- key: ADOrganizationalUnit
+ title: ADOrganizationalUnit
+ type:
+ presence: optional
+ content: The organizational unit where the joining computer object is added.
+- key: ADMountStyle
+ title: ADMountStyle
+ type:
+ presence: optional
+ content: 'The network home protocol to use: ''afp'' or ''smb''.'
+- key: ADCreateMobileAccountAtLoginFlag
+ title: ADCreateMobileAccountAtLoginFlag
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADCreateMobileAccountAtLogin' key.
+- key: ADCreateMobileAccountAtLogin
+ title: ADCreateMobileAccountAtLogin
+ type:
+ presence: optional
+ default: false
+ content: If 'true', creates a mobile account at login.
+- key: ADWarnUserBeforeCreatingMAFlag
+ title: ADWarnUserBeforeCreatingMAFlag
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADWarnUserBeforeCreatingMA' key.
+- key: ADWarnUserBeforeCreatingMA
+ title: ADWarnUserBeforeCreatingMA
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the warning before creating the mobile account.
+- key: ADForceHomeLocalFlag
+ title: ADForceHomeLocalFlag
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADForceHomeLocal' key.
+- key: ADForceHomeLocal
+ title: ADForceHomeLocal
+ type:
+ presence: optional
+ default: false
+ content: If 'true', forces a local home directory.
+- key: ADUseWindowsUNCPathFlag
+ title: ADUseWindowsUNCPathFlag
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADUseWindowsUNCPath' key.
+- key: ADUseWindowsUNCPath
+ title: ADUseWindowsUNCPath
+ type:
+ presence: optional
+ default: false
+ content: If 'true', uses the UNC path from Active Directory to derive the network
+ home location.
+- key: ADAllowMultiDomainAuthFlag
+ title: ADAllowMultiDomainAuthFlag
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADAllowMultiDomainAuth' key.
+- key: ADAllowMultiDomainAuth
+ title: ADAllowMultiDomainAuth
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows authentication from any domain in the namespace.
+- key: ADDefaultUserShellFlag
+ title: ADDefaultUserShellFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADDefaultUserShell' key.
+- key: ADDefaultUserShell
+ title: ADDefaultUserShell
+ type:
+ presence: optional
+ content: The default user shell.
+- key: ADMapUIDAttributeFlag
+ title: ADMapUIDAttributeFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADMapUIDAttribute' key.
+- key: ADMapUIDAttribute
+ title: ADMapUIDAttribute
+ type:
+ presence: optional
+ content: The map UID to attribute.
+- key: ADMapGIDAttributeFlag
+ title: ADMapGIDAttributeFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADMapGIDAttribute' key.
+- key: ADMapGIDAttribute
+ title: ADMapGIDAttribute
+ type:
+ presence: optional
+ content: The map GID to attribute.
+- key: ADMapGGIDAttributeFlag
+ title: ADMapGGIDAttributeFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADMapGGIDAttributeFlag' key.
+- key: ADMapGGIDAttribute
+ title: ADMapGGIDAttribute
+ type:
+ presence: optional
+ content: The map group GID to attribute.
+- key: ADPreferredDCServerFlag
+ title: ADPreferredDCServerFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADPreferredDCServer' key.
+- key: ADPreferredDCServer
+ title: ADPreferredDCServer
+ type:
+ presence: optional
+ content: The preferred domain server.
+- key: ADDomainAdminGroupListFlag
+ title: ADDomainAdminGroupListFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADDomainAdminGroupList' key.
+- key: ADDomainAdminGroupList
+ title: ADDomainAdminGroupList
+ type:
+ presence: optional
+ content: The list of Active Directory groups that are granted admin access.
+ subkeys:
+ - key: ADDomainAdminGroupListItem
+ type:
+- key: ADNamespaceFlag
+ title: ADNamespaceFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADNamespace' key.
+- key: ADNamespace
+ title: ADNamespace
+ type:
+ presence: optional
+ content: The primary user account naming convention; either 'forest' or 'domain'.
+- key: ADPacketSignFlag
+ title: ADPacketSignFlag
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADPacketSign' key.
+- key: ADPacketSign
+ title: ADPacketSign
+ type:
+ presence: optional
+ content: The packet signing policy.
+- key: ADPacketEncryptFlag
+ title: ADPacketEncryptFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADPacketEncrypt' key.
+- key: ADPacketEncrypt
+ title: ADPacketEncrypt
+ type:
+ presence: optional
+ content: The packet encryption policy.
+- key: ADRestrictDDNSFlag
+ title: ADRestrictDDNSFlag
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the 'ADRestrictDDNS' key.
+- key: ADRestrictDDNS
+ title: ADRestrictDDNS
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ type:
+ presence: optional
+ content: An array of strings representing the interfaces that are allowed for dynamic
+ DNS updates (for example, en0, en1, and so on).
+ subkeys:
+ - key: ADRestrictDDNSItem
+ type:
+- key: ADTrustChangePassIntervalDaysFlag
+ title: ADTrustChangePassIntervalDaysFlag
+ type:
+ presence: optional
+ default: false
+ content: If true, enables the 'ADTrustChangePassIntervalDays 'key.
+- key: ADTrustChangePassIntervalDays
+ title: ADTrustChangePassIntervalDays
+ type:
+ presence: optional
+ content: The number of days before requiring a change of the computer trust account
+ password. '0' disables the feature.
diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml
new file mode 100644
index 0000000..de60d43
--- /dev/null
+++ b/mdm/profiles/com.apple.DiscRecording.yaml
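Review bot: The description of `ADMapGGIDAttributeFlag` (earlier in this hunk) says it enables the 'ADMapGGIDAttributeFlag' key, i.e. itself, whereas every sibling flag names the key it gates; it should read `content: If 'true', enables the 'ADMapGGIDAttribute' key.`. `ADTrustChangePassIntervalDaysFlag` has a misplaced closing quote and an unquoted true: `content: If 'true', enables the 'ADTrustChangePassIntervalDays' key.`. `ADPacketSign` and `ADPacketEncrypt` are the only policy-valued keys in this file without a `rangelist`, so a validator cannot reject a misspelled signing or encryption policy that would silently leave LDAP traffic unsigned or unencrypted; if they accept the same values as the dsconfigad `-packetsign` and `-packetencrypt` options, listing those values here closes that gap. Since `UserName` and `Password` embed the domain-join credential in the profile, the `Password` content would benefit from stating that this should be a delegated account limited to joining computers to the configured OU rather than a domain administrator.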
@@ -0,0 +1,28 @@
+title: 'Media Management: Disc Burning'
+description: ''
+payload:
+ payloadtype: com.apple.DiscRecording
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: BurnSupport
+ type:
+ presence: required
+ rangelist:
+ - 'off'
+ - authenticate
+ - 'on'
+ content: |-
+ If 'off', disables disc burning.
+
+ If 'on', allows normal default operation. Setting this key to 'on' doesn't enable disc burn support if it has already been disabled by other mechanisms or preferences. It also must be enabled with the Finder profile.
+
+ If 'authenticate', requires authentication.
diff --git a/mdm/profiles/com.apple.MCX(Accounts).yaml b/mdm/profiles/com.apple.MCX(Accounts).yaml
new file mode 100644
index 0000000..9e0844d
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(Accounts).yaml
@@ -0,0 +1,32 @@
+title: Accounts
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: EnableGuestAccount
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the guest account.
+- key: DisableGuestAccount
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the guest account. This property has no effect if 'EnableGuestAccount'
+ is 'true'.
diff --git a/mdm/profiles/com.apple.MCX(EnergySaver).yaml b/mdm/profiles/com.apple.MCX(EnergySaver).yaml
new file mode 100644
index 0000000..e3e875b
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(EnergySaver).yaml
@@ -0,0 +1,154 @@
+title: Energy Saver
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: com.apple.EnergySaver.desktop.ACPower
+ type:
+ presence: optional
+ content: The settings for a desktop computer.
+ subkeytype: PowerSettings
+ subkeys: &id001
+ - key: Display Sleep Timer
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ range:
+ min: 1
+ max: 180
+ content: The display sleep time, in minutes. A value of 0 means never.
+ - key: Disk Sleep Timer
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ range:
+ min: 1
+ max: 180
+ content: The disk sleep time, in minutes. A value of 0 means never.
+ - key: System Sleep Timer
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ range:
+ min: 1
+ max: 180
+ content: System sleep time, in minutes. A value of 0 means never.
+ - key: Reduce Processor Speed
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ - 1
+ content: May not be available on all systems.
+ - key: Dynamic Power Step
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ - 1
+ content: May not be available on all systems.
+ - key: Wake on LAN
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ - 1
+ content: If 'true', enables 'Wake for network access.'
+ - key: Wake On Modem Ring
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ - 1
+ content: If 'true', enables 'Wake for modem ring.'
+ - key: Automatic Restart On Power Loss
+ type:
+ presence: optional
+ rangelist:
+ - 0
+ - 1
+ content: If 'true', enables 'Start up automatically after a power failure.'
+- key: com.apple.EnergySaver.portable.ACPower
+ type:
+ presence: optional
+ content: The settings for a laptop computer using AC power.
+ subkeytype: PowerSettings
+ subkeys: *id001
+- key: com.apple.EnergySaver.portable.BatteryPower
+ type:
+ presence: optional
+ content: The settings for a laptop computer using battery power.
+ subkeytype: PowerSettings
+ subkeys: *id001
+- key: com.apple.EnergySaver.desktop.Schedule
+ type:
+ presence: optional
+ content: The schedule for turning a computer on and off.
+ subkeytype: EnergySaver Schedule
+ subkeys:
+ - key: RepeatingPowerOn
+ type:
+ presence: optional
+ content: The schedule for turning the device on.
+ subkeytype: RepeatingPowerItem
+ subkeys: &id002
+ - key: eventtype
+ type:
+ presence: required
+ rangelist:
+ - wake
+ - poweron
+ - wakepoweron
+ - sleep
+ - shutdown
+ - restart
+ content: The type of action defined by this schedule.
+ - key: weekdays
+ type:
+ presence: optional
+ content: |-
+ One or more days of the week in an unsigned integer bitmap:
+ * '1' = Mon
+ * '2' = Tue
+ * '4' = Wed
+ * '8' = Thu
+ * '16' = Fri
+ * '32' = Sat
+ * '64' = Sun
+ - key: time
+ type:
+ presence: optional
+ content: The time, in minutes, since midnight.
+ - key: RepeatingPowerOff
+ type:
+ presence: optional
+ content: The schedule for turning the device off.
+ subkeytype: RepeatingPowerItem
+ subkeys: *id002
+- key: SleepDisabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables sleep.
+- key: DestroyFVKeyOnStandby
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents the OS from storing a temporary FileVault key in SMC
+ or RAM for standby.
diff --git a/mdm/profiles/com.apple.MCX(FileVault2).yaml b/mdm/profiles/com.apple.MCX(FileVault2).yaml
new file mode 100644
index 0000000..7f94c87
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(FileVault2).yaml
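Review bot: `Wake on LAN`, `Wake On Modem Ring` and `Automatic Restart On Power Loss` (earlier in this hunk) describe their effect as "If 'true'" while their `rangelist` only admits `0` and `1`, so the documented value is one a validator built from this schema would reject; `content: If '1', enables 'Wake for network access.'` and the same edit for the other two. `DestroyFVKeyOnStandby` is declared here with `introduced: '10.10'` and again in com.apple.MCX(FileVault2).yaml in this commit with `introduced: '10.9'` and a different description; at most one version is right, and the two entries should be reconciled or one documented as the alias of the other. `Reduce Processor Speed` and `Dynamic Power Step` only say "May not be available on all systems." and never state what `1` does.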
@@ -0,0 +1,34 @@
+title: FDE FileVault Options
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: The FileVault accounts payload sets up options for enabling FileVault.
+payloadkeys:
+- key: dontAllowFDEDisable
+ type:
+ presence: optional
+ default: false
+ content: Set to 'true' to prevent FileVault from being disabled.
+- key: dontAllowFDEEnable
+ type:
+ presence: optional
+ default: false
+ content: Set to 'true' to prevent FileVault from being enabled.
+- key: DestroyFVKeyOnStandby
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: Set to 'true' to prevent storing the FileVault key across restarts.
diff --git a/mdm/profiles/com.apple.MCX(Mobililty).yaml b/mdm/profiles/com.apple.MCX(Mobililty).yaml
new file mode 100644
index 0000000..f1ed13f
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(Mobililty).yaml
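Review bot: `dontAllowFDEDisable` and `dontAllowFDEEnable` can both be set to 'true' and nothing in the payload says how that combination is treated; presumably it freezes whatever FileVault state the volume is in, and since an administrator enforcing encryption relies on that outcome, the payload `content` should state it once confirmed. The three descriptions use the "Set to 'true' to ..." form while the rest of the profiles in this commit use "If 'true', ...", e.g. `content: If 'true', prevents FileVault from being disabled.`.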
@@ -0,0 +1,47 @@
+title: Mobile Accounts
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Sets up mobile account options for network based user accounts.
+payloadkeys:
+- key: com.apple.cachedaccounts.CreateAtLogin
+ type:
+ presence: optional
+ default: false
+ content: If 'true', creates the mobile account at login time.
+- key: com.apple.cachedaccounts.WarnOnCreate
+ type:
+ presence: optional
+ default: false
+ content: If 'true', asks the user if the mobile account should be created and allow
+ the user to not create it.
+- key: cachedaccounts.WarnOnCreate.allowNever
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to stop the prompts about mobile account creation
+ every time the user logs in. This key is only valid if 'com.apple.cachedaccounts.WarnOnCreate'
+ is set to 'true'.
+- key: cachedaccounts.expiry.delete.disusedSeconds
+ type:
+ presence: optional
+ default: -1
+ content: |-
+ The minimum number of seconds a mobile account can exist before an automatic attempt is made to remove the mobile account.
+ Set to '0' to try to remove it at next login or logout time. Set to '-1' to never try to remove the mobile account.
+- key: cachedaccounts.askForSecureTokenAuthBypass
+ type:
+ presence: optional
+ default: false
+ content: If 'true', bypasses the secure token authorization dialog. This dialog
+ only appears on APFS volumes.
diff --git a/mdm/profiles/com.apple.MCX(TimeServer).yaml b/mdm/profiles/com.apple.MCX(TimeServer).yaml
new file mode 100644
index 0000000..4d11e4f
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(TimeServer).yaml
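Review bot: `cachedaccounts.askForSecureTokenAuthBypass` says it bypasses the secure token authorization dialog but not what that means for the new mobile account's secure token, which is the consequence an administrator has to weigh before enabling it; a sentence stating the resulting token state (once confirmed) belongs in its `content`. The file name spells the payload `Mobililty`, which will keep it from sorting and searching alongside the other `com.apple.MCX(...)` profiles. Two keys carry the `com.apple.cachedaccounts.` prefix and three only `cachedaccounts.`; if that mirrors the real preference keys, a short note saying so would stop the next editor from normalising them.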
@@ -0,0 +1,25 @@
+title: Time Server
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: 10.12.4
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Settings for time zone and server
+payloadkeys:
+- key: timeServer
+ type:
+ presence: optional
+ content: The NTP server to connect to. Use commas to separate multiple time servers.
+- key: timeZone
+ type:
+ presence: optional
+ content: The time zone path location string in '/usr/share/zoneinfo/'; for example,
+ 'America/Denver' or 'Zulu'.
diff --git a/mdm/profiles/com.apple.MCX(WiFi).yaml b/mdm/profiles/com.apple.MCX(WiFi).yaml
new file mode 100644
index 0000000..6c3463e
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX(WiFi).yaml
@@ -0,0 +1,39 @@
+title: Wi-Fi Managed Settings
+description: ''
+payload:
+ payloadtype: com.apple.MCX
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: RequireAdminForIBSS
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If YES, requires administrator authorization to enable IBSS.
+- key: RequireAdminForAirPortNetworkChange
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If YES, requires administrator authorization for network changes.
+- key: RequireAdminToTurnAirPortOnOff
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If YES, requires administrator authorization to turn Wi-Fi on or off.
diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml
new file mode 100644
index 0000000..63a6098
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml
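Review bot: `introduced: 10.12.4` is left unquoted while the sibling profiles quote their versions (`introduced: '10.7'`); a three-component value happens to parse as a string, but the inconsistency invites a two-component edit such as 10.10 that a YAML 1.1 loader turns into the float 10.1, so `introduced: '10.12.4'`. The same unquoted form appears in com.apple.SetupAssistant.managed.yaml (10.13.4, 10.13.6) in this commit. `content: Settings for time zone and server` is also missing its trailing period.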
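Review bot: The three `content` lines say "If YES, ..." while every other boolean key in this commit uses the quoted 'true' form, and YES is neither the YAML literal nor the plist value a reader compares against; `content: If 'true', requires administrator authorization to enable IBSS.` and the same edit for `RequireAdminForAirPortNetworkChange` and `RequireAdminToTurnAirPortOnOff`.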
@@ -0,0 +1,95 @@
+title: FDE FileVault
+description: ''
+payload:
+ payloadtype: com.apple.MCX.FileVault2
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: The FileVault payload only works on macOS to enable or disable FileVault.
+ Starting with macOS 10.15, this payload requires UAMDM to enable FileVault.
+payloadkeys:
+- key: Enable
+ type:
+ presence: required
+ rangelist:
+ - 'On'
+ - 'Off'
+ content: If 'true', enables FileVault.
+- key: Defer
+ type:
+ presence: optional
+ default: false
+ content: If 'true', defers enabling FileVault until the designated user logs out.
+ For details, see 'fdesetup(8)'. The person enabling FileVault must be either a
+ local user or a mobile account user.
+- key: UserEntersMissingInfo
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables a prompt for missing user name or password fields.
+- key: UseRecoveryKey
+ type:
+ presence: optional
+ default: true
+ content: If 'true', creates a personal recovery key and displays it to the user.
+- key: ShowRecoveryKey
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents display of the personal recovery key to the user after
+ FileVault is enabled.
+- key: OutputPath
+ type:
+ presence: optional
+ content: The path to the location where the recovery key and computer information
+ property list are stored.
+- key: Certificate
+ type:
+ presence: optional
+ content: The DER-encoded certificate data if 'UseRecoveryKey' is enabled.
+- key: PayloadCertificateUUID
+ type:
+ presence: optional
+ content: The UUID of the payload within the same profile containing the asymmetric
+ recovery key certificate payload.
+- key: Username
+ type:
+ presence: optional
+ content: The user name of the Open Directory user to be added to FileVault.
+- key: Password
+ type:
+ presence: optional
+ content: The password of the Open Directory user to be added to FileVault. Use the
+ 'UserEntersMissingInfo' key if you want to prompt for this information.
+- key: UseKeychain
+ type:
+ presence: optional
+ default: false
+ content: If 'true' and no certificate information is provided in this payload, the
+ keychain created at '/Library/Keychains/FileVaultMaster.keychain' is used when
+ the institutional recovery key is added.
+- key: DeferForceAtUserLoginMaxBypassAttempts
+ type:
+ presence: optional
+ range:
+ min: -1
+ max: 9999
+ content: The maximum number of times users can bypass enabling FileVault before
+ being required to enable it to log in. If the value is '0', the user will be required
+ to enabled FileVault the next time they attempt to log in. Setting this key to
+ '–1' disables the feature.
+- key: DeferDontAskAtUserLogout
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents requests for enabling FileVault at user logout time.
diff --git a/mdm/profiles/com.apple.MCX.TimeMachine.yaml b/mdm/profiles/com.apple.MCX.TimeMachine.yaml
new file mode 100644
index 0000000..e299b71
--- /dev/null
+++ b/mdm/profiles/com.apple.MCX.TimeMachine.yaml
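Review bot: `Enable` (earlier in this hunk) restricts its value to 'On'/'Off' through its `rangelist`, yet its description says "If 'true', enables FileVault.", a value that rangelist rejects; `content: If 'On', enables FileVault.`. `DeferForceAtUserLoginMaxBypassAttempts` documents the disabling value as '–1' with an en dash where the `range` minimum is `-1`, so a reader copying the documented value gets a string the range check refuses, and "to enabled FileVault" should be "to enable FileVault". `Password` places an Open Directory password in the profile; its content already steers toward `UserEntersMissingInfo`, and it would help to add that a profile carrying this key has to be stored and distributed as a secret.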
@@ -0,0 +1,59 @@
+title: Time Machine
+payload:
+ payloadtype: com.apple.MCX.TimeMachine
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: AutoBackup
+ type:
+ presence: optional
+ default: true
+ content: If 'true', performs automatic backups at regular intervals.
+- key: BackupAllVolumes
+ type:
+ presence: optional
+ default: false
+ content: If true, backs up only the startup volume by default.
+- key: BackupDestURL
+ type:
+ presence: required
+ content: The URL of the backup destination.
+- key: BackupSizeMB
+ type:
+ presence: optional
+ default: 0
+ content: The backup size limit, in megabytes. Set to 0 for unlimited.
+- key: BackupSkipSys
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips system files and folders by default.
+- key: MobileBackups
+ type:
+ presence: optional
+ default: true
+ content: If 'true', create local backup snapshots when not connected to the network.
+- key: BasePaths
+ type:
+ presence: optional
+ content: The list of paths to back up besides the startup volume.
+ subkeys:
+ - key: BasePathItem
+ type:
+ presence: required
+- key: SkipPaths
+ type:
+ presence: optional
+ content: The path to skip from start volume.
+ subkeys:
+ - key: SkipPathItem
+ type:
+ presence: required
diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml
new file mode 100644
index 0000000..8155b0b
--- /dev/null
+++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml
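Review bot: `BackupAllVolumes` is described as "If true, backs up only the startup volume by default.", which reads as the inverse of the key name and of its `default: false`; if false means startup volume only, the line should be `content: If 'true', backs up all volumes; if 'false', backs up only the startup volume.` (quoting true as the other keys do). `SkipPaths` content "The path to skip from start volume." should be plural and name the volume: `content: The paths to skip on the startup volume.`. This file and com.apple.SystemConfiguration.yaml in this commit omit the `description` key every other profile carries, which a schema consumer may treat as required.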
@@ -0,0 +1,43 @@
+title: Managed Preferences
+description: ''
+payload:
+ payloadtype: com.apple.ManagedClient.preferences
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: PreferenceDomain
+ type:
+ presence: required
+ content: The dictionary containing app preference domains.
+ subkeys:
+ - key: Forced
+ type:
+ presence: required
+ content: The dictionary of forced settings.
+ subkeys: &id001
+ - key: Settings
+ type:
+ presence: required
+ subkeys:
+ - key: mcx_preference_settings
+ type:
+ presence: required
+ content: The dictionary of settings.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The setting/value pairs.
+ - key: Set-Once
+ type:
+ presence: required
+ content: The dictonary of one-time settings.
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.NSExtension.yaml b/mdm/profiles/com.apple.NSExtension.yaml
new file mode 100644
index 0000000..e7d28e2
--- /dev/null
+++ b/mdm/profiles/com.apple.NSExtension.yaml
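Review bot: `Set-Once` content has a typo: `content: The dictionary of one-time settings.`. Both `Forced` and `Set-Once` are marked `presence: required`, which as written makes a domain that only forces settings (the usual case) invalid; if either one suffices, they should be optional with the "at least one" constraint stated in `PreferenceDomain`'s content. The `Settings` subkey is the only key in the file without a `content` line.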
@@ -0,0 +1,47 @@
+title: NSExtension Management
+description: ''
+payload:
+ payloadtype: com.apple.NSExtension
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Specifies which NSExtension extensions are to be allowed or disallowed
+ on a system. Extensions can be managed by bundleID allow/deny lists and "extension
+ points".
+payloadkeys:
+- key: AllowedExtensions
+ type:
+ presence: optional
+ content: An array of identifiers for extensions that are allowed to run on the system.
+ subkeys:
+ - key: AllowedExtensionsItem
+ type:
+ presence: required
+ content: An extension identifier.
+- key: DeniedExtensions
+ type:
+ presence: optional
+ content: An array of identifiers for extensions that aren't allowed to run on the
+ system.
+ subkeys:
+ - key: DeniedExtensionsItem
+ type:
+ presence: required
+ content: An extension identifier.
+- key: DeniedExtensionPoints
+ type:
+ presence: optional
+ content: An array of extension points for extensions that aren't allowed to run
+ on the system.
+ subkeys:
+ - key: DeniedExtensionPointsItem
+ type:
+ presence: required
+ content: An extension identifier.
diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml
new file mode 100644
index 0000000..2d6f206
--- /dev/null
+++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml
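Review bot: `DeniedExtensionPointsItem` is described as "An extension identifier." although the array holds extension points; `content: An extension point identifier.`. The payload never states what happens when the same identifier appears in both `AllowedExtensions` and `DeniedExtensions`, nor whether an allow list by itself blocks every extension not on it; for an allow/deny policy that precedence is the property an administrator relies on, and the ShareKitHelper payload in this commit already sets the pattern with its "used only if there is no ... key" sentence. The payload content also double-quotes "extension points" where the rest of the commit uses single quotes for terms.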
@@ -0,0 +1,137 @@
+title: Setup Assistant
+description: ''
+payload:
+ payloadtype: com.apple.SetupAssistant.managed
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ supervised: true
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.12'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: On macOS, this payload can specify Setup Assistant options for either the
+ system or particular users.
+payloadkeys:
+- key: SkipCloudSetup
+ supportedOS:
+ iOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the Apple ID setup window.
+- key: SkipSiriSetup
+ supportedOS:
+ iOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the Siri setup window.
+- key: SkipPrivacySetup
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: 10.13.4
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the Privacy consent window.
+- key: SkipiCloudStorageSetup
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: 10.13.4
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the iCloud Storage window.
+- key: SkipTrueTone
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: 10.13.6
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the True Tone Display window.
+- key: SkipAppearance
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', skips the Choose Your Look window.
+- key: SkipTouchIDSetup
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: If true, skips the Touch ID setup window.
+- key: SkipScreenTime
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: If true, skips the Screen Time window.
+- key: SkipAccessibility
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ default: false
+ content: Skips Accessibility window
+- key: SkipSetupItems
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ An array strings describing setup items to skip. SkipKeys provides a list of valid strings and their meanings.
+ Available in iOS 14 and later.
+ subkeys:
+ - key: SkipSetupItems
+ type:
+- key: SkipUnlockWithWatch
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: Skips Unlock With Apple Watch window
diff --git a/mdm/profiles/com.apple.ShareKitHelper.yaml b/mdm/profiles/com.apple.ShareKitHelper.yaml
new file mode 100644
index 0000000..c8e3653
--- /dev/null
+++ b/mdm/profiles/com.apple.ShareKitHelper.yaml
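Review bot: The `SkipSetupItems` array names its element key `SkipSetupItems` as well, while every other array in this commit names the element `<Key>Item`; tooling that derives item names from the schema will trip on the collision, so confirm the intended element name and follow the pattern. Its content reads "An array strings", i.e. `An array of strings describing setup items to skip.`. `SkipAccessibility` and `SkipUnlockWithWatch` drop the "If 'true', skips the ... window." form and the trailing period used by the other keys, and `SkipTouchIDSetup` and `SkipScreenTime` leave true unquoted.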
@@ -0,0 +1,38 @@
+title: ShareKit
+description: ''
+payload:
+ payloadtype: com.apple.ShareKitHelper
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ deprecated: '10.12'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: macOS only. Specifies which ShareKit plugin can be accessed on client.
+ Both allow and disallow lists can be specified.
+payloadkeys:
+- key: SHKAllowedShareServices
+ type:
+ presence: optional
+ content: The list of plugin IDs that show up in the user's Share menu. If this array
+ exists, only these items are permitted.
+ subkeys:
+ - key: SHKAllowedShareServicesItem
+ type:
+ presence: required
+ content: A plugin ID.
+- key: SHKDeniedShareServices
+ type:
+ presence: optional
+ content: The list of plugin IDs that won't show up in the user's Share menu. This
+ key is used only if there is no 'SHKAllowedShareServices' key.
+ subkeys:
+ - key: SHKDeniedShareServicesItem
+ type:
+ presence: required
+ content: A plugin ID.
diff --git a/mdm/profiles/com.apple.SoftwareUpdate.yaml b/mdm/profiles/com.apple.SoftwareUpdate.yaml
new file mode 100644
index 0000000..046d913
--- /dev/null
+++ b/mdm/profiles/com.apple.SoftwareUpdate.yaml
@@ -0,0 +1,100 @@
+title: Software Update
+description: Software Update Managed Settings
+payload:
+ payloadtype: com.apple.SoftwareUpdate
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Software update catalog options.
+payloadkeys:
+- key: CatalogURL
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ deprecated: '11.0'
+ userenrollment:
+ mode: forbidden
+ type:
+ presence: optional
+ content: The URL of the software update catalog. This property is not supported
+ in macOS 11 and later.
+- key: AllowPreReleaseInstallation
+ title: Allow Pre-Release Update Installation
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: true
+ content: If 'true', prerelease software can be installed on this computer.
+- key: restrict-software-update-require-admin-to-install
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', restrict app installations to admin users. This key has the
+ same function as the 'restrict-store-require-admin-to-install' key in the 'com.apple.appstore'
+ payload.
+- key: AutomaticallyInstallMacOSUpdates
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', restricts the 'Install macOS Updates' option and prevents the
+ user from changing the option.
+- key: AutomaticallyInstallAppUpdates
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', deselects the 'Install app updates from the App Store' option
+ and prevents the user from changing the option.
+- key: AutomaticCheckEnabled
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', deselects the 'Check for updates' option and prevents the user
+ from changing the option.
+- key: AutomaticDownload
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', deselects the 'Download new updates when available from the
+ App Store' option and prevents the user from changing the option.
+- key: CriticalUpdateInstall
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', disables the automatic installation of critical updates and
+ prevents the user from changing the 'Install system data files and security updates'
+ option.
+- key: ConfigDataInstall
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', restricts the automatic installation of configuration data.
diff --git a/mdm/profiles/com.apple.SystemConfiguration.yaml b/mdm/profiles/com.apple.SystemConfiguration.yaml
new file mode 100644
index 0000000..206c8c6
--- /dev/null
+++ b/mdm/profiles/com.apple.SystemConfiguration.yaml
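Review bot: `restrict-software-update-require-admin-to-install` (earlier in this hunk) is described as "If 'true', restrict app installations to admin users", which is ungrammatical and, in a Software Update payload, presumably governs update installation rather than app installation; `content: If 'true', restricts software update installation to admin users.` if that is the behaviour. `CatalogURL` is marked `deprecated: '11.0'` but its content says only "not supported"; stating whether macOS 11 ignores or rejects the key tells an administrator whether a catalog override silently stops applying after an upgrade. `AllowPreReleaseInstallation` defaults to `true`, so the content should make clear that omitting the key leaves prerelease installation permitted, since a reader scanning for restrictions will otherwise assume the safe default.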
@@ -0,0 +1,125 @@
+title: Network Proxy Configuration
+payload:
+ payloadtype: com.apple.SystemConfiguration
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: Proxies
+ type:
+ presence: required
+ content: The dictionary containing all the proxies for this device.
+ subkeys:
+ - key: FTPEnable
+ type:
+ presence: optional
+ content: If 'true', enables FTP proxy.
+ - key: FTPPassive
+ type:
+ presence: optional
+ content: If 'true', enables passive FTP mode.
+ - key: FTPPort
+ type:
+ presence: optional
+ content: The FTP proxy port.
+ - key: FTPProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the FTP proxy.
+ - key: GopherEnable
+ type:
+ presence: optional
+ content: If 'true', enables gopher proxy.
+ - key: GopherPort
+ type:
+ presence: optional
+ content: The gopher proxy port.
+ - key: GopherProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the gopher proxy.
+ - key: HTTPEnable
+ type:
+ presence: optional
+ content: If 'true', enables web proxy.
+ - key: HTTPPort
+ type:
+ presence: optional
+ content: The web proxy port.
+ - key: HTTPProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the web proxy.
+ - key: HTTPSEnable
+ type:
+ presence: optional
+ content: If 'true', enables secure web proxy.
+ - key: HTTPSPort
+ type:
+ presence: optional
+ content: The secure web proxy port.
+ - key: HTTPSProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the secure web proxy.
+ - key: ProxyAutoConfigEnable
+ type:
+ presence: optional
+ content: If 'true', enables automatic proxy configuration.
+ - key: ProxyAutoConfigURLString
+ type:
+ presence: optional
+ content: The automatic proxy configuration URL.
+ - key: ProxyCaptiveLoginAllowed
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ content: If 1, allows client to log into captive portal network.
+ - key: RTSPEnable
+ type:
+ presence: optional
+ content: If 'true', enable streaming proxy.
+ - key: RTSPPort
+ type:
+ presence: optional
+ content: The streaming proxy port.
+ - key: RTSPProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the streaming proxy.
+ - key: SOCKSEnable
+ type:
+ presence: optional
+ content: If 'true', enable the SOCKS proxy.
+ - key: SOCKSPortinteger
+ type:
+ presence: optional
+ content: The SOCKS proxy port.
+ - key: SOCKSProxy
+ type:
+ presence: optional
+ content: The host name or IP address for the SOCKS proxy.
+ - key: FallBackAllowed
+ type:
+ presence: optional
+ content: |-
+ If '1', enables fallback. Default is '1'.
+ For managed devices, if not supplied, the default is '0'.
+ - key: ExceptionsList
+ type:
+ presence: optional
+ content: The list of hosts and domains that should bypass proxy settings.
+ subkeys:
+ - key: Exception
+ type:
+ presence: required
+ content: Bypass proxy settings for these Hosts & Domains
diff --git a/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml
new file mode 100644
index 0000000..a94eb90
--- /dev/null
+++ b/mdm/profiles/com.apple.TCC.configuration-profile-policy.yaml
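Review bot: `SOCKSPortinteger` looks like a typo for `SOCKSPort`: its `content` is `The SOCKS proxy port.` and every sibling port key (`FTPPort`, `HTTPPort`, `HTTPSPort`, `RTSPPort`) uses the bare `Port` suffix, so the key as written would presumably never match a real profile. The port keys also carry no `range:` bound, while the AirPrint `Port` key in this same commit uses `range: min: 0 max: 65535`; the same bound here would let the schema reject out-of-range values. Boolean wording is mixed as well — `ProxyCaptiveLoginAllowed` says `If 1` and `FallBackAllowed` says `If '1'` where the other keys say `If 'true'`; pick one form.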
@@ -0,0 +1,261 @@
+title: Privacy Preferences Policy Control
+description: Configures Security Preferences:Privacy settings
+payload:
+ payloadtype: com.apple.TCC.configuration-profile-policy
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: false
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: Services
+ type:
+ presence: required
+ content: A dictionary whose keys are limited to the privacy policy control services. In
+ the case of conflicting specifications, the most restrictive setting (deny) is
+ used.
+ subkeys:
+ - key: AddressBook
+ type:
+ presence: optional
+ content: Specifies the policies for contact information managed by the Contacts.app.
+ subkeytype: Identity
+ subkeys: &id001
+ - key: IdentityDict
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The bundle ID or installation path of the binary.
+ - key: IdentifierType
+ type:
+ presence: required
+ rangelist:
+ - bundleID
+ - path
+ content: The type of identifier value. Application bundles must be identified
+ by bundle ID. Nonbundled binaries must be identified by installation path.
+ Helper tools embedded within an application bundle automatically inherit
+ the permissions of their enclosing app bundle.
+ - key: CodeRequirement
+ type:
+ presence: required
+ content: Obtained via the command ''codesign –display -r -''.
+ - key: StaticCode
+ type:
+ presence: optional
+ default: false
+ content: If 'true', statically validate the code requirement. Used only if
+ the process invalidates its dynamic code signature.
+ - key: Allowed
+ type:
+ presence: required
+ content: If 'true', access is granted; otherwise, the process doesn't have
+ access. The user isn't prompted and can't change this value.
+ - key: Authorization
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ rangelist:
+ - Allow
+ - Deny
+ - AllowStandardUserToSetSystemService
+ content: |-
+ The 'Authorization' key is an optional replacement for the 'Allowed' key. Every payload must specify either 'Authorization' or 'Allowed', but not both.
+ 'Allow': Equivalent to a 'true' value for the 'Allowed' key.
+ 'Deny': Equivalent to a f'alse' value for the 'Allowed' key.
+ 'AllowStandardUserToSetSystemService:' allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization. 'AllowStandardUserToSetSystemService' is only valid for the 'ListenEvent' and 'ScreenCapture' services.
+ Available in macOS 11 and later.
+ - key: Comment
+ type:
+ presence: optional
+ content: Not used.
+ - key: AEReceiverIdentifier
+ type:
+ presence: optional
+ content: The identifier of the process receiving an AppleEvent sent by the
+ Identifier process. This identifier is required for AppleEvents service;
+ not valid for other services.
+ - key: AEReceiverIdentifierType
+ type:
+ presence: optional
+ rangelist:
+ - bundleID
+ - path
+ content: The type of AEReceiverIdentifier value, either 'bundleID' or 'path'.
+ This setting is required for AppleEvents service; not valid for other services.
+ - key: AEReceiverCodeRequirement
+ type:
+ presence: optional
+ content: The code requirement for the receiving binary. This code requirement
+ is required for AppleEvents service; not valid for other services.
+ - key: Calendar
+ type:
+ presence: optional
+ content: Specifies the policies for calendar information managed by the Calendar.app.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: Reminders
+ type:
+ presence: optional
+ content: Specifies the policies for reminders information managed by the Reminders
+ app.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: Photos
+ type:
+ presence: optional
+ content: The pictures managed by the Photos app in '~/Pictures/.photoslibrary'.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: Camera
+ type:
+ presence: optional
+ content: A system camera. Access to the camera cannot be given in a profile; it
+ can only be denied.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: Microphone
+ type:
+ presence: optional
+ content: A system microphone. Access to the microphone cannot be given in a profile;
+ it can only be denied.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: Accessibility
+ type:
+ presence: optional
+ content: Specifies the policies for the app via the Accessibility subsystem.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: PostEvent
+ type:
+ presence: optional
+ content: Specifies the policies for the application to use CoreGraphics APIs to
+ send CGEvents to the system event stream.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyAllFiles
+ type:
+ presence: optional
+ content: Allows the application access to all protected files, including system
+ administration files.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicySysAdminFiles
+ type:
+ presence: optional
+ content: Allows the application access to some files used in system administration.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: AppleEvents
+ type:
+ presence: optional
+ content: Specifies the policies for the app sending restricted AppleEvents to
+ another process.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: MediaLibrary
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access Apple Music, music and video activity,
+ and the media library.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: FileProviderPresence
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows a File Provider application to know when the user is using files
+ managed by the File Provider.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: ListenEvent
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to use CoreGraphics and HID APIs to listen to
+ (receive) CGEvents and HID events from all processes. Access to these events
+ cannot be given in a profile; it can only be denied.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: ScreenCapture
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to capture (read) the contents of the system display.
+ Access to the contents cannot be given in a profile; it can only be denied.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SpeechRecognition
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to use the system Speech Recognition facility
+ and to send speech data to Apple.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyDesktopFolder
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access files in the user's Desktop folder.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyDocumentsFolder
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access files in the user's Documents folder.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyDownloadsFolder
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access files in the user's Downloads folder.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyNetworkVolumes
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access files on network volumes.
+ subkeytype: Identity
+ subkeys: *id001
+ - key: SystemPolicyRemovableVolumes
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: Allows the application to access files on removable volumes.
+ subkeytype: Identity
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.airplay.security.yaml b/mdm/profiles/com.apple.airplay.security.yaml
new file mode 100644
index 0000000..1268292
--- /dev/null
+++ b/mdm/profiles/com.apple.airplay.security.yaml
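Review bot: `Allowed` (first hunk of this file) is `presence: required`, but the `Authorization` text in the second hunk says every payload must specify either `Authorization` or `Allowed` and not both, so one of the two statements is wrong; if the text is right, `Allowed` should be `presence: optional` with a sentence pointing at `Authorization`. Two typos sit in the same dictionary: `'Deny': Equivalent to a f'alse' value` should read `'false'`, and the `CodeRequirement` content `Obtained via the command ''codesign –display -r -''.` is a plain scalar, so the doubled quotes render literally and the en dash is not the flag; `content: Obtained via the command 'codesign --display -r -'.` is what a reader can actually use. The remaining hunks of this file only alias `*id001`, so fixing the anchor once fixes every service.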
@@ -0,0 +1,46 @@
+title: AirPlay Security
+description: AirPlay Security settings
+payload:
+ payloadtype: com.apple.airplay.security
+ supportedOS:
+ tvOS:
+ introduced: '11.0'
+ supervised: false
+ allowmanualinstall: true
+ content: Manages the AirPlay Security settings on Apple TV (Settings > AirPlay >
+ Security). Use this payload to lock Apple TV to a particular style of AirPlay
+ security. The setting can enable/disable an on-screen passcode, or require a specific
+ password phrase.
+payloadkeys:
+- key: SecurityType
+ title: Security Type
+ type:
+ presence: required
+ rangelist:
+ - PASSCODE_ONCE
+ - PASSCODE_ALWAYS
+ - PASSWORD
+ content: |-
+ The security policy for AirPlay.
+ 'PASSCODE_ONCE' requires an onscreen passcode on first connection from a device. Subsequent connections from the same device aren't prompted.
+ 'PASSCODE_ALWAYS' requires an onscreen passcode for every AirPlay connection. After an AirPlay connection ends, reconnecting within 30 seconds is allowed without a password.
+
+ 'PASSWORD' requires a passphrase as specified in the 'Password' key.
+
+ 'NONE' was deprecated in tvOS 11.3. Existing profiles using 'NONE' get the 'PASSWORD_ONCE' behavior.
+- key: AccessType
+ title: Access Type
+ type:
+ presence: required
+ rangelist:
+ - ANY
+ - WIFI_ONLY
+ content: |-
+ The access policy for AirPlay.
+ 'ANY' allows connections from both Ethernet/WiFi and Apple Wireless Direct Link.
+ 'WIFI_ONLY' allows connections only from devices on the same Ethernet/WiFi network as Apple TV.
+- key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The AirPlay password; required if SecurityType is 'PASSWORD'.
diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml
new file mode 100644
index 0000000..2bbf642
--- /dev/null
+++ b/mdm/profiles/com.apple.airplay.yaml
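Review bot: The `SecurityType` content says profiles using `'NONE'` get the `'PASSWORD_ONCE'` behavior, but no such value exists in the `rangelist` (`PASSCODE_ONCE`, `PASSCODE_ALWAYS`, `PASSWORD`); presumably `'PASSCODE_ONCE'` is meant, and the slip matters because this sentence is the only place that tells an administrator what a deprecated profile falls back to. The `PASSCODE_ALWAYS` sentence also says reconnecting within 30 seconds is allowed `without a password` although that mode is passcode-based; `without a passcode` reads consistently with the rest of the block.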
@@ -0,0 +1,115 @@
+title: AirPlay
+description: AirPlay settings
+payload:
+ payloadtype: com.apple.airplay
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.10'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: macOS supports more than one payload, iOS does not. Supported on the user
+ channel for macOS only.
+payloadkeys:
+- key: AllowList
+ title: AllowList
+ supportedOS:
+ iOS:
+ introduced: '14.5'
+ supervised: true
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '11.3'
+ userenrollment:
+ mode: ignored
+ type:
+ presence: optional
+ content: If present, only AirPlay destinations in this list are available to the
+ device. This allow list applies to supervised devices.
+ subkeys: &id001
+ - key: AllowListItem
+ title: AllowList Content Item
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: true
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.10'
+ userenrollment:
+ mode: ignored
+ type:
+ presence: required
+ subkeys:
+ - key: DeviceID
+ title: Device ID
+ type:
+ presence: required
+ format: ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$
+ content: The device ID of the AirPlay destination in the format 'xx:xx:xx:xx:xx:xx'.
+ This field isn't case-sensitive.
+- key: Passwords
+ title: Passwords
+ type:
+ presence: optional
+ content: |-
+ If present, sets passwords for known AirPlay destinations.
+ Using multiple entries for the same destination, whether within the same payload or across multiple installed payloads, is an error and results in undefined behavior.
+ subkeys:
+ - key: PasswordsItem
+ title: Password Content Item
+ type:
+ presence: required
+ subkeys:
+ - key: DeviceName
+ title: Device Name
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The name of the AirPlay destination; used in iOS.
+ - key: Password
+ title: Password
+ type:
+ presence: required
+ content: The password for the AirPlay destination.
+ - key: DeviceID
+ supportedOS:
+ iOS:
+ introduced: n/a
+ type:
+ presence: required
+ content: The device ID of the AirPlay destination; used in macOS.
+- key: Whitelist
+ title: Whitelist
+ supportedOS:
+ iOS:
+ deprecated: '14.5'
+ supervised: true
+ userenrollment:
+ mode: forbidden
+ macOS:
+ deprecated: '11.3'
+ userenrollment:
+ mode: ignored
+ type:
+ presence: optional
+ content: Use 'AllowList' instead. As of macOS 11.3 and iOS 14.5 this key is deprecated.
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml
new file mode 100644
index 0000000..b5be55b
--- /dev/null
+++ b/mdm/profiles/com.apple.airprint.yaml
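Review bot: `DeviceID` under `Passwords` > `PasswordsItem` has no `format:` and no `title:`, while the `DeviceID` under `AllowList` > `AllowListItem` in the first hunk carries `format: ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$` and `title: Device ID`; the same regex here would validate the identifier that a stored password is bound to. Separately, the shared `&id001` anchor gives `AllowListItem` `iOS: introduced: '7.0'` under an `AllowList` key introduced in 14.5, which looks inherited from the deprecated `Whitelist` key that also aliases it; confirm that is intended, otherwise the item-level `supportedOS` is misleading for the new key.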
@@ -0,0 +1,82 @@
+title: AirPrint
+description: Use this section to define settings for AirPrint.
+payload:
+ payloadtype: com.apple.airprint
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.10'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: AirPrint
+ title: Air print
+ type:
+ presence: required
+ content: An array of AirPrint printers that are presented to the user.
+ subkeys:
+ - key: AirPrintItem
+ title: Identifier
+ type:
+ subkeys:
+ - key: IPAddress
+ title: IP Address
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: required
+ content: The IP address or hostname of the AirPrint destination.
+ - key: ResourcePath
+ title: Resource Path
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: required
+ content: |-
+ The resource path associated with the printer. This path corresponds to the 'rp' parameter of the '_ipps.tcp' Bonjour record. For example:
+ * 'printers/Canon_MG5300_series'
+ * 'printers/Xerox_Phaser_7600'
+ * 'ipp/print'
+ * 'Epson_IPP_Printer'
+ - key: Port
+ title: Port Number
+ supportedOS:
+ iOS:
+ introduced: '11.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ range:
+ min: 0
+ max: 65535
+ content: The listening port of the AirPrint destination. Available only in iOS
+ 11 and later.
+ - key: ForceTLS
+ title: Force TLS
+ supportedOS:
+ iOS:
+ introduced: '11.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', AirPrint connections are secured by Transport Layer Security
+ (TLS). Available only in iOS 11 and later.
diff --git a/mdm/profiles/com.apple.apn.managed.yaml b/mdm/profiles/com.apple.apn.managed.yaml
new file mode 100644
index 0000000..2035833
--- /dev/null
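Review bot: `ForceTLS` defaults to `false` and its content describes only the `true` case, so the default (no TLS requirement on the AirPrint connection) is never stated where an administrator reading the key would look; suggest `content: If 'true', AirPrint connections are secured by Transport Layer Security (TLS); if 'false' (the default), TLS isn't required. Available only in iOS 11 and later.` `Port` allows `min: 0`, which is not a usable destination port; `min: 1` is more accurate unless the schema deliberately mirrors the raw integer range. Minor: `title: Air print` on the `AirPrint` key doesn't match the product name used everywhere else in the file.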
+++ b/mdm/profiles/com.apple.apn.managed.yaml
@@ -0,0 +1,64 @@
+title: APN
+description: ''
+payload:
+ payloadtype: com.apple.apn.managed
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ deprecated: '7.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ content: |-
+ Not supported in macOS.
+ This technically does install on watchOS but we are removing the supportedOS dictionary. The cellular payload should be used instead.
+ Only applies to the preferred data SIM.
+ Deprecated. Use Cellular instead.
+payloadkeys:
+- key: DefaultsData
+ type:
+ presence: required
+ content: The list of access point names (APNs).
+ subkeys:
+ - key: apns
+ type:
+ presence: required
+ content: An array of APN dictionaries (`APN.DefaultsData.Apns`).
+ subkeys:
+ - key: apnsItem
+ type:
+ subkeys:
+ - key: apn
+ type:
+ presence: required
+ content: This string specifies the Access Point Name.
+ - key: username
+ type:
+ presence: optional
+ content: This string specifies the user name for this APN. If it is missing,
+ the device prompts for it during profile installation.
+ - key: password
+ type:
+ presence: optional
+ content: This data represents the password for the user for this APN. For
+ obfuscation purposes, the password is encoded. If it is missing from the
+ payload, the device prompts for the password during profile installation.
+ - key: proxy
+ type:
+ presence: optional
+ content: The IP address or URL of the APN proxy.
+ - key: proxyPort
+ type:
+ presence: optional
+ content: The port number of the APN proxy.
+- key: DefaultsDomainName
+ type:
+ presence: required
+ rangelist:
+ - com.apple.managedCarrier
+ content: The domain name.
diff --git a/mdm/profiles/com.apple.app.lock.yaml b/mdm/profiles/com.apple.app.lock.yaml
new file mode 100644
index 0000000..a05eeaf
--- /dev/null
+++ b/mdm/profiles/com.apple.app.lock.yaml
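Review bot: The payload `content` block contains `This technically does install on watchOS but we are removing the supportedOS dictionary.`, which reads as an author's working note rather than documentation for the published schema; replace it with the intent, e.g. `watchOS isn't listed under supportedOS; use the Cellular payload instead.` The `password` content says the value is encoded `For obfuscation purposes`; saying plainly that this is an encoding and not encryption keeps readers from treating a profile that carries it as safe to store or share in the clear. `apns` also wraps `APN.DefaultsData.Apns` in backticks where the rest of the commit quotes names with single quotes.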
@@ -0,0 +1,194 @@
+title: App Lock
+description: App Lock (Supervised Only)
+payload:
+ payloadtype: com.apple.app.lock
+ supportedOS:
+ iOS:
+ introduced: '6.0'
+ supervised: true
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: '10.2'
+ supervised: true
+ allowmanualinstall: true
+payloadkeys:
+- key: App
+ title: App
+ type:
+ presence: required
+ content: A dictionary that contains information about the app.
+ subkeys:
+ - key: Identifier
+ title: Identifier
+ type:
+ presence: required
+ content: The app's bundle identifier.
+ - key: Options
+ title: Options
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: optional
+ content: A dictionary of options that the user cannot change.
+ subkeys:
+ - key: DisableTouch
+ title: Disable Touch
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the touch screen. In tvOS, it disables the touch
+ surface on the Apple TV Remote.
+ - key: DisableDeviceRotation
+ title: Disable Device Rotation
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables device rotation sensing.
+ - key: DisableVolumeButtons
+ title: Disable Volume Buttons
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the volume buttons.
+ - key: DisableRingerSwitch
+ title: Disable Ringer Switch
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the ringer switch. When disabled, the ringer behavior
+ depends on what position the switch was in when it was first disabled.
+ - key: DisableSleepWakeButton
+ title: Disable Sleep Wake Button
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the sleep/wake button.
+ - key: DisableAutoLock
+ title: Disable Auto Lock
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the device doesn't automatically go to sleep after an idle
+ period.
+ - key: EnableVoiceOver
+ title: Enable Voice Over
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables VoiceOver.
+ - key: EnableZoom
+ title: Enable Zoom
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Zoom.
+ - key: EnableInvertColors
+ title: Enable Invert Colors
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Invert Colors.
+ - key: EnableAssistiveTouch
+ title: Enable Assistive Touch
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables AssistiveTouch.
+ - key: EnableSpeakSelection
+ title: Enable Speak Selection
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Speak Selection.
+ - key: EnableMonoAudio
+ title: Enable Mono Audio
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Mono Audio.
+ - key: EnableVoiceControl
+ title: Enable Voice Control
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Voice Control.
+ - key: UserEnabledOptions
+ title: User Enabled Options
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: optional
+ content: A dictionary of user-editable options.
+ subkeys:
+ - key: VoiceControl
+ title: Voice Control
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to toggle Voice Control.
+ - key: VoiceOver
+ title: Voice Over
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to toggle VoiceOver.
+ - key: Zoom
+ title: Zoom
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to toggle Zoom.
+ - key: InvertColors
+ title: Invert Colors
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to toggle Invert Colors.
+ - key: AssistiveTouch
+ title: Assistive Touch
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows the user to toggle AssistiveTouch.
diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml
new file mode 100644
index 0000000..b967289
--- /dev/null
+++ b/mdm/profiles/com.apple.applicationaccess.new.yaml
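Review bot: `DisableAutoLock`, `EnableVoiceOver`, `EnableZoom` and `EnableInvertColors` in the second hunk, and `VoiceOver`, `Zoom` and `InvertColors` under `UserEnabledOptions`, carry no `tvOS: introduced: n/a` while their siblings (`DisableDeviceRotation`, `EnableAssistiveTouch`, `AssistiveTouch` and the rest) do, so as written the schema says these options apply on Apple TV. If that is intended, a `content` sentence like the one on `DisableTouch` (`In tvOS, it disables …`) would make it explicit; if it isn't, the `supportedOS` block is simply missing on those seven keys.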
@@ -0,0 +1,91 @@
+title: 'Parental Controls: Application Restrictions'
+description: ''
+payload:
+ payloadtype: com.apple.applicationaccess.new
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: |-
+ Parental controls application restrictions.
+ Order of evaluation:
+ (1) Certain system applications and utilities are always allowed to run
+ (2) The "whiteList" is searched to see if a matching entry is found by bundleID. If a match is found, the "appID" and "detachedSignature"
+ (if present) are used to verify the signature of the application being launched. If the signature is valid and matches the designated
+ requirement (in the "appID" key), the application is allowed to launch.
+ (3) (deprecated) If the path to the binary being launched matches (or is in a subdirectory) of a path in "pathBlackList", the binary is denied.
+ (4) (deprecated) If the path to the binary being launched matches (or is a subdirectory) of a path in "pathWhiteList", the binary is allowed to launch.
+ (5) The binary is denied permission to launch.
+payloadkeys:
+- key: familyControlsEnabled
+ type:
+ presence: required
+ content: If 'true', enables app access restrictions.
+- key: whiteList
+ type:
+ presence: optional
+ content: The allow list of app item dictionaries.
+ subkeytype: ApplicationItem
+ subkeys: &id001
+ - key: whiteListItem
+ type:
+ subkeys:
+ - key: bundleID
+ type:
+ presence: required
+ content: The bundle ID of the app.
+ - key: appID
+ type:
+ presence: required
+ content: The identifier of the app.
+ - key: detachedSignature
+ type:
+ presence: optional
+ content: The signature for an unsigned binary.
+ - key: disabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', this app is not added to the allow list.
+ - key: subApps
+ type:
+ presence: optional
+ content: An array of nested helper applications.
+ subkeytype: ApplicationItem
+ subkeys: *id001
+ - key: displayName
+ type:
+ presence: optional
+ content: The name used for display purposes.
+- key: pathBlackList
+ supportedOS:
+ macOS:
+ deprecated: '10.15'
+ type:
+ presence: optional
+ content: The paths to apps in the deny list. This property is deprecated in macOS
+ 10.15 and later.
+ subkeys:
+ - key: pathBlackListItem
+ type:
+ presence: required
+ content: A path.
+- key: pathWhiteList
+ supportedOS:
+ macOS:
+ deprecated: '10.15'
+ type:
+ presence: optional
+ content: The paths to apps in the allow list. This property is deprecated in macOS
+ 10.15 and later.
+ subkeys:
+ - key: pathWhiteListItem
+ type:
+ presence: required
+ content: A path.
diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml
new file mode 100644
index 0000000..d5a126d
--- /dev/null
+++ b/mdm/profiles/com.apple.applicationaccess.yaml
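Review bot: `appID` is documented as `The identifier of the app.` (first hunk), but the payload description in that same hunk says the `appID` key holds the designated requirement against which the launched binary's signature is verified, with `detachedSignature` used when present; a reader who puts a bundle ID there would presumably get an entry that never matches. Suggest `content: The designated requirement the app's code signature must satisfy before it's allowed to launch.` Separately, `subApps` aliases `*id001`, the anchor on the enclosing `whiteList` `subkeys:`, so the loaded document is self-referential; a consumer that walks `subkeys` recursively or dumps the tree to JSON won't terminate unless it handles cycles, so confirm the schema tooling tolerates this or spell out the `subApps` item explicitly.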
@@ -0,0 +1,2685 @@ +title: Restrictions +description: Use this section to define restrictions settings +payload: + payloadtype: com.apple.applicationaccess + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '6.1' + supervised: false + allowmanualinstall: true +payloadkeys: +- key: allowAccountModification + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables account modification. Requires a supervised device. + Available in iOS 7 and later. +- key: allowActivityContinuation + title: Allow Handoff + supportedOS: + iOS: + introduced: '8.0' + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables activity continuation. Available in iOS 8 and later, + and macOS 10.15 and later. +- key: allowAddingGameCenterFriends + title: Allow Adding Game Center Friends + supportedOS: + iOS: + introduced: 4.2.1 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits adding friends to Game Center. As of iOS 13, requires + a supervised device. Available in iOS 4.2.1 and later, and macOS 10.13 and later. 
+- key: allowAirDrop + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables AirDrop. Requires a supervised device. Available in + iOS 7 and later, and macOS 10.13 and later. +- key: allowAirPlayIncomingRequests + title: Allow incoming AirPlay requests + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '10.2' + supervised: true + type: + presence: optional + default: true + content: If 'false', disables incoming AirPlay requests. Requires a supervised device. + Available in tvOS 10.2 and later. +- key: allowAirPrint + title: Allow AirPrint + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables AirPrint. Requires a supervised device. Available + in iOS 11 and later. +- key: allowAirPrintCredentialsStorage + title: Allow storage of AirPrint credentials in Keychain + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables keychain storage of user name and password for AirPrint. + Requires a supervised device. Available in iOS 11 and later. +- key: allowAirPrintiBeaconDiscovery + title: Allow discovery of AirPrint printers using iBeacons + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iBeacon discovery of AirPrint printers, which prevents + spurious AirPrint Bluetooth beacons from phishing for network traffic. 
Requires + a supervised device. Available in iOS 11 and later. +- key: allowAppCellularDataModification + title: Allow Modifying Cellular Data Usage for Apps Settings + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables changing settings for cellular data usage for apps. + Requires a supervised device. Available in iOS 7 and later. +- key: allowAppClips + title: Allow App Clips + supportedOS: + iOS: + introduced: '14.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents a user from adding any App Clips, and removes any + existing App Clips on the device. Requires a supervised device. Available in iOS + 14.0 and later. +- key: allowAppInstallation + title: Allow App Installation from Apple Configurator and iTunes + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the App Store, and its icon is removed from the Home + screen. Users are unable to install or update their apps. In iOS 10 and later, + MDM commands can override this restriction. As of iOS 13, this restriction requires + a supervised device. Available in iOS 4 and later. +- key: allowApplePersonalizedAdvertising + supportedOS: + iOS: + introduced: '14.0' + userenrollment: + mode: forbidden + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', limits Apple personalized advertising. Available in iOS 14 + and later. 
+- key: allowAppRemoval + title: Allow App Removal + supportedOS: + iOS: + introduced: 4.2.1 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables removal of apps from an iOS device. Requires a supervised + device. Available in iOS 4.2.1 and later. +- key: allowAssistant + title: Allow Siri + supportedOS: + iOS: + introduced: '5.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Siri. Available in iOS 5 and later. Also available + for user enrollment. +- key: allowAssistantUserGeneratedContent + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents Siri from querying user-generated content from the + web. Requires a supervised device. Available in iOS 7 and later. +- key: allowAssistantWhileLocked + title: Allow Siri While Locked + supportedOS: + iOS: + introduced: '5.1' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Siri when the device is locked. This restriction is + ignored if the device doesn't have a passcode set. Available in iOS 5.1 and later. + Also available for user enrollment. +- key: allowAutoCorrection + title: Allow Auto Correction + supportedOS: + iOS: + introduced: 8.1.3 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables keyboard autocorrection. Requires a supervised device. + Available in iOS 8.1.3 and later. 
+- key: allowAutomaticAppDownloads + title: Allow Automatic App Downloads + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents automatic downloading of apps purchased on other devices. + This setting doesn't affect updates to existing apps. Requires a supervised device. + Available in iOS 9 and later. +- key: allowAutoUnlock + supportedOS: + iOS: + introduced: '14.5' + userenrollment: + mode: forbidden + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disallows auto unlock. Available in macOS 10.12 and later, + and iOS 14.5 and later. +- key: allowBluetoothModification + title: Allow modifying Bluetooth settings + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents modification of Bluetooth settings. Requires a supervised + device. Available in iOS 11 and later. +- key: allowBookstore + title: Allow Bookstore + supportedOS: + iOS: + introduced: '6.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', removes the Book Store tab from the Books app. Requires a supervised + device. Available in iOS 6 and later. +- key: allowBookstoreErotica + title: Allow Bookstore Erotica + supportedOS: + iOS: + introduced: '6.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + default: true + content: If 'false', the user can't download Apple Books media that is tagged as + erotica. Available in iOS 6 and later, and tvOS 11.3 and later. 
+- key: allowCamera + title: Allow Camera Use + supportedOS: + iOS: + introduced: '4.0' + supervised: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the camera, and its icon is removed from the Home + screen. Users are unable to take photographs. This restriction is deprecated on + unsupervised devices and will be supervised only in a future release. Available + in iOS 4 and later, and macOS 10.11 and later. +- key: allowCellularPlanModification + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', users can't change any settings related to their cellular plan. + Requires a supervised device. Available in iOS 11 and later. +- key: allowChat + title: Allow use of iMessage + supportedOS: + iOS: + introduced: '5.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the use of the iMessage with supervised devices. If + the device supports text messaging, the user can still send and receive text messages. + Requires a supervised device. Available in iOS 5 and later. +- key: allowCloudAddressBook + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Address Book services. Available in macOS 10.12 + and later. 
+- key: allowCloudBackup + title: Allow iCloud Backup + supportedOS: + iOS: + introduced: '5.0' + supervised: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables backing up the device to iCloud. This restriction + is deprecated on unsupervised devices and will be supervised only in a future + release. Available in iOS 5 and later. +- key: allowCloudBookmarks + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Bookmark sync. Available in macOS 10.12 and + later. +- key: allowCloudCalendar + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Calendar services. Available in macOS 10.12 + and later. +- key: allowCloudDesktopAndDocuments + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: 10.12.4 + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables cloud desktop and document services. Available in + macOS 10.12.4 and later. +- key: allowCloudDocumentSync + title: Allow iCloud Document Sync + supportedOS: + iOS: + introduced: '5.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables document and key-value syncing to iCloud. As of iOS + 13, this restriction requires a supervised device. Available in iOS 5 and later, + and macOS 10.11 and later. 
+- key: allowCloudKeychainSync + supportedOS: + iOS: + introduced: '7.0' + supervised: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud keychain synchronization. This restriction + is deprecated on unsupervised devices and will be supervised only in a future + release. Available in iOS 7 and later and macOS 10.12 and later. +- key: allowCloudMail + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Mail services. Available in macOS 10.12 and + later. +- key: allowCloudNotes + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Notes services. Available in macOS 10.12 and + later. +- key: allowCloudPhotoLibrary + title: Allow iCloud Photo Library + supportedOS: + iOS: + introduced: '9.0' + userenrollment: + mode: forbidden + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Photo Library. Any photos not fully downloaded + from iCloud Photo Library to the device are removed from local storage. Available + in iOS 9 and later, and macOS 10.12 and later. +- key: allowCloudPrivateRelay + supportedOS: + iOS: + introduced: '15.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Private Relay. For iOS devices, this restriction + requires a supervised device. 
Available in macOS 12 and later, and iOS 15 and + later. +- key: allowCloudReminders + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iCloud Reminder services. Available in macOS 10.12 + and later. +- key: allowContentCaching + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables content caching. As of 10.13.4 this is included in + the content caching payload. Available in macOS 10.13 and later. +- key: allowContinuousPathKeyboard + title: Allow Continuous Path Keyboard + supportedOS: + iOS: + introduced: '13.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables QuickPath keyboard. Requires a supervised device. + Available in iOS 13 and later. +- key: allowDefinitionLookup + title: Allow Define + supportedOS: + iOS: + introduced: 8.1.3 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables definition lookup. Requires a supervised device on + iOS. Available in iOS 8.1.3 and later and macOS 10.11 and later. +- key: allowDeviceNameModification + title: Allow Modifying Device Name + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.0' + supervised: true + type: + presence: optional + default: true + content: If 'false', prevents the user from changing the device name. Requires a + supervised device. Available in iOS 9 and later, and tvOS 11.0 and later. 
+- key: allowDeviceSleep + title: Allow Device Sleep + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '13.0' + supervised: true + type: + presence: optional + default: true + content: If 'false', prevents device from automatically sleeping. Requires a supervised + device. Available in tvOS 13 and later. +- key: allowDiagnosticSubmission + title: Allow diagnostic submission + supportedOS: + iOS: + introduced: '6.0' + macOS: + introduced: '10.13' + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents the device from automatically submitting diagnostic + reports to Apple. Available in iOS 6 and later, and macOS 10.13 and later. Also + available for user enrollment. +- key: allowDiagnosticSubmissionModification + title: Allow modifying diagnostics settings + supportedOS: + iOS: + introduced: 9.3.2 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables changing the diagnostic submission and app analytics + settings in the Diagnostics & Usage UI in Settings. Requires a supervised device. + Available in iOS 9.3.2 and later. +- key: allowDictation + title: Allow dictation + supportedOS: + iOS: + introduced: '10.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disallows dictation input. Requires a supervised device. Available + in iOS 10.3 and later, and macOS 10.13 and later. 
+- key: allowEnablingRestrictions + title: Allow Configuring Restrictions or ScreenTime + supportedOS: + iOS: + introduced: '8.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disables the 'Enable Restrictions' option in the Restrictions UI in Settings. + In iOS 12 or later, if 'false', disables the 'Enable ScreenTime' option in the ScreenTime UI in Settings and disables ScreenTime if already enabled. Requires a supervised device. Available in iOS 8 and later. +- key: allowEnterpriseAppTrust + title: Allow Trusting Enterprise Apps + supportedOS: + iOS: + introduced: '9.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', removes the Trust Enterprise Developer button in Settings > + General > Profiles & Device Management, preventing apps from being provisioned + by universal provisioning profiles. This restriction applies to free developer + accounts. However, it doesn't apply to enterprise app developers who are trusted + because their apps were pushed through MDM. It also doesn't revoke previously + granted trust. Available in iOS 9 and later. +- key: allowEnterpriseBookBackup + title: Allow Enterprise Books Backup + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables backup of Enterprise books. Available in iOS 8 and + later. Also available for user enrollment. +- key: allowEnterpriseBookMetadataSync + title: Allow Enterprise Books Notes and Highlights Sync + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables sync of Enterprise books, notes, and highlights. Available + in iOS 8 and later. 
Also available for user enrollment. +- key: allowEraseContentAndSettings + title: Allow Erase All Content and Settings + supportedOS: + iOS: + introduced: '8.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the Erase All Content And Settings option in the Reset + UI. Requires a supervised device. Available in iOS 8 and later, and macOS 12 and + later. +- key: allowESIMModification + title: Allow eSIM Modification + supportedOS: + iOS: + introduced: '12.1' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables modifications to carrier plan related settings (only + available on select carriers). Requires a supervised device. Available in iOS + 11 and later. +- key: allowExplicitContent + title: Allow Explicit Content + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + default: true + content: If 'false', hides explicit music or video content purchased from the iTunes + Store. Explicit content is marked as such by content providers, such as record + labels, when sold through the iTunes Store. As of iOS 13, requires a supervised + device. Available in iOS 4 and later, and tvOS 11.3 and later. +- key: allowFilesNetworkDriveAccess + supportedOS: + iOS: + introduced: '13.1' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents connecting to network drives in the Files app. Requires + a supervised device. Available in iOS 13.1 and later. 
+- key: allowFilesUSBDriveAccess + supportedOS: + iOS: + introduced: '13.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents connecting to any connected USB devices in the Files + app. Requires a supervised device. Available in iOS 13.1 and later. +- key: allowFindMyDevice + supportedOS: + iOS: + introduced: '13.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Find My Device in the Find My app. Requires a supervised + device. Available in iOS 13 and later. +- key: allowFindMyFriends + supportedOS: + iOS: + introduced: '13.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Find My Friends in the Find My app. Requires a supervised + device. Available in iOS 13 and later. +- key: allowFindMyFriendsModification + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables changes to Find My Friends. Requires a supervised + device. Available in iOS 7 and later. +- key: allowFingerprintForUnlock + title: Allow Touch ID to Unlock Device + supportedOS: + iOS: + introduced: '7.0' + userenrollment: + mode: forbidden + macOS: + introduced: 10.12.4 + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents Touch ID or Face ID from unlocking a device. Available + in iOS 7 and later, and macOS 10.12.4 and later. 
+- key: allowFingerprintModification + title: Allow Modifying Touch ID Fingerprints + supportedOS: + iOS: + introduced: '8.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents the user from modifying Touch ID or Face ID. Requires + a supervised device. Available in iOS 8.3 and later. +- key: allowGameCenter + title: Allow Game Center + supportedOS: + iOS: + introduced: '6.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Game Center, and its icon is removed from the Home + screen. Requires a supervised device. Available in iOS 6 and later, and macOS + 10.13 and later. +- key: allowGlobalBackgroundFetchWhenRoaming + title: Allow Automatic Sync While Roaming + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables global background fetch activity when an iOS phone + is roaming. Available in iOS 4 and later. +- key: allowHostPairing + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables host pairing with the exception of the supervision + host. If no supervision host certificate has been configured, all pairing is disabled. + Host pairing lets the administrator control if an iOS device can pair with a host + Mac or PC. Requires a supervised device. Available in iOS 7 and later. 
+- key: allowInAppPurchases + title: Allow In App Purchases + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits in-app purchasing. Available in iOS 4 and later. +- key: allowiTunes + title: Allow use of iTunes + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disables the iTunes Music Store, and its icon is removed from the Home screen. Users cannot preview, purchase, or download content. + As of iOS 13, requires a supervised device. Available in iOS 4 and later. +- key: allowiTunesFileSharing + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables iTunes file sharing services. Available in macOS 10.13 + and later. +- key: allowKeyboardShortcuts + title: Allow Keyboard Shortcuts + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables keyboard shortcuts. Requires a supervised device. + Available in iOS 9 and later. +- key: allowListedAppBundleIDs + title: Allow Listed Apps + supportedOS: + iOS: + introduced: '15.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '15.0' + supervised: true + type: + presence: optional + content: If present, this property allows only bundle IDs listed in the array to + be shown or launchable. Include the value 'com.apple.webapp' to allow all webclips. + Requires a supervised device. 
Available in iOS 9.3 and later, and tvOS 11.0 and + later. + subkeys: + - key: appAllowlistedBundleID + title: Allow Listed App + type: +- key: allowLockScreenControlCenter + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents Control Center from appearing on the Lock screen. + Available in iOS 7 and later. Also available for user enrollment. +- key: allowLockScreenNotificationsView + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the Notifications history view on the lock screen, + so users can't view past notifications. However, they can still see notifications + when they arrive. Available in iOS 7 and later. Also available for user enrollment. +- key: allowLockScreenTodayView + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the Today view in Notification Center on the lock + screen. Available in iOS 7 and later. Also available for user enrollment. +- key: allowManagedAppsCloudSync + title: Allow iCloud Sync for Managed Apps + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents managed apps from using iCloud sync. Available in + iOS 8 and later. Also available for user enrollment. +- key: allowManagedToWriteUnmanagedContacts + title: Allow managed apps to write to managed contacts accounts + supportedOS: + iOS: + introduced: '12.0' + allowmanualinstall: false + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', managed apps can write contacts to unmanaged contacts accounts. 
+ If 'allowOpenFromManagedToUnmanaged' is 'true', this restriction has no effect. + If this restriction is set to 'true', you must install the payload through MDM. + Available in iOS 12 and later. +- key: allowMultiplayerGaming + title: Allow Multiplayer Gaming + supportedOS: + iOS: + introduced: '4.1' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits multiplayer gaming. Requires a supervised device. + Available in iOS 4.1 and later, and macOS 10.13 and later. +- key: allowMusicService + title: Allow Apple Music + supportedOS: + iOS: + introduced: '9.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.12' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the Music service, and the Music app reverts to classic + mode. Requires a supervised device. Available in iOS 9.3 and later, and macOS + 10.12 and later. +- key: allowNews + title: Allow use of News + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables News. Requires a supervised device. Available in iOS + 9 and later. +- key: allowNFC + supportedOS: + iOS: + introduced: '14.2' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables NFC. Requires a supervised device. Available in iOS + 14.2 and later. 
+- key: allowNotificationsModification + title: Allow Modifying Notifications Settings + supportedOS: + iOS: + introduced: '9.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables modification of notification settings. Requires a + supervised device. Available in iOS 9.3 and later. +- key: allowOpenFromManagedToUnmanaged + title: Enable allow open from managed to unmanaged + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', documents in managed apps and accounts only open in other managed + apps and accounts. Available in iOS 7 and later. Also available for user enrollment. +- key: allowOpenFromUnmanagedToManaged + title: Enable allow open from unmanaged to managed + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', documents in unmanaged apps and accounts only open in other + unmanaged apps and accounts. Available in iOS 7 and later. Also available for + user enrollment. +- key: allowOTAPKIUpdates + supportedOS: + iOS: + introduced: '7.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables over-the-air PKI updates. Setting this restriction + to 'false' doesn't disable CRL and OCSP checks. Available in iOS 7 and later. +- key: allowPairedWatch + title: Allow Pairing With Apple Watch + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables pairing with an Apple Watch. 
Any currently paired + Apple Watch is unpaired and the watch's content is erased. Requires a supervised + device. Available in iOS 9 and later. +- key: allowPassbookWhileLocked + title: Allow Wallet While Locked + supportedOS: + iOS: + introduced: '6.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', hides Passbook notifications from the lock screen. Available + in iOS 6 and later. +- key: allowPasscodeModification + title: Allow Modifying Passcode + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', prevents the device passcode from being added, changed, or removed. + This restriction is ignored by Shared iPads. Requires a supervised device. Available in iOS 9 and later, and macOS 10.13 and later. +- key: allowPasswordAutoFill + supportedOS: + iOS: + introduced: '12.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.14' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disables the AutoFill Passwords feature in iOS (with Keychain and third-party password managers) and the user isn't prompted to use a saved password in Safari or in apps. + This restriction also disables Automatic Strong Passwords, and strong passwords are no longer suggested to users. + It does not prevent AutoFill for contact info and credit cards in Safari. + Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and later. 
+- key: allowPasswordProximityRequests + supportedOS: + iOS: + introduced: '12.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.14' + userenrollment: + mode: forbidden + tvOS: + introduced: '12.0' + supervised: true + type: + presence: optional + default: true + content: If 'false', disables requesting passwords from nearby devices. Requires + a supervised device. Available in iOS 12 and later, macOS 10.14 and later, and + tvOS 12 and later. +- key: allowPasswordSharing + supportedOS: + iOS: + introduced: '12.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.14' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables sharing passwords with the Airdrop Passwords feature. + Requires a supervised device. Available in iOS 12 and later, and macOS 10.14 and + later. +- key: allowPersonalHotspotModification + title: Allow modifying Personal Hotspot settings + supportedOS: + iOS: + introduced: '12.2' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables modifications of the personal hotspot setting. Requires + a supervised device. Available in iOS 12.2 and later. +- key: allowPhotoStream + title: Allow Photo Stream + supportedOS: + iOS: + introduced: '5.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Photo Stream. Available in iOS 5 and later. +- key: allowPodcasts + supportedOS: + iOS: + introduced: '8.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables podcasts. Requires a supervised device. Available + in iOS 8 and later. 
+- key: allowPredictiveKeyboard + title: Allow Predictive Keyboard + supportedOS: + iOS: + introduced: 8.1.3 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables predictive keyboards. Requires a supervised device. + Available in iOS 8.1.3 and later. +- key: allowProximitySetupToNewDevice + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the prompt to set up new devices that are nearby. + Requires a supervised device. Available in iOS 11 and later. +- key: allowRadioService + title: Allow iTunes Radio + supportedOS: + iOS: + introduced: '9.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Apple Music Radio. Requires a supervised device. Available + in iOS 9.3 and later. +- key: allowRemoteAppPairing + title: Allow pairing with Remote app + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '10.2' + supervised: true + type: + presence: optional + default: true + content: If 'false', disables pairing Apple TV for use with the Remote app or Control + Center widget. Requires a supervised device. Available in tvOS 10.2 and later. +- key: allowRemoteScreenObservation + title: Allow Remote Screen Observation + supportedOS: + iOS: + introduced: '9.3' + macOS: + introduced: 10.14.4 + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables remote screen observation by the Classroom app. Nest + this key beneath 'allowScreenShot' as a subrestriction. If 'allowScreenShot' is + set to 'false', the Classroom app doesn't observe remote screens. 
Required a supervised + device until iOS 13 and macOS 10.15. Available in iOS 12 and later, and macOS + 10.14.4 and later. +- key: allowSafari + title: Allow use of Safari + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the Safari web browser app, and its icon is removed + from the Home screen. This setting also prevents users from opening web clips. + As of iOS 13, requires a supervised device. Available in iOS 4 and later. +- key: allowScreenShot + title: Allow Screenshots and Screen Recording + supportedOS: + iOS: + introduced: '3.1' + macOS: + introduced: 10.14.4 + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables saving a screenshot of the display and capturing a + screen recording. It also disables the Classroom app from observing remote screens. + Available in iOS 4 and later, and macOS 10.14.4 and later. Also available for + user enrollment. +- key: allowSharedDeviceTemporarySession + supportedOS: + iOS: + introduced: '13.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', temporary sessions are not available on Shared iPad. Available + in iOS 13.4 and later. +- key: allowSharedStream + title: Allow Shared Stream + supportedOS: + iOS: + introduced: '6.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Shared Photo Stream. Available in iOS 6 and later. 
+- key: allowSpellCheck + title: Allow Spell Check + supportedOS: + iOS: + introduced: 8.1.3 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables keyboard spell-check. Requires a supervised device. + Available in iOS 8.1.3 and later. +- key: allowSpotlightInternetResults + title: Allow Siri Suggestions + supportedOS: + iOS: + introduced: '8.0' + userenrollment: + mode: forbidden + macOS: + introduced: '10.11' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Spotlight Internet search results in Siri Suggestions. + Available in iOS 8 and later, and macOS 10.11 and later. +- key: allowSystemAppRemoval + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the removal of system apps from the device. Requires + a supervised device. Available in iOS 11 and later. +- key: allowUIAppInstallation + title: Allow App Installation from App Store + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disables the App Store, and its icon is removed from the Home screen. However, users may continue to use host apps (iTunes, Configurator) to install or update their apps. + In iOS 10 and later, MDM commands can override this restriction. Requires a supervised device. Available in iOS 9 and later. 
+- key: allowUIConfigurationProfileInstallation + title: Allow UI Configuration Profile Installation + supportedOS: + iOS: + introduced: '6.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits the user from installing configuration profiles and + certificates interactively. Requires a supervised device. Available in iOS 6 and + later. +- key: allowUnmanagedToReadManagedContacts + title: Allow unmanaged apps to read managed contacts accounts + supportedOS: + iOS: + introduced: '12.0' + allowmanualinstall: false + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', unmanaged apps can read from managed contacts accounts. If 'allowOpenFromManagedToUnmanaged' + is 'true', this restriction has no effect. If this restriction is set to 'true', + you must install the payload through MDM. Available in iOS 12 and later. Also + available for user enrollment. +- key: allowUnpairedExternalBootToRecovery + supportedOS: + iOS: + introduced: '14.5' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', allows devices to be booted into recovery by an unpaired device. + Requires a supervised device. Available in iOS 14.5 and later. +- key: allowUntrustedTLSPrompt + title: Allow user to accept untrusted TLS certificates + supportedOS: + iOS: + introduced: '5.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', automatically rejects untrusted HTTPS certificates without + prompting the user. Available in iOS 5 and later. 
+- key: allowUSBRestrictedMode + supportedOS: + iOS: + introduced: 11.4.1 + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', allows the device to always connect to USB accessories while + locked. Requires a supervised device. Available in iOS 11.4.1 and later. +- key: allowVideoConferencing + title: Allow Video Conferencing + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', hides the FaceTime app. As of iOS 13, requires a supervised + device. Available in iOS 4 and later. +- key: allowVoiceDialing + title: Allow Voice Dialing While Device is Locked + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables voice dialing if the device is locked with a passcode. + Available in iOS 4 and later. +- key: allowVPNCreation + title: Allow Adding VPN Configurations (Supervised devices only) + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables the creation of VPN configurations. Requires a supervised + device. Available in iOS 11 and later. +- key: allowWallpaperModification + title: Allow Modifying Wallpaper + supportedOS: + iOS: + introduced: '9.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents wallpaper from being changed. Requires a supervised + device. 
Available in iOS 9 and later, and macOS 10.13 and later. +- key: autonomousSingleAppModePermittedAppIDs + supportedOS: + iOS: + introduced: '7.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: If present, allows apps identified by the bundle IDs listed in the array + to autonomously enter Single App Mode. Requires a supervised device. Available + in iOS 7 and later. + subkeys: + - key: appAutonomousSingleAppModePermittedID + title: Apps allow list for Autonomous Single App Mode + type: +- key: blacklistedAppBundleIDs + title: Blacklisted Apps + supportedOS: + iOS: + introduced: '9.3' + deprecated: '15.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.0' + deprecated: '15.0' + supervised: true + type: + presence: optional + content: Use blockedAppBundleIDs instead. + subkeys: + - key: appBlacklistedBundleID + title: Blacklisted App + type: +- key: blockedAppBundleIDs + title: Blocked Apps + supportedOS: + iOS: + introduced: '15.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '15.0' + supervised: true + type: + presence: optional + content: If present, prevents bundle IDs listed in the array from being shown or + launchable. Include the value 'com.apple.webapp' to restrict all webclips. Requires + a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + subkeys: + - key: appBlockedBundleID + title: Blocked App + type: +- key: enforcedFingerprintTimeout + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: 172800 + content: The value, in seconds, after which the fingerprint unlock will require + a password to authenticate. The default value is 48 hours. 
+- key: enforcedSoftwareUpdateDelay + supportedOS: + iOS: + introduced: '11.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.13.4 + userenrollment: + mode: forbidden + tvOS: + introduced: '12.2' + supervised: true + type: + presence: optional + range: + min: 1 + max: 90 + default: 30 + content: |- + Sets how many days to delay a software update on the device. With this restriction in place, the user doesn't see a software update until the specified number of days after the software update release date. This value is used by 'forceDelayedAppSoftwareUpdates' and 'forceDelayedSoftwareUpdates'. + Requires a supervised device in iOS and tvOS. + Available in iOS 11.3 and later, macOS 10.13.4 and later, and tvOS 12.2 and later. +- key: enforcedSoftwareUpdateMajorOSDeferredInstallDelay + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + default: 30 + content: |- + This restriction allows the admin to set how many days to delay a major software upgrade on the device. When this restriction is in place the user sees a software upgrade only after the specified delay after the release of the software upgrade. This value controls the delay for 'forceDelayedMajorSoftwareUpdates'. + Available in macOS 11.3 and later. +- key: enforcedSoftwareUpdateMinorOSDeferredInstallDelay + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + default: 30 + content: |- + This restriction allows the admin to set how many days to delay a minor OS software update on the device. When this restriction is in place the user see a software update only after the specified delay after the release of the software update. This value controls the delay for 'forceDelayedSoftwareUpdates'. 
+ Available in macOS 11.3 and later. +- key: enforcedSoftwareUpdateNonOSDeferredInstallDelay + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + default: 30 + content: |- + This restriction allows the admin to set how many days to delay an app software update on the device. When this restriction is in place the user sees a non-OS software update only after the specified delay after the release of the software. This value controls the delay for 'forceDelayedAppSoftwareUpdates'. + Available in macOS 11.3 and later. +- key: forceAirDropUnmanaged + title: Treat AirDrop as Unmanaged Destination + supportedOS: + iOS: + introduced: '9.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', causes AirDrop to be considered an unmanaged drop target. Available + in iOS 9 and later. Also available for user enrollment. +- key: forceAirPlayIncomingRequestsPairingPassword + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: n/a + tvOS: + introduced: '6.2' + type: + presence: optional + default: false + content: If 'true', forces all devices sending AirPlay requests to this device to + use a pairing password. Available in Apple TV Software 6.2 and later. This key + isn't supported in tvOS 10.2 and later. Use the AirPlay Security Payload instead. +- key: forceAirPlayOutgoingRequestsPairingPassword + supportedOS: + iOS: + introduced: '7.1' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', forces all devices receiving AirPlay requests from this device + to use a pairing password. Available in iOS 7.1 and later. Also available for + user enrollment. 
+- key: forceAirPrintTrustedTLSRequirement + title: Disallow AirPrint to destinations with untrusted certificates + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', requires trusted certificates for TLS printing communication. + Requires a supervised device. Available in iOS 11 and later. +- key: forceAssistantProfanityFilter + title: Enable Siri Profanity Filter + supportedOS: + iOS: + introduced: '5.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', forces the use of the profanity filter assistant. Requires a + supervised device. Available in iOS 11 and later. +- key: forceAuthenticationBeforeAutoFill + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the user must authenticate before passwords or credit card information + can be autofilled in Safari and Apps. If this restriction isn't enforced, the + user can toggle this feature in Settings. Only supported on devices with Face + ID or Touch ID. Requires a supervised device. Available in iOS 11 and later. +- key: forceAutomaticDateAndTime + supportedOS: + iOS: + introduced: '12.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '12.2' + supervised: true + type: + presence: optional + default: false + content: If 'true', enables the Set Automatically feature in Date & Time and can't + be disabled by the user. The device's time zone is updated only when the device + can determine its location using a cellular connection or Wi-Fi with location + services enabled. 
Requires a supervised device. Available in iOS 12 and later, + and tvOS 12.2 and later. +- key: forceClassroomAutomaticallyJoinClasses + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.14.4 + supervised: true + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', automatically gives permission to the teacher's requests without + prompting the student. Requires a supervised device. Available in iOS 11 and later, + and macOS 10.14.4 and later. +- key: forceClassroomRequestPermissionToLeaveClasses + supportedOS: + iOS: + introduced: '11.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.14.4 + supervised: true + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', a student enrolled in an unmanaged course through Classroom + requests permission from the teacher when attempting to leave the course. Requires + a supervised device. Available in iOS 11.3 and later, and macOS 10.14.4 and later. +- key: forceClassroomUnpromptedAppAndDeviceLock + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.14.4 + supervised: true + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', allows the teacher to lock apps or the device without prompting + the student. Requires a supervised device. Available in iOS 11 and later, and + macOS 10.14.4 and later. 
+- key: forceClassroomUnpromptedScreenObservation + supportedOS: + iOS: + introduced: '11.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: 10.14.4 + supervised: true + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true' and 'ScreenObservationPermissionModificationAllowed' is also + 'true' in the Education payload, a student enrolled in a managed course via the + Classroom app automatically gives permission to that course teacher's requests + to observe the student's screen without prompting the student. Requires a supervised + device. Available in iOS 11 and later, and macOS 10.14.4 and later. +- key: forceDelayedAppSoftwareUpdates + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If 'true', delays user visibility of non-OS Software Updates. Requires a supervised device. + Visibility of Operating System updates is controlled through 'forceDelayedSoftwareUpdates'. + The delay is 30 days unless 'enforcedSoftwareUpdateDelay' is set to another value. + Available in macOS 11 and later. +- key: forceDelayedMajorSoftwareUpdates + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.3' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If set to true, delays user visibility of major upgrades to OS Software. + Available in macOS 11.3 and later. +- key: forceDelayedSoftwareUpdates + supportedOS: + iOS: + introduced: '11.3' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: '12.2' + supervised: true + type: + presence: optional + default: false + content: |- + If 'true', delays user visibility of software updates. 
In macOS, seed build updates are allowed, without delay. Requires a supervised device in iOS and tvOS. + The delay is 30 days unless 'enforcedSoftwareUpdateDelay' is set to another value. + Available in iOS 11.3 and later, macOS 10.13 and later, and tvOS 12.2 and later. +- key: forceEncryptedBackup + title: Force Encrypted Backups + supportedOS: + iOS: + introduced: '4.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', encrypts all backups. Available in iOS 4 and later. Also available + for user enrollment. +- key: forceITunesStorePasswordEntry + title: Require iTunes password for all purchases + supportedOS: + iOS: + introduced: '6.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', forces the user to enter their iTunes password for each transaction. + Available in iOS 6 and later. +- key: forceLimitAdTracking + supportedOS: + iOS: + introduced: '7.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', limits ad tracking. Available in iOS 7 and later. +- key: forceOnDeviceOnlyDictation + supportedOS: + iOS: + introduced: '14.5' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', disables connections to Siri servers for the purposes of dictation. + Available in iOS 14.5 and later. Also available for user enrollment. +- key: forceOnDeviceOnlyTranslation + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the device won't connect to Siri servers for the purposes of + translation. Available in iOS 15 and later. Also available for user enrollment. 
+- key: forceWatchWristDetection + title: Force Apple Watch Wrist Detection + supportedOS: + iOS: + introduced: '8.2' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', forces a paired Apple Watch to use Wrist Detection. Available + in iOS 8.2 and later. Also available for user enrollment. +- key: forceWiFiPowerOn + title: Disallow Wi-Fi from being turned off + supportedOS: + iOS: + introduced: '13.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', prevents Wi-Fi from being turned off in Settings or Control + Center, even by entering or leaving Airplane Mode. It doesn't prevent selecting + which Wi-Fi network to use. Requires a supervised device. Available in iOS 13.0 + and later. +- key: forceWiFiToAllowedNetworksOnly + supportedOS: + iOS: + introduced: '14.5' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', limits device to only join Wi-Fi networks set-up via configuration + profile. Requires a supervised device. Available in iOS 14.5 and later. +- key: forceWiFiWhitelisting + title: Only join Wi-Fi networks installed by profiles + supportedOS: + iOS: + introduced: '10.3' + deprecated: '14.5' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: Use 'forceWiFiToAllowedNetworksOnly' instead. +- key: ratingApps + title: Apps Ranking Number + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + range: + min: 0 + max: 1000 + default: 1000 + content: |- + The maximum level of app content allowed on the device. 
Available in iOS 4 and later, and tvOS 11.3 and later. + Possible values (with the US description of the rating level): + * 1000: All + * 600: 17+ + * 300: 12+ + * 200: 9+ + * 100: 4+ + * 0: None +- key: ratingMovies + title: Movies Ranking Number + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + range: + min: 0 + max: 1000 + default: 1000 + content: |- + The maximum level of movie content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. + Possible values (with the US description of the rating level): + * 1000: All + * 500: NC-17 + * 400: R + * 300: PG-13 + * 200: PG + * 100: G + * 0: None +- key: ratingRegion + title: Region Code + type: + presence: optional + rangelist: + - us + - au + - ca + - de + - fr + - ie + - jp + - nz + - gb + content: The two-letter key that profile tools use to display the proper ratings + for the given region. This data isn't recognized or reported by the client. +- key: ratingTVShows + title: TV Shows Ranking Number + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.3' + type: + presence: optional + range: + min: 0 + max: 1000 + default: 1000 + content: |- + The maximum level of TV content allowed on the device. Available in iOS 4 and later, and tvOS 11.3 and later. + + Possible values (with the US description of the rating level): + + * 1000: All + * 600: TV-MA + * 500: TV-14 + * 400: TV-PG + * 300: TV-G + * 200: TV-Y7 + * 100: TV-Y + * 0: None +- key: requireManagedPasteboard + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', copy and paste functionality respects the 'allowOpenFromManagedToUnmanaged' + and 'allowOpenFromUnmanagedToManaged' restrictions. Also available for user enrollment. 
+- key: safariAcceptCookies + title: Accept Cookies in Safari + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0.0 + - 1.0 + - 1.5 + - 2.0 + default: 2.0 + content: |- + This value defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. + '0': Prevent Cross-Site Tracking and Block All Cookies are enabled and the user canʼt disable either setting. + '1' or '1.5': Prevent Cross-Site Tracking is enabled and the user canʼt disable it. Block All Cookies is not enabled, although the user can enable it. + '2': Prevent Cross-Site Tracking is enabled and Block All Cookies is not enabled. The user can toggle either setting. +- key: safariAllowAutoFill + title: Allow AutoFill in Safari + supportedOS: + iOS: + introduced: '4.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.13' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'false', disables Safari AutoFill for passwords, contact info, and credit cards and also prevents the Keychain from being used for AutoFill. Though third-party password managers are allowed and apps can use AutoFill. + As of iOS 13, requires a supervised device. Available in iOS 4 and later, and macOS 10.13 and later. +- key: safariAllowJavaScript + title: Allow JavaScript + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', Safari doesn't execute JavaScript. Available in iOS 4 and later. 
+- key: safariAllowPopups + title: Allow Pop-ups + supportedOS: + iOS: + introduced: '4.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', Safari doesn't allow pop-up windows. Available in iOS 4 and + later. +- key: safariForceFraudWarning + title: Enable Fraud Warning + supportedOS: + iOS: + introduced: '4.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', enables Safari fraud warning. Available in iOS 4 and later. + Also available for user enrollment. +- key: whitelistedAppBundleIDs + title: Whitelisted Apps + supportedOS: + iOS: + introduced: '9.3' + deprecated: '15.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: '11.0' + deprecated: '15.0' + supervised: true + type: + presence: optional + content: Use 'allowListedAppBundleIDs' instead. + subkeys: + - key: appWhitelistedBundleID + title: Whitelisted App + type: diff --git a/mdm/profiles/com.apple.appstore.yaml b/mdm/profiles/com.apple.appstore.yaml new file mode 100644 index 0000000..a3ac455 --- /dev/null +++ b/mdm/profiles/com.apple.appstore.yaml 
@@ -0,0 +1,54 @@
+title: App Store
+description: ''
+payload:
+ payloadtype: com.apple.appstore
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Use this payload to set restrictions used by the Mac App Store.
+payloadkeys:
+- key: restrict-store-require-admin-to-install
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ deprecated: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', restricts app installations to admin users only. Deprecated
+ in macOS 10.14. Use the 'com.apple.SoftwareUpdate' payload key 'restrict-software-update-require-admin-to-install'
+ as a replacement.
+- key: restrict-store-softwareupdate-only
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents App Store from launching. Available in macOS 10.14
+ and later. Restricts installations to software updates only in macOS 10.10 - 10.13.
+- key: restrict-store-disable-app-adoption
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables app adoption by users. Available in macOS 10.10 and
+ later.
+- key: DisableSoftwareUpdateNotifications
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables software update notifications. Available in macOS 10.10
+ and later.
diff --git a/mdm/profiles/com.apple.asam.yaml b/mdm/profiles/com.apple.asam.yaml
new file mode 100644
index 0000000..34c6b27
--- /dev/null
+++ b/mdm/profiles/com.apple.asam.yaml
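Review bot: `description: ''` leaves this payload with no summary even though the payload `content` line in the same hunk already states its purpose, so a reader of the rendered schema sees a blank where every account payload in this commit has a sentence. Suggest `description: Use this section to define restrictions for the Mac App Store.`. The same empty `description: ''` is repeated in com.apple.asam.yaml, com.apple.dashboard.yaml, com.apple.desktop.yaml and com.apple.dock.yaml later in this commit and could be filled the same way.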
@@ -0,0 +1,43 @@
+title: Autonomous Single App Mode
+description: ''
+payload:
+ payloadtype: com.apple.asam
+ supportedOS:
+ macOS:
+ introduced: 10.13.4
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: false
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: AllowedApplications
+ supportedOS:
+ macOS:
+ introduced: 10.13.4
+ type:
+ presence: required
+ content: An array of dictionaries that specifies the apps that can be granted access
+ to the Accessibility APIs.
+ subkeys:
+ - key: AllowedApplicationsItem
+ type:
+ subkeys:
+ - key: BundleIdentifier
+ supportedOS:
+ macOS:
+ introduced: 10.13.4
+ type:
+ presence: required
+ content: The unique bundle identifier. If two dictionaries contain the same
+ 'BundleIdentifier' value but a different 'TeamIdentifier' value, this will
+ be considered an error and the profile won't be installed.
+ - key: TeamIdentifier
+ supportedOS:
+ macOS:
+ introduced: 10.13.4
+ type:
+ presence: required
+ content: The developer's team identifier, used when the app was signed.
diff --git a/mdm/profiles/com.apple.associated-domains.yaml b/mdm/profiles/com.apple.associated-domains.yaml
new file mode 100644
index 0000000..ad3eb25
--- /dev/null
+++ b/mdm/profiles/com.apple.associated-domains.yaml
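Review bot: `introduced: 10.13.4` is left unquoted at all four places in this file, while every other version value in the commit is written as a quoted string such as `introduced: '10.13'`. A three-part value happens to parse as a string, but the same pattern with a two-part value (`10.13`) would silently become a float, so the schema's version fields should not rely on the dot count. Suggest `introduced: '10.13.4'` for the payload and for the `AllowedApplications`, `BundleIdentifier` and `TeamIdentifier` keys.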
@@ -0,0 +1,54 @@
+title: Associated Domains
+description: Use this section to define settings for Associated Domains to be used
+ with features such as Extensible AppSSO, universal links and Password AutoFill.
+payload:
+ payloadtype: com.apple.associated-domains
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: Configures Associated Domains to be used with features such as Extensible
+ AppSSO, universal links and Password AutoFill. Settings are per-user. The effective
+ settings for a user will be the union of payloads installed for the device and
+ the user. Users on a system that are not managed by the MDM will not have any
+ effective settings, not even those from device payloads.
+payloadkeys:
+- key: Configuration
+ title: Configuration
+ type:
+ presence: required
+ content: A dictionary that maps apps to their associated domains.
+ subkeys:
+ - key: ConfigurationItem
+ type:
+ subkeys:
+ - key: ApplicationIdentifier
+ type:
+ presence: required
+ content: The app identifier to associate the domains with.
+ - key: AssociatedDomains
+ type:
+ presence: required
+ content: |-
+ The domains to be associated with the app. Each string is in the form of ''service:domain''. Domains should be fully qualified hostnames, like 'www.example.com'.
+ See Supporting Associated Domains for more information.
+ subkeys:
+ - key: AssociatedDomain
+ type:
+ presence: required
+ - key: EnableDirectDownloads
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', data for this domain should be downloaded directly instead
+ of through a CDN. The entitlement value for this domain must be set to 'service:domain?mode=managed'
+ or this value will be ignored. Available in macOS 11 and later.
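Review bot: In the `AssociatedDomains` content, `''service:domain''` sits inside a `|-` block scalar, where a doubled quote is not an escape, so the rendered documentation will show two quote characters on each side; the `EnableDirectDownloads` content in the same hunk uses plain single quotes around `'service:domain?mode=managed'`. Change the line to `The domains to be associated with the app. Each string is in the form of 'service:domain'. Domains should be fully qualified hostnames, like 'www.example.com'.`.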
diff --git a/mdm/profiles/com.apple.caldav.account.yaml b/mdm/profiles/com.apple.caldav.account.yaml
new file mode 100644
index 0000000..b9c9556
--- /dev/null
+++ b/mdm/profiles/com.apple.caldav.account.yaml
@@ -0,0 +1,76 @@
+title: CalDAV
+description: Use this section to define settings for configuration access to CalDAV
+ servers.
+payload:
+ payloadtype: com.apple.caldav.account
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: CalDAVAccountDescription
+ title: Account Description
+ type:
+ presence: optional
+ content: The description of the account.
+- key: CalDAVHostName
+ title: Account Hostname
+ type:
+ presence: required
+ content: The server's address.
+- key: CalDAVUsername
+ title: Account Username
+ type:
+ presence: optional
+ content: |-
+ The user name for logins.
+ If this profile part of a non-interactive install, this field is required.
+- key: CalDAVPassword
+ title: Account Password
+ type:
+ presence: optional
+ content: The user's password. This is only used with encrypted profiles.
+- key: CalDAVPrincipalURL
+ title: Principal URL
+ type:
+ presence: optional
+ content: The base URL to the user's calendar.
+- key: CalDAVUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables SSL.
+- key: CalDAVPort
+ title: Port Number
+ type:
+ presence: optional
+ content: The server's port.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
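Review bot: The second line of the `CalDAVUsername` content reads `If this profile part of a non-interactive install, this field is required.`, which is missing its verb; suggest `If this profile is part of a non-interactive install, this field is required.`. The `CalDAVPassword` content is the one place in this commit that tells an MDM vendor the credential is only honoured from an encrypted profile, which is the kind of caveat worth keeping on every account payload that carries a password key.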
diff --git a/mdm/profiles/com.apple.carddav.account.yaml b/mdm/profiles/com.apple.carddav.account.yaml
new file mode 100644
index 0000000..9f99a66
--- /dev/null
+++ b/mdm/profiles/com.apple.carddav.account.yaml
@@ -0,0 +1,128 @@
+title: CardDAV
+description: Use this section to define settings for configuration access to CardDAV
+ servers.
+payload:
+ payloadtype: com.apple.carddav.account
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: CardDAVAccountDescription
+ title: Account Description
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ content: The description of the account.
+- key: CardDAVHostName
+ title: Account Hostname
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: required
+ content: The server's address.
+- key: CardDAVUsername
+ title: Account Username
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ content: The user name for logins.
+- key: CardDAVPassword
+ title: Account Password
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ content: The user's password.
+- key: CardDAVPrincipalURL
+ title: Principal URL
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The base URL to the user's address book.
+- key: CardDAVUseSSL
+ title: Use SSL
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables SSL.
+- key: CardDAVPort
+ title: Port Number
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ type:
+ presence: optional
+ content: The server's port.
+- key: CommunicationServiceRules
+ title: Communication Service Rules
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: An array of communication service rules for this account.
+ subkeys:
+ - key: DefaultServiceHandlers
+ title: Default Service Handlers
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: A dictionary of service handlers for contacts from this account.
+ subkeys:
+ - key: AudioCall
+ title: App for audio calls
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: A string containing the bundle identifier for the default application
+ that handles audio calls made to contacts from this account.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml
new file mode 100644
index 0000000..52b484c
--- /dev/null
+++ b/mdm/profiles/com.apple.cellular.yaml
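Review bot: `CardDAVPassword` is documented as just `The user's password.`, while the otherwise parallel CalDAV payload in this commit adds that the password is only used with encrypted profiles. If the same rule applies here, align the text: `content: The user's password. This is only used with encrypted profiles.`; if it does not, the difference is worth stating, because an MDM vendor reads this schema to decide whether a credential may be shipped in an unencrypted profile. The hunk begins on the preceding line.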
@@ -0,0 +1,183 @@
+title: Cellular
+description: Use this section to define custom APNs for cellular data access.
+payload:
+ payloadtype: com.apple.cellular
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ watchOS:
+ introduced: '3.2'
+ allowmanualinstall: true
+ content: |-
+ This payload cannot be installed if an APN payload is already installed.
+ This payload only applies to the preferred data SIM. There is no way to have a cellular payload affect a different SIM.
+ This payload replaces the com.apple.managedCarrier payload. The latter payload is supported, but deprecated.
+payloadkeys:
+- key: AttachAPN
+ title: AttachAPN
+ type:
+ presence: optional
+ content: A configuration dictionary.
+ subkeys:
+ - key: Name
+ title: Name
+ type:
+ presence: required
+ content: The name for this configuration.
+ - key: AuthenticationType
+ title: Authentication type
+ type:
+ presence: optional
+ rangelist:
+ - CHAP
+ - PAP
+ default: PAP
+ content: The authentication type.
+ - key: Username
+ title: User name
+ type:
+ presence: optional
+ content: The user name for the APN.
+ - key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The password for the APN.
+ - key: AllowedProtocolMask
+ title: Supported IP Versions
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 2
+ - 3
+ content: |-
+ The supported Internet Protocol versions. Possible values are:
+ 1 = IPv4
+ 2 = IPv6
+ 3 = Both
+- key: APNs
+ title: APNs
+ type:
+ presence: optional
+ content: An array of access point dictionaries.
+ subkeys:
+ - key: APNsItem
+ type:
+ subkeys:
+ - key: Name
+ title: Name
+ type:
+ presence: required
+ content: The name for this configuration.
+ - key: AuthenticationType
+ title: Authentication type
+ type:
+ presence: optional
+ rangelist:
+ - CHAP
+ - PAP
+ default: PAP
+ content: The authentication type for logging in.
+ - key: Username
+ title: User name
+ type:
+ presence: optional
+ content: The user name for the APN.
+ - key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The user's password for the APN.
+ - key: ProxyServer
+ title: Proxy server
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The proxy server's address.
+ - key: ProxyPort
+ title: Proxy port
+ type:
+ presence: optional
+ content: The proxy server's port number.
+ - key: DefaultProtocolMask
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ deprecated: '11.0'
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 2
+ - 3
+ content: |-
+ Deprecated. The default Internet Protocol versions. Possible values are:
+ * '1': IPv4
+ * '2': IPv6
+ * '3': Both
+ Available in iOS 10.3 but no longer used in iOS 11 and later.
+ - key: AllowedProtocolMask
+ title: Supported IP Versions
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 2
+ - 3
+ content: |-
+ The supported Internet Protocol versions. Possible values are:
+ * '1': IPv4
+ * '2': IPv6
+ * '3': Both
+ Available in iOS 10.3 and later.
+ - key: AllowedProtocolMaskInRoaming
+ title: Supported Roaming IP Versions
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 2
+ - 3
+ content: |-
+ The supported Internet Protocol versions while roaming. Possible values are:
+ * '1': IPv4
+ * '2': IPv6
+ * '3': Both
+ Available in iOS 10.3 and later.
+ - key: AllowedProtocolMaskInDomesticRoaming
+ title: Supported Roaming IP Versions
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 2
+ - 3
+ content: |-
+ The supported Internet Protocol versions while roaming domestically.
Possible values are:
+ * '1': IPv4
+ * '2': IPv6
+ * '3': Both
+ Available in iOS 10.3 and later.
diff --git a/mdm/profiles/com.apple.conferenceroomdisplay.yaml b/mdm/profiles/com.apple.conferenceroomdisplay.yaml
new file mode 100644
index 0000000..20cf5ce
--- /dev/null
+++ b/mdm/profiles/com.apple.conferenceroomdisplay.yaml
@@ -0,0 +1,18 @@
+title: Conference Room Display
+description: Use this section to place an Apple TV device into Conference Room Display
+ mode.
+payload:
+ payloadtype: com.apple.conferenceroomdisplay
+ supportedOS:
+ tvOS:
+ introduced: '10.2'
+ supervised: true
+ allowmanualinstall: true
+ content: Configures an Apple TV to enter Conference Room Display mode, and restrictions
+ exit from that mode
+payloadkeys:
+- key: Message
+ title: Custom message
+ type:
+ presence: optional
+ content: The custom message displayed on the screen in Conference Room Display mode.
diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml
new file mode 100644
index 0000000..f5cfe22
--- /dev/null
+++ b/mdm/profiles/com.apple.configurationprofile.identification.yaml
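Review bot: `AllowedProtocolMask` under `AttachAPN` documents its values as `1 = IPv4` / `2 = IPv6` / `3 = Both`, while the three protocol-mask keys under `APNs` use the `* '1': IPv4` bullet form and end with an availability line; the two blocks describe the same rangelist and should be written the same way. Separately, `AllowedProtocolMaskInDomesticRoaming` reuses the title `Supported Roaming IP Versions` from `AllowedProtocolMaskInRoaming`, so the two keys cannot be told apart in a rendered UI; suggest `title: Supported Domestic Roaming IP Versions`. The cellular hunk begins two lines earlier.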
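Review bot: The payload `content` of the Conference Room Display hunk reads `Configures an Apple TV to enter Conference Room Display mode, and restrictions exit from that mode`, which is ungrammatical and has no terminal period; suggest `Configures an Apple TV to enter Conference Room Display mode, and restricts exit from that mode.`.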
@@ -0,0 +1,66 @@
+title: Identification
+payload:
+ payloadtype: com.apple.configurationprofile.identification
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: |-
+ This payload can be used on the device or user channel depending on what payload it is paired with.
+
+ Device channel:
+ *com.apple.MCX.FileVault2
+ *com.apple.ADCertificate.managed
+ *com.apple.DirectoryService.managed
+
+ User channel:
+ *com.apple.caldav.account
+ *com.apple.carddav.account
+ *com.apple.ews.account
+ *com.apple.ldap.account
+ *com.apple.mail.managed
+payloadkeys:
+- key: PayloadIdentification
+ type:
+ presence: required
+ content: The dictionary containing details about the user.
+ subkeys:
+ - key: UserName
+ type:
+ presence: required
+ content: The UNIX user name for the accounts.
+ - key: FullName
+ type:
+ presence: required
+ content: The full name of the account.
+ - key: EmailAddress
+ type:
+ presence: required
+ content: The address for the account.
+ - key: AuthMethod
+ type:
+ presence: required
+ rangelist:
+ - Password
+ - UserEnteredPassword
+ content: The authorization method. Either the password is supplied in the profile
+ or the user supplies it.
+ - key: Password
+ type:
+ presence: required
+ content: The password for the account. Required when the 'AuthMethod' is of type
+ 'password'.
+ - key: Prompt
+ type:
+ presence: optional
+ content: The custom instructions for the user, if needed.
+ - key: PromptMessage
+ type:
+ presence: optional
+ content: The additional descriptive text for the user prompt.
diff --git a/mdm/profiles/com.apple.dashboard.yaml b/mdm/profiles/com.apple.dashboard.yaml
new file mode 100644
index 0000000..3cdfc50
--- /dev/null
+++ b/mdm/profiles/com.apple.dashboard.yaml
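Review bot: `Password` is marked `presence: required`, but its own content says it is required only when `AuthMethod` is the password type, and `UserEnteredPassword` is a valid `AuthMethod` in the rangelist above it, so one of the two statements is wrong. If the conditional wording is the intended contract, `presence: optional` matches it, and the content should name the rangelist value exactly: `content: The password for the account. Required when 'AuthMethod' is 'Password'.` (the hunk writes `'password'`, which does not match the `Password` rangelist entry).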
@@ -0,0 +1,39 @@
+title: 'Parental Controls: Dashboard Widget Restrictions'
+description: ''
+payload:
+ payloadtype: com.apple.dashboard
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ deprecated: '10.15'
+ removed: '10.15'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Widget restrictions.
+payloadkeys:
+- key: whiteListEnabled
+ type:
+ presence: required
+ content: If 'true', enables the widget allow list.
+- key: WhiteList
+ type:
+ presence: required
+ content: An array of widget item dictionaries that are allowed.
+ subkeys:
+ - key: WhiteListItem
+ type:
+ subkeys:
+ - key: Type
+ type:
+ presence: required
+ content: The type of allow list item. Set to 'bundleID' to use a widget's bundle
+ ID as its main ID.
+ - key: ID
+ type:
+ presence: required
+ content: The bundle ID of a widget.
diff --git a/mdm/profiles/com.apple.desktop.yaml b/mdm/profiles/com.apple.desktop.yaml
new file mode 100644
index 0000000..0af97ce
--- /dev/null
+++ b/mdm/profiles/com.apple.desktop.yaml
@@ -0,0 +1,28 @@
+title: Desktop
+description: ''
+payload:
+ payloadtype: com.apple.desktop
+ supportedOS:
+ macOS:
+ introduced: '10.10'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: locked
+ supportedOS:
+ macOS:
+ deprecated: '10.13'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks the desktop picture. Replaced with allowWallpaperModification
+ in macOS 10.13.
+- key: override-picture-path
+ type:
+ presence: optional
+ content: The path to the desktop picture. If set, this picture is always locked.
diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml
new file mode 100644
index 0000000..3338916
--- /dev/null
+++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml
@@ -0,0 +1,49 @@
+title: DNS Proxy
+description: Use this section to configure a DNS proxy network extension
+payload:
+ payloadtype: com.apple.dnsProxy.managed
+ supportedOS:
+ iOS:
+ introduced: '11.0'
+ supervised: false
+ allowmanualinstall: false
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: As of iOS 15.0 this payload can now be installed on unsupervised devices
+ via MDM and can now only be installed via MDM.
+payloadkeys:
+- key: AppBundleIdentifier
+ title: App Bundle Identifier
+ type:
+ presence: required
+ content: The bundle identifier of the app containing the DNS proxy network extension.
+- key: ProviderBundleIdentifier
+ title: Provider Bundle Identifier
+ type:
+ presence: optional
+ content: The bundle identifier of the DNS proxy network extension to use. Declaring
+ the bundle identifier is useful for apps that contain more than one DNS proxy
+ extension.
+- key: ProviderConfiguration
+ title: Provider Configuration
+ type:
+ presence: optional
+ content: The dictionary of vendor-specific configuration items.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: Key/value pairs.
diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml
new file mode 100644
index 0000000..260bf20
--- /dev/null
+++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml
@@ -0,0 +1,187 @@
+title: DNS Settings
+description: Use this section to configure DNS settings.
+payload:
+ payloadtype: com.apple.dnsSettings.managed
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '11.0'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: DNSSettings
+ title: DNS Settings
+ type:
+ presence: required
+ content: A dictionary that defines a configuration for an encrypted DNS server.
+ subkeys:
+ - key: DNSProtocol
+ title: DNS Protocol
+ type:
+ presence: required
+ rangelist:
+ - HTTPS
+ - TLS
+ content: The encrypted transport protocol used to communicate with the DNS server.
+ - key: ServerURL
+ title: Server URL
+ type:
+ presence: optional
+ content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484.
+ This URL must use the 'https://' scheme, and the hostname or address in the
+ URL will be used to validate the server certificate. If no 'ServerAddresses'
+ are provided, the hostname or address in the URL will be used to determine the
+ server addresses. This key must be present only if the 'DNSProtocol' is 'HTTPS'.
+ - key: ServerName
+ title: Server Name
+ type:
+ presence: optional
+ content: The hostname of a DNS-over-TLS server used to validate the server certificate,
+ as defined in RFC 7858. If no 'ServerAddresses' are provided, the hostname will
+ be used to determine the server addresses. This key must be present only if
+ the DNSProtocol is 'TLS'.
+ - key: ServerAddresses
+ title: DNS Server Addresses
+ type:
+ presence: optional
+ content: An unordered list of DNS server IP address strings. These IP addresses
+ can be a mixture of IPv4 and IPv6 addresses.
+ subkeys:
+ - key: ServerAddressesElement
+ title: Server Address Element
+ type:
+ - key: SupplementalMatchDomains
+ title: Supplemental Match Domains
+ type:
+ presence: optional
+ content: |-
+ A list of domain strings used to determine which DNS queries will use the DNS server. If this array is not provided, all domains will use the DNS server.
+ A single wildcard '*' prefix is supported, but is not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but do not match against 'mydomain-example.com'.
+ subkeys:
+ - key: SupplementalMatchDomainsElement
+ title: Supplemental Match Domains Element
+ type:
+- key: OnDemandRules
+ title: On Demand Rules
+ type:
+ presence: optional
+ content: An array of rules defining the DNS settings. If rules are not present,
+ the system always applies the DNS settings. These rules are identical to the 'OnDemandRules'
+ array in VPN payloads.
+ subkeytype: OnDemandRulesElement
+ subkeys:
+ - key: OnDemandRulesElement
+ title: On Demand Rules Element
+ type:
+ subkeys:
+ - key: Action
+ title: On Demand Action
+ type:
+ presence: required
+ rangelist:
+ - Connect
+ - Disconnect
+ - EvaluateConnection
+ content: |-
+ The action to take if this dictionary matches the current network. Possible values are:
+ * 'Connect': Apply DNS Settings when the dictionary matches.
+ * 'Disconnect': Do not apply DNS Settings when the dictionary matches.
+ * 'EvaluateConnection': Apply DNS Settings with per-domain exceptions when the dictionary matches.
+ - key: ActionParameters
+ title: Action Parameters
+ type:
+ presence: optional
+ content: |-
+ A dictionary that provides per-connection rules.
+ This array is used only for settings where the 'Action' value is'EvaluateConnection'.
+ subkeys:
+ - key: Domains
+ title: Domains
+ type:
+ presence: required
+ content: The domains for which this evaluation applies.
+ subkeys:
+ - key: DomainsElement
+ title: Domains Element
+ type:
+ - key: DomainAction
+ title: Domain Action
+ type:
+ presence: required
+ rangelist:
+ - NeverConnect
+ - ConnectIfNeeded
+ content: |-
+ The DNS settings behavior for the specified domains. Allowed values are:
+ * 'NeverConnect': Do not use the DNS Settings for the specified domains.
+ * 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains.
+ - key: DNSDomainMatch
+ title: DNS Domain Match
+ type:
+ presence: optional
+ content: |-
+ An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
+ A single wildcard '*' prefix is supported, but is not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but do not match against 'mydomain-example.com'.
+ subkeys:
+ - key: DNSDomainMatchElement
+ title: DNS Domain Match Element
+ type:
+ - key: DNSServerAddressMatch
+ title: DNS Server Address Match
+ type:
+ presence: optional
+ content: |-
+ An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
+ Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet.
+ subkeys:
+ - key: DNSServerAddressMatchElement
+ title: DNS Server Address Match Element
+ type:
+ - key: InterfaceTypeMatch
+ title: Interface Type Match
+ type:
+ presence: optional
+ rangelist:
+ - Ethernet
+ - WiFi
+ - Cellular
+ content: An interface type. If specified, this rule matches only if the primary
+ network interface hardware matches the specified type.
+ - key: SSIDMatch
+ title: SSID Match
+ type:
+ presence: optional
+ content: |-
+ An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails.
+ Omit this key and the corresponding array to match against any SSID.
+ subkeys:
+ - key: SSIDMatchElement
+ title: SSID Match Element
+ type:
+ - key: URLStringProbe
+ title: URL String Probe
+ type:
+ presence: optional
+ content: A URL to probe. If this URL is successfully fetched (returning a 200
+ HTTP status code) without redirection, this rule matches.
+- key: ProhibitDisablement
+ title: Prohibit Disablement
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prohibits users from disabling DNS settings. This key is only
+ available on supervised devices.
diff --git a/mdm/profiles/com.apple.dock.yaml b/mdm/profiles/com.apple.dock.yaml
new file mode 100644
index 0000000..cd1b0c2
--- /dev/null
+++ b/mdm/profiles/com.apple.dock.yaml
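Review bot: `ProhibitDisablement` says in prose `This key is only available on supervised devices`, but nothing in the key's metadata encodes that, whereas elsewhere in this commit the same constraint is carried as `supervised: true` under the key's `supportedOS` (for example `SafariPasswordAutoFillDomains` in com.apple.domains.yaml); tooling that reads the schema will not see the restriction. Suggest adding `supportedOS:` / `iOS:` / `supervised: true` to the key (whether macOS shares the restriction is not visible here). Separately, the `ActionParameters` content has `value is'EvaluateConnection'` with the space missing after `is`. The hunk begins three lines earlier.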
@@ -0,0 +1,282 @@
+title: Dock
+description: ''
+payload:
+ payloadtype: com.apple.dock
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: tilesize
+ type:
+ presence: optional
+ range:
+ min: 16
+ max: 128
+ content: The tile size. Values must be in the range from 16 to 128.
+- key: size-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks the size slider.
+- key: magnification
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables magnification.
+- key: magnify-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks magnification.
+- key: largesize
+ type:
+ presence: optional
+ range:
+ min: 16
+ max: 128
+ content: The size of the largest magnification.
+- key: magsize-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks the magnification slider.
+- key: orientation
+ type:
+ presence: optional
+ rangelist:
+ - bottom
+ - left
+ - right
+ content: The orientation of the dock.
+- key: position-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks the position.
+- key: mineffect
+ type:
+ presence: optional
+ rangelist:
+ - genie
+ - scale
+ content: The minimize effect.
+- key: mineffect-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks 'Minimize windows using.'
+- key: windowtabbing
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ rangelist:
+ - manual
+ - always
+ - fullscreen
+ content: Set the 'Prefer tabs when opening documents' to the provided value.
+- key: windowtabbing-immutable
+ supportedOS:
+ macOS:
+ introduced: '10.12'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables 'Prefer tabs when opening documents' checkbox.
+- key: dblclickbehavior
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ rangelist:
+ - minimize
+ - maximize
+ - none
+ content: The behavior when the window's title bar is double-clicked.
+- key: dblclickbehavior-immutable
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks 'Double-click a window's title bar.'
+- key: minimize-to-application
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Minimize windows into application icon.'
+- key: minintoapp-immutable
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the 'Minimize windows into application icon' checkbox.
+- key: launchanim
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Animate opening applications.'
+- key: launchanim-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks 'Animate opening applications.'
+- key: autohide
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Automatically hide and show the dock.'
+- key: autohide-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks 'Automatically hide.'
+- key: show-process-indicators
+ type:
+ presence: optional
+ default: false
+ content: If true, shows the process indicator.
+- key: showindicators-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', locks 'Show indicators.'
+- key: show-recents
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Show recent items.'
+- key: showrecents-immutable
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables 'Show recent applications' checkbox.
+- key: contents-immutable
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables changes to the dock.
+- key: MCXDockSpecialFolders
+ type:
+ presence: optional
+ content: |-
+ One or more special folders that may be created at user login time and placed in the dock.
+
+ The 'My Applications' item is only used for Simple Finder environments. The 'Original Network Home' item is only used for mobile account users.
+ subkeys:
+ - key: MCXDockSpecialFoldersItems
+ type:
+ rangelist:
+ - AddDockMCXMyApplicationsFolder
+ - AddDockMCXDocumentsFolder
+ - AddDockMCXSharedFolder
+ - AddDockMCXOriginalNetworkHomeFolder
+- key: AllowDockFixupOverride
+ supportedOS:
+ macOS:
+ introduced: '10.12'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', use the file in '/Library/Preferences/com.apple.dockfixup.plist'
+ when a new user or migrated user logs in. This option has no effect for existing
+ users. Available in macOS 10.12 and later. Only available on the device channel.
+- key: static-only
+ type:
+ presence: optional
+ default: false
+ content: If 'true', uses the 'static-apps' and 'static-others' dictionaries for
+ the dock and ignores any items in the 'persistent-apps' and 'persistent-others'
+ dictionaries. If 'false', the contents are merged with the static items listed
+ first.
+- key: static-others
+ type:
+ presence: optional
+ content: An array of items located on the Documents side of the Dock and cannot
+ be removed from that location.
+ subkeytype: StaticItem
+ subkeys: &id001
+ - key: StaticItem
+ type:
+ subkeys:
+ - key: tile-data
+ type:
+ presence: required
+ content: The information about the dock item.
+ subkeys:
+ - key: label
+ type:
+ presence: required
+ content: The label of the dock item.
+ - key: url
+ type:
+ presence: optional
+ content: The URL string.
+ - key: file-type
+ type:
+ presence: required
+ rangelist:
+ - 0
+ - 1
+ - 3
+ content: |-
+ The type of tile:
+ * '0': URL
+ * '1': File
+ * '3': Directory
+ - key: file-data
+ type:
+ presence: optional
+ content: The data in a file. For Apple use only.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: For Apple use only.
+ - key: tile-type
+ type:
+ presence: required
+ rangelist:
+ - file-tile
+ - directory-tile
+ - url-tile
+ content: The type of tile.
+- key: static-apps
+ type:
+ presence: optional
+ content: An array of items located on the Applications side of the Dock and cannot
+ be removed from that location.
+ subkeytype: StaticItem
+ subkeys: *id001
+- key: persistent-apps
+ type:
+ presence: optional
+ content: An array of items located on the Applications side of the Dock that can
+ be removed from the dock.
+ subkeytype: StaticItem
+ subkeys: *id001
+- key: persistent-others
+ type:
+ presence: optional
+ content: An array of items located on the Documents side of the Dock that can be
+ removed from the dock.
+ subkeytype: StaticItem
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml
new file mode 100644
index 0000000..3495c67
--- /dev/null
+++ b/mdm/profiles/com.apple.domains.yaml
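Review bot: The shared subkey definition is anchored as `&id001`, an auto-generated name that tells a reader nothing about the four keys (`static-others`, `static-apps`, `persistent-apps`, `persistent-others`) that alias it; since every one of them already carries `subkeytype: StaticItem`, a matching anchor such as `subkeys: &static_item` with `subkeys: *static_item` aliases keeps the name and the shape in step. Also `show-process-indicators` is documented as `If true, shows the process indicator.` while every sibling key quotes the value as `If 'true', ...`; suggest `content: If 'true', shows the process indicator.`. The hunk begins three lines earlier.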
@@ -0,0 +1,69 @@
+title: Domains
+description: Use this section to define Domains settings.
+payload:
+ payloadtype: com.apple.domains
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.10'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: This payload defines web domains that are under an enterprise's management.
+payloadkeys:
+- key: EmailDomains
+ title: Email Domains
+ type:
+ presence: optional
+ content: |-
+ An array of domains. Email addresses that lack a suffix matching any of these strings are considered out of domain and marked in Mail.
+ This is the only field supported on macOS.
+ subkeys:
+ - key: EmailDomainsItem
+ type:
+ presence: required
+ content: An email address.
+- key: WebDomains
+ title: Web Domains
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: An array of domains. URLs matching the patterns listed here are considered
+ managed.
+ subkeys:
+ - key: WebDomainsItem
+ type:
+- key: SafariPasswordAutoFillDomains
+ title: Password Autofill Domains
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ supervised: true
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ An array of domains. Users can only save passwords in Safari from URLs matching the patterns listed here. This property doesn't disable the autofill feature itself.
+ Supervised devices or Shared iPads need this property to enable saving passwords in Safari.
+ Available in iOS 9.3 and later.
+ subkeys:
+ - key: SafariPasswordAutoFillDomainsItem
+ type:
diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml
new file mode 100644
index 0000000..4a9c4a6
--- /dev/null
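Review bot: `WebDomainsItem` and `SafariPasswordAutoFillDomainsItem` at the end of the hunk carry only `type:`, while the parallel `EmailDomainsItem` documents `presence: required` and a `content` line, so the two pattern-list entries have no description at all. Both parent keys say URLs are matched against "the patterns listed here" without saying what a pattern is (bare host, wildcard, scheme), which is exactly what an administrator needs in order to scope a managed domain neither too wide nor too narrow; suggest `content: A web domain pattern that URLs are matched against.` on each item, with the matching rules stated once on the parent key if they are known. `presence: required` on both items would also bring them in line with `EmailDomainsItem`.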
+++ b/mdm/profiles/com.apple.eas.account.yaml 
@@ -0,0 +1,428 @@
+title: Exchange ActiveSync
+description: Use this section to define settings for the Exchange ActiveSync account.
+payload:
+ payloadtype: com.apple.eas.account
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ content: |-
+ This payload configures an Exchange Active Sync account on an iOS device for Mail, Contacts, Calendars, Reminders, and Notes.
+ Updating this payload overrides any settings that the user customized, such as EnableMail/Contacts/Calendars/Reminders/Notes and MailNumberOfPastDaysToSync.
+payloadkeys:
+- key: EmailAddress
+ title: Email Address
+ type:
+ presence: optional
+ content: The full email address for the account. If not present in the payload,
+ the device prompts for this string during profile installation.
+- key: Host
+ title: Exchange ActiveSync Host
+ type:
+ presence: optional
+ content: |-
+ The Exchange server host name or IP address.
+ If using OAuth without an OAuthSignInURL, the host name is ignored.
+- key: SSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables SSL for authentication.
+- key: OAuth
+ title: Use OAuth
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', enables OAuth for authentication. If enabled, don't specify a password.
+ Available only in iOS 12.0 and above.
+- key: UserName
+ title: User
+ type:
+ presence: optional
+ content: This user name for this Exchange account. The user name is required for
+ noninteractive installations like MDM in iOS.
+- key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The password of the account. Use only with encrypted profiles.
+- key: Certificate
+ title: Authentication Credential
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: optional
+ content: The '.p12' identity certificate in NSData blob format, for accounts that
+ allow authentication via certificate.
+- key: CertificateName
+ title: Authentication Credential Name
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ type:
+ presence: optional
+ content: The name or description of the certificate.
+- key: CertificatePassword
+ title: Authentication Credential Password
+ type:
+ presence: optional
+ content: The password necessary for the '.p12' identity certificate. Used with mandatory
+ encryption of profiles.
+- key: PreventMove
+ title: Prevent Move
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents messages from being moved out of this email account
+ into another account. This setting also prevents forwarding or replying from an
+ account other than the one the message was sent to.
+- key: PreventAppSheet
+ title: Prevent App Sheet
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents this account from sending mail in any app other than
+ the Apple Mail app.
+- key: PayloadCertificateUUID
+ title: Payload Certificate UUID
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The UUID of of the certificate payload within the same profile to use for
+ the identity credential. If this field is present, the Certificate field is not
+ used.
+- key: SMIMEEnabled
+ title: S/MIME Enabled
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ deprecated: '10.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME encryption. In iOS 10.0 and later, this key is
+ ignored. Use 'SMIMESigningEnabled' instead.
+- key: SMIMESigningEnabled
+ title: S/MIME Signing Enabled
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME signing for this account. Available in iOS 10.0
+ and later.
+- key: SMIMESigningCertificateUUID
+ title: S/MIME Signing Certificate
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The UUID of the identity certificate used to sign messages sent from this
+ account.
+- key: SMIMEEncryptionEnabled
+ title: S/MIME Encryption Enabled
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ deprecated: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME encryption for this account. Available in iOS
+ 10.0 and later. As of iOS 12.0, this key is deprecated. It is recommended to use
+ 'SMIMEEncryptByDefault' instead.
+- key: SMIMEEncryptionCertificateUUID
+ title: S/MIME Encryption Certificate
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The payload UUID of the identity certificate used to decrypt messages sent
+ to this account. The public certificate is attached to outgoing mail to allow
+ encrypted mail to be sent to this user. When the user sends encrypted mail, the
+ public certificate is used to encrypt the copy of the mail in the user's Sent
+ mailbox.
+- key: SMIMEEnablePerMessageSwitch
+ title: S/MIME Enable Per-Message Switch
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ deprecated: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', displays the per-message encryption switch in the Mail Compose UI.
+ Available in iOS 8.0 and later. As of iOS 12.0, this key is deprecated. Use 'SMIMEEnableEncryptionPerMessageSwitch' instead.
+- key: disableMailRecentsSyncing
+ title: Disable Mail Recents Syncing
+ type:
+ presence: optional
+ default: false
+ content: If 'true', excludes this account from Recent Addresses syncing.
+- key: MailNumberOfPastDaysToSync
+ title: Past Days of Mail to Sync
+ type:
+ presence: optional
+ rangelist:
+ - 1
+ - 3
+ - 7
+ - 14
+ - 31
+ default: 7
+ content: The number of days in the past to sync mail on the device.
+- key: HeaderMagic
+ supportedOS:
+ iOS:
+ deprecated: '7.0'
+ type:
+ presence: optional
+ content: The value of the 'X-Apple-Config-Magic' header in each EAS HTTP request.
+- key: CommunicationServiceRules
+ title: Communication Service Rules
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ type:
+ presence: optional
+ content: The communication service handler rules for this account.
+ subkeys:
+ - key: DefaultServiceHandlers
+ title: Default Service Handlers
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ type:
+ presence: optional
+ content: The default handlers to be used for contacts from this account.
+ subkeys:
+ - key: AudioCall
+ title: App for audio calls
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ type:
+ presence: optional
+ content: The bundle identifier of the default application to use for audio calls
+ made to contacts from this account.
+- key: allowMailDrop
+ title: Allow Mail Drop
+ supportedOS:
+ iOS:
+ introduced: '9.2'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables this account to use Mail Drop.
+- key: SMIMESigningUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can turn S/MIME signing on or off in Settings. Available
+ in iOS 12.0 and later.
+- key: SMIMESigningCertificateUUIDUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can select the signing identity. Available in iOS 12.0
+ and later.
+- key: SMIMEEncryptByDefault
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If set to true, S/MIME encryption is enabled by default. If 'SMIMEEnableEncryptionPerMessageSwitch'
+ is false, this default cannot be changed by the user. Available in iOS 12.0 and
+ later.
+- key: SMIMEEncryptByDefaultUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can turn encryption by default on/off, and encryption
+ is on. Available in iOS 12.0 and later.
+- key: SMIMEEncryptionCertificateUUIDUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can select the S/MIME encryption identity, and encryption
+ is on.Available in iOS 12.0 and later.
+- key: SMIMEEnableEncryptionPerMessageSwitch
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', displays the per-message encryption switch in the Mail Compose
+ UI. Available in iOS 12.0 and later.
+- key: EnableMail
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If 'false', disables the Mail service for this account. The Mail service may be re-enabled in Settings unless 'EnableMailUserOverridable' is 'false'.
+ 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'.
+- key: EnableContacts
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If 'false', disables the Contacts service for this account. The Contacts service may be re-enabled in Settings unless 'EnableContactsUserOverridable' is 'false'.
+ 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'.
+- key: EnableCalendars
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If 'false', disables the Calendars service for this account. The Calendars service may be re-enabled in Settings unless 'EnableCalendarsUserOverridable' is 'false'.
+ 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'.
+- key: EnableReminders
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If 'false', disables the Reminders service for this account. The Reminders service may be re-enabled in Settings unless 'EnableRemindersUserOverridable' is false.
+ 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'.
+- key: EnableNotes
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If 'false', disables the Notes service for this account. The Notes service may be re-enabled in Settings unless 'EnableNotesUserOverridable' is 'false'.
+ 'EnableMail', 'EnableContacts', 'EnableCalendars', 'EnableReminders', and 'EnableNotes' can't all be set to 'false'.
+- key: EnableMailUserOverridable
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents the user from changing the state of the Mail service
+ for this account in Settings.
+- key: EnableContactsUserOverridable
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents the user from changing the state of the Contacts service
+ for this account in Settings.
+- key: EnableCalendarsUserOverridable
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents the user from changing the state of the Calendars
+ service for this account in Settings.
+- key: EnableRemindersUserOverridable
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents the user from changing the state of the Reminders
+ service for this account in Settings.
+- key: EnableNotesUserOverridable
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ default: true
+ content: If 'false', prevents the user from changing the state of the Notes service
+ for this account in Settings.
+- key: OAuthSignInURL
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ content: |-
+ The URL that this account should use for signing in via OAuth. When this URL is specified, auto-discovery is not used for this account so you must also specify a host.
+ This field is ignored unless 'OAuth' is 'true'.
+- key: OAuthTokenRequestURL
+ supportedOS:
+ iOS:
+ introduced: '13.0'
+ type:
+ presence: optional
+ content: |-
+ The URL that this account should use for token requests via OAuth.
+ This field is ignored unless 'OAuth' is 'true'.
+- key: OverridePreviousPassword
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', overrides the previous user/EAS password with the new EAS password
+ in the payload. Available in iOS 14 and later.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml
new file mode 100644
index 0000000..de541eb
--- /dev/null
+++ b/mdm/profiles/com.apple.education.yaml
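Review bot: `SMIMESigningEnabled` and `SMIMEEncryptionEnabled` declare `introduced: '10.3'` while their `content` says "Available in iOS 10.0 and later", and `SMIMEEnabled` (deprecated '10.0') directs readers to `SMIMESigningEnabled`, which by this schema does not exist until 10.3; one of the two versions is wrong and the metadata and prose should agree before tooling is generated from it. `SSL` is documented with `default: false`, whereas `com.apple.ews.account.yaml` in the same commit gives `default: true` for the equivalent key; if the EAS default really is an unencrypted connection, the description should say what 'false' means rather than only what 'true' does, e.g. `content: If 'true', enables SSL for authentication. If 'false', the connection to the server isn't encrypted.` — worth confirming against the platform. Smaller text defects in the hunk: `UserName` reads "This user name for this Exchange account" (should be "The user name"), and `PayloadCertificateUUID` has "The UUID of of the certificate".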
@@ -0,0 +1,281 @@
+title: Education Configuration
+description: ''
+payload:
+ payloadtype: com.apple.education
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.14'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: This payload is used to configure Classroom students, Classroom instructors,
+ and the Shared iPad login screen. These do not necessarily require the same set
+ of keys to be present in their payloads, so make sure to include all keys that
+ are required for the education product you are configuring.
+payloadkeys:
+- key: OrganizationUUID
+ type:
+ presence: required
+ content: The organization's UUID identifier. This identifier can be any valid UUID.
+ All teacher and student devices that need to communicate with one another must
+ have the same organization UUID, particularly if they originated from different
+ Device Enrollment Programs.
+- key: OrganizationName
+ type:
+ presence: required
+ content: The organization's display name. This name is shown in the iOS login screen.
+- key: PayloadCertificateUUID
+ type:
+ presence: optional
+ content: |-
+ The UUID of an identity certificate payload within the same profile to use for performing client authentication with other devices.
+ This key is required to configure Classroom. It does not impact the configuration of the Shared iPad login screen.
+- key: LeaderPayloadCertificateAnchorUUID
+ type:
+ presence: optional
+ content: |-
+ The array of UUIDs referring to certificate payloads within the same profile that are used to authorize leader peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust.
Leader certificates must have the common name prefix leader (case insensitive).
+ Note: Identity payloads aren't supported.
+ This key is required when configuring a student device for Classroom, and is ignored when configuring an instructor device. It does not impact the configuration of the Shared iPad login screen.
+ subkeys:
+ - key: LeaderPayloadCertificateAnchorUUIDItem
+ type:
+ presence: required
+ content: A certificate payload UUID.
+- key: MemberPayloadCertificateAnchorUUID
+ type:
+ presence: optional
+ content: |-
+ The array of UUIDs referring to certificate payloads within the same profile that are used to authorize group member peer certificate identities. This array must contain all certificates needed to validate the entire chain of trust. Member certificates must have the common name prefix member (case insensitive).
+ Note: Identity payloads aren't supported.
+ This key is required when configuring an instructor device for Classroom, and is ignored when configuring a student device. It does not impact the configuration of the Shared iPad login screen.
+ subkeys:
+ - key: MemberPayloadCertificateAnchorUUIDItem
+ type:
+ presence: required
+ content: A certificate payload UUID.
+- key: ResourcePayloadCertificateUUID
+ type:
+ presence: optional
+ content: |-
+ The UUID of an identity certificate payload within the same profile that is used to perform client authentication when fetching additional resources, such as student images. If not specified, the MDM client identity is used.
+ If present, this key is used to configure both Classroom and the Shared iPad login screen.
+- key: UserIdentifier
+ type:
+ presence: required
+ content: |-
+ The unique string that identifies the user of this device within the organization.
+ If this payload is intended to configure the Shared iPad login screen, this value must not be set.
+- key: Departments
+ type:
+ presence: optional
+ content: |-
+ For shared iPad profiles: The array of dictionaries that defines which departments are shown in the Shared iPad login screen.
+ If present, this key is used to configure both Classroom and the Shared iPad login screen.
+ subkeys:
+ - key: DepartmentsItem
+ type:
+ subkeys:
+ - key: Name
+ type:
+ presence: required
+ content: The display name of the department.
+ - key: GroupBeaconIDs
+ type:
+ presence: required
+ content: The group beacon identifiers that are members of this department.
+ subkeys:
+ - key: GroupBeaconIDsItem
+ type:
+ presence: required
+ content: A group beacon identifier.
+- key: Groups
+ type:
+ presence: required
+ content: |-
+ For shared iPad profiles: The array of dictionaries that defines which groups the user can select in the login window.
+
+ For leader/teacher profiles: The array of dictionaries that defines the groups that the user can control.
+
+ For member/student profiles: The array of dictionaries that defines the groups where the user is a member.
+ subkeys:
+ - key: GroupsItem
+ type:
+ subkeys:
+ - key: BeaconID
+ type:
+ presence: required
+ content: The group's unique beacon ID.
+ - key: Name
+ type:
+ presence: required
+ content: The display name of the group.
+ - key: Description
+ type:
+ presence: optional
+ content: The description of the group.
+ - key: ImageURL
+ supportedOS:
+ iOS:
+ deprecated: 9.3.2
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: Deprecated in iOS 9.3.1 and later. The URL of an image for the group.
+ - key: ConfigurationSource
+ type:
+ presence: optional
+ content: The source that provided this group; for example, iTunesU, SIS, or
+ MDM.
+ - key: LeaderIdentifiers
+ type:
+ presence: optional
+ content: The user identifiers that are leaders of this group.
+ subkeys:
+ - key: LeaderIdentifiersItem
+ type:
+ presence: required
+ content: A user identifier.
+ - key: MemberIdentifiers
+ type:
+ presence: required
+ content: The entries in the Users array that are members of the group.
+ subkeys:
+ - key: MemberIdentifiersItem
+ type:
+ presence: required
+ content: A member identifier.
+ - key: DeviceGroupIdentifiers
+ type:
+ presence: optional
+ content: |-
+ The identifiers that refer to entries in the DeviceGroups array to which the instructor can assign users from this class.
+ The presence/value of this key does not impact the configuration of the Shared iPad login screen.
+ subkeys:
+ - key: DeviceGroupIdentifiersItem
+ type:
+ presence: required
+ content: A device group identifier.
+- key: Users
+ type:
+ presence: required
+ content: |-
+ For shared iPad profiles: The array of dictionaries that define the users that are shown in the iOS login window.
+
+ For leader/teacher profiles: The array of dictionaries that define users that are members of the teacher's groups.
+
+ For member/student profiles: The array of dictionaries that must contain the definition of the user specified in the 'UserIdentifier' key. With one-to-one member devices, this key should include only the device user and the teacher but not other class members.
+ subkeys:
+ - key: UsersItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The unique identifier for a user in the organization.
+ - key: Name
+ type:
+ presence: required
+ content: The name of the user.
+ - key: GivenName
+ type:
+ presence: optional
+ content: The given name of the user.
+ - key: FamilyName
+ type:
+ presence: optional
+ content: The family name of the user.
+ - key: PhoneticGivenName
+ type:
+ presence: optional
+ content: The user's phonetic given name. This name is used to sort users in
+ the Classroom app and the Shared iPad Login Screen.
+ - key: PhoneticFamilyName
+ type:
+ presence: optional
+ content: The user's phonetic family name. This name is used to sort users in
+ the Classroom app and the shared iPad login screen.
+ - key: ImageURL
+ type:
+ presence: optional
+ content: |-
+ A string containing a URL pointing to an image of the user. This image will be displayed in the iOS login screen and in the Classroom app. The recommended resolution is 256 x 256 pixels (512 x 512 pixels on a 2x device). The recommended formats are JPEG, PNG, and TIFF.
+ The 'ResourcePayloadCertificateUUID' identity certificate or the MDM client identity will be used to perform authentication when fetching the image.
+ - key: FullScreenImageURL
+ supportedOS:
+ iOS:
+ deprecated: 9.3.2
+ macOS:
+ deprecated: n/a
+ type:
+ presence: optional
+ content: Deprecated in iOS 9.3.1 and later. The URL pointing to an image of
+ the user. The 'ResourcePayloadCertificateUUID' identity certificate or the
+ MDM client identity will be used to perform authentication when fetching the
+ specified resource.
+ - key: AppleID
+ type:
+ presence: optional
+ content: |-
+ The managed Apple ID for this user.
+ This key is not required to configure Classroom, but it is used by Classroom if it is present.
+ This key is required when configuring the Shared iPad login screen.
+ - key: PasscodeType
+ type:
+ presence: optional
+ rangelist:
+ - complex
+ - four
+ - six
+ content: The type of passcode UI to show when the user is at the login window.
+- key: DeviceGroups
+ type:
+ presence: optional
+ content: 'For leader/teacher profiles: The array of dictionaries that defines which
+ device groups the leader can assign devices to. This key is not included in member
+ payloads.'
+ subkeys:
+ - key: DeviceGroupsItem
+ type:
+ subkeys:
+ - key: Identifier
+ type:
+ presence: required
+ content: The unique identifier for the device group in the organization.
+ - key: Name
+ type:
+ presence: required
+ content: The name of the device group, which must be unique in the organization.
+ - key: SerialNumbers
+ type:
+ presence: required
+ content: The serial numbers of the devices in the group.
+ subkeys:
+ - key: SerialNumbersItem
+ type:
+ presence: required
+ content: A serial number.
+- key: ScreenObservationPermissionModificationAllowed
+ supportedOS:
+ iOS:
+ introduced: '10.3'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', allows students enrolled in managed classes to modify their
+ teacher's permissions for screen observation on their device.
diff --git a/mdm/profiles/com.apple.ews.account.yaml b/mdm/profiles/com.apple.ews.account.yaml
new file mode 100644
index 0000000..cc581be
--- /dev/null
+++ b/mdm/profiles/com.apple.ews.account.yaml
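Review bot: `UserIdentifier` is marked `presence: required`, but its own content says the value "must not be set" when the payload configures the Shared iPad login screen, so a validator driven by this schema would reject a correctly built login-screen profile; `presence: optional` with the existing prose is the consistent choice, unless the schema has a way to express a conditional requirement. `Groups.ImageURL` and `Users.FullScreenImageURL` set `deprecated: 9.3.2` (unquoted, unlike every other version string in the file, and with macOS given as `introduced: n/a` in one and `deprecated: n/a` in the other) while their content says "Deprecated in iOS 9.3.1 and later"; pick one version and write it as `deprecated: '9.3.2'` in both places. `description: ''` at the top of the hunk leaves the payload without a summary while the sibling profiles in this commit fill it, e.g. `description: Use this section to define Education settings.`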
@@ -0,0 +1,117 @@
+title: Exchange Web Services
+description: ''
+payload:
+ payloadtype: com.apple.ews.account
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: For macOS 10.9 and higher, an Exchange Web services (EWS) account is configured
+ with support for Mail, Contacts, Calendar, Notes and Reminders. macOS 10.7-10.8
+ only supported Contacts.
+payloadkeys:
+- key: EmailAddress
+ type:
+ presence: optional
+ content: The full email address for the account. If the email address string isn't
+ present in the payload, the device prompts for it during profile installation.
+- key: Host
+ type:
+ presence: optional
+ content: |-
+ The Exchange server host name or IP address.
+ If using OAuth, the host name is ignored..
+- key: SSL
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables SSL.
+- key: OAuth
+ title: Use OAuth
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', enables OAuth for authentication. If OAuth is enabled, don't specify a password.
+ Available in macOS 10.14 and later
+- key: OAuthSignInURL
+ title: URL for OAuth sign-in
+ supportedOS:
+ macOS:
+ introduced: '10.14'
+ type:
+ presence: optional
+ content: The URL to load into a web view for authentication via OAuth when autodiscovery
+ isn't used. This setting requires a 'Host' value.
+- key: UserName
+ type:
+ presence: optional
+ content: The user name for this Exchange account. This string is required for noninteractive
+ (for example, MDM) installation. If it's missing, the device prompts for it during
+ interactive profile installation.
+- key: Password
+ type:
+ presence: optional
+ content: The password of the account. Use only with encrypted profiles.
+- key: PayloadCertificateUUID
+ title: Payload Certificate UUID
+ supportedOS:
+ macOS:
+ introduced: '10.12'
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The UUID of of the certificate payload within the same profile to use for
+ the identity credential. Supported on macOS 10.12 or later.
+- key: AuthenticationCertificateUUID
+ supportedOS:
+ macOS:
+ introduced: '10.11'
+ type:
+ presence: optional
+ content: The UUID of of the certificate payload within the same profile to use for
+ the identity credential. Supported on macOS 10.11 or later. On macOS 10.12 or
+ later use the PayloadCertificateUUID.
+- key: allowMailDrop
+ title: Allow Mail Drop
+ supportedOS:
+ macOS:
+ introduced: '10.12'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Mail Drop.
+- key: Path
+ type:
+ presence: optional
+ content: The server path.
+- key: Port
+ type:
+ presence: optional
+ content: The server port number.
+- key: ExternalHost
+ type:
+ presence: optional
+ content: The external server address.
+- key: ExternalSSL
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables SSL for connections to the external server.
+- key: ExternalPath
+ type:
+ presence: optional
+ content: The external server path.
+- key: ExternalPort
+ type:
+ presence: optional
+ content: The external server port number.
diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml
new file mode 100644
index 0000000..f6671db
--- /dev/null
+++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml
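Review bot: `Host` says "If using OAuth, the host name is ignored.." while `OAuthSignInURL` a few keys later says "This setting requires a 'Host' value", so an administrator setting up OAuth gets contradictory guidance on whether the host is honoured; the EAS schema in the same commit resolves this with "If using OAuth without an OAuthSignInURL, the host name is ignored." and the same sentence (minus the doubled period) belongs here. `AuthenticationCertificateUUID` is described as superseded by `PayloadCertificateUUID` from 10.12 but has no `deprecated: '10.12'` under `supportedOS.macOS` and lacks the UUID `format` pattern its replacement carries, so a schema-driven validator treats the two identity-credential keys differently for no stated reason. Both certificate keys repeat "The UUID of of the certificate", and `description: ''` at the top of the hunk leaves the payload without a summary.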
@@ -0,0 +1,356 @@ +title: Extensible Single Sign-On (Kerberos) +description: Configures an app extension to handle Kerberos SSO. +payload: + payloadtype: com.apple.extensiblesso + supportedOS: + iOS: + introduced: '13.0' + supervised: false + allowmanualinstall: false + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.15' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: true + allowmanualinstall: false + userenrollment: + mode: allowed + content: Configures the included Kerberos extension that performs SSO on behalf + of specified hosts. User channel support was added in macOS 11.0. +payloadkeys: +- key: ExtensionIdentifier + type: + presence: required + rangelist: + - com.apple.AppSSOKerberos.KerberosExtension + content: This value must be 'com.apple.AppSSOKerberos.KerberosExtension' for this + extension. +- key: TeamIdentifier + type: + presence: required + rangelist: + - apple + content: This value must be 'apple' for the Kerberos extension. +- key: Type + type: + presence: required + rangelist: + - Credential + content: This value must be 'Credential' for the Kerberos extension. +- key: Realm + type: + presence: required + content: The Kerberos realm, which should be properly capitalized. If in an Active + Directory forest, this is the realm where the user logs in. +- key: ExtensionData + type: + presence: optional + content: This is the dictionary used by the Apple built-in Kerberos extension. + subkeys: + - key: cacheName + supportedOS: + iOS: + deprecated: '15.0' + macOS: + deprecated: '12.0' + type: + presence: optional + content: The GSS name of the Kerberos cache to use. Rarely set by an administrator. + - key: principalName + type: + presence: optional + content: The principal (aka username) to use. You do not need to include the realm. 
+ - key: siteCode + type: + presence: optional + content: The name of the Active Directory site the Kerberos extension should use. + Most administrators will never need to modify this value, as the Kerberos extension + can normally find the site automatically. + - key: certificateUUID + type: + presence: optional + content: The PayloadUUID of a PKINIT certificate. + - key: useSiteAutoDiscovery + type: + presence: optional + default: true + content: If 'false', the Kerberos extension doesn't automatically use LDAP and + DNS to determine its AD site name. + - key: credentialBundleIdACL + type: + presence: optional + content: A list of bundle IDs allowed to access the ticket-granting ticket (TGT). + subkeys: + - key: credentialBundleIdACLItem + type: + presence: optional + content: Bundle IDs allowed to access the TGT. These values are case sensitive. + - key: includeManagedAppsInBundleIdACL + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '12.0' + type: + presence: optional + default: false + content: If 'true', the Kerberos extension allows only managed apps to access + and use the credential. This is in addition to the 'credentialBundleIDACL', + if it is specified. Available in iOS 14 and later, and macOS 12 and later. + - key: includeKerberosAppsInBundleIdACL + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '12.0' + type: + presence: optional + default: false + content: |- + If 'true', the Kerberos extension allows the standard kerberos utilities including 'TicketViewer' and 'klist' to access and use the credential. This is in addition to 'includeManagedAppsInBundleIdACL' or the 'credentialBundleIdACL', if it is specified. + Available in macOS 12 and later. + - key: domainRealmMapping + type: + presence: optional + content: A custom domain-realm mapping for Kerberos. This is used when the DNS + name of hosts do not match the realm name. Most administrators will not need + to customize this. 
+ subkeys: + - key: Realm + type: + presence: optional + content: The key should be the name of the realm, and the value is an array + of DNS suffixes that map to the realm. + subkeys: + - key: RealmItem + type: + presence: optional + content: Domains to map to the realm + - key: isDefaultRealm + type: + presence: optional + default: false + content: This property specifies it is the default realm if there is more than + one Kerberos extension configuration. + - key: customUsernameLabel + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: The custom user name label used in the Kerberos extension instead of + “Username”. For example, “Company ID”. Available in macOS 11 and later. + - key: helpText + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: The text to be displayed to the user at the bottom of the Kerberos login + window. It can be used to display help information or disclaimer text. Available + in iOS 14 and later and macOS 11 and later. + - key: allowPasswordChange + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables password changes. Available in macOS 10.15 and later. + - key: allowAutomaticLogin + type: + presence: optional + default: true + content: If 'false', passwords are not allowed to be saved to the keychain. + - key: requireUserPresence + type: + presence: optional + default: false + content: If 'true', requires the user to provide Touch ID, Face ID or their passcode + to access the keychain entry. + - key: pwExpireOverride + supportedOS: + iOS: + introduced: n/a + macOS: + deprecated: '12.0' + type: + presence: optional + content: The number of days that passwords can be used on this domain. For most + domains, this can be calculated automatically. Available in macOS 10.15 and + later. 
+ - key: pwNotificationDays + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: 15 + content: The number of days prior to password expiration when a notification of + password expiration will be sent to the user. Available in macOS 10.15 and later. + - key: pwReqLength + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The minimum length of passwords on the domain.Available in macOS 10.15 + and later. + - key: pwReqComplexity + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', passwords must meet Active Directory's definition of 'complex'.Available + in macOS 10.15 and later. + - key: pwReqMinAge + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The minimum age of passwords before they can be changed on this domain. + Available in macOS 10.15 and later. + - key: pwReqHistory + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The number of prior passwords that cannot be re-used on this domain.Available + in macOS 10.15 and later. + - key: pwReqText + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: The text version of the domain's password requirements. Only for use + if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 10.15 + and later. + - key: pwChangeURL + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: This URL will launch in the user's default web browser when they initiate + a password change. Available in macOS 10.15 and later. + - key: syncLocalPassword + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'false', disables password sync. Note that this will not work if the + user is logged in with a mobile account. Available in macOS 10.15 and later. 
+ - key: replicationTime + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + deprecated: '12.0' + type: + presence: optional + default: 900 + content: The time, in seconds, required to replicate changes in the Active Directory + domain. The Kerberos extension will use this when checking password age after + a change. Available in macOS 11 and later. + - key: delayUserSetup + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + type: + presence: optional + default: false + content: If 'true', doesn't prompt the user to setup the Kerberos extension until + either the administrator enables it with the 'app-sso' tool or a Kerberos challenge + is received. Available in macOS 11 and later. + - key: monitorCredentialsCache + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + type: + presence: optional + default: true + content: |- + If 'false', the credential is requested on the next matching Kerberos challenge or network state change. + If the credential is expired or missing, a new one will be created. Available in macOS 11 and later. + - key: requireTLSForLDAP + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + default: false + content: Require that LDAP connections use TLS. Available in macOS 11 and later. + - key: credentialUseMode + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - always + - whenNotSpecified + - kerberosDefault + default: always + content: |- + This setting affects how the Kerberos Extension credential is used by other processes. Use of the following: + * 'always -' The extension credential will always be used if the SPN matches the Kerberos Extension 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. 
+ * 'whenNotSpecified -' The credential will only be used when another credential has not been specified by the caller and the SPN matches the Kerberos Extensions 'Hosts' array. The credential will not be used if the calling app is not in the 'credentialBundleIDACL'. + * 'kerberosDefault - 'The default Kerberos processes for selecting credentials is used which normally uses the default Kerberos credential. This is the same as turning off this capability. + Available in macOS 11 and later. + - key: preferredKDCs + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: '12.0' + type: + presence: optional + content: |- + The ordered list of perferred Key Distribution Centers (KDCs) to use for Kerberos traffic. Use this if the servers are not discoverable via DNS. If the servers are specified, then they are used for both connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the device falls back to DNS discovery. Each entry is formatted the same as it would be in a 'krb5.conf' file. Examples of entries are: + * 'adserver1.example.com' + * 'tcp/adserver1.example.com:88' + * 'kkdcp://kerberosproxy.example.com:443/kkdcp' + subkeys: + - key: preferredKDC + type: + presence: required + content: A host or domain name in the format of [protocol/]hostname[:port][/path] +- key: Hosts + type: + presence: optional + content: |- + One or more host or domain names for which the app extension performs SSO. Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. + Hosts that begin with a “.” are wildcard suffixes and will match all subdomains, otherwise the host must be an exact match. + subkeys: + - key: hostname + type: + presence: required + content: A host or domain name. Values that begin with a "." will be used as domain + names. 
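Review bot: The content of `includeManagedAppsInBundleIdACL` and of `credentialUseMode` refers to `'credentialBundleIDACL'`, but the key is declared as `credentialBundleIdACL` and its own content states that the values are case sensitive, so the references should read `'credentialBundleIdACL'`. `requireTLSForLDAP` defaults to `false` and its content is a bare imperative; it should state the default's effect, e.g. `If 'true', requires that the extension's LDAP connections use TLS. The default ('false') allows LDAP without TLS. Available in macOS 11 and later.`. `pwExpireOverride` and `replicationTime` are marked `deprecated: '12.0'` for macOS but their content still says only "Available in macOS 11/10.15 and later", so the deprecation should be mentioned in the text as it is for other keys. Smaller wording defects: "perferred" in `preferredKDCs`, and "domain.Available" / "'complex'.Available" / "domain.Available" missing a space in `pwReqLength`, `pwReqComplexity` and `pwReqHistory`.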
diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml new file mode 100644 index 0000000..6d64888 --- /dev/null +++ b/mdm/profiles/com.apple.extensiblesso.yaml 
@@ -0,0 +1,119 @@ +title: Extensible Single Sign-On +description: Configures an app extension to handle SSO. +payload: + payloadtype: com.apple.extensiblesso + supportedOS: + iOS: + introduced: '13.0' + supervised: false + allowmanualinstall: false + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: allowed + macOS: + introduced: '10.15' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: true + allowmanualinstall: false + userenrollment: + mode: allowed + content: Configures an app extension that performs SSO on behalf of certain URLs. + User channel support was added in macOS 11.0. +payloadkeys: +- key: ExtensionIdentifier + type: + presence: required + content: The bundle identifier of the app extension that performs SSO for the specified + URLs. +- key: TeamIdentifier + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: |- + The team identifier of the app extension. + This key is required on macOS and ignored elsewhere. +- key: Type + type: + presence: required + rangelist: + - Credential + - Redirect + content: The type of SSO. +- key: Realm + type: + presence: optional + content: |- + The realm name for 'Credential' payloads. Use proper capitalization for this value. + This key is ignored for 'Redirect' payloads. +- key: ExtensionData + type: + presence: optional + content: A dictionary of arbitrary data passed through to the app extension. + subkeys: + - key: ANY + type: + presence: optional + content: Keys and values to be passed to the app extension. +- key: URLs + type: + presence: optional + content: |- + An array of URL prefixes of identity providers where the app extension performs SSO. + Required for 'Redirect' payloads. Ignored for 'Credential' payloads. 
+ The URLs must begin with 'http://' or 'https://', the scheme and host name are matched case-insensitively, query parameters and URL fragments are not allowed, and the URLs of all installed Extensible SSO payloads must be unique. + subkeys: + - key: URL + type: + presence: required + content: An http or https URL prefix. +- key: Hosts + type: + presence: optional + content: |- + An array of host names or domain names that apps can authenticate through the app extension. + Required for 'Credential' payloads. Ignored for 'Redirect' payloads. + Host or domain names are matched case-insensitively, and all the host/domain names of all installed Extensible SSO payloads must be unique. + Hosts that begin with a “.” are wildcard suffixes and match all subdomains; otherwise the host must be an exact match. + subkeys: + - key: hostname + type: + presence: required + content: A host or domain name, with or without a leading dot. +- key: ScreenLockedBehavior + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: '12.0' + type: + presence: optional + rangelist: + - Cancel + - DoNotHandle + default: Cancel + content: |- + If set to 'Cancel', the system cancels authentication requests when the screen is locked. If set to 'DoNotHandle', the request continues without SSO instead. This does not apply to requests where 'userInterfaceEnabled' is set to 'false' or background NSURLSession requests. + Available in iOS 15 and later and macOS 12 and later. +- key: DeniedBundleIdentifiers + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: '12.0' + type: + presence: optional + content: |- + An array of bundle identifiers of apps that don't use SSO provided by this extension. + Available in iOS 15 and later and macOS 12 and later. + subkeys: + - key: bundleIdentifier + type: + presence: required + content: The bundle identifier of the app. 
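Review bot: The `URL` subkey documents hard constraints (must start with `http://` or `https://`, no query parameters or fragments) but carries no `format`, whereas other profiles in this change encode such constraints as a regex (`PayloadCertificateUUID` in the EWS file), so a constructed pattern such as `format: ^https?://[^?#]+$` would let validators enforce what the prose states. The `Realm` and `URLs`/`Hosts` keys are `presence: optional` while their content says they are required for one `Type` value and ignored for the other; since the schema cannot express that conditional, the `Type` content should at least point to it, e.g. `The type of SSO. 'Credential' requires 'Realm' and 'Hosts'; 'Redirect' requires 'URLs'.`. `TeamIdentifier` is `presence: optional` with `iOS: introduced: n/a` yet its text says it is required on macOS, which is the same conditional-requirement gap and is worth a comment.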
diff --git a/mdm/profiles/com.apple.familycontrols.contentfilter.yaml b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml new file mode 100644 index 0000000..f629d6a --- /dev/null +++ b/mdm/profiles/com.apple.familycontrols.contentfilter.yaml 
@@ -0,0 +1,69 @@ +title: 'Parental Controls: Content Filter' +description: '' +payload: + payloadtype: com.apple.familycontrols.contentfilter + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Parental controls web filter. +payloadkeys: +- key: restrictWeb + type: + presence: required + content: If 'true', enables web content filters. +- key: useContentFilter + type: + presence: optional + default: false + content: If 'true', filters content automatically. +- key: whitelistEnabled + type: + presence: optional + default: false + content: If 'true', enables web content filters. +- key: siteWhitelist + type: + presence: optional + content: |- + An array of sites that defines an allow list. If specified, this defines additional allowed sites besides those in the automated allow list and deny list, including disallowed adult sites. + + This key is required if 'whiteListEnabled' is 'true'. + subkeys: + - key: siteWhitelistItem + type: + subkeys: + - key: address + type: + presence: required + content: The site prefix, including http(s) scheme. + - key: pageTitle + type: + presence: optional + content: The site page title. +- key: filterWhitelist + type: + presence: optional + content: The array of URLs that defines an allow list. When 'restrictWeb' and 'useContentFilter' + are enabled, only URLs in the allow list are available to the user. + subkeys: + - key: filterWhitelistItem + type: + presence: required + content: An allowed site. +- key: filterBlacklist + type: + presence: optional + content: The array of URLs that defines a deny list. When 'restrictWeb' and 'useContentFilter' + are enabled, no URLs in the deny list are available to the user. + subkeys: + - key: filterBlacklistItem + type: + presence: required + content: A disallowed site. 
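Review bot: The content of `whitelistEnabled` is a copy of `restrictWeb`'s ("If 'true', enables web content filters."), which cannot be right for a second key; given that `siteWhitelist` says it is required when this key is `'true'`, the text presumably should be `If 'true', enables the 'siteWhitelist' allow list.` (confirm against the consumer). The `siteWhitelist` content refers to `'whiteListEnabled'` with a capital L while the key is `whitelistEnabled`; profile keys are case sensitive, so the reference should match. `siteWhitelistItem` has an empty `type:` with no `presence`, unlike `filterWhitelistItem` and `filterBlacklistItem` which declare `presence: required`, so one of the two should be aligned. `address` documents "The site prefix, including http(s) scheme" but, like the URL keys elsewhere in this change, has no `format` to enforce it.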
diff --git a/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml new file mode 100644 index 0000000..c0410f4 --- /dev/null +++ b/mdm/profiles/com.apple.familycontrols.timelimits.v2.yaml @@ -0,0 +1,75 @@ +title: 'Parental Controls: Time Limits' +description: '' +payload: + payloadtype: com.apple.familycontrols.timelimits.v2 + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Parental controls time limits. +payloadkeys: +- key: familyControlsEnabled + type: + presence: required + content: If 'true', enables time limits. +- key: time-limits + type: + presence: optional + content: The time limits to enforce if 'familyControlsEnabled' is enabled. + subkeys: + - key: weekday-allowance + type: + presence: optional + content: The weekday allowance settings. + subkeytype: Allowance + subkeys: &id001 + - key: enabled + type: + presence: required + content: If 'true', enable these settings. + - key: rangeType + type: + presence: required + rangelist: + - 0 + - 1 + content: |- + The type of day range: + 0 = Weekday + 1 = Weekend + - key: start + type: + presence: optional + content: The curfew start time, in the format '%d:%d:%d'. + - key: end + type: + presence: optional + content: The curfew end time, in the format '%d:%d:%d'. + - key: secondsPerDay + type: + presence: optional + content: The allowance for that day, in seconds. + - key: weekday-curfew + type: + presence: optional + content: The weekday curfew settings. + subkeytype: Allowance + subkeys: *id001 + - key: weekend-allowance + type: + presence: optional + content: The weekend allowance settings. + subkeytype: Allowance + subkeys: *id001 + - key: weekend-curfew + type: + presence: optional + content: The weekend curfew settings. + subkeytype: Allowance + subkeys: *id001 
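Review bot: The `start` and `end` content gives the value format as `'%d:%d:%d'`, a printf placeholder that says three integers but not what they denote or their ranges; presumably this is `hours:minutes:seconds` on a 24-hour clock, and the content should say so once confirmed (`The curfew start time, as 'HH:MM:SS' (24-hour clock).`). The shared subkey list is anchored as `&id001`, an auto-generated name that says nothing when read at the four `subkeys: *id001` sites; since the block already carries `subkeytype: Allowance`, a descriptive anchor such as `&allowance_subkeys` would make the reuse self-explanatory. Note that the same subkey set, including `secondsPerDay`, is applied to the curfew entries as well as the allowance entries; if that is intended the `secondsPerDay` content should say it is ignored for curfews, otherwise the curfew entries need their own subkey list.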
diff --git a/mdm/profiles/com.apple.fileproviderd.yaml b/mdm/profiles/com.apple.fileproviderd.yaml new file mode 100644 index 0000000..afcc5cd --- /dev/null +++ b/mdm/profiles/com.apple.fileproviderd.yaml @@ -0,0 +1,21 @@ +title: File Provider +description: '' +payload: + payloadtype: com.apple.fileproviderd + supportedOS: + macOS: + introduced: '11.0' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: true + allowmanualinstall: false + userenrollment: + mode: forbidden +payloadkeys: +- key: AllowManagedFileProvidersToRequestAttribution + type: + presence: optional + default: false + content: If 'true', enables file providers access to the path of the requesting + process. diff --git a/mdm/profiles/com.apple.finder.yaml b/mdm/profiles/com.apple.finder.yaml new file mode 100644 index 0000000..b9f9552 --- /dev/null +++ b/mdm/profiles/com.apple.finder.yaml 
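Review bot: The content of `AllowManagedFileProvidersToRequestAttribution` says "enables file providers access to the path of the requesting process", dropping the "managed" qualifier that the key name carries and that limits which providers gain this disclosure; it should read `If 'true', allows managed file providers to access the path of the process making a request.`. The `payload` mapping has no `content` entry, unlike the other profiles in this change, so a one-line description of the File Provider payload is missing.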
@@ -0,0 +1,70 @@ +title: Finder +description: '' +payload: + payloadtype: com.apple.finder + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: ProhibitBurn + type: + presence: optional + default: false + content: If 'true', disables the Finder's burn support. +- key: InterfaceLevel + supportedOS: + macOS: + removed: '10.15' + type: + presence: optional + rangelist: + - Simple + - Full + content: If Finder should operate in Simple or Full mode. +- key: ProhibitConnectTo + type: + presence: optional + default: false + content: If set to true, Connect to Server will be disabled. +- key: ProhibitEject + type: + presence: optional + default: false + content: If set to true, Eject will be disabled. +- key: ProhibitGoToFolder + type: + presence: optional + default: false + content: If set to true, Go To Folder will be disabled. +- key: ShowExternalHardDrivesOnDesktop + type: + presence: optional + default: true + content: If set to false, extneral hard drives will not appear on the desktop. +- key: ShowHardDrivesOnDesktop + type: + presence: optional + default: false + content: If set to false, internal hard drives will not appear on the desktop. +- key: ShowMountedServersOnDesktop + type: + presence: optional + default: false + content: If set to false, mounted file servers will not appear on the desktop. +- key: ShowRemovableMediaOnDesktop + type: + presence: optional + default: true + content: If set to false, removable media will not appear on the desktop. +- key: WarnOnEmptyTrash + type: + presence: optional + default: true + content: If set to false, user will not be warned before emptying the trash. diff --git a/mdm/profiles/com.apple.firstactiveethernet.managed.yaml b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml new file mode 100644 index 0000000..b58c019 --- /dev/null 
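Review bot: The boolean keys mix two phrasings, "If 'true', disables the Finder's burn support." for `ProhibitBurn` and "If set to true, Connect to Server will be disabled." for the rest, while every other profile in this change uses the `If 'true', ...` form; the `ProhibitConnectTo`, `ProhibitEject`, `ProhibitGoToFolder`, `Show...OnDesktop` and `WarnOnEmptyTrash` contents should be rewritten to match. `ShowExternalHardDrivesOnDesktop` contains the typo "extneral". The `InterfaceLevel` content "If Finder should operate in Simple or Full mode." is not a sentence; `Whether the Finder operates in 'Simple' or 'Full' mode. Removed in macOS 10.15.` states both the values and the `removed` marker.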
+++ b/mdm/profiles/com.apple.firstactiveethernet.managed.yaml @@ -0,0 +1,21 @@ +title: '802.1X: First Active Ethernet' +description: '' +payload: + payloadtype: com.apple.firstactiveethernet.managed + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: ANY + type: + presence: optional + content: Keys relevant to 802.1x configuration. User enrollment payloads do not + support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, + ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.firstethernet.managed.yaml b/mdm/profiles/com.apple.firstethernet.managed.yaml new file mode 100644 index 0000000..0d1bcd1 --- /dev/null +++ b/mdm/profiles/com.apple.firstethernet.managed.yaml @@ -0,0 +1,21 @@ +title: '802.1X: First Ethernet' +description: '' +payload: + payloadtype: com.apple.firstethernet.managed + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: ANY + type: + presence: optional + content: Keys relevant to 802.1x configuration. User enrollment payloads do not + support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, + ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml new file mode 100644 index 0000000..2d1b40f --- /dev/null +++ b/mdm/profiles/com.apple.font.yaml 
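Review bot: The `ANY` content lists "ProxyPassword,, ProxyPACURL" with a doubled comma; the same text appears in `com.apple.firstethernet.managed.yaml` in this hunk group and in `com.apple.globalethernet.managed.yaml` later in the diff, so all three should read `ProxyPassword, ProxyPACURL`. These three files are identical apart from `title`, `payloadtype` and the introduced version, and the only key is a wildcard `ANY`, so the content should say where the accepted 802.1X keys are actually defined (the shared EAP/802.1X key set) rather than leaving the reader with "Keys relevant to 802.1x configuration"; a cross-reference such as `See the shared 802.1X key definitions for the accepted keys.` naming that file would do.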
@@ -0,0 +1,40 @@ +title: Font +description: Use this section to define Font settings. +payload: + payloadtype: com.apple.font + supportedOS: + iOS: + introduced: '7.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: forbidden + userenrollment: + mode: allowed + macOS: + introduced: '10.9' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: |- + Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported. + Fonts are uniqued internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. +payloadkeys: +- key: Name + title: Font Name + type: + presence: optional + default: '' + content: |- + The user-visible name for the font. This field is replaced by the actual name of the font after installation. Each payload must contain exactly one font file in trueType (.ttf) or OpenType (.otf) format. Collection formats (.ttc or .otc) are not supported. + + Fonts are identified by their embedded PostScript names. Two fonts with the same PostScript name are considered to be the same font even if their contents differ. Installing two different fonts with the same PostScript name isn't supported, and the resulting behavior is undefined. +- key: Font + title: Font + type: + presence: required + content: The contents of the font file. diff --git a/mdm/profiles/com.apple.gamed.yaml b/mdm/profiles/com.apple.gamed.yaml new file mode 100644 index 0000000..a3f9d53 --- /dev/null +++ b/mdm/profiles/com.apple.gamed.yaml 
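Review bot: The `Name` key's content repeats the whole payload-level `content` paragraph (font formats, PostScript uniquing) almost verbatim, with a casing drift ("trueType" versus "TrueType" above); the key content should keep only the sentence about the key itself, `The user-visible name for the font. This field is replaced by the actual name of the font after installation.`, and leave the format discussion to the payload. The `Font` key is `presence: required` with content "The contents of the font file." but nothing says how the bytes are carried in the profile; if it is plist data, `The contents of the font file as data.` (or whatever the actual encoding is) should be stated.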
@@ -0,0 +1,45 @@ +title: 'Parental Controls: Game Center' +description: '' +payload: + payloadtype: com.apple.gamed + supportedOS: + macOS: + introduced: '10.9' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Parental controls Game Center restrictions. +payloadkeys: +- key: GKFeatureGameCenterAllowed + supportedOS: + macOS: + deprecated: '10.13' + type: + presence: optional + default: true + content: If 'true', enables Game Center. +- key: GKFeatureAccountModificationAllowed + type: + presence: optional + default: true + content: If 'true', allows account modifications. +- key: GKFeatureAddingGameCenterFriendsAllowed + supportedOS: + macOS: + deprecated: '10.13' + type: + presence: optional + default: true + content: If 'true', allows adding Game Center friends. +- key: GKFeatureMultiplayerGamingAllowed + supportedOS: + macOS: + deprecated: '10.13' + type: + presence: optional + default: true + content: If 'true', allows multiplayer gaming. diff --git a/mdm/profiles/com.apple.globalethernet.managed.yaml b/mdm/profiles/com.apple.globalethernet.managed.yaml new file mode 100644 index 0000000..a97d3a2 --- /dev/null +++ b/mdm/profiles/com.apple.globalethernet.managed.yaml @@ -0,0 +1,21 @@ +title: '802.1X: Global Ethernet' +description: '' +payload: + payloadtype: com.apple.globalethernet.managed + supportedOS: + macOS: + introduced: '10.13' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: ANY + type: + presence: optional + content: Keys relevant to 802.1x configuration. User enrollment payloads do not + support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, + ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. 
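Review bot: `GKFeatureAccountModificationAllowed` is the only key without `supportedOS: macOS: deprecated: '10.13'`, while its three siblings all carry it; if that key really remained supported after 10.13 its content should say so (`Not deprecated in macOS 10.13.`), otherwise the marker is missing. The payload `content` "Parental controls Game Center restrictions." could note that three of the four keys are deprecated from macOS 10.13 so readers do not discover it key by key.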
diff --git a/mdm/profiles/com.apple.google-oauth.yaml b/mdm/profiles/com.apple.google-oauth.yaml new file mode 100644 index 0000000..d4988d4 --- /dev/null +++ b/mdm/profiles/com.apple.google-oauth.yaml 
@@ -0,0 +1,82 @@ +title: Google Account +description: Use this section to configure Google accounts. The user will be prompted + to sign in afterward. +payload: + payloadtype: com.apple.google-oauth + supportedOS: + iOS: + introduced: '9.3' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: false + userchannel: true + userenrollment: + mode: allowed + content: A Google account payload sets up a Google email address as well as any + other Google services the user enables after authentication. Google accounts must + be installed via MDM or by Apple Configurator 2 (if the device is supervised). + The payload never contains credentials and the user will be prompted to enter + their credentials shortly after the payload successfully installs. On Shared iPads, + this payload can only be installed on the MDM user channel. +payloadkeys: +- key: AccountDescription + title: Account Description + type: + presence: optional + content: A user-visible description of the Google account, shown in the Mail and + Settings apps. +- key: AccountName + title: Account Name + type: + presence: optional + content: The user's full name for the Google account. This name appears in sent + messages. +- key: EmailAddress + title: Email Address + type: + presence: required + content: The full Google email address for the account. +- key: CommunicationServiceRules + title: Communication Service Rules + supportedOS: + iOS: + introduced: '10.0' + type: + presence: optional + content: The communication service handler rules for this account. + subkeys: + - key: DefaultServiceHandlers + title: Default Service Handlers + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: n/a + type: + presence: optional + content: A dictionary defining which app to use for audio calls made from this + account. 
+ subkeys: + - key: AudioCall + title: App for audio calls + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: n/a + type: + presence: optional + content: A string containing the bundle identifier for the default application + that handles audio calls made to contacts from this account. +- key: VPNUUID + title: VPNUUID + supportedOS: + iOS: + introduced: '14.0' + type: + presence: optional + content: |- + The VPNUUID of the per-app VPN the account uses for network communication. + Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.homescreenlayout.yaml b/mdm/profiles/com.apple.homescreenlayout.yaml new file mode 100644 index 0000000..666ecd5 --- /dev/null +++ b/mdm/profiles/com.apple.homescreenlayout.yaml 
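Review bot: `DefaultServiceHandlers` and `AudioCall` carry `supportedOS: macOS: introduced: n/a`, but the payload's `supportedOS` lists only iOS and the sibling keys (`AccountDescription`, `AccountName`, `EmailAddress`, `VPNUUID`) declare no macOS entry at all, so the two `macOS:` stanzas are inconsistent with the rest of the file and should be dropped. The payload `content` says "The payload never contains credentials" and the key list bears that out, which is worth keeping; the `VPNUUID` content should add that the referenced VPN payload must be installed in the same profile or already present, if that is the rule, since nothing here says what happens when the UUID does not resolve.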
@@ -0,0 +1,77 @@
+title: Home Screen Layout
+description: ''
+payload:
+ payloadtype: com.apple.homescreenlayout
+ supportedOS:
+ iOS:
+ introduced: '9.3'
+ supervised: true
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: '11.0'
+ supervised: true
+ allowmanualinstall: true
+ content: The payload defines a layout of apps, folders, & web clips for the Home
+ screen.
+payloadkeys:
+- key: Dock
+ type:
+ presence: optional
+ content: An array of dictionaries, each of which must conform to the icon dictionary
+ format. If this key isn't present, the user's dock is empty.
+ subkeytype: IconItem
+ subkeys: &id001
+ - key: IconItem
+ type:
+ subkeys:
+ - key: Type
+ type:
+ presence: required
+ rangelist:
+ - App
+ - Folder
+ - WebClip
+ content: The type of the dock item.
+ - key: DisplayName
+ type:
+ presence: optional
+ content: The human-readable string shown to the user. This setting is valid
+ only if the type is 'Folder'.
+ - key: BundleID
+ type:
+ presence: optional
+ content: The bundle identifier of the app. This setting is required if the type
+ is 'Application'.
+ - key: Pages
+ type:
+ presence: optional
+ content: An array of arrays of dictionaries, each conforming to the icon dictionary
+ format. This setting is valid only if the type is 'Folder'.
+ subkeytype: PagesItem
+ subkeys: &id002
+ - key: PagesItem
+ type:
+ subkeytype: IconItem
+ subkeys: *id001
+ - key: URL
+ supportedOS:
+ iOS:
+ introduced: '11.3'
+ type:
+ presence: optional
+ content: |-
+ The URL of the existing web clip for this item. This setting is required if 'type' is 'WebClip'. If more than one web clip exists with the same URL, the behavior is undefined.
+ Specifying a web clip in this payload doesn't create the web clip. Use the WebClip payload to create a web clip.
+- key: Pages
+ type:
+ presence: required
+ content: An array of arrays of dictionaries, each of which must conform to the icon
+ dictionary format.
+ subkeytype: PagesItem
+ subkeys: *id002
diff --git a/mdm/profiles/com.apple.ironwood.support.yaml b/mdm/profiles/com.apple.ironwood.support.yaml
new file mode 100644
index 0000000..26dd196
--- /dev/null
+++ b/mdm/profiles/com.apple.ironwood.support.yaml
@@ -0,0 +1,26 @@
+title: 'Parental Control: Dictation and Profanity'
+description: Parental controls for restricting Siri, Dictation and Profanity
+payload:
+ payloadtype: com.apple.ironwood.support
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ deprecated: '10.13'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: Profanity Allowed
+ type:
+ presence: optional
+ default: true
+ content: If 'false', suppresses profanity.
+- key: Ironwood Allowed
+ type:
+ presence: optional
+ default: true
+ content: If 'false', disables dictation.
diff --git a/mdm/profiles/com.apple.jabber.account.yaml b/mdm/profiles/com.apple.jabber.account.yaml
new file mode 100644
index 0000000..3ca1788
--- /dev/null
+++ b/mdm/profiles/com.apple.jabber.account.yaml
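Review bot: The BundleID subkey of IconItem says the setting is required "if the type is 'Application'", but the Type rangelist in the same dictionary only admits App, Folder and WebClip, so the text points readers at a value the schema rejects. The URL subkey has the same drift, referring to the key as 'type' while it is declared as Type. Suggested wording for BundleID: `content: The bundle identifier of the app. This setting is required if the type is 'App'.`, and for URL `This setting is required if 'Type' is 'WebClip'.`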
@@ -0,0 +1,61 @@
+title: Jabber Account
+description: Use this section to define settings for configuration access to Jabber
+ servers.
+payload:
+ payloadtype: com.apple.jabber.account
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ deprecated: '10.14'
+ removed: '10.14'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: A Jabber payload creates a Jabber account on the device.
+payloadkeys:
+- key: JabberAccountDescription
+ title: Account Description
+ type:
+ presence: optional
+ content: The description of the account.
+- key: JabberHostName
+ title: Account Hostname
+ type:
+ presence: required
+ content: The server's address.
+- key: JabberUserName
+ title: Account Username
+ type:
+ presence: optional
+ content: The user's user name.
+- key: JabberPassword
+ title: Account Password
+ type:
+ presence: optional
+ content: The user's password.
+- key: JabberUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables SSL.
+- key: JabberPort
+ title: Port Number
+ type:
+ presence: optional
+ range:
+ min: 0
+ max: 65535
+ default: 5222
+ content: The server's port.
+- key: JabberAuthentication
+ title: Jabber Authentification
+ type:
+ presence: required
+ rangelist:
+ - JabberAuthPassword
+ content: The authentication method for the account.
diff --git a/mdm/profiles/com.apple.ldap.account.yaml b/mdm/profiles/com.apple.ldap.account.yaml
new file mode 100644
index 0000000..8d87893
--- /dev/null
+++ b/mdm/profiles/com.apple.ldap.account.yaml
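Review bot: JabberPassword's content reads only `The user's password.`, whereas LDAPAccountPassword and IncomingPassword in the LDAP and Mail hunks state that the value is honored only in encrypted profiles; if the same restriction applies here, the key should say so, since a plaintext password shipped in an unencrypted profile is exactly the failure these notes guard against. Suggested, subject to confirming the platform behavior: `content: The user's password. The password is enabled only with encrypted profiles.` Separately, the JabberAuthentication title is spelled `Jabber Authentification`; the IncomingMailServerAuthentication title in the Mail hunk carries the same misspelling.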
@@ -0,0 +1,98 @@
+title: LDAP
+description: Use this section to define settings for configuration access to LDAP
+ servers.
+payload:
+ payloadtype: com.apple.ldap.account
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: LDAPAccountDescription
+ title: Account Description
+ type:
+ presence: optional
+ content: The description of the account.
+- key: LDAPAccountHostName
+ title: Account Hostname
+ type:
+ presence: required
+ content: The server's address.
+- key: LDAPAccountUserName
+ title: Account Username
+ type:
+ presence: optional
+ content: The user's user name.
+- key: LDAPAccountPassword
+ title: Account Password
+ type:
+ presence: optional
+ content: The user's password. The password is enabled only with encrypted profiles.
+- key: LDAPAccountUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables SSL.
+- key: LDAPSearchSettings
+ title: Search Settings
+ type:
+ presence: optional
+ content: An array of search settings dictionaries.
+ subkeys:
+ - key: LDAPSearchSettingsItem
+ title: An LDAP Search Setting
+ type:
+ subkeys:
+ - key: LDAPSearchSettingDescription
+ title: Description
+ type:
+ presence: optional
+ content: The description of this search setting.
+ - key: LDAPSearchSettingSearchBase
+ title: Search Setting Search Base
+ type:
+ presence: required
+ content: The path to the node where a search should start.
+ - key: LDAPSearchSettingScope
+ title: Search Setting Scope
+ type:
+ presence: optional
+ rangelist:
+ - LDAPSearchSettingScopeBase
+ - LDAPSearchSettingScopeOneLevel
+ - LDAPSearchSettingScopeSubtree
+ default: LDAPSearchSettingScopeSubtree
+ content: |-
+ The type of recursion to use in the search. It is one of the following values:
+ * 'LDAPSearchSettingScopeBase': Only the immediate node that the search base points to.
+ * 'LDAPSearchSettingScopeOneLevel': The node plus its immediate children.
+ * 'LDAPSearchSettingScopeSubtree': The node plus all children, regardless of depth.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.loginitems.managed.yaml b/mdm/profiles/com.apple.loginitems.managed.yaml
new file mode 100644
index 0000000..8de1d70
--- /dev/null
+++ b/mdm/profiles/com.apple.loginitems.managed.yaml
@@ -0,0 +1,35 @@
+title: 'Login Items: Managed Items'
+description: ''
+payload:
+ payloadtype: com.apple.loginitems.managed
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: This payload handles login items usage on macOS.
+payloadkeys:
+- key: AutoLaunchedApplicationDictionary-managed
+ type:
+ presence: required
+ content: An array of login item dictionaries.
+ subkeys:
+ - key: LoginItem
+ type:
+ presence: required
+ content: A login item.
+ subkeys:
+ - key: Path
+ type:
+ presence: required
+ content: The URL or path string to the item's location.
+ - key: Hide
+ type:
+ presence: optional
+ default: false
+ content: If true, hide this item in the Users & Groups login items list.
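Review bot: The Hide subkey's content writes the literal as bare `If true,` while every other boolean key in this series quotes it as `If 'true',`; for consistency with the rendered documentation use `content: If 'true', hides this item in the Users & Groups login items list.` The Path subkey's `The URL or path string to the item's location.` leaves open which of the two forms is accepted; if both are, saying so explicitly would save implementers a guess.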
diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml
new file mode 100644
index 0000000..52f760c
--- /dev/null
+++ b/mdm/profiles/com.apple.loginwindow.yaml
@@ -0,0 +1,155 @@
+title: Login Window
+description: ''
+payload:
+ payloadtype: com.apple.loginwindow
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: The com.apple.loginwindow payload creates managed preferences on macOS
+ for system/device profiles.
+payloadkeys:
+- key: SHOWFULLNAME
+ type:
+ presence: optional
+ default: false
+ content: If 'true', shows the name and password dialog; if 'false', displays a list
+ of users.
+- key: HideLocalUsers
+ type:
+ presence: optional
+ default: false
+ content: If 'true', shows only network and system users when showing a user list.
+- key: IncludeNetworkUser
+ type:
+ presence: optional
+ default: false
+ content: If 'true', shows network users when showing a user list.
+- key: HideAdminUsers
+ type:
+ presence: optional
+ default: false
+ content: If 'true', hides administrator users when showing a user list.
+- key: SHOWOTHERUSERS_MANAGED
+ type:
+ presence: optional
+ default: false
+ content: If 'true', displays Other... when showing a list of users.
+- key: AdminHostInfo
+ type:
+ presence: optional
+ rangelist:
+ - HostName
+ - SystemVersion
+ - IPAddress
+ content: If this key is included in the payload, its value is displayed in the login
+ window as additional computer information. Before macOS 10.10, this string could
+ contain only certain information (host name, system version, or IP address). After
+ macOS 10.10, setting this key to any value allows the user to click the time area
+ of the menu bar to toggle through various computer information values.
+- key: AllowList
+ type:
+ presence: optional
+ content: The list of user GUIDs or group GUIDs of users that are allowed to log
+ in. An asterisk '*' string specifies all users or groups.
+ subkeys:
+ - key: AllowListItem
+ type:
+ presence: required
+ content: A user or group GUID.
+- key: DenyList
+ type:
+ presence: optional
+ content: The list of user GUIDs or group GUIDs of users that cannot log in. This
+ list takes priority over the list in the 'AllowList' key.
+ subkeys:
+ - key: DenyListItem
+ type:
+ presence: required
+ content: A user or group GUID.
+- key: HideMobileAccounts
+ type:
+ presence: optional
+ default: false
+ content: If 'true', hides mobile account users in a user list. In some cases, mobile
+ users show up as network users.
+- key: ShutDownDisabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Shut Down button.
+- key: RestartDisabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Restart item.
+- key: SleepDisabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Sleep button.
+- key: DisableConsoleAccess
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disregards the '>console' special user name, which will provide
+ a command line UI.
+- key: LoginwindowText
+ type:
+ presence: optional
+ content: The text to display in the login window.
+- key: ShutDownDisabledWhileLoggedIn
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Shut Down menu item when the user is logged in.
+- key: RestartDisabledWhileLoggedIn
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Restart menu item when the user is logged in.
+- key: PowerOffDisabledWhileLoggedIn
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Power Off menu item when the user is logged in.
+- key: LogOutDisabledWhileLoggedIn
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Log Out menu item when the user is logged in. Available
+ in macOS 10.13 and later.
+- key: DisableScreenLockImmediate
+ supportedOS:
+ macOS:
+ introduced: '10.13'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the immediate Screen Lock functions. Available in macOS
+ 10.13 and later.
+- key: showInputMenu
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ type:
+ presence: optional
+ default: false
+ content: If 'True', shows the Input Menu in the login window.
+- key: DisableFDEAutoLogin
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ type:
+ presence: optional
+ default: false
+ content: If t'rue', disables the automatic login option when using FileVault.
diff --git a/mdm/profiles/com.apple.lom.yaml b/mdm/profiles/com.apple.lom.yaml
new file mode 100644
index 0000000..13cf09f
--- /dev/null
+++ b/mdm/profiles/com.apple.lom.yaml
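Review bot: Two boolean descriptions near the end of the hunk have misquoted literals: showInputMenu reads `If 'True',` and DisableFDEAutoLogin reads `If t'rue',`; both should be `If 'true',` like the other keys, e.g. `content: If 'true', disables the automatic login option when using FileVault.` The AdminHostInfo key also declares a rangelist of HostName, SystemVersion and IPAddress while its content says that after macOS 10.10 any value is accepted; either the rangelist should go or the content should note that only those three values are validated by this schema.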
@@ -0,0 +1,49 @@
+title: Lights Out Management (LOM)
+description: Configures a computer to send or receive "PowerON". "PowerOFF", "Reset"
+ requests.
+payload:
+ payloadtype: com.apple.lom
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: false
+ userenrollment:
+ mode: forbidden
+ content: Configures a computer to send or receive "PowerON". "PowerOFF", "Reset"
+ requests.
+payloadkeys:
+- key: DeviceCertificateUUID
+ title: Device Certificate payload UUID
+ type:
+ presence: optional
+ content: The UUID certificate for the device. This key indicates the device can
+ receive 'PowerON', 'PowerOFF', and 'Reset' requests from a LOM controller.
+- key: ControllerCertificateUUID
+ title: Controller Certificate payload UUID
+ type:
+ presence: optional
+ content: The UUID certificate for the LOM controller. This key configures the device
+ to accept the LOMDeviceRequestCommand from MDM and then send it to the target
+ device.
+- key: DeviceCACertificateUUIDs
+ title: CA certificate payload UUIDs
+ type:
+ presence: optional
+ content: Array of payload UUIDs containing CA certificates that controllers use
+ to evaluate trust of device certificates.
+ subkeys:
+ - key: DeviceCACertificateUUIDsItem
+ type:
+- key: ControllerCACertificateUUIDs
+ title: CA certificate payload UUIDs
+ type:
+ presence: optional
+ content: Array of payload UUIDs containing CA certificates that devices use to evaluate
+ trust of controller certificates.
+ subkeys:
+ - key: ControllerCACertificateUUIDsItem
+ type:
diff --git a/mdm/profiles/com.apple.mail.managed.yaml b/mdm/profiles/com.apple.mail.managed.yaml
new file mode 100644
index 0000000..d6fe55f
--- /dev/null
+++ b/mdm/profiles/com.apple.mail.managed.yaml
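Review bot: The array items DeviceCACertificateUUIDsItem and ControllerCACertificateUUIDsItem carry only an empty `type:` with no presence or content, unlike every other array item in this series, so the element format of the two CA lists is undocumented even though these lists decide which certificates are trusted. A line such as `content: The payload UUID of a CA certificate.` under each item would close the gap, and `content: The payload UUID of the device's certificate.` would read better than `The UUID certificate for the device.` on DeviceCertificateUUID. The description and payload content also contain a stray period in `"PowerON". "PowerOFF", "Reset"`, where a comma is clearly intended.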
@@ -0,0 +1,338 @@
+title: Mail
+description: Use this section to define settings for access to Email servers.
+payload:
+ payloadtype: com.apple.mail.managed
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+ content: An email payload creates an email account on the device.
+payloadkeys:
+- key: EmailAccountDescription
+ title: Account Description
+ type:
+ presence: optional
+ content: A user-visible description of the email account, shown in the Mail and
+ Settings applications.
+- key: EmailAccountName
+ title: Account Name
+ type:
+ presence: optional
+ content: The full user name for the account. This name is shown in sent messages.
+- key: EmailAccountType
+ title: Account Type
+ type:
+ presence: required
+ rangelist:
+ - EmailTypeIMAP
+ - EmailTypePOP
+ content: Defines the protocol to be used for the account.
+- key: EmailAddress
+ title: Email Address
+ type:
+ presence: optional
+ content: The full email address for the account. If this string isn't present in
+ the payload, the device prompts for this string during interactive profile installation
+ in Settings or System Preferences.
+- key: IncomingMailServerAuthentication
+ title: Incoming Mail Server Authentification
+ type:
+ presence: required
+ rangelist:
+ - EmailAuthNone
+ - EmailAuthPassword
+ - EmailAuthCRAMMD5
+ - EmailAuthNTLM
+ - EmailAuthHTTPMD5
+ content: The authentication scheme for incoming mail.
+- key: IncomingMailServerHostName
+ title: Mail Server
+ type:
+ presence: required
+ content: The incoming mail server host name.
+- key: IncomingMailServerPortNumber
+ title: Port
+ type:
+ presence: optional
+ content: The incoming mail server port number. If no port number is specified, the
+ default port for a given protocol is used.
+- key: IncomingMailServerUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables SSL for authentication on the incoming mail server.
+- key: IncomingMailServerUsername
+ title: Username
+ type:
+ presence: optional
+ content: The user name for the email account, usually the same as the email address
+ up to the @ character. If the user name isn't present in the payload and the account
+ is set up to require authentication for incoming email, the device prompts for
+ this string during interactive profile installation in Settings or System Preferences.
+- key: IncomingPassword
+ title: Password
+ type:
+ presence: optional
+ content: The password for the incoming mail server. This password is used only with
+ encrypted profiles.
+- key: OutgoingPassword
+ title: Password
+ type:
+ presence: optional
+ content: The password for the outgoing mail server. This password is used only with
+ encrypted profiles.
+- key: OutgoingPasswordSameAsIncomingPassword
+ title: Outgoing Password Same As Incoming
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', the user is prompted only once for the password, which is used for both outgoing and incoming mail.
+ This setting is only supported by interactive profile installations. Not supported by non-interactive installations (like MDM on iOS).
+- key: OutgoingMailServerAuthentication
+ title: Authentication Type
+ type:
+ presence: required
+ rangelist:
+ - EmailAuthNone
+ - EmailAuthPassword
+ - EmailAuthCRAMMD5
+ - EmailAuthNTLM
+ - EmailAuthHTTPMD5
+ content: The authentication scheme for outgoing mail.
+- key: OutgoingMailServerHostName
+ title: Mail Server
+ type:
+ presence: required
+ content: The outgoing mail server host name.
+- key: OutgoingMailServerPortNumber
+ title: Port
+ type:
+ presence: optional
+ content: The outgoing mail server port number. If no port number is specified, ports
+ 25, 587, and 465 are used, in that order.
+- key: OutgoingMailServerUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables SSL authentication on the outgoing mail server.
+- key: OutgoingMailServerUsername
+ title: Username
+ type:
+ presence: optional
+ content: The user name for the email account, usually the same as the email address
+ up to the @ character. If the user name isn't present in the payload and the account
+ is set up to require authentication for outgoing email, the device prompts for
+ this string during interactive profile installation in Settings or System Preferences.
+- key: PreventMove
+ title: Prevent Move
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents messages from being moved out of this email account
+ and into another account. It also prevents forwarding or replying from an account
+ other than one the message was sent to.
+- key: PreventAppSheet
+ title: Prevent App Sheet
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents this account from sending mail in any app other than
+ the Apple Mail app.
+- key: SMIMEEnabled
+ title: S/MIME Enabled
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME encryption. In iOS 10.0 and later, this key is
+ ignored.
+- key: SMIMESigningEnabled
+ title: S/MIME Signing Enabled
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME signing for this account.
+- key: SMIMESigningCertificateUUID
+ title: S/MIME Signing Certificate
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The payload UUID of the identity certificate used to sign messages sent
+ from this account.
+- key: SMIMEEncryptionEnabled
+ title: S/MIME Encryption Enabled
+ supportedOS:
+ iOS:
+ introduced: '10.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME encryption for this account.
+- key: SMIMEEncryptionCertificateUUID
+ title: S/MIME Encryption Certificate
+ supportedOS:
+ iOS:
+ introduced: '5.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The UUID of the identity certificate used to decrypt messages sent to this
+ account. The public certificate is attached to outgoing mail to allow encrypted
+ mail to be sent to this user. When the user sends encrypted mail, the public certificate
+ is used to encrypt the copy of the mail in their Sent mailbox.
+- key: SMIMEEnablePerMessageSwitch
+ title: S/MIME Enable Per-Message Switch
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ deprecated: '10.0'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', displays the per-message encryption switch in the Mail Compose UI.
+
+ As of iOS 12.0, this key is deprecated. Use 'SMIMEEnableEncryptionPerMessageSwitch' instead.
+- key: disableMailRecentsSyncing
+ title: Disable Mail Recents Syncing
+ supportedOS:
+ iOS:
+ introduced: '6.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', excludes this account from Recent Addresses syncing.
+- key: allowMailDrop
+ title: Allow Mail Drop
+ supportedOS:
+ iOS:
+ introduced: '9.2'
+ macOS:
+ introduced: '10.12'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables this account to use Mail Drop.
+- key: IncomingMailServerIMAPPathPrefix
+ title: Path Prefix
+ type:
+ presence: optional
+ content: The path prefix for the IMAP mail server.
+- key: SMIMESigningUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can turn S/MIME signing on or off in Settings.
+- key: SMIMESigningCertificateUUIDUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can select the signing identity.
+- key: SMIMEEncryptByDefault
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables S/MIME encryption by default.
+- key: SMIMEEncryptByDefaultUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can turn encryption by default on/off, and encryption
+ is on.
+- key: SMIMEEncryptionCertificateUUIDUserOverrideable
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', the user can select the S/MIME encryption identity, and encryption
+ is on.
+- key: SMIMEEnableEncryptionPerMessageSwitch
+ supportedOS:
+ iOS:
+ introduced: '12.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', displays the per-message encryption switch in the Mail Compose
+ UI.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.mcxMenuExtras.yaml b/mdm/profiles/com.apple.mcxMenuExtras.yaml
new file mode 100644
index 0000000..70c3555
--- /dev/null
+++ b/mdm/profiles/com.apple.mcxMenuExtras.yaml
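Review bot: SMIMEEnablePerMessageSwitch declares `deprecated: '10.0'` while its own content says `As of iOS 12.0, this key is deprecated`, and its replacement SMIMEEnableEncryptionPerMessageSwitch is introduced at '12.0' in the same hunk, so the metadata value appears to be the wrong one and should read `deprecated: '12.0'` unless the text is what is stale. The `format:` pattern on SMIMESigningCertificateUUID and SMIMEEncryptionCertificateUUID admits any alphanumeric character in each group, whereas a UUID is hexadecimal; `^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$` would reject malformed identifiers that the current pattern lets through, and the VPNUUID key at the end of the hunk carries no pattern at all. If the same loose pattern is used in other profile files, they should be tightened together.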
@@ -0,0 +1,134 @@
+title: Managed Menu Extras
+payload:
+ payloadtype: com.apple.mcxMenuExtras
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: |-
+ Specified menu extras will be added or removed from the menu bar
+ after user login. Standard menu extra may be specified by file
+ name. Non-standard menu extras are specified by full path.
+payloadkeys:
+- key: delaySeconds
+ type:
+ presence: optional
+ default: 2.5
+ content: The number of seconds to delay after login before adding or removing menu
+ extras. If the delay is too short, the menu extras don't appear, or disappear
+ from the menu bar.
+- key: maxWaitSeconds
+ type:
+ presence: optional
+ default: 20.0
+ content: The maximum wait, in seconds, for all menu extras to be added or removed.
+- key: AirPort.menu
+ type:
+ presence: optional
+ content: If 'true', enables the AirPort menu extra.
+- key: Battery.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Battery menu extra.
+- key: Bluetooth.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Bluetooth menu extra.
+- key: CPU.menu
+ type:
+ presence: optional
+ content: If 'true', enables the CPU menu extra.
+- key: Clock.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Clock menu extra.
+- key: Displays.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Displays menu extra.
+- key: Eject.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Eject menu extra.
+- key: Fax.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Fax menu extra.
+- key: HomeSync.menu
+ type:
+ presence: optional
+ content: If 'true', enables the HomeSync menu extra.
+- key: iChat.menu
+ type:
+ presence: optional
+ content: If 'true', enables the iChat menu extra.
+- key: Ink.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Ink menu extra.
+- key: IrDA.menu
+ type:
+ presence: optional
+ content: If 'true', enables the IrDA menu extra.
+- key: PCCard.menu
+ type:
+ presence: optional
+ content: If 'true', enables the PCCard menu extra.
+- key: PPP.menu
+ type:
+ presence: optional
+ content: If 'true', enables the PPP menu extra.
+- key: PPPoE.menu
+ type:
+ presence: optional
+ content: If 'true', enables the PPPoE menu extra.
+- key: RemoteDesktop.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Remote Desktop menu extra.
+- key: Script Menu.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Script menu extra.
+- key: Spaces.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Spaces menu extra.
+- key: Sync.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Sync menu extra.
+- key: TextInput.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Text Input menu extra.
+- key: TimeMachine.menu
+ type:
+ presence: optional
+ content: If 'true', enables the TimeMachine menu extra.
+- key: UniversalAccess.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Universal Access menu extra.
+- key: User.menu
+ type:
+ presence: optional
+ content: If 'true', enables the User menu extra.
+- key: VPN.menu
+ type:
+ presence: optional
+ content: If 'true', enables the VPN menu extra.
+- key: Volume.menu
+ type:
+ presence: optional
+ content: If 'true', enables the Volume menu extra.
+- key: WWAN.menu
+ type:
+ presence: optional
+ content: If 'true', enables the WWAN menu extra.
diff --git a/mdm/profiles/com.apple.mcxloginscripts.yaml b/mdm/profiles/com.apple.mcxloginscripts.yaml
new file mode 100644
index 0000000..0e96028
--- /dev/null
+++ b/mdm/profiles/com.apple.mcxloginscripts.yaml
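Review bot: This profile has no top-level `description:` key, which every other profile in the surrounding hunks carries (even when set to `''`), and the com.apple.mcxprinting profile in a later hunk has the same omission, so consumers that render the description get a missing field rather than an empty one. Adding `description: ''` directly after the title keeps the schema uniform across the series.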
@@ -0,0 +1,49 @@
+title: 'Login Window: Scripts'
+description: ''
+payload:
+ payloadtype: com.apple.mcxloginscripts
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Login and logout managed script handling
+payloadkeys:
+- key: loginscripts
+ type:
+ presence: optional
+ content: An array of one or more dictionaries of scripts to run at user login time.
+ subkeytype: ScriptsItems
+ subkeys: &id001
+ - key: ScriptsItems
+ type:
+ subkeys:
+ - key: filename
+ type:
+ presence: required
+ content: The filename for display purposes.
+ - key: filedata
+ type:
+ presence: required
+ content: The UTF-8 encoded data object representing the executable script.
+- key: logoutscripts
+ type:
+ presence: optional
+ content: An array of one or more dictionaries of scripts to run at user logout time.
+ subkeytype: ScriptsItems
+ subkeys: *id001
+- key: skipLoginHook
+ type:
+ presence: optional
+ default: false
+ content: If 'true', doesn't execute the login scripts during login.
+- key: skipLogoutHook
+ type:
+ presence: optional
+ default: false
+ content: If 'true', doesn't execute the logout scripts during logout.
diff --git a/mdm/profiles/com.apple.mcxprinting.yaml b/mdm/profiles/com.apple.mcxprinting.yaml
new file mode 100644
index 0000000..a83690e
--- /dev/null
+++ b/mdm/profiles/com.apple.mcxprinting.yaml
@@ -0,0 +1,100 @@ +title: Printing +payload: + payloadtype: com.apple.mcxprinting + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: RequireAdminToAddPrinters + type: + presence: optional + default: true + content: If 'true', requires an administrator password to add printers. +- key: AllowLocalPrinters + type: + presence: optional + default: true + content: If 'true', allows printers that connect directly to a user's computer. +- key: RequireAdminToPrintLocally + type: + presence: optional + default: false + content: If 'true', requires an administrator password to print locally. +- key: ShowOnlyManagedPrinters + type: + presence: optional + default: false + content: If 'true', shows only managed printers. +- key: PrintFooter + type: + presence: optional + default: false + content: If 'true', prints the page footer (including the user name and date). +- key: PrintMACAddress + type: + presence: optional + default: false + content: If 'true', includes the MAC address. +- key: FooterFontSize + type: + presence: optional + content: The footer font size. +- key: FooterFontName + type: + presence: optional + content: The footer font name. +- key: DefaultPrinter + type: + presence: optional + content: The default printer for the user. + subkeys: + - key: DeviceURI + type: + presence: optional + content: The device URI. + - key: DisplayName + type: + presence: optional + content: The display name. +- key: UserPrinterList + type: + presence: optional + content: The printers available to a user. + subkeys: + - key: Printer + type: + presence: optional + content: A dictionary of printer details. + subkeys: + - key: DeviceURI + type: + presence: optional + content: The device URI. + - key: DisplayName + type: + presence: optional + content: The display name. 
+ - key: Location + type: + presence: optional + content: The printer's location. + - key: Model + type: + presence: optional + content: The printer's model. + - key: PrinterLocked + type: + presence: optional + default: false + content: If 'true', locks the printer. + - key: PPDURL + type: + presence: optional + content: The printer's PPDURL. diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml new file mode 100644 index 0000000..11a9eb4 --- /dev/null +++ b/mdm/profiles/com.apple.mdm.yaml 
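Review bot: `PPDURL` is documented only as 'The printer's PPDURL', which says nothing about what is fetched or from where, although a PPD is a driver file the system loads for the printer. I would change it to `The URL of the PPD (PostScript Printer Description) file to install for this printer.` and, if the accepted URL schemes are known, list them the way the proxy payload does for 'ProxyPACURL'. `PrintMACAddress` likewise says 'includes the MAC address' without saying where; presumably in the footer governed by `PrintFooter` — confirm, then write `If 'true', includes the device's MAC address in the printed page footer.`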
@@ -0,0 +1,246 @@ +title: MDM +description: Use this section to define settings for mobile device management. +payload: + payloadtype: com.apple.mdm + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + supervised: false + allowmanualinstall: true +payloadkeys: +- key: IdentityCertificateUUID + title: Identity Certificate UUID + type: + presence: required + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + content: The UUID of the certificate payload for the device's identity. It may also + point to a SCEP payload. +- key: Topic + title: Topic + type: + presence: required + content: The topic that MDM listens to for push notifications. The certificate that + the server uses to send push notifications must have the same topic in its subject. + The topic must begin with the 'com.apple.mgmt.' prefix. +- key: ServerURL + title: Server URL + type: + presence: required + format: ^https://.*$ + content: The URL that the device contacts to retrieve device management instructions. + The URL must begin with the 'https://' URL scheme, and may contain a port number + (':1234', for example). +- key: CheckInURL + title: Check In URL + type: + presence: optional + format: ^https://.*$ + content: The URL that the device should use to check in during installation. The + URL must begin with the 'https://' URL scheme and may contain a port number (':1234', + for example). If this URL isn't given, 'ServerURL' is used for both purposes. 
+- key: SignMessage + title: Sign Message + type: + presence: optional + default: false + content: If 'true', each message coming from the device carries the additional 'Mdm-Signature' + HTTP header. +- key: AccessRights + title: Access Rights + supportedOS: + iOS: + userenrollment: + mode: ignored + macOS: + userenrollment: + mode: ignored + type: + presence: optional + content: |- + Logical OR of the following bit flags: + '1': Allow inspection of installed configuration profiles. + '2': Allow installation and removal of configuration profiles. + '4': Allow device lock and passcode removal. + '8': Allow device erase. + '16': Allow query of device information (device capacity, serial number). + '32': Allow query of network information (phone/SIM numbers, MAC addresses). + '64': Allow inspection of installed provisioning profiles. + '128': Allow installation and removal of provisioning profiles. + '256': Allow inspection of installed applications. + '512': Allow restriction-related queries. + '1024': Allow security-related queries. + '2048': Allow manipulation of settings. + '4096': Allow app management. + The value can't be '0'. If '2' is specified, '1' must also be specified. If '128' is specified, '64' must also be specified. + If the 'ManagedAppleID' is included, then 'AccessRights' are ignored. +- key: UseDevelopmentAPNS + title: Use Development APNS + type: + presence: optional + default: false + content: |- + If 'true', the device uses the development APNS servers. Otherwise, the device uses the production servers. + Note that this property must be set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment. 
+- key: ManagedAppleID + title: Managed Apple ID + supportedOS: + iOS: + introduced: '13.1' + userenrollment: + mode: required + macOS: + introduced: '10.15' + userenrollment: + mode: required + tvOS: + introduced: n/a + type: + presence: optional + content: The Managed Apple ID of the user. Available in iOS 13.1 and later, and + macOS 10.15 and later. +- key: AssignedManagedAppleID + title: Assigned Managed Apple ID + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: |- + The Managed Apple ID pre-assigned to the authenticated user. This is only used with the BYOD enrollment flow. + Available in iOS 15 and later. +- key: EnrollmentMode + title: Enrollment Mode + supportedOS: + iOS: + introduced: '15.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + rangelist: + - BYOD + content: |- + The enrollment mode the server indicates must be used when enrolling. This must be present for BYOD enrollments. + Available in iOS 15 and later. +- key: ServerURLPinningCertificateUUIDs + supportedOS: + iOS: + introduced: '13.4' + macOS: + introduced: '10.13' + tvOS: + introduced: '13.4' + type: + presence: optional + content: An array of strings, each containing the UUID of a certificate to be used + when evaluating trust to the '.../connect/' URLs of MDM servers. + subkeys: + - key: ServerURLPinningCertificateUUIDsItem + type: + presence: required + content: A certificate payload UUID. +- key: CheckInURLPinningCertificateUUIDs + supportedOS: + iOS: + introduced: '13.4' + macOS: + introduced: '10.13' + tvOS: + introduced: '13.4' + type: + presence: optional + content: An array of strings, each containing the payload UUID of a certificate + to be used when evaluating trust to the '.../checkin/' URLs of MDM servers. + subkeys: + - key: CheckInURLPinningCertificateUUIDsItem + type: + presence: required + content: A certificate payload UUID. 
+- key: PinningRevocationCheckRequired + supportedOS: + iOS: + introduced: '13.4' + macOS: + introduced: '10.13' + tvOS: + introduced: '13.4' + type: + presence: optional + default: false + content: |- + If 'true', fails the connection attempt unless a verified positive response is obtained during certificate revocation checks. + If 'false', revocation checks are done on a best-attempt basis, where failure to reach the server isn't considered fatal. +- key: ServerCapabilities + type: + presence: optional + content: |- + A unique array of strings indicating server capabilities. If the server manages macOS devices or a Shared iPad, this field is mandatory and must contain the value 'com.apple.mdm.per-user-connections', which indicates that the server supports both device and user connections. + Starting with macOS 11, it is also recommended that macOS device enrollment profiles contain the value 'com.apple.mdm.bootstraptoken' to ensure the Bootstrap Token is created and escrowed with the MDM server at enrollment time. + subkeys: + - key: ServerCapabilitiesItems + type: + rangelist: + - com.apple.mdm.per-user-connections + - com.apple.mdm.bootstraptoken +- key: CheckOutWhenRemoved + type: + presence: optional + default: false + content: If 'true', the device attempts to send a CheckOut + message to the 'CheckInURL' when the profile is removed. +- key: RequiredAppIDForMDM + supportedOS: + iOS: + introduced: '15.1' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: |- + This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. 
Use this property with account-driven MDM enrollments that normally require user approval for app installs through MDM. + Only account-driven user enrollments support this property and other enrollment types ignore it. + Available in iOS 15.1 and later. +- key: PromptUserToAllowBootstrapTokenForAuthentication + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '11.0' + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If 'true', warns the user that they need to reboot into RecoveryOS and allow the MDM to use the Bootstrap Token for authentication for certain sensitive operations such as enabling kernel extensions or installing some types of software updates. If the MDM doesn't need to perform these operations, it can leave this key set to 'false', and the user won't be notified. + The SettingsCommand.Command.Settings.MDMOptions.MDMOptions command overrides this default value. + This setting only applies to devices that have 'BootstrapTokenRequiredForSoftwareUpdate' or 'BootstrapTokenRequiredForKernelExtensionApproval' set to 'true' in their SecurityInfoResponse.SecurityInfo. + DEP-enrolled devices are automatically allowed to use the Bootstrap Token for authentication. + Available in macOS 11 and later. diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml new file mode 100644 index 0000000..ea21ad9 --- /dev/null +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml 
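Review bot: `SignMessage` defaults to `false`, so unless the profile opts in, device messages carry no 'Mdm-Signature' header and the server has nothing to verify beyond the transport; the content should say what the signature covers and which key produces it, and recommend that servers require it. I'd extend it to `If 'true', each message coming from the device carries the additional 'Mdm-Signature' HTTP header, which servers should verify before acting on the message.` — presumably the signing key is the identity from 'IdentityCertificateUUID', but the hunk doesn't say, so confirm before documenting. The `IdentityCertificateUUID` format regex `[0-9A-Za-z]{8}-…` admits letters outside hex, so it is looser than a UUID; `[0-9A-Fa-f]` would match what the key is documented to hold unless the looser pattern is deliberately shared with other payload UUID fields. Every `type:` in this hunk has an empty value and parses as null; if a `<string>`-style tag was lost on rendering, restore it, otherwise the schema gives readers no type at all.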
@@ -0,0 +1,185 @@ +title: Passcode +description: Use this section to define passcode policy settings +payload: + payloadtype: com.apple.mobiledevice.passwordpolicy + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: forbidden + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: allowSimple + title: Allow Simple Value + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + default: true + content: If 'true', allows a simple passcode. A simple passcode contains repeated + characters, or increasing or decreasing characters (such as '123' or 'CBA'). Setting + this value to false has the same result as setting 'minComplexChars' to '1'. +- key: forcePIN + title: Require Passcode on Device + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + default: false + content: If 'true', forces the user to enter a PIN. +- key: maxFailedAttempts + title: Maximum Number of Failed Attempts + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 2 + max: 11 + default: 11 + content: The number of allowed failed attempts to enter the passcode at the device's + lock screen. After six failed attempts, a time delay is imposed before a passcode + can be entered again. The delay increases with each attempt. In macOS, set 'minutesUntilFailedLoginReset' + to define a delay before the next passcode can be entered. When this number is + exceeded in macOS, the device is locked; in iOS, the device is wiped. 
+- key: maxInactivity + title: Auto-Lock + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 0 + max: 15 + content: The maximum number of minutes for which the device can be idle, without + being unlocked by the user, before it gets locked by the system. When this limit + is reached, the device is locked and the passcode must be entered. The user can + edit this setting, but the value cannot exceed the 'maxInactivity' value. In macOS, + this inactivity value is translated to screen-saver settings. +- key: maxPINAgeInDays + title: Maximum Passcode Age + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 0 + max: 730 + content: The number of days for which the passcode can remain unchanged. After this + number of days, the user is forced to change the passcode before the device is + unlocked. +- key: minComplexChars + title: Minimum Number of Complex Characters + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 0 + max: 4 + default: 0 + content: |- + The minimum number of complex characters that a passcode must contain. A complex character is a character other than a number or a letter, such as & % $ #. + This property is ignored for User Enrollments. +- key: minLength + title: Minimum Passcode Length + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 0 + max: 16 + default: 0 + content: The minimum overall length of the passcode. This parameter is independent + of the also optional minComplexChars argument. +- key: requireAlphanumeric + title: Require Alphabetic Value + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + default: false + content: If 'true', requires alphabetic characters (abcd) instead of only numeric + characters. 
+- key: pinHistory + title: Passcode History + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + range: + min: 1 + max: 50 + content: This value defines N, where the new passcode must be unique within the + last N entries in the passcode history. +- key: maxGracePeriod + title: Grace Period for Device Lock + supportedOS: + iOS: + userenrollment: + mode: ignored + type: + presence: optional + default: 0 + content: The maximum grace period, in minutes, to unlock the phone without entering + a passcode. The default is 0, which is no grace period and requires a passcode + immediately. In macOS, this grace period value is translated to screen-saver settings. +- key: minutesUntilFailedLoginReset + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.10' + userenrollment: + mode: ignored + type: + presence: optional + content: The number of minutes before the login is reset after the maximum number + of unsuccessful login attempts is reached. This key requires setting 'maxFailedAttempts'. + Available in macOS 10.10 and later. +- key: changeAtNextAuth + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.13' + userenrollment: + mode: ignored + type: + presence: optional + default: false + content: If 'true', causes a password reset to occur the next time the user tries + to authenticate. If this key is set in a device profile, the setting takes effect + for all users, and admin authentications may fail until the admin user password + is also reset. Available in macOS 10.13 and later. diff --git a/mdm/profiles/com.apple.networkusagerules.yaml b/mdm/profiles/com.apple.networkusagerules.yaml new file mode 100644 index 0000000..36af07c --- /dev/null +++ b/mdm/profiles/com.apple.networkusagerules.yaml 
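Review bot: Several numeric keys accept `0` without saying what it means: `maxInactivity` (range min 0), `maxPINAgeInDays` (min 0) and `minLength` (min 0, default 0), while `maxGracePeriod` does spell out that `0` is 'no grace period'. For the first two a profile author can't tell whether `0` means 'lock immediately / expire daily' or 'no limit', and one reading tightens policy while the other disables it; each content should state it explicitly, e.g. `A value of '0' means …` once confirmed. The defaults are also permissive (`allowSimple: true`, `forcePIN: false`), so a payload that omits keys enforces nothing; if the remaining keys only take effect once a passcode is required, a sentence on `forcePIN` saying so would prevent half-configured policies.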
@@ -0,0 +1,82 @@ +title: Network Usage Rules +description: '' +payload: + payloadtype: com.apple.networkusagerules + supportedOS: + iOS: + introduced: '9.0' + supervised: false + allowmanualinstall: false + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: Network Usage Rules allow enterprises to specify how devices use networks, + such as cellular data networks. iOS 9-12 support only ApplicationRules. In iOS + 13, ApplicationRules, SIMRules, or both must be present. +payloadkeys: +- key: ApplicationRules + type: + presence: optional + content: An array of application rules, that apply to only managed apps. + subkeys: + - key: ApplicationRulesItem + type: + subkeys: + - key: AppIdentifierMatches + type: + presence: optional + content: |- + A list of managed app identifiers, as strings, that must follow the associated rules. If this key is missing, the rules apply to all managed apps on the device. + + Each string in the 'AppIdentifierMatches' array may either be an exact app identifier match (for example, 'com.mycompany.myapp') or it may specify a prefix match for the bundle ID by using the * wildcard character. If used, this character must appear after a period (.) and may only appear once, at the end of the string; for example, 'com.mycompany.*'. + subkeys: + - key: AppIdentifierMatchesItem + type: + presence: required + content: A managed app identifier. + - key: AllowRoamingCellularData + type: + presence: optional + default: true + content: If 'false', disables cellular data while roaming for all matching managed + apps. + - key: AllowCellularData + type: + presence: optional + default: true + content: If 'false', disables cellular data for all matching managed apps. +- key: SIMRules + supportedOS: + iOS: + introduced: '13.0' + type: + presence: optional + content: An array of SIM rules, that apply to all apps. 
+ subkeys: + - key: SIMRulesItem + type: + subkeys: + - key: ICCIDs + type: + presence: required + content: One or more ICCIDs of SIM cards for which the 'WiFiAssistPolicy' applies. + All ICCIDs in all installed Network Usage Rules payloads must be unique. An + example ICCID is '89310410106543789301'. + subkeys: + - key: ICCID + type: + presence: required + content: An ICCID. + - key: WiFiAssistPolicy + type: + presence: required + rangelist: + - 2 + - 3 + content: |- + The Wi-Fi Assist policy to apply to the SIM cards specified in the ICCIDs. See About Wi-Fi Assist to learn more. + * '2': Use the default system policy for the specified SIM card(s). + * '3': Make Wi-Fi Assist switch more aggressively from a poor Wi-Fi connection to cellular data for the specified SIM card(s). This setting may increase cellular data use and may impact battery life. diff --git a/mdm/profiles/com.apple.notificationsettings.yaml b/mdm/profiles/com.apple.notificationsettings.yaml new file mode 100644 index 0000000..8b1106b --- /dev/null +++ b/mdm/profiles/com.apple.notificationsettings.yaml 
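Review bot: The payload-level content says that on iOS 13 'ApplicationRules, SIMRules, or both must be present', but both keys are `presence: optional` and neither key's content repeats the constraint, so a validator driven by this schema accepts an empty payload. Since `presence` has no 'at least one of' form here, state the rule on each key, e.g. on `ApplicationRules`: `At least one of 'ApplicationRules' or 'SIMRules' must be present in iOS 13 and later.` The `WiFiAssistPolicy` rangelist lists only `2` and `3`; if `0` and `1` are deliberately reserved or rejected, a sentence saying so would stop readers from assuming the list is incomplete.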
@@ -0,0 +1,163 @@ +title: Notifications +description: Configures notifications settings for apps +payload: + payloadtype: com.apple.notificationsettings + supportedOS: + iOS: + introduced: '9.3' + supervised: true + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: true + userenrollment: + mode: forbidden + macOS: + introduced: '10.15' + devicechannel: true + userchannel: true + requiresdep: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: A notification settings payload specifies the restriction enforced notification + settings for apps using their bundle identifier. The profile specifies notification + settings by bundle identifier (even for apps that aren’t installed on the device + yet), and those settings will always be enforced. +payloadkeys: +- key: NotificationSettings + title: Notification Settings + type: + presence: required + content: An array of notification settings dictionaries. + subkeys: + - key: NotificationSettingsItem + title: Notification Setting + type: + subkeys: + - key: BundleIdentifier + title: App Bundle Identifier + type: + presence: required + content: |- + The bundle identifier of the app to which to apply these notification settings. + Available in iOS 9.3 and later and macOS 10.15 and later. + - key: NotificationsEnabled + title: Enable Notifications + type: + presence: optional + default: true + content: |- + If 'true', enables notifications for this app. + Available in iOS 9.3 and later and macOS 10.15 and later. + - key: ShowInNotificationCenter + title: Show in Notification Center + type: + presence: optional + default: true + content: |- + If 'true', enables notifications in the notification center for this app. + Available in iOS 9.3 and later and macOS 10.15 and later. + - key: ShowInLockScreen + title: Show in Lock Screen + type: + presence: optional + default: true + content: |- + If 'true', enables notifications on the lock screen for this app. 
+ Available in iOS 9.3 and later and macOS 10.15 and later. + - key: AlertType + title: Alert Type + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + default: 1 + content: |- + The type of alert for notifications for this app: + * '0': None + * '1': Temporary Banner + * '2': Persistent Banner + Available in iOS 9.3 and later and macOS 10.15 and later. + - key: BadgesEnabled + title: Badges Enabled + type: + presence: optional + default: true + content: |- + If 'true', enables badges for this app. + Available in iOS 9.3 and later and macOS 10.15 and later. + - key: SoundsEnabled + title: Sounds Enabled + type: + presence: optional + default: true + content: If 'true', enables sounds for this app. + - key: ShowInCarPlay + title: Show in CarPlay + supportedOS: + iOS: + introduced: '12.0' + macOS: + introduced: n/a + type: + presence: optional + default: true + content: |- + If 'true', enables notifications in CarPlay for this app. + Available in iOS 12 and later. + - key: CriticalAlertEnabled + title: Critical Alert Enabled + supportedOS: + iOS: + introduced: '12.0' + type: + presence: optional + default: false + content: |- + If 'true', enables critical alerts that can ignore Do Not Disturb and ringer settings for this app. + Available in iOS 12 and later and macOS 10.15 and later. + - key: GroupingType + title: Grouping Type + supportedOS: + iOS: + introduced: '12.0' + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + default: 0 + content: |- + The type of grouping for notifications for this app: + * '0': Automatic: Group notifications into app-specified groups. + * '1': By app: Group notifications into one group. + * '2': Off: Don't group notifications. + Available in iOS 12 and later. + - key: PreviewType + title: Preview Type + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + content: |- + The type previews for notifications. 
This key overrides the value at Settings>Notifications>Show Previews. + * '0' - Always: Previews will be shown when the device is locked and unlocked + * '1' - When Unlocked: Previews will only be shown when the device is unlocked + * '2' - Never: Previews will never be shown + + + Available in iOS 14 and later. diff --git a/mdm/profiles/com.apple.osxserver.account.yaml b/mdm/profiles/com.apple.osxserver.account.yaml new file mode 100644 index 0000000..b655656 --- /dev/null +++ b/mdm/profiles/com.apple.osxserver.account.yaml @@ -0,0 +1,60 @@ +title: macOS Server Account +description: Use this section to define a macOS Server account +payload: + payloadtype: com.apple.osxserver.account + supportedOS: + iOS: + introduced: '9.0' + deprecated: '12.0' + removed: '12.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden +payloadkeys: +- key: HostName + title: Account Hostname + type: + presence: required + content: The server's address. +- key: UserName + title: Account Username + type: + presence: required + content: The user's user name. +- key: Password + title: Account Password + type: + presence: optional + content: The user's password. +- key: AccountDescription + title: Account Description + type: + presence: optional + content: The description of the account. +- key: ConfiguredAccounts + title: Configured Accounts + type: + presence: required + content: Array of dictionaries containing configured account types and relevant + settings + subkeys: + - key: ConfiguredAccountsItem + title: Configured Account + type: + subkeys: + - key: Type + title: Account Type + type: + presence: required + rangelist: + - com.apple.osxserver.documents + content: com.apple.osxserver.documents (the Documents account type). + - key: Port + title: Port Number + type: + presence: optional + content: Designates the port number to use when contacting the server. If no + port number is specified, the default port is used. 
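Review bot: `ShowInLockScreen` and `PreviewType` together control what a locked device reveals, but neither content mentions the other; a reader setting `PreviewType: 0` ('Always') may not realise previews reach the lock screen only when `ShowInLockScreen` is `true`, and vice versa — confirm the interaction and cross-reference the two keys. `PreviewType` content also has the typo 'The type previews' (→ 'The type of previews') and two stray blank lines before the availability line, and `SoundsEnabled` is the only key missing the 'Available in iOS 9.3 and later and macOS 10.15 and later.' line its siblings carry.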
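Review bot: `Password` is `presence: optional` but the content doesn't say what happens when it is omitted, and a profile that includes it embeds the account password in the profile itself, which the content should call out so authors omit it or deliver the profile only via MDM. The payload is also marked both `deprecated: '12.0'` and `removed: '12.0'`; if it really went straight to removed in the same release, saying so in the description would stop anyone shipping it to iOS 12+ devices.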
diff --git a/mdm/profiles/com.apple.preference.security.yaml b/mdm/profiles/com.apple.preference.security.yaml new file mode 100644 index 0000000..3562fe1 --- /dev/null +++ b/mdm/profiles/com.apple.preference.security.yaml @@ -0,0 +1,29 @@ +title: Security Preferences +payload: + payloadtype: com.apple.preference.security + supportedOS: + macOS: + introduced: '10.10' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: dontAllowPasswordResetUI + type: + presence: optional + default: false + content: If 'true', disables user changes to the password. +- key: dontAllowLockMessageUI + type: + presence: optional + default: false + content: If 'true', disables user changes to the lock message. +- key: dontAllowFireWallUI + type: + presence: optional + default: false + content: If 'true', disables user changes to the firewall settings. diff --git a/mdm/profiles/com.apple.preferences.users.yaml b/mdm/profiles/com.apple.preferences.users.yaml new file mode 100644 index 0000000..8d8bbcf --- /dev/null +++ b/mdm/profiles/com.apple.preferences.users.yaml @@ -0,0 +1,19 @@ +title: User Preferences +payload: + payloadtype: com.apple.preference.users + supportedOS: + macOS: + introduced: '10.12' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: DisableUsingiCloudPassword + type: + presence: optional + default: false + content: If 'true', disables the iCloud password for local accounts. diff --git a/mdm/profiles/com.apple.profileRemovalPassword.yaml b/mdm/profiles/com.apple.profileRemovalPassword.yaml new file mode 100644 index 0000000..23d0c66 --- /dev/null +++ b/mdm/profiles/com.apple.profileRemovalPassword.yaml 
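Review bot: The three `dontAllow…UI` keys are documented as 'disables user changes to the firewall settings' etc., but the key names suggest they only lock the preference UI rather than enforce a state; the content should make that distinction so an admin doesn't read `dontAllowFireWallUI: true` as 'firewall enforced'. Suggest `If 'true', prevents the user from changing firewall settings in System Preferences; it does not itself enable or configure the firewall.` — the second clause is my reading of the key name, confirm before adding it.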
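Review bot: The file is named `com.apple.preferences.users.yaml` but `payloadtype` is `com.apple.preference.users` (singular); one of them is wrong, and since tooling keys on `payloadtype`, a typo there means the payload never matches a real profile. Check against the actual profile identifier and align the two. `DisableUsingiCloudPassword` says it 'disables the iCloud password for local accounts' — presumably it prevents local accounts from using the iCloud password to log in, which is a different thing from disabling the password; reword once confirmed.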
@@ -0,0 +1,32 @@ +title: Profile Removal Password +description: Use this section to define settings for profile removal +payload: + payloadtype: com.apple.profileRemovalPassword + supportedOS: + iOS: + introduced: '4.0' + supervised: true + allowmanualinstall: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + tvOS: + introduced: '9.0' + supervised: true + allowmanualinstall: true +payloadkeys: +- key: RemovalPassword + title: Removal Password + type: + presence: optional + content: The password for allowing the profile to be removed. diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml new file mode 100644 index 0000000..0abe10b --- /dev/null +++ b/mdm/profiles/com.apple.proxy.http.global.yaml 
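Review bot: `RemovalPassword` is `presence: optional`, yet it is the only key in the payload, so a payload without it does nothing; either mark it `presence: required` or document what an absent value means. The content should also warn that the password travels inside the profile, so the profile itself must be delivered over MDM or encrypted; suggest `The password that must be entered to remove the profile. It is carried in the profile itself, so distribute the profile only through MDM or as an encrypted profile.` — confirm the storage form before stating it.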
@@ -0,0 +1,90 @@ +title: Global HTTP Proxy +description: Global HTTP Proxy (Supervised devices only) +payload: + payloadtype: com.apple.proxy.http.global + supportedOS: + iOS: + introduced: '6.0' + supervised: true + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.9' + devicechannel: true + userchannel: false + supervised: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + tvOS: + introduced: '6.0' + supervised: true + allowmanualinstall: true + content: PEM-encoded cer +payloadkeys: +- key: ProxyType + title: Proxy Type + type: + presence: optional + rangelist: + - Manual + - Auto + default: Manual + content: The proxy type. For a manual proxy type, the profile contains the proxy + server address, including its port, and optionally a user name and password. For + an auto proxy type, you can enter a PAC URL. +- key: ProxyServer + title: Proxy Server + type: + subtype: hostname + presence: required + content: The proxy server's network address. +- key: ProxyServerPort + title: Proxy Server Port + type: + presence: required + content: The proxy server's port number. +- key: ProxyUsername + title: Proxy Username + type: + presence: optional + content: The user name used to authenticate to the proxy server. +- key: ProxyPassword + title: Proxy Password + type: + presence: optional + content: The password used to authenticate to the proxy server. +- key: ProxyPACURL + title: Proxy PAC URL + type: + presence: optional + content: The URL of the PAC file that defines the proxy configuration. Starting + in iOS 13 and macOS 10.15, only URLs that begin with 'http://' or 'https://' are + allowed. 
+- key: ProxyPACFallbackAllowed + title: Proxy PAC Fallback Allowed + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + default: false + content: If 'true', allows connecting directly to the destination if the proxy autoconfiguration + (PAC) file is unreachable. +- key: ProxyCaptiveLoginAllowed + title: Proxy Bypass Allowed + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + default: false + content: If 'true', allows the device to bypass the proxy server to display the + login page for captive networks. diff --git a/mdm/profiles/com.apple.screensaver.user.yaml b/mdm/profiles/com.apple.screensaver.user.yaml new file mode 100644 index 0000000..9c8e567 --- /dev/null +++ b/mdm/profiles/com.apple.screensaver.user.yaml @@ -0,0 +1,30 @@ +title: Screensaver User +description: '' +payload: + payloadtype: com.apple.screensaver.user + supportedOS: + macOS: + introduced: '10.11' + devicechannel: false + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Specifies *user* screensaver settings. (Settings for loginwindow screensaver + use a different payload) +payloadkeys: +- key: moduleName + type: + presence: required + content: The name of the screen saver module. +- key: modulePath + type: + presence: optional + content: A full path to the screen-saver module to use. +- key: idleTime + type: + presence: optional + content: The number of seconds of inactivity before the screen saver activates ('0' + = Never activate). diff --git a/mdm/profiles/com.apple.screensaver.yaml b/mdm/profiles/com.apple.screensaver.yaml new file mode 100644 index 0000000..db6efde --- /dev/null +++ b/mdm/profiles/com.apple.screensaver.yaml 
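Review bot: `ProxyServer` and `ProxyServerPort` are `presence: required`, but `ProxyType` says a manual proxy 'contains the proxy server address' while an auto proxy uses a PAC URL, so the schema demands server and port even for `ProxyType: Auto`; either relax them to optional with 'required when ProxyType is Manual' in the content, or state that they are needed regardless. The payload-level `content: PEM-encoded cer` is unrelated to an HTTP proxy and looks like a truncated leftover; replace it with a sentence describing the global proxy. `ProxyPassword` is a credential embedded in the profile; a note that it is stored in the profile and should therefore be delivered via MDM would help.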
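Review bot: `idleTime` documents `'0' = Never activate` without noting the consequence: where the screen saver is what triggers the lock, `0` disables lock-on-idle entirely, so the content should say so, e.g. `'0' = Never activate (the screen is then never locked on idle).` — confirm the lock relationship, since `askForPassword` lives in the device-channel 'com.apple.screensaver' payload rather than here. `modulePath` accepts any full path; if only system module locations are honoured, say so.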
@@ -0,0 +1,49 @@ +title: Screensaver +description: '' +payload: + payloadtype: com.apple.screensaver + supportedOS: + macOS: + introduced: '10.11' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Specifies grace period for screensaver locking +payloadkeys: +- key: askForPassword + supportedOS: + macOS: + introduced: '10.13' + type: + presence: optional + default: false + content: If 'true', the user is prompted for a password when the screen saver is + unlocked or stopped. When you use this prompt, you must also provide 'askForPasswordDelay'. + Available in macOS 10.13 and later. +- key: askForPasswordDelay + supportedOS: + macOS: + introduced: '10.13' + type: + presence: optional + content: The number of seconds to delay before the password will be required to + unlock or stop the screen saver (the grace period). A value of '2147483647' (for + example, '0x7FFFFFFF') disables this requirement. To use this option, you must + set 'askForPassword' to 'true'. Available in macOS 10.13 and later. +- key: loginWindowIdleTime + type: + presence: optional + content: The number of seconds of inactivity before the screen saver activates (0 + = Never activate). +- key: loginWindowModulePath + type: + presence: optional + content: The full path to the screen-saver module to use. +- key: moduleName + type: + presence: required + content: The name of the screen saver module. diff --git a/mdm/profiles/com.apple.secondactiveethernet.managed.yaml b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml new file mode 100644 index 0000000..b129fd2 --- /dev/null +++ b/mdm/profiles/com.apple.secondactiveethernet.managed.yaml 
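Review bot: askForPasswordDelay's content says 'A value of '2147483647' (for example, '0x7FFFFFFF')', but those are the same number in two bases, so 'for example' misleads; write `A value of '2147483647' (that is, '0x7FFFFFFF') disables this requirement.` Because that value switches the password requirement off entirely, it is worth saying so plainly, e.g. `With this value the screen saver can be stopped without a password.` The hunk is complete on this line.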
@@ -0,0 +1,21 @@ +title: '802.1X: Second Active Ethernet' +description: '' +payload: + payloadtype: com.apple.secondactiveethernet.managed + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: ANY + type: + presence: optional + content: Keys relevant to 802.1x configuration. User enrollment payloads do not + support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, + ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.secondethernet.managed.yaml b/mdm/profiles/com.apple.secondethernet.managed.yaml new file mode 100644 index 0000000..32ee7ea --- /dev/null +++ b/mdm/profiles/com.apple.secondethernet.managed.yaml @@ -0,0 +1,21 @@ +title: '802.1X: Second Ethernet' +description: '' +payload: + payloadtype: com.apple.secondethernet.managed + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed +payloadkeys: +- key: ANY + type: + presence: optional + content: Keys relevant to 802.1x configuration. User enrollment payloads do not + support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort, + ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed. diff --git a/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml new file mode 100644 index 0000000..3e37fe4 --- /dev/null +++ b/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml 
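Review bot: The ANY key's content in both hunks on this line (com.apple.secondactiveethernet.managed and com.apple.secondethernet.managed) contains a doubled comma, `ProxyPassword,, ProxyPACURL`; it should read `ProxyPassword, ProxyPACURL`. Both hunks leave `description: ''` empty although the title is the only thing distinguishing the two payloads; a one-line description naming the interface each applies to would help readers. 'Keys relevant to 802.1x configuration' gives no pointer to where those keys are defined; if another payload in this repository documents them, the content should name it.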
@@ -0,0 +1,43 @@ +title: FDE Recovery Key Escrow +description: '' +payload: + payloadtype: com.apple.security.FDERecoveryKeyEscrow + supportedOS: + macOS: + introduced: '10.13' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: |- + If FileVault is enabled after this payload is installed on the system, the FileVault PRK will be encrypted with the specified certificate, wrapped with a CMS envelope and stored at: + /var/db/FileVaultPRK.dat + The encrypted data will be made available to the MDM server as part of the SecurityInfo command. Alternatively, if a site uses their own administration software, they can extract the PRK from the above location at any time. As the PRK will be encrypted using the certificate provided in the profile, only the author of the profile can extract the data. + Notes: + * The payload must exist in a "system" scoped profile. + * It will be an error to install more than one payload of this type per machine. + * The old payload ("com.apple.security.FDERecoveryRedirect") will no longer be supported. It will still be allowed to be installed, but will be ignored. (This is so servers can send out the same profile to old and new clients). + * If only an old-style redirection payload is installed at the time FileVault is turned on (via Security Pref pane), an error will be displayed and FileVault will not be allowed to be enabled. + * No warning/error will be provided if FileVault is already enabled and an old-style payload is installed. In this case, it's assumed the recovery key has already been escrowed with the server. +payloadkeys: +- key: Location + type: + presence: required + content: The description of the location where the recovery key will be escrowed. + This text will be inserted into the message the user sees when enabling FileVault. 
+- key: EncryptCertPayloadUUID + type: + presence: required + content: The UUID of a payload within the same profile that contains the certificate + that will be used to encrypt the recovery key. The referenced payload must be + of type 'com.apple.security.pkcs1'. +- key: DeviceKey + type: + presence: optional + content: |- + The string that's included in help text if the user appears to have forgotten the password. Site admins can use this key to look up the escrowed key for the particular computer. + + This key replaces the 'RecordNumber' key used in the previous escrow mechanism. If the key is missing, the device serial number is used instead. diff --git a/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml new file mode 100644 index 0000000..d16d160 --- /dev/null +++ b/mdm/profiles/com.apple.security.FDERecoveryRedirect.yaml 
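Review bot: The payload content says 'only the author of the profile can extract the data', but what actually gates decryption is possession of the private key for the certificate referenced by EncryptCertPayloadUUID, which need not be the profile author; suggest `only a holder of the private key for the certificate supplied in the profile can decrypt the data.` EncryptCertPayloadUUID's content requires a 'com.apple.security.pkcs1' payload, which this commit describes as a certificate without private key, so adding `Only the public key is used; no private key is included in the profile.` would make the trust boundary explicit. The hunk begins on the previous line.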
@@ -0,0 +1,34 @@ +title: FDE Recovery Key Redirection +description: '' +payload: + payloadtype: com.apple.security.FDERecoveryRedirect + supportedOS: + macOS: + introduced: '10.9' + deprecated: '10.13' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: |- + *** This payload will be ignored on macOS 10.13 and later. See "com.apple.security.FDERecoveryKeyEscrow" payload. *** + Old notes: + Once installed, this payload will cause any FDE (Full Disk Encryption) recovery keys to be redirected to the specified URL instead of being sent to Apple. This will require sites to implement their own HTTPS server that will receive the recovery keys via a POST request. Details of the data sent to the server will be provided in a different document. + Notes: + * The payload must exist in a "system" scoped profile. + * It will be an error to install more than one payload of this type per machine. +payloadkeys: +- key: RedirectURL + type: + presence: required + content: The URL to which FDE recovery keys should be sent instead of to Apple. + The URL must begin with https://. +- key: EncryptCertPayloadUUID + type: + presence: required + content: The UUID of a payload within the same profile that contains a certificate + used to encrypt the recovery key when it's sent to the redirected URL. The referenced + payload must be of type `com.apple.security.pkcs1`. diff --git a/mdm/profiles/com.apple.security.certificatepreference.yaml b/mdm/profiles/com.apple.security.certificatepreference.yaml new file mode 100644 index 0000000..8c7d5f7 --- /dev/null +++ b/mdm/profiles/com.apple.security.certificatepreference.yaml 
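Review bot: EncryptCertPayloadUUID's content quotes the payload type with backticks, whereas the same key in the FDERecoveryKeyEscrow hunk above and the rest of this commit use single quotes; change it to `'com.apple.security.pkcs1'`. The payload records its deprecation both in prose and in `deprecated: '10.13'`, which is the right pairing, but RedirectURL's content should also mention that the key is ignored on 10.13 and later so a reader landing on the key alone is not misled. The hunk is complete on this line.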
@@ -0,0 +1,29 @@ +title: Certificate Preference +description: '' +payload: + payloadtype: com.apple.security.certificatepreference + supportedOS: + macOS: + introduced: '10.12' + devicechannel: false + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: Defines a Certificate Preference item in the user's keychain that references + a certificate payload included in the same profile. Can only appear in a user + profile (not a device profile). See also "com.apple.security.identitypreference" + for setting up identity preferences. +payloadkeys: +- key: Name + type: + presence: required + content: An email address (in RFC 822 format) or other name for which a preferred + certificate is requested. +- key: PayloadCertificateUUID + type: + presence: required + content: The UUID of the certificate payload within the same profile to use for + the identity credential. diff --git a/mdm/profiles/com.apple.security.certificaterevocation.yaml b/mdm/profiles/com.apple.security.certificaterevocation.yaml new file mode 100644 index 0000000..3ae5129 --- /dev/null +++ b/mdm/profiles/com.apple.security.certificaterevocation.yaml 
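Review bot: PayloadCertificateUUID's content ends 'to use for the identity credential', which is copied from the Identity Preference payload; this payload selects a certificate, not an identity, so the line should read `content: The UUID of the certificate payload within the same profile to use as the preferred certificate for this name.` Name's content says 'An email address (in RFC 822 format) or other name', while the Identity Preference hunk in this commit lists 'DNS host name' explicitly; matching wording here would keep the two payloads parallel. The hunk is complete on this line.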
@@ -0,0 +1,41 @@ +title: Certificate Revocation +description: Use this section to define settings for certificate revocation. +payload: + payloadtype: com.apple.security.certificaterevocation + supportedOS: + iOS: + introduced: '14.2' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + content: Policies that affect system-wide certificate revocation checking. +payloadkeys: +- key: EnabledForCerts + title: Enabled Certs + type: + presence: optional + content: |- + An array of certificates that the system checks for revocation. + Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. + It is not necessary to specify trusted root certificates because they are implicitly specified. See for the available trusted root certificates for Apple operating systems. + subkeys: + - key: SubjectPublicKeyInfoHashDict + type: + subkeys: + - key: Algorithm + type: + presence: required + rangelist: + - sha256 + content: The algorithm must be 'sha256'. + - key: Hash + type: + presence: required + content: |- + The hash of the DER-encoding of the certificate's 'subjectPublicKeyInfo'. + The hash field requires the data ('subjectPublicKeyInfo' hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key. diff --git a/mdm/profiles/com.apple.security.certificatetransparency.yaml b/mdm/profiles/com.apple.security.certificatetransparency.yaml new file mode 100644 index 0000000..51d621a --- /dev/null +++ b/mdm/profiles/com.apple.security.certificatetransparency.yaml 
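Review bot: EnabledForCerts' content contains the dangling sentence 'See for the available trusted root certificates for Apple operating systems.' — the reference target is missing, so either restore it or drop the sentence. The Hash content first says the value is the hash of the DER-encoded 'subjectPublicKeyInfo' and then calls it a 'SHA-256 hash of the certificate's public key', which are the same thing only if 'public key' means the full SPKI structure; `a Base64-encoded SHA-256 hash of the DER-encoded 'subjectPublicKeyInfo'` would remove the ambiguity. The same Hash wording appears in the certificatetransparency hunk that follows. The hunk is complete on this line.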
@@ -0,0 +1,69 @@ +title: Certificate Transparency +description: Use this section to define settings for certificate transparency. +payload: + payloadtype: com.apple.security.certificatetransparency + supportedOS: + iOS: + introduced: 12.1.1 + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: 10.14.2 + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: 12.1.1 + supervised: false + allowmanualinstall: true + watchOS: + introduced: 5.1.1 + supervised: false + allowmanualinstall: true + content: Policies that affect system-wide certificate transparency enforcement. +payloadkeys: +- key: DisabledForCerts + title: Disabled Certs + type: + presence: optional + content: |- + An array of certificates for which certificate transparency is disabled. For Certificate Transparency enforcement to be disabled when this policy is set, one of the following conditions must be met: + * The hash is of the server certificate's 'subjectPublicKeyInfo'. + * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain; the CA certificate is constrained through the X.509v3 'nameConstraints' extension; one or more 'directoryName' 'nameConstraints' are present in the 'permittedSubtrees;' and the 'directoryName' contains an 'organizationName' attribute. + * The hash is of a 'subjectPublicKeyInfo' that appears in a CA certificate in the certificate chain; the CA certificate has one or more 'organizationName' attributes in the certificate 'Subject;' and the server's certificate contains the same number of 'organizationName' attributes, in the same order, and with byte-for-byte identical values. 
+ subkeys: + - key: SubjectPublicKeyInfoHashDict + type: + subkeys: + - key: Algorithm + type: + presence: required + rangelist: + - sha256 + content: The algorithm must be 'sha256'. + - key: Hash + type: + presence: required + content: |- + The hash of the DER-encoding of the certificate's 'subjectPublicKeyInfo'. + The hash field requires the data ('subjectPublicKeyInfo' hash) in a specific format: a Base64 encoded (binary) SHA-256 hash of the certificate's public key. +- key: DisabledForDomains + title: Disabled domains + type: + presence: optional + content: |- + An array of strings representing the domains to be excluded from certificate transparency enforcement. A leading period (.) is supported to signify subdomains. + Wildcard domains are not supported. If a leading period (.) is specified, the domain cannot be a top-level domain (for example, '.com' and '.co.uk' are disallowed). + subkeys: + - key: domain + type: diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml new file mode 100644 index 0000000..74d1cf1 --- /dev/null +++ b/mdm/profiles/com.apple.security.firewall.yaml 
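Review bot: The DisabledForDomains item subkey `domain` ends the hunk with a bare `type:` and no `presence` or `content`, while the other array-item subkeys in this commit (for example URLPrefixMatchesItem in the sso hunk) carry both; add `presence: required` and `content: A domain name; a leading period matches its subdomains.` so the item is documented like its siblings. The type value itself is not visible here and may have been lost in extraction, so confirm that line as well. The hunk begins on the previous line.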
@@ -0,0 +1,74 @@ +title: Firewall +description: '' +payload: + payloadtype: com.apple.security.firewall + supportedOS: + macOS: + introduced: '10.12' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: |- + Manages the Application Firewall settings (e.g. Security pref pane -> Firewall). + Notes: + * The payload must exist in a "system" scoped profile. + * If more than one profile contains this payload, the most restrictive union of settings will be used. + * Per Firewall team's request, the "Automatically allow signed downloaded software" and "Automatically allow built-in software" options are not supported but both will be forced ON when this payload is present. +payloadkeys: +- key: EnableFirewall + type: + presence: required + content: If 'true', enables the firewall. +- key: BlockAllIncoming + type: + presence: optional + content: If 'true', enables blocking of all incoming connections. +- key: EnableStealthMode + type: + presence: optional + content: If 'true', enables stealth mode. +- key: Applications + type: + presence: optional + content: The list of apps with connections controlled by the firewall. + subkeys: + - key: ApplicationsItem + title: Applications + type: + subkeys: + - key: BundleID + title: Application Identifier + type: + presence: required + content: The bundle identifier for an app. + - key: Allowed + title: Allow connections + type: + presence: required + content: If true, allows connections for the app. +- key: EnableLogging + supportedOS: + macOS: + introduced: '12.0' + type: + presence: optional + content: |- + If 'true', enables logging. + Available in macOS 12 and later. +- key: LoggingOption + supportedOS: + macOS: + introduced: '12.0' + type: + presence: optional + rangelist: + - throttled + - brief + - detail + content: |- + This string specifies the type of logging. + Available in macOS 12 and later. 
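Review bot: The Allowed subkey's content reads 'If true, allows connections for the app.' while every other boolean in this hunk quotes the literal; change to `content: If 'true', allows connections for the app.` BlockAllIncoming and EnableStealthMode carry no `default:` although other optional booleans in this commit document theirs; if the effective value when the key is absent is known, record it (`default: false`) so an operator can tell what an omitted key means. The payload content's 'Per Firewall team's request' reads as an internal note rather than documentation and could be reduced to the behaviour alone: the two automatic-allow options are forced on when this payload is present. The hunk is complete on this line.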
diff --git a/mdm/profiles/com.apple.security.identitypreference.yaml b/mdm/profiles/com.apple.security.identitypreference.yaml new file mode 100644 index 0000000..77b0d2e --- /dev/null +++ b/mdm/profiles/com.apple.security.identitypreference.yaml @@ -0,0 +1,29 @@ +title: Identity Preference +description: '' +payload: + payloadtype: com.apple.security.identitypreference + supportedOS: + macOS: + introduced: '10.12' + devicechannel: false + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: Defines an Identity Preference item in the user's keychain that references + a identity payload included in the same profile. Can only appear in a user profile + (not a device profile). See also "com.apple.security.certificatepreference" for + setting up certificate preferences. +payloadkeys: +- key: Name + type: + presence: required + content: The email address (in RFC 822 format), DNS host name, or other name that + uniquely identifies a service requiring this identity. +- key: PayloadCertificateUUID + type: + presence: required + content: The UUID of the certificate payload within the same profile to use for + the identity credential. diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml new file mode 100644 index 0000000..54fedba --- /dev/null +++ b/mdm/profiles/com.apple.security.pem.yaml 
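Review bot: The payload content says 'references a identity payload'; it should read `references an identity payload included in the same profile`. PayloadCertificateUUID's content then calls the referenced payload a 'certificate payload' although the sentence above says the preference references an identity payload; `The UUID of the identity payload within the same profile to use for the identity credential.` would make the two agree. The hunk is complete on this line.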
@@ -0,0 +1,43 @@ +title: Certificate (PEM) +description: Use this section to define settings for a pem certificate. +payload: + payloadtype: com.apple.security.pem + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.0' + allowmanualinstall: true + content: PEM-encoded certificate without private key. May contain root certificates. +payloadkeys: +- key: PayloadCertificateFileName + title: Payload Certificate Filename + type: + presence: optional + content: The file name of the enclosed certificate. +- key: PayloadContent + title: Payload Certificate Filename + type: + presence: required + content: The binary representation of the payload, encoded in Base64. diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml new file mode 100644 index 0000000..727c4ae --- /dev/null +++ b/mdm/profiles/com.apple.security.pkcs1.yaml 
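Review bot: The PayloadContent key's `title: Payload Certificate Filename` duplicates the title of the preceding PayloadCertificateFileName key; it should be `title: Payload Content`. The same copy-paste title appears in the pkcs1, pkcs12 and root hunks that follow. The root hunk also writes 'encoded in base64' where the other three write 'encoded in Base64'; aligning the capitalisation is a small consistency fix. The hunk is complete on this line.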
@@ -0,0 +1,43 @@ +title: 'Certificate (PKCS #1)' +description: Use this section to define settings for a pkcs1 certificate. +payload: + payloadtype: com.apple.security.pkcs1 + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.0' + allowmanualinstall: true + content: DER-encoded certificate without private key. May contain root certificates. +payloadkeys: +- key: PayloadCertificateFileName + title: Payload Certificate Filename + type: + presence: optional + content: The file name of the enclosed certificate. +- key: PayloadContent + title: Payload Certificate Filename + type: + presence: required + content: The binary representation of the payload, encoded in Base64. diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml new file mode 100644 index 0000000..6d4d27e --- /dev/null +++ b/mdm/profiles/com.apple.security.pkcs12.yaml 
@@ -0,0 +1,79 @@ +title: 'Certificate (PKCS #12)' +description: Use this section to define settings for a pkcs12 certificate. +payload: + payloadtype: com.apple.security.pkcs12 + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.0' + allowmanualinstall: true + content: Password-protected identity certificate. Only one certificate may be included. +payloadkeys: +- key: PayloadCertificateFileName + title: Payload Certificate Filename + type: + presence: optional + content: The file name of the enclosed certificate. +- key: PayloadContent + title: Payload Certificate Filename + type: + presence: required + content: The binary representation of the payload, encoded in Base64. +- key: Password + title: Password + type: + presence: optional + content: |- + This is the password to the identity. + Security Caution: Because the password string is stored in the clear (unencrypted) in the profile, you should encrypt the entire profile. +- key: AllowAllAppsAccess + title: Allow All Apps Access + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.10' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', allows apps access to the private key. +- key: KeyIsExtractable + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If false, does not tag the private key data as extractable in the keychain. 
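Review bot: KeyIsExtractable's content reads 'If false, does not tag the private key data as extractable' without the quoted literal the rest of this hunk uses; change to `content: If 'false', does not tag the private key data as extractable in the keychain.` Because `default: true` leaves the private key extractable unless an administrator sets the key explicitly, the content should say so, e.g. `By default the private key is extractable.` The Password key's Security Caution is a good model for that kind of note in this file. The hunk is complete on this line.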
diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml new file mode 100644 index 0000000..aed88f1 --- /dev/null +++ b/mdm/profiles/com.apple.security.root.yaml @@ -0,0 +1,43 @@ +title: Certificate (Root) +description: Use this section to define settings for a root certificate. +payload: + payloadtype: com.apple.security.root + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.0' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.0' + allowmanualinstall: true + content: Alias for com.apple.security.pkcs1. +payloadkeys: +- key: PayloadCertificateFileName + title: Payload Certificate Filename + type: + presence: optional + content: The file name of the enclosed certificate. +- key: PayloadContent + title: Payload Certificate Filename + type: + presence: required + content: The binary representation of the payload encoded in base64. diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml new file mode 100644 index 0000000..0bb1025 --- /dev/null +++ b/mdm/profiles/com.apple.security.scep.yaml 
@@ -0,0 +1,186 @@ +title: SCEP +description: Use this section to define settings for configuration access to SCEP + servers. +payload: + payloadtype: com.apple.security.scep + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '6.0' + supervised: false + allowmanualinstall: true +payloadkeys: +- key: PayloadContent + title: Payload Content + type: + presence: required + content: An array of payload dictionaries. This array isn't present if 'IsEncrypted' + is 'true'. + subkeys: + - key: URL + title: URL + supportedOS: + macOS: + introduced: '10.7' + type: + presence: required + content: The SCEP URL. See Over-the-Air Profile Delivery and Configuration for + more information about SCEP. + - key: Name + title: Name + type: + presence: optional + content: A string that's understood by the SCEP server; for example, a domain + name like example.org. If a certificate authority has multiple CA certificates, + this field can be used to distinguish which is required. + - key: Subject + title: Subject + type: + presence: optional + content: |- + The representation of an X.500 name as an array of OID and value. + For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' translates to '[ [ [“C”, “US”] ], [ [“O”, “Apple Inc.'] ], …, [ [ “1.2.5.3”, “bar” ] ] ]'. + + OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). 
+ subkeys: + - key: SCEPSubjectArrayInnerArray + title: Array Inside SCEP Subject Array + type: + subkeys: + - key: SCEPSubjectArrayPair + title: Subject Array Pair + type: + subkeys: + - key: SCEPSubjectArrayPairItem + title: SCEP Subject Array Pair Item + type: + repetition: + min: 2 + max: 2 + - key: Challenge + title: Challenge + type: + presence: optional + content: A preshared secret. + - key: Keysize + title: Key Size + type: + presence: optional + rangelist: + - 1024 + - 2048 + - 4096 + default: 1024 + content: The key size, in bits. + - key: Key Type + title: Key Type + type: + presence: optional + default: RSA + content: Always 'RSA'. + - key: Key Usage + title: Key Usage + supportedOS: + macOS: + introduced: '10.11' + type: + presence: optional + default: 0 + content: |- + A bitmask indicating the use of the key. + + * 1: Signing + * 4: Encryption + + Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. + - key: CAFingerprint + title: Fingerprint + type: + presence: optional + content: The fingerprint of the Certificate Authority certificate. + - key: Retries + title: Retries + supportedOS: + macOS: + introduced: '10.10' + type: + presence: optional + default: 3 + content: The number of times the device should retry if the server sends a PENDING + response. + - key: RetryDelay + title: Retry Delay + supportedOS: + macOS: + introduced: '10.10' + type: + presence: optional + default: 10 + content: The number of seconds to wait between subsequent retries. The first retry + is attempted without this delay. + - key: SubjectAltName + title: Subject Alt Name + type: + presence: optional + content: The SCEP payload can specify an optional 'SubjectAltName' dictionary + that provides values required by the CA for issuing a certificate. You can specify + a single string or an array of strings for each key. 
The values you specify + depend on the CA you're using, but might include DNS name, URL, or email values. + For an example, see Sample Configuration Profile or Over-the-Air Profile Delivery + and Configuration. + subkeys: + - key: rfc822Name + title: RFC 822 Name + type: + presence: optional + content: The RFC 822 (email address) string. + - key: dNSName + title: DNS Name + type: + presence: optional + content: The DNS name. + - key: uniformResourceIdentifier + title: URI + type: + presence: optional + content: The Uniform Resource Identifier. + - key: ntPrincipalName + title: NT Principal Name + type: + presence: optional + content: The NT principal name. + - key: KeyIsExtractable + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + default: true + content: If 'false', disables exporting the private key from the keychain. + - key: AllowAllAppsAccess + title: Allow All Apps Access + supportedOS: + macOS: + introduced: '10.10' + type: + presence: optional + default: false + content: If 'true', all apps have access to the private key. diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml new file mode 100644 index 0000000..3ed7bf6 --- /dev/null +++ b/mdm/profiles/com.apple.security.smartcard.yaml 
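Review bot: Challenge's content, 'A preshared secret.', does not say that the value is stored in the profile in the clear, which the pkcs12 Password key in this commit does; repeat that caution here: `Security Caution: The challenge is stored unencrypted in the profile; encrypt the entire profile.` Keysize defaults to '1024' and lists it as a valid value; the content should state that '2048' or larger is the recommended size so the default is not read as a recommendation. The Subject example mixes curly quotes with a straight apostrophe in `[“O”, “Apple Inc.']`, which should be `[“O”, “Apple Inc.”]`. CAFingerprint's content does not say which digest or encoding the fingerprint uses; add that if it is known. The hunk begins two lines earlier.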
@@ -0,0 +1,71 @@ +title: SmartCard +description: '' +payload: + payloadtype: com.apple.security.smartcard + supportedOS: + macOS: + introduced: 10.12.4 + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Restrictions and settings for SmartCard pairing on macOS +payloadkeys: +- key: UserPairing + type: + presence: optional + default: true + content: If 'false', users don't get the pairing dialog, although existing pairings + still work. +- key: allowSmartCard + type: + presence: optional + default: true + content: If 'false', disables the SmartCard for logins, authorizations, and screen + saver unlocking. It is still allowed for other functions, such as signing emails + and accessing the web. A restart is required for a setting change to take effect. +- key: checkCertificateTrust + type: + presence: optional + rangelist: + - 0 + - 1 + - 2 + - 3 + default: 0 + content: |- + Valid values are 0 to 3: + '0': Turns off certificate trust check. + '1': Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. + '2': Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. + '3': Turns on certificate trust check. A hard revocation check is also performed. Unless CRL/OCSP explicitly says 'This certificate is OK,' it's considered invalid. This option is the most secure. +- key: oneCardPerUser + type: + presence: optional + default: false + content: If 'true', a user can pair with only one SmartCard, although existing pairings + are allowed if already set up. 
+- key: tokenRemovalAction + supportedOS: + macOS: + introduced: 10.13.4 + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If '1', enables the screen saver when the SmartCard is removed. Available + in macOS 10.13.4 and later. +- key: enforceSmartCard + supportedOS: + macOS: + introduced: 10.13.2 + type: + presence: optional + default: false + content: If 'true', a user can only log in or authenticate with a SmartCard. Available + in macOS 10.13.2 and later. diff --git a/mdm/profiles/com.apple.security.wapi-identity.yaml b/mdm/profiles/com.apple.security.wapi-identity.yaml new file mode 100644 index 0000000..c186850 --- /dev/null +++ b/mdm/profiles/com.apple.security.wapi-identity.yaml @@ -0,0 +1,9 @@ +title: WAPI Identity Certificate +description: '' +payload: + payloadtype: com.apple.security.wapi-identity +payloadkeys: +- key: PEMData + type: + presence: required + content: Certificate data in PEM format. diff --git a/mdm/profiles/com.apple.shareddeviceconfiguration.yaml b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml new file mode 100644 index 0000000..1980e04 --- /dev/null +++ b/mdm/profiles/com.apple.shareddeviceconfiguration.yaml 
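Review bot: The com.apple.security.wapi-identity hunk on this line has no `supportedOS` block, unlike every other payload in this commit, so readers cannot tell which platforms or channels accept it; add the block, or say in `description` why it is omitted. Its only key, PEMData, is described as 'Certificate data in PEM format' although the payload title is 'WAPI Identity Certificate'; if the PEM is expected to include the private key, the content should say so and carry the same Security Caution as the pkcs12 Password key. The smartcard hunk that ends on this line begins on the previous line.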
@@ -0,0 +1,40 @@ +title: Lock Screen Message +description: Use this section to define text displayed by shared devices in the login + window and lock screen. +payload: + payloadtype: com.apple.shareddeviceconfiguration + supportedOS: + iOS: + introduced: '9.3' + supervised: true + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + content: Allows admins to specify optional text displayed on the login window and + lock screen (i.e. a footnote and Asset Tag Information). +payloadkeys: +- key: AssetTagInformation + title: Asset Tag + type: + presence: optional + content: The asset tag information for the device, displayed in the login window + and Lock screen. +- key: IfLostReturnToMessage + title: If Lost message + supportedOS: + iOS: + introduced: 9.3.1 + type: + presence: optional + content: Deprecated. Use 'LockScreenFootnote' instead. +- key: LockScreenFootnote + supportedOS: + iOS: + introduced: 9.3.1 + type: + presence: optional + content: The footnote displayed in the login window and Lock screen. diff --git a/mdm/profiles/com.apple.sso.yaml b/mdm/profiles/com.apple.sso.yaml new file mode 100644 index 0000000..198c10b --- /dev/null +++ b/mdm/profiles/com.apple.sso.yaml 
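Review bot: IfLostReturnToMessage is marked 'Deprecated' only in its content text, whereas the FDERecoveryRedirect hunk in this commit records deprecation structurally with a `deprecated:` version under supportedOS; add `deprecated: '<VERSION>'` (placeholder; the release is not given here) so tooling that reads supportedOS sees it too. The content 'Deprecated. Use 'LockScreenFootnote' instead.' should also name the release from which it is ignored. The hunk is complete on this line.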
@@ -0,0 +1,66 @@
+title: Single Sign-On
+description: ''
+payload:
+ payloadtype: com.apple.sso
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: forbidden
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: Name
+ type:
+ presence: required
+ content: The human-readable name for the account.
+- key: Kerberos
+ type:
+ presence: optional
+ content: The Kerberos dictionary.
+ subkeys:
+ - key: PrincipalName
+ type:
+ presence: optional
+ content: The principal name. If not provided, the user will be prompted for one
+ during profile installation. This field is required for MDM installation.
+ - key: PayloadCertificateUUID
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ type:
+ presence: optional
+ content: The 'PayloadUUID' of an identity certificate payload that can be used
+ to renew the Kerberos credential without user interaction. The certificate payload
+ must have either the 'com.apple.security.pkcs12' or 'com.apple.security.scep'
+ payload type. Both the Single Sign On payload and the identity certificate payload
+ must be included in the same configuration profile.
+ - key: Realm
+ type:
+ presence: required
+ content: The realm name. This value should be properly capitalized.
+ - key: URLPrefixMatches
+ type:
+ presence: optional
+ content: |-
+ The list of URL prefixes that must be matched in order to use this account for Kerberos authentication over HTTP. If this key is missing, the account will be eligible to match all 'http://' and 'https://' URLs.
+ The URL matching patterns must begin with either 'http://' or 'https://'. A simple string match is performed, so the URL prefix 'http://www.apple.com/' will not match 'http://www.apple.com:80/'. However, if a matching pattern does not end in '/', a '/' will be appended to it.
+ subkeys:
+ - key: URLPrefixMatchesItem
+ type:
+ presence: required
+ content: A URL prefix.
+ - key: AppIdentifierMatches
+ type:
+ presence: optional
+ content: |-
+ The list of app identifiers that are allowed to use this login. If this field missing, this login will match all app identifiers.
+ This array may not be empty.
+ This array must contain strings that match App Bundle IDs. These strings may be exact matches, e.g. 'com.mycompany.myapp' or may specify a prefix match on the Bundle ID by using the '*' wildcard character. The wildcard character must appear after a period character ('.'), and may only appear once, at the end of the string, e.g. 'com.mycompany.*'. When a wildcard is given, any app whose Bundle ID begins with the prefix will be granted access to the account.
+ subkeys:
+ - key: AppIdentifierMatchesItem
+ type:
+ presence: required
+ content: An app identifier.
diff --git a/mdm/profiles/com.apple.subscribedcalendar.account.yaml b/mdm/profiles/com.apple.subscribedcalendar.account.yaml
new file mode 100644
index 0000000..ff2cc7a
--- /dev/null
+++ b/mdm/profiles/com.apple.subscribedcalendar.account.yaml
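Review bot: Two constraints in this hunk exist only in prose and are not expressed by the schema: `PrincipalName` is `presence: optional` while its content states it is required for MDM installation, and `AppIdentifierMatches` says "This array may not be empty" with nothing declaring a minimum count. A validator driven from this file would therefore accept an MDM-delivered Kerberos block with no principal and an empty app list. If the schema format cannot express conditional or non-empty requirements, the content should say that validators must enforce them, and the `URLPrefixMatches` text, which already notes that omitting the key matches all 'http://' and 'https://' URLs, should name that as the widest possible credential scope so administrators understand why the list is worth populating. The "If this field missing" phrase in the `AppIdentifierMatches` content is also missing "is".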
@@ -0,0 +1,52 @@
+title: Subscribed Calendars
+description: Use this section to define settings for subscribed calendar account.
+payload:
+ payloadtype: com.apple.subscribedcalendar.account
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: SubCalAccountDescription
+ title: Description
+ type:
+ presence: optional
+ content: The description of the account.
+- key: SubCalAccountHostName
+ title: URL
+ type:
+ presence: required
+ content: The server's address.
+- key: SubCalAccountUsername
+ title: Username
+ type:
+ presence: optional
+ content: The user's user name.
+- key: SubCalAccountPassword
+ title: Password
+ type:
+ presence: optional
+ content: The user's password.
+- key: SubCalAccountUseSSL
+ title: Use SSL
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables SSL.
+- key: VPNUUID
+ title: VPNUUID
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ type:
+ presence: optional
+ content: |-
+ The VPNUUID of the per-app VPN the account uses for network communication.
+ Available in iOS 14 and later.
diff --git a/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml
new file mode 100644
index 0000000..cca6117
--- /dev/null
+++ b/mdm/profiles/com.apple.syspolicy.kernel-extension-policy.yaml
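Review bot: `SubCalAccountUseSSL` defaults to `false` and its content says only "If 'true', enables SSL."; since the same payload may carry `SubCalAccountUsername` and `SubCalAccountPassword`, the default presumably sends those credentials and the calendar data without transport encryption, and nothing in the file says so. The content should spell out the consequence of the default, e.g. `content: If 'true', the account connects over TLS. If 'false' (the default), credentials and calendar data are sent unencrypted.` — adjust the wording if the platform behaviour differs. The `SubCalAccountPassword` entry could likewise note that the value is stored in the profile in the clear, since that affects how the profile must be handled.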
@@ -0,0 +1,59 @@
+title: System Policy - Kernel Extensions
+description: ''
+payload:
+ payloadtype: com.apple.syspolicy.kernel-extension-policy
+ supportedOS:
+ macOS:
+ introduced: 10.13.2
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: false
+ userenrollment:
+ mode: forbidden
+ content: Provides a way of enabling a set of team identifiers or specific kernel
+ extensions for loading without user approval. Also provides a way to block users
+ from approving additional kernel extensions. Payload must be user-approved only.
+payloadkeys:
+- key: AllowNonAdminUserApprovals
+ supportedOS:
+ macOS:
+ introduced: '11.0'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', nonadministrative users can approve additional kernel extensions in the Security & Privacy preferences.
+ Available in macOS 11 and later.
+- key: AllowUserOverrides
+ type:
+ presence: optional
+ default: false
+ content: If 'true', users can approve additional kernel extensions that configuration
+ profiles don't explicitly allow.
+- key: AllowedTeamIdentifiers
+ type:
+ presence: optional
+ content: The array of team identifiers that define which validly signed kernel extensions
+ can load.
+ subkeys:
+ - key: AllowedTeamIdentifiersItem
+ title: Identifier
+ type:
+- key: AllowedKernelExtensions
+ type:
+ presence: optional
+ content: The dictionary that represents a set of kernel extensions that the system
+ always allows to load on the computer. The dictionary maps team identifiers (keys)
+ to arrays of bundle identifiers.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The kernal extension data.
+ subkeys:
+ - key: AllowedKernelExtensionsItems
+ type:
+ presence: required
+ content: Kernel extension data.
diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml
new file mode 100644
index 0000000..fe76aee
--- /dev/null
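Review bot: `AllowedTeamIdentifiersItem` has only `title` and `type`, with no `presence` or `content`, whereas every other array item in this series (e.g. `AllowedKernelExtensionsItems` later in the same hunk) carries both; the item under `AllowedTeamIdentifiers` in com.apple.system-extension-policy has the same gap. Suggest `presence: required` and `content: A team identifier.` so the entry is self-describing, since a team identifier here is an allow-list trust anchor and readers should not have to infer its meaning from the title. There is also a typo in the `ANY` subkey: `content: The kernal extension data.` should read `content: The kernel extension data.`, and "Kernel extension data." for `AllowedKernelExtensionsItems` would be clearer as "A kernel extension bundle identifier." given the parent content.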
+++ b/mdm/profiles/com.apple.system-extension-policy.yaml 
@@ -0,0 +1,96 @@
+title: System Extensions
+description: ''
+payload:
+ payloadtype: com.apple.system-extension-policy
+ supportedOS:
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: true
+ allowmanualinstall: false
+ userenrollment:
+ mode: forbidden
+ content: Provides a way of enabling a set of team identifiers or specific system
+ extensions for loading without user approval. Also provides a way to block users
+ from approving additional system extensions. Payload must be user-approved only.
+ Starting in macOS 11.3, installing or removing this payload can change the state
+ of system extensions on the machine. If a system extension has been activated
+ by its containing application but is still in a pending state, installing a payload
+ which specifies that extension is Allowed will complete the activation process.
+ If a system extension is active, removing a payload which specified that extension
+ was Allowed will deactivate the extension.
+payloadkeys:
+- key: AllowUserOverrides
+ type:
+ presence: optional
+ default: true
+ content: If 'false', restricts users from approving additional system extensions
+ that configuration profiles don't explicitly allow.
+- key: AllowedTeamIdentifiers
+ type:
+ presence: optional
+ content: |-
+ An array of team identifiers that defines valid, signed system extensions that are allowable to load. Approved system extensions are those signed with any of the specified team identifiers.
+ To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:.
+ It's an error for the same team identifier to appear in both this array and as a key in the 'AllowedSystemExtensions' dictionary.
+ subkeys:
+ - key: AllowedTeamIdentifiersItem
+ title: Identifier
+ type:
+- key: AllowedSystemExtensionTypes
+ type:
+ presence: optional
+ content: |-
+ A dictionary that maps a team identifier to an array of strings, where each string is a type of system extension that you can install for that team identifier. The allowed extension types are 'DriverExtension', 'NetworkExtension', and 'EndpointSecurityExtension'.
+ If there's no entry for a specified team identifier in the dictionary, the system allows all extension types.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The mapping of team identifier to an array of strings, where each string
+ is a type of system extension that may be installed for that team identifier.
+ subkeys:
+ - key: AllowedSystemExtensionTypesItems
+ type:
+ presence: required
+ content: Permitted System Extension Type
+- key: AllowedSystemExtensions
+ type:
+ presence: optional
+ content: |-
+ A dictionary of approved system extensions on the computer. The dictionary maps the team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension to install.
+ To avoid requiring an administrator to authorize the operation, you can activate system extensions that this key specifies using activationRequestForExtension:queue:.
+ It's an error for the same team identifier to appear in both the 'AllowedTeamIdentifiers' array and as a key in this dictionary.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The mapping of team identifiers to arrays of bundle identifiers, where
+ the bundle identifier is that of the system extension to be installed.
+ subkeys:
+ - key: AllowedSystemExtensionsItems
+ type:
+ presence: required
+ content: Allowed system extension bundle ID
+- key: RemovableSystemExtensions
+ supportedOS:
+ macOS:
+ introduced: '12.0'
+ type:
+ presence: optional
+ content: |-
+ A dictionary of system extensions that are allowed to remove themselves from the machine. The dictionary maps team identifiers (keys) to arrays of bundle identifiers, where the bundle identifier defines the system extension. An application using the 'OSSystemExtensionDeactivationRequest' API can deactivate the specified system extensions without requiring an administrator to authorize the operation.
+ Available in macOS 12 and later.
+ subkeys:
+ - key: ANY
+ type:
+ presence: optional
+ content: The dictionary maps team identifiers (keys) to arrays of bundle identifiers,
+ where the bundle identifier defines the system extension.
+ subkeys:
+ - key: RemovableSystemExtensionsItems
+ type:
+ presence: required
+ content: Removed system extension bundle ID
diff --git a/mdm/profiles/com.apple.system.logging.yaml b/mdm/profiles/com.apple.system.logging.yaml
new file mode 100644
index 0000000..fdcb13e
--- /dev/null
+++ b/mdm/profiles/com.apple.system.logging.yaml
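Review bot: `AllowedSystemExtensionTypesItems` is described only as "Permitted System Extension Type", while the parent content enumerates the complete set of allowed values ('DriverExtension', 'NetworkExtension', 'EndpointSecurityExtension'); other keys in this commit express such closed sets with `rangelist` (e.g. `OperationType` in com.apple.systempolicy.rule), so the item should carry `rangelist:` with those three values so that validators reject unknown types instead of silently passing them through. The `RemovableSystemExtensionsItems` content "Removed system extension bundle ID" also mismatches the key's meaning — suggest `content: Bundle ID of a system extension allowed to deactivate itself.`. This hunk starts on L422; the `AllowedTeamIdentifiersItem` with no `presence`/`content` at the top of L423 is the same gap raised for com.apple.syspolicy.kernel-extension-policy.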
@@ -0,0 +1,48 @@
+title: System Logging
+description: ''
+payload:
+ payloadtype: com.apple.system.logging
+ supportedOS:
+ macOS:
+ introduced: '10.12'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: Processes
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: Not to be used.
+ subkeytype: Item
+ subkeys: &id001
+ - key: ANY
+ type:
+ presence: optional
+ content: TBD
+- key: Subsystems
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: A dictionary enabling the logging level for subsystems. See 'Customizing
+ Logging Behavior While Debugging' for more details about the format of the dictionary.
+ subkeytype: Item
+ subkeys: *id001
+- key: System
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: This dictionary has one key, 'Enable-Private-Data'. Setting that value
+ to 'true' enables private data logging for the entire system.
+ subkeytype: Item
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.systemmigration.yaml b/mdm/profiles/com.apple.systemmigration.yaml
new file mode 100644
index 0000000..5ea24bc
--- /dev/null
+++ b/mdm/profiles/com.apple.systemmigration.yaml
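Review bot: The shared `&id001` subkey definition says `content: TBD` and `Processes` says "Not to be used.", so the shape of the per-subsystem and per-process dictionaries — the part an administrator actually has to write — is undocumented, and `introduced: n/a` on all three keys sits oddly next to the payload-level `introduced: '10.12'`; which of the two is intended should be clarified. The `System` key's content should also state the consequence of `Enable-Private-Data`: it presumably causes values the unified log otherwise redacts to be recorded in the clear, so log archives collected from such machines may contain sensitive data and need matching handling. Suggested addition to that content: `Enabling this records otherwise-redacted values in the log; restrict collection and retention of logs from affected machines accordingly.`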
@@ -0,0 +1,52 @@
+title: System Migration
+description: ''
+payload:
+ payloadtype: com.apple.systemmigration
+ supportedOS:
+ macOS:
+ introduced: 10.12.4
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Provides a way of customizing items migrated during System Migration.
+payloadkeys:
+- key: CustomBehavior
+ type:
+ presence: optional
+ content: The list of custom behavior dictionaries.
+ subkeys:
+ - key: CustomBehaviorItem
+ type:
+ subkeys:
+ - key: Context
+ type:
+ presence: required
+ content: The context that custom paths apply to.
+ - key: Paths
+ type:
+ presence: required
+ content: The list of custom behavior path dictionaries.
+ subkeys:
+ - key: PathsItem
+ type:
+ subkeys:
+ - key: SourcePath
+ type:
+ presence: required
+ content: The path to the migrating file or directory on the source system.
+ - key: SourcePathInUserHome
+ type:
+ presence: required
+ content: If 'true', the source path is located within a user home directory.
+ - key: TargetPath
+ type:
+ presence: required
+ content: The path to the destination file or directory on the target system.
+ - key: TargetPathInUserHome
+ type:
+ presence: required
+ content: If 'true', the target path is located within a user home directory.
diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml
new file mode 100644
index 0000000..e67dcda
--- /dev/null
+++ b/mdm/profiles/com.apple.systempolicy.control.yaml
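Review bot: `Context` is `presence: required` but its content ("The context that custom paths apply to.") gives no indication of which values are valid; if the set of contexts is fixed, a `rangelist:` as used for `OperationType` in com.apple.systempolicy.rule would make it checkable, and if it is free-form the content should say so and describe the form. `CustomBehaviorItem` and `PathsItem` also carry a bare `type:` with no `presence`, which differs from the other item entries in this series. Because `SourcePath`/`TargetPath` are written as plain paths with a separate `...InUserHome` flag, the content should state whether the path is relative to the home directory when that flag is 'true', since a reader cannot tell from the current wording.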
@@ -0,0 +1,28 @@
+title: System Policy Control
+description: ''
+payload:
+ payloadtype: com.apple.systempolicy.control
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Provides a way of enabling System Policy assessment processing. This corresponds
+ to the Gatekeeper UI in the Security pref pane.
+payloadkeys:
+- key: EnableAssessment
+ type:
+ presence: optional
+ content: If 'true', enables Gatekeeper.
+- key: AllowIdentifiedDevelopers
+ type:
+ presence: optional
+ content: |-
+ If 'true', enables Gatekeeper's 'Mac App Store and identified developers' option.
+ If 'false', enables Gatekeeper's 'Mac App Store' option.
+ If the value of 'EnableAssessment' isn't set to 'true', this key has no effect.
diff --git a/mdm/profiles/com.apple.systempolicy.managed.yaml b/mdm/profiles/com.apple.systempolicy.managed.yaml
new file mode 100644
index 0000000..5b8f48c
--- /dev/null
+++ b/mdm/profiles/com.apple.systempolicy.managed.yaml
@@ -0,0 +1,22 @@
+title: System Policy Managed
+description: ''
+payload:
+ payloadtype: com.apple.systempolicy.managed
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: Provides a way of disabling the Finder's contextual menu that allows bypass
+ of System Policy restrictions.
+payloadkeys:
+- key: DisableOverride
+ type:
+ presence: optional
+ default: false
+ content: If 'true', disables the Finder's contextual menu item.
diff --git a/mdm/profiles/com.apple.systempolicy.rule.yaml b/mdm/profiles/com.apple.systempolicy.rule.yaml
new file mode 100644
index 0000000..ced246e
--- /dev/null
+++ b/mdm/profiles/com.apple.systempolicy.rule.yaml
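Review bot: `EnableAssessment` and `AllowIdentifiedDevelopers` are boolean-style keys ("If 'true', …") with no `default:`, while the com.apple.systempolicy.managed hunk on this same line declares `default: false` for `DisableOverride` and most other boolean keys in this commit do likewise. Because `AllowIdentifiedDevelopers` is documented as having no effect unless `EnableAssessment` is 'true', a reader needs to know what an absent `EnableAssessment` means for Gatekeeper — left unchanged, or disabled — and the content should state that rather than leave it implied, with a `default:` added if one exists. `EnableAssessment`'s content could also mirror its sibling: `content: If 'true', enables Gatekeeper. If 'false', disables Gatekeeper assessment.` if that is indeed the behaviour of 'false'.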
@@ -0,0 +1,50 @@
+title: System Policy Rule
+description: ''
+payload:
+ payloadtype: com.apple.systempolicy.rule
+ supportedOS:
+ macOS:
+ introduced: '10.8'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: This payload allows control over Gatekeeper's system policy rules. The
+ keys and functionality are tightly related to the spctl command line tool. For
+ more information, see the manual page for spctl.
+payloadkeys:
+- key: Requirement
+ type:
+ presence: optional
+ content: The policy requirement. This key must follow the syntax described in Code
+ Signing Requirement Language .
+- key: Comment
+ type:
+ presence: optional
+ content: This string appears in the System Policy UI. If it's missing, 'PayloadDisplayName'
+ or 'PayloadDescription' is entered into this field before the rule is added to
+ the System Policy database.
+- key: Priority
+ type:
+ presence: optional
+ content: The rule's priority.
+- key: Expiration
+ type:
+ presence: optional
+ content: The expiration date for rules being processed.
+- key: OperationType
+ type:
+ presence: optional
+ rangelist:
+ - operation:execute
+ - operation:install
+ - operation:lsopen
+ default: operation:execute
+ content: The type of operation.
+- key: LeafCertificate
+ type:
+ presence: optional
+ content: The single leaf certificate for the app that is in the allow list.
diff --git a/mdm/profiles/com.apple.systempreferences.yaml b/mdm/profiles/com.apple.systempreferences.yaml
new file mode 100644
index 0000000..7d68e15
--- /dev/null
+++ b/mdm/profiles/com.apple.systempreferences.yaml
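Review bot: `Expiration` and `LeafCertificate` give no format: the content says only "The expiration date for rules being processed." and "The single leaf certificate for the app that is in the allow list.", so a reader cannot tell whether the date is a plist date or a string, or whether the certificate is raw DER data or an encoded string; if the `type:` value alone does not convey this, the content should. `Priority` likewise does not say whether higher or lower numbers win, which matters for a rule that can allow execution. `Requirement` has a stray space before the period in "Code Signing Requirement Language ." (a dropped link, presumably); suggest `content: The policy requirement. This key must follow the syntax described in Code Signing Requirement Language.`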
@@ -0,0 +1,78 @@
+title: System Preferences
+payload:
+ payloadtype: com.apple.systempreferences
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+ content: |-
+ Hide and show individual System Preference panes.
+ The following preference pane items are no longer supported on macOS 10.14:
+ • com.apple.preferences.appstore
+ The following preference pane items are no longer supported on macOS 10.15:
+ • com.apple.preference.ink
+ • com.apple.preferences.icloud
+ • com.apple.preferences.parentalcontrols
+payloadkeys:
+- key: EnabledPreferencePanes
+ type:
+ presence: optional
+ content: The list of enabled System Preferences panes.
+ subkeys: &id001
+ - key: PreferencePanes
+ type:
+ presence: optional
+ rangelist:
+ - com.apple.ClassroomSettings
+ - com.apple.Localization
+ - com.apple.preference.datetime
+ - com.apple.preference.desktopscreeneffect
+ - com.apple.preference.digihub.discs
+ - com.apple.preference.displays
+ - com.apple.preference.dock
+ - com.apple.preference.energysaver
+ - com.apple.preference.expose
+ - com.apple.preference.general
+ - com.apple.preference.ink
+ - com.apple.preference.keyboard
+ - com.apple.preference.mouse
+ - com.apple.preference.network
+ - com.apple.preference.notifications
+ - com.apple.preference.printfax
+ - com.apple.preference.screentime
+ - com.apple.preference.security
+ - com.apple.preference.sidecar
+ - com.apple.preference.sound
+ - com.apple.preference.speech
+ - com.apple.preference.spotlight
+ - com.apple.preference.startupdisk
+ - com.apple.preference.trackpad
+ - com.apple.preference.universalaccess
+ - com.apple.preferences.AppleIDPrefPane
+ - com.apple.preferences.appstore
+ - com.apple.preferences.Bluetooth
+ - com.apple.preferences.configurationprofiles
+ - com.apple.preferences.extensions
+ - com.apple.preferences.FamilySharingPrefPane
+ - com.apple.preferences.icloud
+ - com.apple.preferences.internetaccounts
+ - com.apple.preferences.parentalcontrols
+ - com.apple.preferences.password
+ - com.apple.preferences.sharing
+ - com.apple.preferences.softwareupdate
+ - com.apple.preferences.users
+ - com.apple.preferences.wallet
+ - com.apple.prefpanel.fibrechannel
+ - com.apple.prefs.backup
+ - com.apple.Xsan
+- key: DisabledPreferencePanes
+ type:
+ presence: optional
+ content: The list of disabled System Preferences panes.
+ subkeys: *id001
diff --git a/mdm/profiles/com.apple.systemuiserver.yaml b/mdm/profiles/com.apple.systemuiserver.yaml
new file mode 100644
index 0000000..08443c1
--- /dev/null
+++ b/mdm/profiles/com.apple.systemuiserver.yaml
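Review bot: The `rangelist` under `PreferencePanes` still lists `com.apple.preferences.appstore`, `com.apple.preference.ink`, `com.apple.preferences.icloud` and `com.apple.preferences.parentalcontrols`, which the payload content says are no longer supported on macOS 10.14/10.15, yet nothing in the schema marks those values as deprecated, so a validator cannot warn that a profile relying on them will not hide anything on current systems. If the schema has no per-value deprecation field, the `PreferencePanes` content should at least repeat the unsupported list next to the values. The file also lacks the top-level `description:` that every other payload in this commit carries (even as `''`); com.apple.universalaccess has the same omission. This hunk starts on L429.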
@@ -0,0 +1,122 @@
+title: 'Media Management: Allowed Media'
+description: ''
+payload:
+ payloadtype: com.apple.systemuiserver
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ deprecated: '11.0'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: logout-eject
+ type:
+ presence: optional
+ content: The media type dictionary that defines volumes to eject when the user logs
+ out.
+ subkeytype: MediaItems
+ subkeys: &id002
+ - key: all-media
+ type:
+ presence: optional
+ content: Unused; set to an empty string.
+ - key: cd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: &id001
+ - key: ActionStringItem
+ type:
+ presence: optional
+ rangelist:
+ - authenticate
+ - read-only
+ - deny
+ - eject
+ content: |-
+ One of the following values:
+ * authenticate - User will be authenticated before media is mounted
+ * read-only - The media will be mounted read-only. Not valid for unmount-controls.
+ * deny - The media will not be mounted.
+ * eject - The media will not be mounted and it will be ejected if possible. Note that some volumes are not defined as ejectable, so using the deny key may be the best solution. Not valid for unmount-controls.
+ - key: dvd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: bd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: blankcd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: blankdvd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: blankbd
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: dvdram
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: disk-image
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: harddisk-internal
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: harddisk-external
+ type:
+ presence: optional
+ content: |-
+ A string or an array of media action strings. Internally installed SD cards and USB flash drives are included in the hard disk-external category.
+
+ This key is the default for media types that don't fall into other categories.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+ - key: networkdisk
+ type:
+ presence: optional
+ content: A media action string or an array of media action strings.
+ subkeytype: ActionStringItem
+ subkeys: *id001
+- key: mount-controls
+ type:
+ presence: optional
+ content: The media type dictionary that controls volume mounting.
+ subkeytype: MediaItems
+ subkeys: *id002
+- key: unmount-controls
+ type:
+ presence: optional
+ content: The media type dictionary that controls volume unmounting.
+ subkeytype: MediaItems
+ subkeys: *id002
diff --git a/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml
new file mode 100644
index 0000000..98d8839
--- /dev/null
+++ b/mdm/profiles/com.apple.thirdactiveethernet.managed.yaml
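Review bot: The `ActionStringItem` rangelist is shared via `&id001` into every media type and the whole `&id002` media dictionary is reused for `unmount-controls`, but the item content says `read-only` and `eject` are "Not valid for unmount-controls"; a validator driven from this schema would therefore accept those values under `unmount-controls`, and the `all-media` entry ("Unused; set to an empty string.") is reachable there through the same alias. If the schema cannot express a per-parent subset, the `unmount-controls` content should restate that only `authenticate` and `deny` apply there, e.g. `content: The media type dictionary that controls volume unmounting. Only 'authenticate' and 'deny' are valid action strings here.`. `ActionStringItem` is also `presence: optional` whereas the other array item entries in this series use `presence: required`. This hunk starts on L431.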
@@ -0,0 +1,21 @@
+title: '802.1X: Third Active Ethernet'
+description: ''
+payload:
+ payloadtype: com.apple.thirdactiveethernet.managed
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: ANY
+ type:
+ presence: optional
+ content: Keys relevant to 802.1x configuration. User enrollment payloads do not
+ support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort,
+ ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed.
diff --git a/mdm/profiles/com.apple.thirdethernet.managed.yaml b/mdm/profiles/com.apple.thirdethernet.managed.yaml
new file mode 100644
index 0000000..0ed8917
--- /dev/null
+++ b/mdm/profiles/com.apple.thirdethernet.managed.yaml
@@ -0,0 +1,21 @@
+title: '802.1X: Third Ethernet'
+description: ''
+payload:
+ payloadtype: com.apple.thirdethernet.managed
+ supportedOS:
+ macOS:
+ introduced: '10.7'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: ANY
+ type:
+ presence: optional
+ content: Keys relevant to 802.1x configuration. User enrollment payloads do not
+ support the various proxy keys including ProxyType, ProxyServer, ProxyServerPort,
+ ProxyUsername, ProxyPassword,, ProxyPACURL and ProxyPACFallbackAllowed.
diff --git a/mdm/profiles/com.apple.tvremote.yaml b/mdm/profiles/com.apple.tvremote.yaml
new file mode 100644
index 0000000..949a76c
--- /dev/null
+++ b/mdm/profiles/com.apple.tvremote.yaml
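Review bot: Both hunks on this line (com.apple.thirdactiveethernet.managed and com.apple.thirdethernet.managed) document the payload with a single `ANY` key, so the actual 802.1X keys are not enumerated here and a validator cannot check them; if another file in this series defines them, the content should name it so readers know where the authoritative key list lives. The content also has a doubled comma in "ProxyPassword,, ProxyPACURL" in both files; suggest `ProxyUsername, ProxyPassword, ProxyPACURL and ProxyPACFallbackAllowed.`. Since user-enrollment profiles silently lack proxy support per this text, it would help to say whether such keys are rejected or ignored when present.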
@@ -0,0 +1,60 @@
+title: TV Remote
+description: ''
+payload:
+ payloadtype: com.apple.tvremote
+ supportedOS:
+ iOS:
+ introduced: '11.3'
+ supervised: true
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: true
+ userenrollment:
+ mode: forbidden
+ tvOS:
+ introduced: '11.3'
+ supervised: true
+ allowmanualinstall: true
+payloadkeys:
+- key: AllowedRemotes
+ supportedOS:
+ iOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The array of valid devices that Apple TV can connect to.
+ subkeys:
+ - key: AllowedRemotesItem
+ type:
+ subkeys:
+ - key: RemoteDeviceID
+ type:
+ presence: required
+ content: The MAC address of a permitted iOS device that can control this Apple
+ TV. Use the format xx:xx:xx:xx:xx:xx. The field isn't case sensitive.
+- key: AllowedTVs
+ supportedOS:
+ tvOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The array of valid Apple TV identifiers that the remote can connect to.
+ subkeys:
+ - key: AllowedTVsItem
+ type:
+ subkeys:
+ - key: TVDeviceID
+ type:
+ presence: required
+ content: The MAC address of an Apple TV device that this iOS device is permitted
+ to control. Use the format xx:xx:xx:xx:xx:xx. The field isn't case sensitive.
+ - key: TVDeviceName
+ supportedOS:
+ iOS:
+ introduced: '15.0'
+ type:
+ presence: optional
+ content: The name of an Apple TV device that this iOS device is permitted to
+ control.
diff --git a/mdm/profiles/com.apple.universalaccess.yaml b/mdm/profiles/com.apple.universalaccess.yaml
new file mode 100644
index 0000000..11e9798
--- /dev/null
+++ b/mdm/profiles/com.apple.universalaccess.yaml
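Review bot: `TVDeviceName` says only "The name of an Apple TV device that this iOS device is permitted to control.", without the matching semantics that `TVDeviceID` spells out (format, case-insensitivity); the content should state whether the name must match exactly and whether the comparison is case sensitive, and what happens when both `TVDeviceID` and `TVDeviceName` are given for one item. `AllowedRemotesItem` and `AllowedTVsItem` also carry a bare `type:` with no `presence`, unlike the other item entries in this series. `introduced: n/a` under `iOS` for `AllowedRemotes` and under `tvOS` for `AllowedTVs` appears to mean "not applicable on this platform"; if so, a short note in each key's content would save readers from guessing.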
@@ -0,0 +1,132 @@
+title: Accessibility
+payload:
+ payloadtype: com.apple.universalaccess
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ devicechannel: true
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: closeViewFarPoint
+ type:
+ presence: optional
+ content: The minimum zoom level in the Zoom options.
+- key: closeViewHotkeysEnabled
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Use keyboard shortcuts' in the Zoom options.
+- key: closeViewNearPoint
+ type:
+ presence: optional
+ content: The maximum zoom level in the Zoom options.
+- key: closeViewScrollWheelToggle
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Use scroll gesture' in the Zoom options.
+- key: closeViewShowPreview
+ supportedOS:
+ macOS:
+ introduced: '10.9'
+ deprecated: '10.15'
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Show preview rectangle' in the Zoom options. Only available
+ in macOS 10.15 and earlier.
+- key: closeViewSmoothImages
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Smooth images' in the Zoom options.
+- key: contrast
+ type:
+ presence: optional
+ content: The contrast value in the Display options.
+- key: flashScreen
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Flash the screen' in the Audio options.
+- key: grayscale
+ supportedOS:
+ macOS:
+ deprecated: '11.0'
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', enables 'Use grayscale' in the Display options.
+ This option is deprecated in macOS 11.
+- key: mouseDriver
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Mouse Keys in the Mouse & Trackpad options.
+- key: mouseDriverCursorSize
+ type:
+ presence: optional
+ content: The size of the cursor.
+- key: mouseDriverIgnoreTrackpad
+ type:
+ presence: optional
+ default: false
+ content: If 'true', ignores the built-in trackpad.
+- key: mouseDriverInitialDelay
+ type:
+ presence: optional
+ content: The initial delay before moving the mouse with Mouse Keys.
+- key: mouseDriverMaxSpeed
+ type:
+ presence: optional
+ content: The maximum speed for the cursor when using Mouse Keys.
+- key: slowKey
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Slow Keys' in the Keyboard options.
+- key: slowKeyBeepOn
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'click key sounds' for Slow Keys.
+- key: slowKeyDelay
+ type:
+ presence: optional
+ content: The acceptance delay, in milliseconds, for Slow Keys.
+- key: stereoAsMono
+ type:
+ presence: optional
+ default: false
+ content: If 'true', plays stereo audio as mono.
+- key: stickyKey
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Sticky Keys in the Keyboard options.
+- key: stickyKeyBeepOnModifier
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables the beep when a modifier key is set for Sticky Keys.
+- key: stickyKeyShowWindow
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables 'Display pressed keys on screen' for Sticky Keys.
+- key: voiceOverOnOffKey
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Voice Over.
+- key: whiteOnBlack
+ type:
+ presence: optional
+ default: false
+ content: If 'true', enables Invert Colors in Display Accommodations.
diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml
new file mode 100644
index 0000000..c5c7f9c
--- /dev/null
+++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml
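Review bot: Several numeric keys give neither units nor a range: `mouseDriverInitialDelay` ("The initial delay before moving the mouse with Mouse Keys."), `mouseDriverMaxSpeed`, `mouseDriverCursorSize`, `closeViewFarPoint`/`closeViewNearPoint` and `contrast`, whereas `slowKeyDelay` does state "in milliseconds"; each should say what unit it is in and, where bounded, the valid range, so that a profile author is not left to guess. `grayscale` records `deprecated: '11.0'` without an `introduced:` version, unlike `closeViewShowPreview`, which carries both, and the `closeViewShowPreview` text "Only available in macOS 10.15 and earlier" sits ambiguously next to `deprecated: '10.15'` — clarify whether 10.15 still honours the key. This hunk starts on L435, and the file lacks the top-level `description:` that the other payloads carry.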
@@ -0,0 +1,167 @@ +title: App-Layer VPN +description: '' +payload: + payloadtype: com.apple.vpn.managed.applayer + supportedOS: + iOS: + introduced: '7.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.9' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: The fields in this payload are the same as the VPN payload, with the addition + of the fields shown below. +payloadkeys: +- key: VPNUUID + type: + presence: required + content: A globally unique identifier for this VPN configuration. +- key: SafariDomains + type: + presence: optional + content: An array with entries that must each specify a domain that triggers the + VPN connection in Safari. Each entry is in the format 'www.apple.com'. + subkeys: + - key: SafariDomainsItem + type: + presence: required + content: A domain. +- key: MailDomains + supportedOS: + iOS: + introduced: '13.0' + deprecated: '13.4' + macOS: + introduced: '10.15' + type: + presence: optional + content: |- + An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format 'www.apple.com'. + This property is deprecated in iOS 13.4 and later; use the 'VPNUUID' property of the Mail or ExchangeActiveSync payload instead. + subkeys: + - key: MailDomainsItem + type: + presence: required + content: A domain. +- key: CalendarDomains + supportedOS: + iOS: + introduced: '13.0' + deprecated: '13.4' + macOS: + introduced: '10.15' + type: + presence: optional + content: |- + An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format 'www.apple.com'. + This property is deprecated in iOS 13.4 and later; use the 'VPNUUID' property of the CalDAV payload instead. 
+ subkeys: + - key: CalendarDomainsItem + type: + presence: required + content: A domain. +- key: ContactsDomains + supportedOS: + iOS: + introduced: '13.0' + deprecated: '13.4' + macOS: + introduced: '10.15' + type: + presence: optional + content: |- + An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format 'www.apple.com'. + This property is deprecated in iOS 13.4 and later; use the 'VPNUUID' property of the CardDAV payload instead. + subkeys: + - key: ContactsDomainsItem + type: + presence: required + content: A domain. +- key: AssociatedDomains + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: |- + An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the 'apple-app-site-association' file, as described in Supporting Associated Domains. + Available in iOS 14 and later, and macOS 11 and later. + subkeys: + - key: AssociatedDomainsItem + type: + presence: required + content: A domain. +- key: ExcludedDomains + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + content: |- + An array with entries that each specify a domain that doesn't trigger this VPN for connections to the domain. + Available in iOS 14 and later, and macOS 11 and later. + subkeys: + - key: ExcludedDomainsItem + type: + presence: required + content: A domain. +- key: OnDemandMatchAppEnabled + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true', automatically connects the VPN when associated apps for this + per-app VPN service initiate network communication. Otherwise, the user must initiate + the connection manually before those apps can initiate network communication. + If this key isn't present, the value of the 'OnDemandEnabled' key determines the + status of per-app VPN On Demand. 
+- key: SMBDomains + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: n/a + type: + presence: optional + content: |- + An array of SMB domains that's accessible through this VPN connection. + Available in iOS 13 and later. + subkeys: + - key: SMBDomainsItem + type: + presence: required + content: An SMB domain. +- key: VPN + title: VPN + type: + presence: optional + content: A dictionary with additional VPN settings. + subkeys: + - key: ProviderType + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: app-proxy + content: The type of VPN service. If it is 'app-proxy', the service will tunnel + traffic at the application level. If it is 'packet-tunnel', the service will + tunnel traffic at the IP layer. diff --git a/mdm/profiles/com.apple.vpn.managed.appmapping.yaml b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml new file mode 100644 index 0000000..586699a --- /dev/null +++ b/mdm/profiles/com.apple.vpn.managed.appmapping.yaml 
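Review bot: The domain-trigger keys in this payload ('SafariDomains', 'AssociatedDomains', 'ExcludedDomains') don't document how a domain is matched (exact host vs. suffix match) or what happens when a domain appears in both an include list and 'ExcludedDomains', yet that is exactly what decides whether a connection leaves the device inside or outside the tunnel. Each entry's example ('www.apple.com') is a host name, so a reader can't tell whether 'apple.com' would also cover it. I'd extend the 'ExcludedDomains' content with `Connections to these domains are made outside this VPN, even when the domain also matches another trigger list.` only if that precedence is confirmed with the platform owner, and otherwise add a sentence stating the precedence that is actually implemented. The same precedence question applies to 'OnDemandMatchAppEnabled', whose content defers to 'OnDemandEnabled' without saying which wins when both are present.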
@@ -0,0 +1,94 @@ +title: App-to-App-Layer VPN Mapping +description: '' +payload: + payloadtype: com.apple.vpn.managed.appmapping + supportedOS: + macOS: + introduced: '10.9' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + content: This payload is only valid on macOS. +payloadkeys: +- key: AppLayerVPNMapping + type: + presence: required + content: The array of VPN mapping dictionaries. + subkeys: + - key: AppLayerVPNMappingItem + type: + subkeys: + - key: Identifier + type: + presence: required + content: The bundle identifier of the app using the per-app VPN. + - key: VPNUUID + type: + presence: required + content: The identifier of the per-app VPN payload, which defines the per-app + VPN that the app uses. See the 'VPNUUID' key of the AppLayerVPN payload. + - key: DesignatedRequirement + supportedOS: + macOS: + introduced: '10.10' + type: + presence: required + content: The code signature designated requirement of the app using the per-app + VPN. + - key: SigningIdentifier + supportedOS: + macOS: + introduced: '10.10' + type: + presence: required + content: The code signature signing identifier of the app using the per-app + VPN. + - key: Path + supportedOS: + macOS: + introduced: '10.15' + type: + presence: optional + content: The file-system path of the executable using the per-app VPN. + - key: MatchTools + supportedOS: + macOS: + introduced: 10.15.4 + type: + presence: optional + content: |- + An array of dictionaries. Each dictionary specifies a per-app VPN rule. Use this property to restrict this per-app VPN rule to only match the app's spawned helper tool network traffic. + For example, to match network traffic that the 'curl' command generates when run from the Terminal.app, create an app mapping payload for Terminal.app and set the payload's 'MatchTools' key to an array that contains a dictionary that matches the 'curl' command-line tool. 
+ If you don't specify the 'MatchTools' key, this per-app VPN rule matches all network traffic that the matching app and its spawned helper tools generate. + subkeys: + - key: MatchToolsItem + type: + subkeys: + - key: DesignatedRequirement + supportedOS: + macOS: + introduced: 10.15.4 + type: + presence: required + content: The code signature designated requirement of the command-line tool + using the per-app VPN. + - key: SigningIdentifier + supportedOS: + macOS: + introduced: 10.15.4 + type: + presence: required + content: The code signature signing identifier of the command-line tool + using the per-app VPN. + - key: Path + supportedOS: + macOS: + introduced: 10.15.4 + type: + presence: optional + content: The file-system path of the command-line tool using the per-app + VPN. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml new file mode 100644 index 0000000..e414b02 --- /dev/null +++ b/mdm/profiles/com.apple.vpn.managed.yaml 
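Review bot: The four `introduced: 10.15.4` values under 'MatchTools' and its 'DesignatedRequirement', 'SigningIdentifier' and 'Path' subkeys are the only unquoted version strings in this file; every other version is quoted ('10.9', '10.10', '10.15'). A three-component value happens to parse as a string, but two-component ones like 10.10 would not, so quoting consistently (`introduced: '10.15.4'`) keeps the schema tooling from depending on the number of dots. Separately, since 'DesignatedRequirement' and 'SigningIdentifier' are required while 'Path' is optional, the 'Path' content should say whether the path is an additional constraint on top of the code-signature match rather than an alternative way to identify the tool — a file-system path is trivially spoofable, so a reader should not be left to assume it alone selects the per-app VPN; I'd add `The path is not a substitute for the code-signature keys above.` once that is confirmed.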
@@ -0,0 +1,1311 @@ +title: VPN +description: Use this section to define settings for VPN access. +payload: + payloadtype: com.apple.vpn.managed + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: forbidden + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden +payloadkeys: +- key: VPNType + title: Type + type: + presence: required + rangelist: + - VPN + - L2TP + - PPTP + - IPSec + - IKEv2 + - AlwaysOn + content: |- + The type of the VPN, which defines which settings are appropriate for this VPN payload. + If the type is 'VPN', then 'VPNSubType' is required. +- key: VPNSubType + title: VPN Subtype + type: + presence: optional + content: "An identifier for a vendor-specified configuration dictionary if 'VPNType'\ + \ is 'VPN'.\nIf 'VPNType' is 'VPN', this field is required. If the configuration\ + \ is targeted at a VPN solution that uses a VPN plugin, then this field contains\ + \ the bundle identifier of the plugin. Here are some examples:\n* CiscoAnyConnect:\ + \ \L'com.cisco.anyconnect.applevpn.plugin'\n* JuniperSSL: 'net.juniper.sslvpn'\n\ + * F5SSL: 'com.f5.F5-Edge-Client.vpnplugin'\n* SonicWALLMobileConnect: \L'com.sonicwall.SonicWALL-SSLVPN.vpnplugin\ + \ '\n* ''ArubaVIA: \L'com.arubanetworks.aruba-via.vpnplugin'\nIf the configuration\ + \ is targeted at a VPN solution that uses a network extension provider, then this\ + \ field contains the bundle identifier of the app that contains the provider.\ + \ Contact the VPN solution vendor for the value of the identifier.\nIf 'VPNType'\ + \ is 'IKEv2', then the 'VPNSubType' field is optional and is reserved for future\ + \ use. If it is specified, it must contain the empty string." 
+- key: UserDefinedName + title: User Defined Name + type: + presence: required + content: The description of the VPN connection displayed on the device. +- key: VendorConfig + title: Vendor Configuration Dictionary + type: + presence: optional + content: The vendor-specific configuration dictionary. This dictionary is read only + if 'VPNSubType' is specified. + subkeys: + - key: Realm + title: Realm + type: + presence: optional + content: The Kerberos realm name. This value should be properly capitalized. + - key: Role + title: Role + type: + presence: optional + content: |- + The role to select when connecting to the server. + This key is valid only for Juniper SSL. + - key: Group + title: Group + type: + presence: optional + content: |- + The group to connect to on the head end. + This key is valid only for Cisco AnyConnect + - key: LoginGroupOrDomain + title: Login Group or Domain + type: + presence: optional + content: The login group or domain. +- key: VPN + title: VPN + type: + presence: optional + content: A dictionary used to specify a VPN when 'VPNType' is set to 'VPN', 'IPSec', + or 'IKEv2'. + subkeys: + - key: AuthenticationMethod + title: Authentication Method + type: + presence: optional + rangelist: + - Password + - Certificate + - Password+Certificate + default: Password + content: The authentication method to use. + - key: PayloadCertificateUUID + title: Certificate UUID + type: + presence: optional + content: The UUID of the certificate payload within the same profile to use for + account credentials. + - key: Password + title: Account Password + type: + presence: optional + content: The VPN user password. + - key: ProviderBundleIdentifier + title: Provider Bundle Identifier + type: + presence: optional + content: The bundle identifier for the VPN provider. 
+ - key: ProviderDesignatedRequirement + title: Provider Designated Requirement + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.15' + type: + presence: optional + content: If the VPN provider is implemented as a system extension, then this field + is required. + - key: DisconnectOnIdle + title: Enable Disconnect on Idle + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', disconnects after an on-demand connection idles. + - key: DisconnectOnIdleTimer + title: Disconnect on Idle time + type: + presence: optional + content: The length of time to wait before disconnecting an on-demand connection + - key: ProviderType + type: + presence: optional + rangelist: + - packet-tunnel + - app-proxy + default: packet-tunnel + content: The type of VPN service. If it is 'app-proxy', the service will tunnel + traffic at the application level. If it is 'packet-tunnel', the service will + tunnel traffic at the IP layer. + - key: IncludeAllNetworks + title: Include All Networks + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '10.15' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', routes all traffic through the VPN. + - key: EnforceRoutes + title: Enforce Routes + supportedOS: + iOS: + introduced: '14.2' + macOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If 'true', all the VPN's non-default routes take precedence over any locally defined routes. + If 'IncludeAllNetworks' is 'true', the value of 'EnforceRoutes' is ignored. + Available in iOS 14.2 and later, and macOS 11 and later. + - key: ExcludeLocalNetworks + title: Exclude Local Networks + supportedOS: + iOS: + introduced: '14.2' + macOS: + introduced: '10.15' + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true' and 'IncludeAllNetworks' is 'true', routes all local network + traffic outside the VPN. 
+ - key: OnDemandEnabled + title: Enable VPN On Demand + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', enables VPN On Demand. + - key: OnDemandUserOverrideDisabled + title: Prevent users from toggling VPN On Demand + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If 'true', the Connect On Demand toggle in Settings is disabled for this configuration. + Available in iOS 14 and later. + - key: OnDemandMatchDomainsAlways + title: On Demand Match Domains Always + type: + presence: optional + content: |- + A list of domain names. The associated domain names are treated as though they were associated with the 'OnDemandMatchDomainsOnRetry' key. + + This behavior can be overridden by 'OnDemandRules'. + subkeytype: MatchDomainAlwaysElement + subkeys: &id001 + - key: MatchDomainAlwaysElement + title: Match Domain Always Element + type: + - key: OnDemandMatchDomainsNever + title: On Demand Match Domains Never + type: + presence: optional + content: |- + A list of domain names. If the host name ends with one of these domain names, the VPN isn't started automatically. This is used to exclude a subdomain within an included domain. + + In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries. + subkeytype: MatchDomainNeverElement + subkeys: &id002 + - key: MatchDomainNeverElement + title: Match Domain Never Element + type: + - key: OnDemandMatchDomainsOnRetry + title: On Demand Match Domains On Retry + type: + presence: optional + content: |- + A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the VPN is started automatically. + + In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries. 
+ subkeytype: MatchDomainOnRetryElement + subkeys: &id003 + - key: MatchDomainOnRetryElement + title: Match Domain On Retry Element + type: + - key: OnDemandRules + title: On Demand Rules + type: + presence: optional + content: An array of dictionaries defining On Demand Rules. + subkeytype: OnDemandRulesElement + subkeys: &id004 + - key: OnDemandRulesElement + title: On Demand Rules Element + type: + subkeys: + - key: Action + title: On Demand Action + type: + presence: required + rangelist: + - Allow + - Connect + - Disconnect + - EvaluateConnection + - Ignore + content: |- + The action to take if this dictionary matches the current network. Possible values are: + * 'Allow': Deprecated. Allow VPN On Demand to connect if triggered. + * 'Connect': Unconditionally initiate a VPN connection on the next network attempt. + * 'Disconnect': Tear down the VPN connection and do not reconnect on demand as long as this dictionary matches. + * 'EvaluateConnection': Evaluate the ActionParameters array for each connection attempt. + * 'Ignore:' Leave any existing VPN connection up, but do not reconnect on demand as long as this dictionary matches. + - key: ActionParameters + title: Action Parameters + type: + presence: optional + content: |- + A dictionary that provides rules similar to the 'OnDemandRules' dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches. + The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which 'EvaluateConnection' is the 'Action' value. + subkeys: + - key: Domains + title: Domains + type: + presence: required + content: The domains for which this evaluation applies. 
+ subkeys: + - key: DomainsElement + title: Domains Element + type: + - key: DomainAction + title: Domain Action + type: + presence: required + rangelist: + - ConnectIfNeeded + - NeverConnect + content: |- + Defines the VPN behavior for the specified domains. Allowed values are: + * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout). + * 'NeverConnect': The specified domains should never trigger a VPN connection attempt. + - key: RequiredDNSServers + title: Required DNS Servers + type: + presence: optional + content: |- + An array of IP addresses of DNS servers to be used for resolving the specified domains. These servers need not be part of the device's current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers. + Note: This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + subkeys: + - key: RequiredDNSServersElement + title: Required DNS Servers Element + type: + - key: RequiredURLStringProbe + title: Required URL String Probe + type: + presence: optional + content: |- + An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response. + Note: This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'. + - key: DNSDomainMatch + title: DNS Domain Match + type: + presence: optional + content: |- + An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. + A wildcard '*' prefix is supported. 
For example, '*.example.com' matches against either 'mydomain.example.com' or 'yourdomain.example.com'. + subkeys: + - key: DNSDomainMatchElement + title: DNS Domain Match Element + type: + - key: DNSServerAddressMatch + title: DNS Server Address Match + type: + presence: optional + content: |- + An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. + Matching with a single wildcard is supported. For example, 17.* matches any DNS server in the 17.0.0.0/8 subnet. + subkeys: + - key: DNSServerAddressMatchElement + title: DNS Server Address Match Element + type: + - key: InterfaceTypeMatch + title: Interface Type Match + type: + presence: optional + rangelist: + - Ethernet + - WiFi + - Cellular + content: An interface type. If specified, this rule matches only if the primary + network interface hardware matches the specified type. + - key: SSIDMatch + title: SSID Match + type: + presence: optional + content: |- + An array of SSIDs to match against the current network. If the network is not a Wi-Fi network or if the SSID does not appear in this array, the match fails. + Omit this key and the corresponding array to match against any SSID. + subkeys: + - key: SSIDMatchElement + title: SSID Match Element + type: + - key: URLStringProbe + title: URL String Probe + type: + presence: optional + content: A URL to probe. If this URL is successfully fetched (returning a + 200 HTTP status code) without redirection, this rule matches. +- key: IPv4 + title: IPv4 Settings + type: + presence: optional + content: The dictionary containing IPv4 settings. + subkeys: + - key: OverridePrimary + title: Override Primary Connection + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', all network traffic is sent over VPN. +- key: PPP + title: PPP + type: + presence: optional + content: The dictionary used when 'VPNType' is set to 'L2TP' or 'PTPP'. 
+ subkeys: + - key: AuthName + title: Account Username + type: + presence: optional + content: The VPN account user name. This key is used for L2TP and PPTP networks. + - key: AuthPassword + title: Account Password + type: + presence: optional + content: If TokenCard is 'false', use this password for authentication. This key + is used for L2TP and PPTP networks. + - key: TokenCard + title: Use Token Card + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If 'true', uses a token card such as an RSA SecurID card for connecting. + + This key is used for L2TP networks. + - key: CommRemoteAddress + title: Remote Address + type: + presence: optional + content: |- + The IP address or host name of VPN server. + + This key is used for L2TP and PPTP networks. + - key: AuthEAPPlugins + title: EAP Plugins + type: + presence: optional + content: An array of authentication plugins. If RSA SecurID is being used, this + array should only have one value, 'EAP-RSA'. This key is used for L2TP and PPTP + networks. + subkeys: + - key: EAPPluginElement + title: EAP Plugin + type: + rangelist: + - EAP-RSA + - EAP-TLS + - EAP-KRB + repetition: + min: 1 + max: 1 + - key: AuthProtocol + title: Protocol + type: + presence: optional + content: An array of authentication protocols. If RSA SecurID is being used, this + array should have one value, 'EAP'. This key is used for L2TP and PPTP networks. + subkeys: + - key: AuthProtocolElement + title: Auth Protocol + type: + rangelist: + - EAP + repetition: + min: 1 + max: 1 + - key: CCPMPPE40Enabled + title: Enable CCPMPPE40 + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true' and 'CCPEnabled' is also 'true', enables CCPMPPE128 encryption. + - key: CCPMPPE128Enabled + title: Enable CCPMPPE128 + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true' and 'CCPEnabled' is also 'true', enables CCPMPPE40 encryption. 
+ - key: CCPEnabled + title: Enable CCP + type: + presence: optional + rangelist: + - 0 + - 1 + content: |- + If 'true', enables encryption on the connection. + + This key is used for PPTP networks. + - key: DisconnectOnIdle + title: Enable Disconnect on Idle + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', disconnects after an on demand connection idles. + - key: DisconnectOnIdleTimer + title: Disconnect on Idle time + type: + presence: optional + content: The length of time to wait before disconnecting an on demand connection +- key: IPSec + title: IPSec Settings + type: + presence: optional + content: The dictionary containing IPSec settings. + subkeys: + - key: RemoteAddress + title: Remote Address + type: + presence: optional + content: The IP address or host name of the VPN server. + - key: AuthenticationMethod + title: Authentication Method + type: + presence: optional + rangelist: + - SharedSecret + - Certificate + default: SharedSecret + content: The authentication method. Used for L2TP and Cisco IPSec. + - key: XAuthName + title: Username + type: + presence: optional + content: The user name for the VPN account for Cisco IPSec. + - key: XAuthPassword + title: Password + type: + presence: optional + content: The VPN account password used for Cisco IPSec. + - key: XAuthEnabled + title: XAUTH Enabled + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true', enables Xauth for Cisco IPSec VPNs. + - key: XAuthPasswordEncryption + title: XAUTH Password Encryption + type: + presence: optional + rangelist: + - Prompt + content: String value is either “Prompt” or not present. + - key: LocalIdentifier + title: Local Identifier + type: + presence: optional + content: |- + The name of the group. If Hybrid Authentication is used, the string must end with 'hybrid'. + + Present only if 'AuthenticationMethod' is 'SharedSecret' and using for Cisco IPSec. 
+ - key: LocalIdentifierType + title: Local Identifier Type + type: + presence: optional + rangelist: + - KeyID + default: KeyID + content: |- + Present only if 'AuthenticationMethod' is 'SharedSecret'. The value is 'KeyID'. + + This type is used for L2TP and Cisco IPSec VPNs. + - key: SharedSecret + title: Shared Secret + type: + presence: optional + content: |- + The shared secret for this VPN account. + + Only use this with L2TP and Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'SharedSecret'. + - key: PayloadCertificateUUID + title: Certificate UUID + type: + presence: optional + content: |- + The UUID of the certificate payload within the same profile to use for the account credentials. + + Only use this with Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'Certificate'. + - key: PromptForVPNPIN + title: Prompt for PIN + type: + presence: optional + default: false + content: If 'true', prompts for a PIN when connecting to Cisco IPSec VPNs. + - key: DisconnectOnIdle + title: Enable Disconnect on Idle + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', disconnect after an on-demand connection idles. + - key: DisconnectOnIdleTimer + title: Disconnect on Idle time + type: + presence: optional + content: The length of time to wait before disconnecting an on-demand connection. + - key: OnDemandEnabled + title: Enable VPN On Demand + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', bring the VPN connection up on demand. + - key: OnDemandMatchDomainsAlways + title: On Demand Match Domains Always + type: + presence: optional + content: Deprecated. A list of domain names. In iOS 7 and later, if this key is + present, the associated domain names are treated as though they were associated + with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden + by 'OnDemandRules'. 
+ subkeytype: MatchDomainAlwaysElement + subkeys: *id001 + - key: OnDemandMatchDomainsNever + title: On Demand Match Domains Never + type: + presence: optional + content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated + (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' + dictionaries. + subkeytype: MatchDomainNeverElement + subkeys: *id002 + - key: OnDemandMatchDomainsOnRetry + title: On Demand Match Domains On Retry + type: + presence: optional + content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated + (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' + dictionaries. + subkeytype: MatchDomainOnRetryElement + subkeys: *id003 + - key: OnDemandRules + title: On Demand Rules + type: + presence: optional + content: The on-demand rules dictionary. + subkeytype: OnDemandRulesElement + subkeys: *id004 +- key: IKEv2 + title: IKEv2 + type: + presence: optional + content: The dictionary used when 'VPNType' is set to 'IKEv2.' + subkeys: + - key: RemoteAddress + title: RemoteAddress + type: + presence: required + content: The IP address or host name of the VPN server. + - key: LocalIdentifier + title: LocalIdentifier + type: + presence: required + content: Identifier of the IKEv2 client. + - key: RemoteIdentifier + title: RemoteIdentifier + type: + presence: required + content: The remote identifier. + - key: AuthenticationMethod + title: AuthenticationMethod + type: + presence: required + rangelist: + - None + - SharedSecret + - Certificate + content: |- + The type of authentication method for the VPN. + + To enable EAP-only authentication, the authentication method should be set to 'None' and the 'ExtendedAuthEnabled' key should be set to 1. If this key is set to 'None' and the 'ExtendedAuthEnabled' key isn't set, the authentication configuration defaults to 'SharedSecret'. 
+ - key: CertificateType + title: Certificate Type + type: + presence: optional + rangelist: + - RSA + - ECDSA256 + - ECDSA384 + - ECDSA521 + - Ed25519 + default: RSA + content: This key specifies the type of 'PayloadCertificateUUID' used for IKEv2 + machine authentication. If this key is included, the 'ServerCertificateIssuerCommonName' + key is required. + - key: PayloadCertificateUUID + title: PayloadCertificateUUID + type: + presence: optional + content: The UUID of the certificate payload within the same profile to use as + the account credential. If the value of 'AuthenticationMethod' is 'Certificate', + this certificate is sent out for IKEv2 machine authentication. If extended authentication + (EAP) is used, it is sent out for EAP-TLS authentication. + - key: SharedSecret + title: SharedSecret + type: + presence: optional + content: If 'AuthenticationMethod' is 'SharedSecret', this value is used for IKE + authentication. + - key: ExtendedAuthEnabled + title: ExtendedAuthEnabled + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', enables EAP-only authentication. + - key: AuthName + title: AuthName + type: + presence: optional + content: The user name used for authentication. + - key: AuthPassword + title: AuthPassword + type: + presence: optional + content: The password used for authentication. + - key: DeadPeerDetectionRate + title: Dead Peer Detection Rate + type: + presence: optional + rangelist: + - None + - Low + - Medium + - High + default: Medium + content: |- + One of the following: + * 'None': No keepalive. + * 'Low': Send keepalive every 30 minutes. + * 'Medium': Send keepalive every 10 minutes. + * 'High': Send keepalive every 1 minute. + - key: ServerCertificateIssuerCommonName + title: ServerCertificateIssuerCommonName + type: + presence: optional + content: Common Name of the server certificate issuer. 
If set, this field causes + IKE to send a certificate request based on this certificate issuer to the server. + This key is required if the 'CertificateType' key is included and the 'ExtendedAuthEnabled' + key is set to 1. + - key: ServerCertificateCommonName + title: ServerCertificateCommonName + type: + presence: optional + content: The common name of the server certificate. This name is used to validate + the certificate sent by the IKE server. If not set, the remote identifier is + used to validate the certificate. + - key: TLSMinimumVersion + title: TLS Minimum Version + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: '10.13' + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + default: '1.0' + content: The minimum TLS version to be used with EAP-TLS authentication. + - key: TLSMaximumVersion + title: TLS Maximum Version + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: '10.13' + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + default: '1.2' + content: The maximum TLS version to be used with EAP-TLS authentication. + - key: UseConfigurationAttributeInternalIPSubnet + title: Use IPv4 / IPv6 Internal Subnet Attributes + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', negotiations should use IKEv2 Configuration Attribute INTERNAL_IP4_SUBNET + and INTERNAL_IP6_SUBNET. + - key: DisableMOBIKE + title: Disable Mobility and Multihoming + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', disables MOBIKE. + - key: DisableRedirect + title: Disable Redirect + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', disables IKEv2 redirect. If not set, the IKEv2 connection + is redirected if a redirect request is received from the server. 
+ - key: NATKeepAliveOffloadEnable + title: NAT Keep Alive Offload Enable + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: |- + If 'true', enables NAT Keepalive offload for Always On VPN IKEv2 connections. Keepalive packets are sent by the device to maintain NAT mappings for IKEv2 connections that have a NAT on the path. Keepalive packets are sent at regular interval when the device is awake. If 'NATKeepAliveOffloadEnable' is set to 'true', Keepalive packets will be offloaded to hardware while the device is asleep. + + NAT Keepalive offload has an impact on the battery life since extra workload is added during sleep. The default interval for the Keepalive offload packets is 20 seconds over WiFi and 110 seconds over Cellular interface. The default NAT Keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network is known to have larger NAT mapping timeouts, larger Keepalive intervals may be safely used to minimize battery impact. The Keepalive interval can be modified by setting the `NATKeepAliveInterval` key. + - key: NATKeepAliveInterval + title: NAT Keepalive Interval + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + default: 20 + content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This + value controls the interval over which Keepalive offload packets are sent by + the device. The minimum value is 20 seconds. If no key is specified, the default + is 20 seconds over Wi-Fi and 110 seconds over a cellular interface. + - key: EnablePFS + title: Enable perfect forward secrecy + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. 
+ - key: EnableCertificateRevocationCheck + title: Enable certificate revocation check + supportedOS: + iOS: + introduced: '9.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', performs a certificate revocation check for IKEv2 connections. + This is a best-effort revocation check; server response timeouts won't cause + it to fail. + - key: EnableFallback + title: Enable fallback + supportedOS: + iOS: + introduced: '13.0' + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If true, enables a tunnel over cellular data to carry traffic that is eligible for WiFi Assist and also requires VPN. + Enabling fallback requires that the server support multiple tunnels for a single user. + - key: MTU + title: Maximum Tranmission Unit + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '11.0' + type: + presence: optional + range: + min: 1280 + max: 1400 + default: 1280 + content: |- + The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that will be sent over the IKEv2 VPN interface. + Available in iOS 14 and later, and macOS 11 and later. + - key: IKESecurityAssociationParameters + title: IKESecurityAssociationParameters + type: + presence: optional + content: These parameters apply to Child Security Association unless 'ChildSecurityAssociationParameters' + is specified. + subkeytype: SecurityAssociationParameters + subkeys: &id005 + - key: EncryptionAlgorithm + title: EncryptionAlgorithm + type: + presence: optional + rangelist: + - DES + - 3DES + - AES-128 + - AES-256 + - AES-128-GCM + - AES-256-GCM + - ChaCha20Poly1305 + default: AES-256 + content: The encryption algorithm. + - key: IntegrityAlgorithm + title: IntegrityAlgorithm + type: + presence: optional + rangelist: + - SHA1-96 + - SHA1-160 + - SHA2-256 + - SHA2-384 + - SHA2-512 + default: SHA2-256 + content: The integrity algorithm. 
+ - key: DiffieHellmanGroup + title: DiffieHellmanGroup + type: + presence: optional + rangelist: + - 1 + - 2 + - 5 + - 14 + - 15 + - 16 + - 17 + - 18 + - 19 + - 20 + - 21 + - 31 + default: 14 + content: The Diffie-Hellman group. For AlwaysOn VPN, minimum allowed Diffie + Hellman Group is 14 in iOS 14.2 and later. + - key: LifeTimeInMinutes + title: LifeTimeInMinutes + type: + presence: optional + range: + min: 10 + max: 1440 + default: 1440 + content: The SA lifetime (rekey interval) in minutes. + - key: ChildSecurityAssociationParameters + title: ChildSecurityAssociationParameters + type: + presence: optional + content: The 'ChildSecurityAssociationParameters' dictionaries. + subkeytype: SecurityAssociationParameters + subkeys: *id005 +- key: DNS + title: DNS + type: + presence: optional + content: A dictionary used for all VPN types. + subkeys: + - key: ServerAddresses + title: DNS Server Addresses + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.12' + type: + presence: required + content: The array of DNS server IP address strings. These IP addresses can be + a mixture of IPv4 and IPv6 addresses. + subkeys: + - key: ServerAddressesElement + title: Server Address Element + type: + - key: SearchDomains + title: DNS Search Domains + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.12' + type: + presence: optional + content: The list of domain strings used to fully qualify single-label host names. + subkeys: + - key: SearchDomainsElement + title: Search Domains Element + type: + - key: DomainName + title: Domain Name + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.12' + type: + presence: optional + content: The primary domain of the tunnel. 
+ - key: SupplementalMatchDomains + title: Supplemental Match Domains + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.12' + type: + presence: optional + content: |- + The list of domain strings used to determine which DNS queries will use the DNS resolver settings contained in 'ServerAddresses'. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel's DNS resolver. Hosts not in one of the domains in this list are resolved using the system's default resolver. + + If 'SupplementalMatchDomains' contains the empty string it becomes the default domain. + + Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in 'ServerAddresses' become the default resolver and the 'SupplementalMatchDomains' list is ignored. + subkeys: &id006 + - key: SupplementalMatchDomainsElement + title: Supplemental Match Domains Element + type: + - key: SupplementalMatchDomainsNoSearch + title: Supplemental Match Domains No Search + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.12' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'false', append the domains in the 'SupplementalMatchDomains' list + to the resolver's list of search domains. +- key: Proxies + title: Proxies + type: + presence: optional + content: The dictionary used to configure 'Proxies' for use with 'VPN'. + subkeys: + - key: ProxyAutoConfigEnable + title: Proxy AutoConfig Enable + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 'true', enables automatic proxy configuration. + - key: ProxyAutoDiscoveryEnable + title: Proxy Auto Discovery Enable + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 'true', enables proxy auto discovery. 
+ - key: ProxyAutoConfigURLString + title: Proxy Server URL + type: + presence: optional + content: The URL to the location of the proxy auto-configuration file. Used only + when 'ProxyAutoConfigEnable' is 'true'. + - key: SupplementalMatchDomains + title: Supplemental Match Domains + type: + presence: optional + content: An array of domains that defines which hosts use proxy settings for hosts. + subkeys: *id006 + - key: HTTPEnable + title: Enable HTTP + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', enables proxy for HTTP traffic. + - key: HTTPProxy + title: HTTP Proxy + type: + presence: optional + content: The port number of the HTTP proxy. This field is required if 'HTTPProxy' + is specified. + - key: HTTPPort + title: HTTP Port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The host name of the HTTP proxy. + - key: HTTPProxyUsername + title: HTTP ProxyUsername + type: + presence: optional + content: The user name used for authentication. + - key: HTTPProxyPassword + title: HTTP ProxyPassword + type: + presence: optional + content: The password used for authentication. + - key: HTTPSEnable + title: Enable HTTPS + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', enables proxy for HTTPS traffic. + - key: HTTPSProxy + title: HTTPS Proxy + type: + presence: optional + content: The host name of the HTTPS proxy. + - key: HTTPSPort + title: HTTPS Port + type: + presence: optional + range: + min: 0 + max: 65535 + content: The port number of the HTTPS proxy. This field is required if 'HTTPSProxy' + is specified. +- key: AlwaysOn + title: AlwaysOn + supportedOS: + iOS: + introduced: '8.0' + macOS: + introduced: n/a + type: + presence: optional + content: The dictionary used when 'VPNType' is set to 'AlwaysOn'. 
+ subkeys: + - key: UIToggleEnabled + title: UI Toggle Enabled + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', allows the user to disable the VPN configuration. + - key: TunnelConfigurations + title: TunnelConfigurations + type: + presence: required + content: An array that contains an arbitrary number of tunnel configurations. + subkeys: + - key: TunnelConfigurationElement + title: A TunnelConfiguration Element + type: + subkeys: + - key: ProtocolType + title: Protocol Type + type: + presence: required + rangelist: + - IKEv2 + content: The type of connection, which must be 'IKEv2'. + - key: Interfaces + title: Interfaces + type: + presence: optional + content: The interfaces to apply this configuration to. + subkeys: + - key: InterfacesElement + title: Interfaces Element + type: + rangelist: + - Cellular + - WiFi + - key: ServiceExceptions + title: ServiceExceptions + type: + presence: optional + content: An array that contains an arbitrary number of service exceptions. + subkeys: + - key: ServiceExceptionElement + title: A ServiceException Element + type: + subkeys: + - key: ServiceName + title: Service Name + type: + presence: required + rangelist: + - VoiceMail + - AirPrint + - CellularServices + content: The name of a service which is exempt from Always On VPN. 'CellularServices' + is available in iOS 11.3 and later; it exempts 'VoLTE', 'IMS' and 'MMS'. + WiFiCalling is exempted in iOS 13.4 and later. + - key: Action + title: Action + type: + presence: required + rangelist: + - Allow + - Drop + content: The action to take with network connections from the named service. + - key: ApplicationExceptions + title: ApplicationExceptions + supportedOS: + iOS: + introduced: '13.6' + type: + presence: optional + content: An array that contains an arbitrary number of applications whose connections + will occur outside the VPN. 
+ subkeys: + - key: ApplicationExceptionElement + title: A ApplicationException Element + type: + subkeys: + - key: BundleIdentifier + title: Bundle Identifier + type: + presence: required + content: The app's bundle identifier. + - key: LimitToProtocols + title: LimitToProtocols + type: + presence: optional + content: Limit the exception to only the specified list of protocol(s). Only + 'UDP' is supported. + subkeys: + - key: LimitToProtocolElement + title: LimitToProtocol Element + type: + rangelist: + - UDP + - key: AllowCaptiveWebSheet + title: Allow Captive Web Sheet + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', allows traffic from Captive Web Sheet outside the VPN tunnel. + - key: AllowAllCaptiveNetworkPlugins + title: Allow All Captive Network Plugins + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 'true', allows traffic from all captive networking apps outside the + VPN tunnel to perform captive network handling. + - key: AllowedCaptiveNetworkPlugins + title: AllowedCaptiveNetworkPlugins + type: + presence: optional + content: The array of captive networking apps whose traffic is allowed outside + the VPN tunnel, to perform captive network handling. Used only when 'AllowAllCaptiveNetworkPlugins + 'is 'false'. + subkeys: + - key: AllowedCaptiveNetworkPluginElement + title: An AllowedCaptiveNetworkPlugin Element + type: + subkeys: + - key: BundleIdentifier + title: Bundle Identifier + type: + presence: required + content: The bundle identifier for the app that is allowed on the captive + network. diff --git a/mdm/profiles/com.apple.webClip.managed.yaml b/mdm/profiles/com.apple.webClip.managed.yaml new file mode 100644 index 0000000..ad25aa2 --- /dev/null +++ b/mdm/profiles/com.apple.webClip.managed.yaml 
@@ -0,0 +1,97 @@
+title: Web Clip
+description: Use this section to define web clips
+payload:
+ payloadtype: com.apple.webClip.managed
+ supportedOS:
+ iOS:
+ introduced: '4.0'
+ supervised: false
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: false
+ userchannel: true
+ userenrollment:
+ mode: allowed
+ macOS:
+ introduced: '10.7'
+ devicechannel: false
+ userchannel: true
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: allowed
+payloadkeys:
+- key: Precomposed
+ title: Precomposed Icon
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', prevents SpringBoard from adding 'shine' to the icon.
+- key: FullScreen
+ title: Full Screen
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', launches the web clip as a full-screen web app.
+- key: URL
+ title: URL
+ type:
+ subtype: url
+ presence: required
+ content: The URL that the web clip should open when clicked. If the URL doesn't
+ begin with 'HTTP' or 'HTTPS', it doesn't work.
+- key: Icon
+ title: Icon
+ type:
+ presence: optional
+ content: |-
+ The PNG icon to be shown on the Home screen.
+ For best results, provide a square image that's no larger than 400 x 400 pixels and less than 1 MB when uncompressed. The graphics file is automatically scaled and cropped to fit, if necessary, and converted to PNG format. Web clip icons are 144 x 144 pixels for iPad devices with a Retina display, and 114 x 114 pixels for iPhone devices. To prevent the device from adding a shine to the image, set 'Precomposed' to 'true'.
+ If this property isn't specified, a white square is shown.
+- key: IsRemovable
+ title: Removable
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables removing the web clip.
+- key: Label
+ title: Label
+ type:
+ presence: required
+ content: The name of the web clip as displayed on the Home screen.
+- key: IgnoreManifestScope
+ title: Ignore Web Clip manifest scope
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: |-
+ If 'true', a full screen web clip can navigate to an external web site without showing Safari UI. Otherwise, Safari UI appears when navigating away from the web clip's URL.
+ This key has no effect when 'FullScreen' is 'false'.
+- key: TargetApplicationBundleIdentifier
+ title: Target Application Bundle Identifier
+ supportedOS:
+ iOS:
+ introduced: '14.0'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: The application bundle identifier that specifies the application which
+ opens the URL. To use this property, the profile must be installed through an
+ MDM.
diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml
new file mode 100644
index 0000000..acf4d98
--- /dev/null
+++ b/mdm/profiles/com.apple.webcontent-filter.yaml
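Review bot: The description of `URL`, `If the URL doesn't begin with 'HTTP' or 'HTTPS', it doesn't work.`, quotes the schemes the way this file quotes literal values, so it reads as upper-case tokens, and the scheme constraint lives only in prose even though other keys in this commit carry a `format:` regex. Suggest `begin with 'http://' or 'https://'` and, if the build tooling honours `format` on a `subtype: url` key (not confirmable from the diff), a pattern along the lines of `format: '^[Hh][Tt][Tt][Pp][Ss]?://'`. `IgnoreManifestScope` documents that a full-screen clip can navigate to an external site without Safari UI, but not the consequence that the user then has no address bar showing the page has left the clip's URL. A sentence such as `Because no Safari UI is shown, the user has no visible indication when the content is no longer served from the web clip's URL; enable this only for web clips whose sites are trusted.` gives administrators that caveat before they turn it on.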
@@ -0,0 +1,283 @@
+title: Web Content Filter
+description: Use this section to define managed email and web domains.
+payload:
+ payloadtype: com.apple.webcontent-filter
+ supportedOS:
+ iOS:
+ introduced: '7.0'
+ supervised: true
+ allowmanualinstall: true
+ sharedipad:
+ mode: allowed
+ devicechannel: true
+ userchannel: false
+ userenrollment:
+ mode: forbidden
+ macOS:
+ introduced: '10.15'
+ devicechannel: true
+ userchannel: false
+ requiresdep: false
+ userapprovedmdm: false
+ allowmanualinstall: true
+ userenrollment:
+ mode: forbidden
+payloadkeys:
+- key: FilterType
+ title: FilterType
+ supportedOS:
+ iOS:
+ introduced: '8.0'
+ type:
+ presence: optional
+ rangelist:
+ - BuiltIn
+ - Plugin
+ default: BuiltIn
+ content: The type of filter, built-in or plug-in. In macOS, the system supports
+ only the plug-in value.
+- key: AutoFilterEnabled
+ title: Web filter enabled
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: false
+ content: If 'true', automatic filtering is in an enabled state. This function evaluates
+ each web page as it loads and attempts to identify and block content not suitable
+ for children. The search algorithm is complex and may vary from release to release,
+ but it's basically looking for adult language.
+- key: PermittedURLs
+ title: PermittedURLs
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: An array or URLs that are accessible whether or not the automatic filter
+ allows access. The system uses this array only when 'AutoFilterEnabled' is 'true'.
+ Otherwise, it ignores this field.
+ subkeys:
+ - key: PermittedURLItems
+ title: Permitted url items
+ type:
+- key: BlacklistedURLs
+ title: BlacklistedURLs
+ supportedOS:
+ iOS:
+ deprecated: '14.5'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: Use 'DenyListURLs' instead.
+ subkeys:
+ - key: BlacklistedURLItems
+ title: Blacklisted url items
+ type:
+- key: DenyListURLs
+ title: DenyListURLs
+ supportedOS:
+ iOS:
+ introduced: '14.5'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: An array of URLs that are inaccessible. Limit the number of these URLs
+ to about 500.
+ subkeys:
+ - key: DenyListURLItems
+ title: Denylisted url items
+ type:
+- key: WhitelistedBookmarks
+ title: White list
+ supportedOS:
+ iOS:
+ deprecated: '14.5'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: Use 'AllowListBookmarks' instead.
+ subkeys:
+ - key: WhitelistedBookmarksItem
+ title: Identifier
+ type:
+ subkeys:
+ - key: URL
+ title: URL
+ type:
+ presence: required
+ content: The URL of the bookmark in the allow list.
+ - key: Title
+ title: Title
+ type:
+ presence: required
+ content: The title of the bookmark.
+- key: AllowListBookmarks
+ title: Allow list
+ supportedOS:
+ iOS:
+ introduced: '14.5'
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ content: An array of dictionaries defining the pages that the user can visit.
+ subkeys:
+ - key: AllowListBookmarksItem
+ title: Identifier
+ type:
+ subkeys:
+ - key: URL
+ title: URL
+ type:
+ presence: required
+ content: The URL of the bookmark in the allow list.
+ - key: Title
+ title: Title
+ type:
+ presence: required
+ content: The title of the bookmark.
+- key: UserDefinedName
+ title: UserDefinedName
+ type:
+ presence: optional
+ content: The display name for this filtering configuration.
+- key: PluginBundleID
+ title: PluginBundleID
+ type:
+ presence: optional
+ content: The bundle ID of the plug-in that provides filtering service.
+- key: ServerAddress
+ title: ServerAddress
+ type:
+ presence: optional
+ content: The server address, which may be the IP address, hostname, or URL.
+- key: UserName
+ title: Username
+ type:
+ presence: optional
+ content: The user name for the service.
+- key: Password
+ title: Password
+ type:
+ presence: optional
+ content: The password for the service.
+- key: PayloadCertificateUUID
+ title: Certificate UUID
+ type:
+ presence: optional
+ format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
+ content: The UUID of the certificate payload within the same profile that the system
+ uses to authenticate the user.
+- key: Organization
+ title: Organization
+ type:
+ presence: optional
+ content: The organization string that passes to the third-party plug-in.
+- key: VendorConfig
+ type:
+ presence: optional
+ content: The custom dictionary that the filtering service plug-in needs.
+ subkeys:
+ - key: ANY
+ type:
+ presence: required
+ content: The custom key/value pairs for the filtering service.
+- key: FilterBrowsers
+ title: FilterBrowsers
+ supportedOS:
+ macOS:
+ introduced: n/a
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables the filtering of WebKit traffic.
+- key: FilterSockets
+ title: FilterSockets
+ type:
+ presence: optional
+ default: true
+ content: If 'true', enables the filtering of socket traffic.
+- key: FilterDataProviderDesignatedRequirement
+ title: Filter Data Provider Designated Requirement
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: |-
+ The designated requirement string that the system embeds in the code signature of the filter data provider system extension. This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'.
+ Available in macOS 10.15 and later.
+- key: FilterDataProviderBundleIdentifier
+ title: Filter Data Provider Bundle Identifier
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: |-
+ The bundle identifier string of the filter data provider system extension.
This string identifies the filter data provider when the filter starts running. This field is a requirement if 'FilterSockets' is 'true'.
+ Available in macOS 10.15 and later.
+- key: FilterPackets
+ title: Filter Network Packets
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ default: true
+ content: |-
+ If this value is 'true', the property enables the filtering of network packets.
+ Either 'FilterPackets' or 'FilterSockets' must be 'true' for the filter to have an effect.
+ You can use this when 'FilterType' is 'Plugin'.
+ Available in macOS 10.15 and later.
+- key: FilterPacketProviderDesignatedRequirement
+ title: Filter Packet Provider Designated Requirement
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: |-
+ The designated requirement string that the system embeds in the code signature of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'.
+ Available in macOS 10.15 and later.
+- key: FilterPacketProviderBundleIdentifier
+ title: Filter Packet Provider Bundle Identifier
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ content: |-
+ The bundle identifier string of the filter packet provider system extension. This string identifies the filter packet provider when the filter starts running. This field is a requirement if 'FilterPackets' is 'true'.
+ Available in macOS 10.15 and later.
+- key: FilterGrade
+ title: Filter Grade
+ supportedOS:
+ iOS:
+ introduced: n/a
+ macOS:
+ introduced: '10.15'
+ type:
+ presence: optional
+ rangelist:
+ - firewall
+ - inspector
+ default: firewall
+ content: |-
+ This value is for deriving the relative order of content filters. Filters with a grade of 'firewall' see network traffic before filters with a grade of 'inspector'.
The system doesn't define the order of filters within a grade.
+ Available in macOS 10.15 and later.
diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml
new file mode 100644
index 0000000..ec3bd09
--- /dev/null
+++ b/mdm/profiles/com.apple.wifi.managed.yaml
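Review bot: The `format` regex on `PayloadCertificateUUID`, `^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$`, accepts any letter in every group, so a constructed value such as `ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ` validates although it is not a UUID; if the intent is RFC 4122 form, each class should be hex, `^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}$`. The same pattern is used for `PayloadCertificateUUID` and `CertificateAnchorUUID` in `mdm/profiles/com.apple.wifi.managed.yaml` in this commit, so it should change everywhere or nowhere; if the looseness is deliberate because existing profiles carry non-hex identifiers, a comment on the `format` line saying so would stop the next reader from tightening it. Separately, `FilterType` defaults to `BuiltIn` while its description says macOS supports only the plug-in value, and the `default` field has no per-OS override; a sentence such as `On macOS this key must be set explicitly to 'Plugin'.` would make the required value clear.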
@@ -0,0 +1,627 @@ +title: Wi-Fi +description: Use this section to define Wi-Fi settings +payload: + payloadtype: com.apple.wifi.managed + supportedOS: + iOS: + introduced: '4.0' + supervised: false + allowmanualinstall: true + sharedipad: + mode: allowed + devicechannel: true + userchannel: false + userenrollment: + mode: allowed + macOS: + introduced: '10.7' + devicechannel: true + userchannel: true + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: allowed + tvOS: + introduced: '5.1' + supervised: false + allowmanualinstall: true + watchOS: + introduced: '3.2' + allowmanualinstall: true +payloadkeys: +- key: AutoJoin + title: Auto Join + supportedOS: + iOS: + introduced: '5.0' + type: + presence: optional + default: true + content: |- + If 'true', the device joins the network automatically. + If 'false', the user must tap the network name to join it. + Available in iOS 5.0 and later, and in macOS 10.7 and later. +- key: SSID_STR + title: SSID + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: The SSID of the Wi-Fi network to be used. In iOS 7.0 and later, the SSID + is optional if a 'DomainName' value is provided. +- key: HIDDEN_NETWORK + title: Hidden + type: + presence: optional + default: false + content: If 'true', defines this network as hidden. +- key: ProxyType + title: Proxy Type + supportedOS: + iOS: + userenrollment: + mode: forbidden + type: + presence: optional + rangelist: + - None + - Manual + - Auto + default: None + content: |- + The proxy type, if any, to use. If you choose the manual proxy type, you need the proxy server address, including its port and optionally a user name and password into the proxy server. If you choose the auto proxy type, you can enter a proxy autoconfiguration (PAC) URL. + Available in iOS 5.0 and later, and on all versions of macOS. 
+- key: EncryptionType + title: Encryption Type + type: + presence: optional + rangelist: + - WEP + - WPA + - WPA2 + - WPA3 + - Any + - None + default: Any + content: |- + The encryption type for the network. + + WPA specifies WPA only; WPA2 applies to both encryption types. + Available in iOS 4.0 and later, and in all versions of macOS. The 'None' value is available in iOS 5.0 and later, and the 'WPA2' value is available in iOS 8.0 and later. +- key: Password + title: Password + type: + presence: optional + content: The password for the access point. +- key: PayloadCertificateUUID + title: Certificate UUID + type: + presence: optional + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + content: The UUID of the certificate payload within the same profile to use for + the client credential. +- key: EAPClientConfiguration + title: EAP Client Configuration + type: + presence: optional + content: The enterprise network configuration. + subkeys: + - key: AcceptEAPTypes + title: Accept EAP Types + type: + presence: required + content: |- + The system accepts the following EAP types: + 13 = TLS + 17 = LEAP + 18 = EAP-SIM + 21 = TTLS + 23 = EAP-AKA + 25 = PEAP + 43 = EAP-FAST + + For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network. + subkeys: + - key: EAPType + title: EAP Type + type: + rangelist: + - 13 + - 17 + - 18 + - 21 + - 23 + - 25 + - 43 + - key: UserName + title: Username + type: + presence: optional + content: The user name for the account. If you don't specify a value, the system + prompts the user during login. + - key: UserPassword + title: Password + type: + presence: optional + content: The user's password. 
If you don't specify a value, the system prompts + the user during login. + - key: OneTimePassword + supportedOS: + iOS: + introduced: '8.0' + type: + presence: optional + default: false + content: If 'true', the user receives a prompt for a password each time they connect + to the network. + - key: PayloadCertificateAnchorUUID + title: Certificate Anchor UUID + type: + presence: optional + content: An array of the UUID of a certificate payload to trust for authentication. + Use this key to prevent the device from asking the user whether to trust the + listed certificates. Dynamic trust (the certificate dialogue) is in a disabled + state if you specify this property without also enabling 'TLSAllowTrustExceptions'. + subkeys: + - key: CertificateAnchorUUID + title: Individual Certificate Anchor UUID + type: + format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$ + - key: TLSTrustedCertificates + title: TLS Trusted Certificates + type: + presence: optional + content: An array of trusted certificates. Each entry in the array must contain + certificate data that represents an anchor certificate used for verifying the + server certificate. + subkeys: + - key: TLSTrustedCertificatesItem + type: + presence: required + content: A certificate identifier. + - key: TLSTrustedServerNames + title: TLS Trusted Server Names + type: + presence: optional + content: |- + The list of accepted server certificate common names. If a server presents a certificate that isn't in this list, the system doesn't trust it. + If you specify this property, the system disables dynamic trust (the certificate dialog) unless you also specify 'TLSAllowTrustExceptions' with the value 'true'. + If necessary, use wildcards to specify the name, such as 'wpa.*.example.com'. 
+ subkeys: + - key: TLSTrustedServerName + title: Individual Trusted TLS Server Name + type: + - key: TLSAllowTrustExceptions + title: Allow Trust Exceptions + supportedOS: + iOS: + removed: '8.0' + type: + presence: optional + default: true + content: |- + If 'true', allows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when the system doesn't trust a certificate. + If 'false', the authentication fails if the system doesn't already trust the certificate. + As of iOS 8, Apple no longer supports this key. + - key: TLSCertificateIsRequired + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + default: false + content: |- + If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. If 'false', allows for zero-factor authentication for EAP-TLS. + If you don't specify a value, the default is 'true' for EAP-TLS, and 'false' for other EAP types. + - key: TTLSInnerAuthentication + title: TTLS Inner Authentication + type: + presence: optional + rangelist: + - PAP + - EAP + - CHAP + - MSCHAP + - MSCHAPv2 + default: MSCHAPv2 + content: The inner authentication that the TTLS module uses. + - key: TLSMinimumVersion + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: '10.13' + tvOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + default: '1.0' + content: The minimum TLS version for EAP authentication. + - key: TLSMaximumVersion + supportedOS: + iOS: + introduced: '11.0' + macOS: + introduced: '10.13' + tvOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - '1.0' + - '1.1' + - '1.2' + default: '1.2' + content: The maximum TLS version for EAP authentication. + - key: OuterIdentity + title: Outer Identity + type: + presence: optional + content: |- + A name that hides the user's true name. The user's actual name appears only inside the encrypted tunnel. 
For example, you might set this to anonymous or anon, or anon@mycompany.net. It can increase security because an attacker can't see the authenticating user's name in the clear. + + This key is only relevant to TTLS, PEAP, and EAP-FAST. + - key: EAPFASTUsePAC + title: Use PAC + type: + presence: optional + default: false + content: If 'true', the device uses an existing PAC if it's present. Otherwise, + the server must present its identity using a certificate. + - key: EAPFASTProvisionPAC + title: Provision PAC + type: + presence: optional + default: false + content: |- + If 'true', allows PAC provisioning. + + This value is only applicable if 'EAPFASTUsePAC' is 'true'. This value must be 'true' for EAP-FAST PAC usage to succeed because there is no other way to provision a PAC. + - key: EAPFASTProvisionPACAnonymously + title: Provision PAC Anonymously + type: + presence: optional + default: false + content: If 'true', provisions the device anonymously. Note that there are known + machine-in-the-middle attacks for anonymous provisioning. + - key: EAPSIMNumberOfRANDs + title: Allow Two RANDs + supportedOS: + iOS: + introduced: '8.0' + type: + presence: optional + rangelist: + - 2 + - 3 + default: 3 + content: |- + The minimum number of RAND values to accept from the server. + For use with EAP-SIM only. + - key: SystemModeCredentialsSource + type: + presence: optional + content: |- + Set this string to 'ActiveDirectory' to use the AD computer name and password credentials. + If using this property, you can't use 'SystemModeUseOpenDirectoryCredentials'. + - key: SystemModeUseOpenDirectoryCredentials + type: + presence: optional + default: false + content: |- + If 'true', the system mode connection tries to use the Open Directory credentials. + If using this property, you can't use 'SystemModeCredentialsSource'. 
+ - key: OneTimeUserPassword + title: Per-Connection Password + type: + presence: optional + default: false + content: If 'true', the user receives a prompt for a password each time they connect + to the network. +- key: DisplayedOperatorName + title: Displayed Operator Name + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + content: |- + The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. + Available in iOS 7.0 and later, and in macOS 10.9 and later. +- key: DomainName + title: Domain Name + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + content: |- + The primary domain of the tunnel. + Available in iOS 7.0 and later, and in macOS 10.9 and later. +- key: RoamingConsortiumOIs + title: Roaming OIs + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + content: |- + An array of Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. + Available in iOS 7.0 and later, and in macOS 10.9 and later. + subkeys: + - key: RoamingConsortiumOI + type: + format: ^([0-9A-Za-z]{6})|([0-9A-Za-z]{9})$ +- key: ServiceProviderRoamingEnabled + title: Roaming Enable + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + default: false + content: |- + If 'true', allows connection to roaming service providers. + Available in iOS 7.0 and later, and in macOS 10.9 and later. +- key: IsHotspot + title: Is Hotspot + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + default: false + content: |- + If 'true', the device treats the network as a hotspot. + Available in iOS 7.0 and later, and in macOS 10.9 and later. +- key: HESSID + supportedOS: + iOS: + introduced: '7.0' + type: + presence: optional + content: The HESSID used for Wi-Fi Hotspot 2.0 negotiation. 
+- key: NAIRealmNames + title: Realm Names + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: '10.9' + type: + presence: optional + content: |- + An array of Network Access Identifier Realm names used for Wi-Fi Hotspot 2.0 negotiation. + Available in iOS 7.0 and later, and in macOS 10.9 and later. + subkeys: + - key: NAIRealmName + type: +- key: MCCAndMNCs + title: MCC/MNCs + supportedOS: + iOS: + introduced: '7.0' + macOS: + introduced: n/a + type: + presence: optional + content: |- + An array of Mobile Country Code/Mobile Network Code (MCC/MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. + Available in iOS 7.0 and later. This feature is not supported in macOS. + subkeys: + - key: MCCAndMNC + type: + format: ^[0-9]{6}$ +- key: CaptiveBypass + title: Disable Captive Network Detection + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: n/a + type: + presence: optional + default: false + content: |- + If 'true', Captive Network detection will be bypassed when the device connects to the network. + Available in iOS 10.0 and later. +- key: QoSMarkingPolicy + title: QoS Marking Policy + supportedOS: + iOS: + introduced: '10.0' + macOS: + introduced: '10.13' + type: + presence: optional + content: |- + A dictionary that contains the list of apps that are allowed to benefit from L2 and L3 marking. When this dictionary isn't present, all apps are allowed to use L2 and L3 marking when the Wi-Fi network supports Cisco QoS fast lane. + Available in iOS 10.0 and later, and in macOS 10.13 and later. + subkeys: + - key: QoSMarkingAllowListAppIdentifiers + title: Allowlisted App Identifiers + supportedOS: + iOS: + introduced: '14.5' + macOS: + introduced: n/a + type: + presence: optional + content: An array of app bundle identifiers that defines the allow list for L2 + and L3 marking for traffic that goes to the Wi-Fi network. 
If the array isn't + present, but the 'QoSMarkingPolicy' key is present — even empty — no apps can + use L2 and L3 marking. + subkeys: &id001 + - key: appBundleID + title: Allowlisted App + type: + - key: QoSMarkingWhitelistedAppIdentifiers + title: Whitelisted App Identifiers + supportedOS: + iOS: + deprecated: '14.5' + type: + presence: optional + content: Use 'QoSMarkingAllowListAppIdentifiers' instead. + subkeys: *id001 + - key: QoSMarkingAppleAudioVideoCalls + title: QoS marking for audio/video calls + type: + presence: optional + default: true + content: If 'true', adds audio and video traffic of built-in audio/video services, + such as FaceTime and Wi-Fi Calling, to the allow list for L2 and L3 marking + for traffic that goes to the Wi-Fi network. + - key: QoSMarkingEnabled + title: Allow QoS marking + type: + presence: optional + default: true + content: |- + If 'true', disables L3 marking and only uses L2 marking for traffic that goes to the Wi-Fi network. + + If 'false', the system behaves as if Wi-Fi doesn't have an association with a Cisco QoS fast lane network. +- key: SetupModes + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '10.7' + tvOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + content: An array of strings that contain the type of connection mode to be attached. + subkeys: + - key: SetupModesItem + type: + presence: required + rangelist: + - System + - Loginwindow + content: A type of connection mode. +- key: EnableIPv6 + type: + presence: optional + default: true + content: If 'true', enables IPv6 on this interface. +- key: TLSCertificateRequired + title: Certificate Required + type: + presence: optional + default: false + content: |- + If 'true', allows for two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. + If 'false', allows for zero-factor authentication for EAP-TLS. 
+- key: ProxyServer + title: Proxy Server + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: optional + content: The proxy server's network address. +- key: ProxyServerPort + title: Proxy Server Port + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: optional + range: + min: 0 + max: 65535 + content: The proxy server's port number. +- key: ProxyUsername + title: Proxy Username + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: optional + content: The user name used to authenticate to the proxy server. +- key: ProxyPassword + title: Proxy Password + supportedOS: + iOS: + userenrollment: + mode: forbidden + type: + presence: optional + content: The password used to authenticate to the proxy server. +- key: ProxyPACURL + title: Proxy Username + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: optional + content: The URL of the PAC file that defines the proxy configuration. +- key: ProxyPACFallbackAllowed + title: Proxy PAC Fallback Allowed + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: optional + default: false + content: If 'true', allows connecting directly to the destination if the PAC file + is unreachable. +- key: DisableAssociationMACRandomization + title: Disable MAC address randomization during association + supportedOS: + iOS: + introduced: '14.0' + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + watchOS: + introduced: '7.0' + type: + presence: optional + default: false + content: |- + If 'true,' disables MAC address randomization for a Wi-Fi network while associated with that network. 
This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections. + This value is only locked when the profile is installed by MDM. If the profile is manually installed, the value is set but the user can change it. + Available in iOS 14 and later, and watchOS 7 and later. diff --git a/mdm/profiles/com.apple.xsan.preferences.yaml b/mdm/profiles/com.apple.xsan.preferences.yaml new file mode 100644 index 0000000..83cb559 --- /dev/null +++ b/mdm/profiles/com.apple.xsan.preferences.yaml 
@@ -0,0 +1,71 @@ +title: Xsan Preferences +description: '' +payload: + payloadtype: com.apple.xsan.preferences + supportedOS: + macOS: + introduced: '10.11' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: The Xsan preferences payload can be used to configure which volumes automatically + mount at startup. For StorNext volumes this payload also determines whether the + mount uses Fibre Channel or Distributed LAN Client (DLC). +payloadkeys: +- key: onlyMount + type: + presence: optional + content: An array of Xsan or StorNext volume names. The Xsan client attempts to + automatically mount these volumes at startup. The system administrator can mount + additional volumes manually by using the 'xsanctl(8)' mount command. + subkeys: + - key: onlyMountItem + type: + presence: required + content: A volume name. +- key: denyMount + type: + presence: optional + content: An array of Xsan or StorNext volume names. If no 'onlyMount' array is present, + the Xsan client automatically attempts to mount all SAN volumes except the volumes + in this array. The system administrator can mount those volumes manually by using + the 'xsanctl(8)' mount command. + subkeys: + - key: denyMountItem + type: + presence: required + content: A volume name. +- key: denyDLC + type: + presence: optional + content: An array of StorNext volume names. If the Xsan client is attempting to + mount a volume named in this array, the client only mounts the volume if its logical + units (LUNs) are available through Fibre Channel. It doesn't attempt to mount + the volume using Distributed LAN Client (DLC). + subkeys: + - key: denyDLCItem + type: + presence: required + content: A volume name. +- key: preferDLC + type: + presence: optional + content: An array of StorNext volume names. 
If the Xsan client is attempting to + mount a volume named in this array, the Xsan client attempts to mount the volume + using DLC. If DLC isn't available, the client attempts to mount the volume if + its LUNs are available through Fibre Channel. The volume name must not also appear + in 'denyDLC'. + subkeys: + - key: preferDLCItem + type: + presence: required + content: A volume name. +- key: useDLC + type: + presence: optional + default: false + content: If 'true', use the DLC for all volumes. diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml new file mode 100644 index 0000000..5ae7759 --- /dev/null +++ b/mdm/profiles/com.apple.xsan.yaml 
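Review bot: The `preferDLC` entry states that its volume names must not also appear in `denyDLC`, but the `denyDLC` entry says nothing about the exclusion and the schema as written has no way to express it, so a reader of `denyDLC` alone never sees the constraint. Mirroring it there, for example `A volume name listed here must not also appear in 'preferDLC'.`, keeps the two entries consistent. The `useDLC` content (`If 'true', use the DLC for all volumes.`) also leaves open whether a `denyDLC` entry overrides it; if that precedence is known, a sentence on `useDLC` stating it would remove the ambiguity.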
@@ -0,0 +1,60 @@ +title: Xsan +description: '' +payload: + payloadtype: com.apple.xsan + supportedOS: + macOS: + introduced: '10.10' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: Sets up Xsan clients and controls certain Xsan volume mount behaviors. +payloadkeys: +- key: sanName + type: + presence: required + content: The name of the SAN. This key is required for all Xsan SANs. The name must + exactly match the name of the SAN defined in the metadata server. +- key: sanConfigURLs + type: + presence: required + content: |- + An array of LDAP URLs where Xsan systems can obtain SAN configuration updates. This key is required for all Xsan SANs. There should be one entry for each Xsan MDC. + + Example URL: 'ldaps://mdc1.example.com:389'. + subkeys: + - key: sanConfigURLsItem + type: + presence: required + content: A URL. +- key: fsnameservers + type: + presence: required + content: |- + An array of storage area network (SAN) File System Name Server coordinators. The list should contain the same addresses in the same order as the metadata controller (MDC) '/Library/Preferences/Xsan/fsnameservers' file. Xsan SAN clients automatically receive updates to the 'fsnameservers' list from the SAN configuration servers whenever this list changes. StorNext administrators should update their profile whenever the 'fsnameservers' list changes. + + This key is required for StorNext SANs. + subkeys: + - key: fsnameserversItem + type: + presence: required + content: A name server. +- key: sanAuthMethod + type: + presence: optional + rangelist: + - auth_secret + content: |- + The authentication method for the SAN. This key is required for all Xsan SANs. It's optional for StorNext SANs but should be set if the StorNext SAN uses an 'auth_secret' file. 
+ + Only one value is accepted: 'auth_secret' +- key: sharedSecret + type: + presence: required + content: The shared secret used for Xsan network authentication. This key is required + when the 'sanAuthMethod' key is present. The value should equal the content of + the MDC's '/Library/Preferences/Xsan/.auth_secret' file. diff --git a/mdm/profiles/loginwindow.yaml b/mdm/profiles/loginwindow.yaml new file mode 100644 index 0000000..51da148 --- /dev/null +++ b/mdm/profiles/loginwindow.yaml @@ -0,0 +1,25 @@ +title: 'Login Window: Login Items' +description: '' +payload: + payloadtype: loginwindow + supportedOS: + macOS: + introduced: '10.7' + devicechannel: true + userchannel: false + requiresdep: false + userapprovedmdm: false + allowmanualinstall: true + userenrollment: + mode: forbidden + content: This payload handles login items management. +payloadkeys: +- key: DisableLoginItemsSuppression + supportedOS: + macOS: + introduced: all + type: + presence: optional + default: false + content: If 'true', prevents the user from disabling login item launches by using + the Shift key.
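Review bot: `sharedSecret` is declared `presence: required`, yet its content says it is required only when `sanAuthMethod` is present, and `sanAuthMethod` is `presence: optional` while its content says it is required for all Xsan SANs; the presence flags and the prose disagree in both directions. If the schema has no conditional-presence construct, `presence: optional` on `sharedSecret` with the prose stating the condition is the consistent choice, and the `sanAuthMethod` content should name the SAN type for which it is optional rather than calling it both required and optional. Separately, the `sanConfigURLs` example `'ldaps://mdc1.example.com:389'` pairs the LDAPS scheme with the plaintext LDAP port; if 636 is what the example intends, the text should use it, otherwise a short note that Xsan MDCs serve LDAPS on 389 would stop readers from "correcting" it. Since `sharedSecret` carries a credential in clear text inside the profile, its content could also state that the value should match the MDC file exactly and that the profile containing it needs the same protection as that file.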
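Review bot: `DisableLoginItemsSuppression` uses `introduced: all` while the enclosing payload is `introduced: '10.7'` and every other key in this patch gives a quoted version string or `n/a`; unless `all` is a token the schema defines, the key-level entry should read `introduced: '10.7'` (or be omitted so the payload-level value applies, if the schema supports inheritance). This is the only key under `payloadkeys`, so it is the single place to check in this file.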