CalvinBackup/apple_device-management
1
0
Fork 0
mirror of https://github.com/apple/device-management.git synced 2026-02-12 12:52:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Release_iOS-16-4_macOS-13-3

Browse Source
This commit is contained in:
Cyrus Daboo
2023-04-05 21:17:00 -04:00
parent eb51fb0cb9
commit 5a8fb0deb2
23 changed files with 386 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -8,10 +8,10 @@ This release corresponds to the following OS versions
| OS | Version |
|---------|---------|
| iOS | 16.2 |
| macOS | 13.1 |
| tvOS | 16.2 |
| watchOS | 9.2 |
| iOS | 16.4 |
| macOS | 13.3 |
| tvOS | 16.4 |
| watchOS | 9.4 |
## What's Available

2
declarative/declarations/configurations/account.caldav.yaml
View File

@@ -48,4 +48,4 @@ payloadkeys:
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
this account. The corresponding asset must be of type CredentialUserNameAndPassword.

2
declarative/declarations/configurations/account.carddav.yaml
View File

@@ -47,4 +47,4 @@ payloadkeys:
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
this account. The corresponding asset must be of type CredentialUserNameAndPassword.

2
declarative/declarations/configurations/account.ldap.yaml
View File

@@ -42,7 +42,7 @@ payloadkeys:
type: <string>
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type UserNameAndPasswordCredentials.
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
- key: SearchSettings
title: Search Settings
type: <array>

3
declarative/status/device.operating-system.supplemental.build-version.yaml
View File

@@ -14,4 +14,5 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: Status value.
content: Identifies the operating system's build and rapid security response versions
in use on the device (for example, '20A123a', or '20B27c').

3
declarative/status/device.operating-system.supplemental.extra-version.yaml
View File

@@ -14,4 +14,5 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: Status value.
content: Identifies the operating system's rapid security response version in use
on the device (for example, 'a').

80
mdm/checkin/declarativemanagement.yaml
View File

@@ -33,10 +33,6 @@ payloadkeys:
rangelist:
- DeclarativeManagement
content: The message type, which must have a value of 'DeclarativeManagement'.
- key: EnrollmentID
type: <string>
presence: required
content: The per-enrollment identifier for the device.
- key: Endpoint
type: <string>
presence: required
@@ -50,3 +46,79 @@ payloadkeys:
type: <data>
presence: optional
content: A Base64-encoded JSON object using the SynchronizationTokens schema.
- key: UDID
supportedOS:
iOS:
userenrollment:
mode: forbidden
macOS:
userenrollment:
mode: forbidden
type: <string>
presence: required
content: The device's UDID.
- key: EnrollmentID
supportedOS:
iOS:
userenrollment:
mode: required
macOS:
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device.
- key: EnrollmentUserID
supportedOS:
iOS:
introduced: n/a
macOS:
devicechannel: false
userenrollment:
mode: required
tvOS:
introduced: n/a
type: <string>
presence: required
content: A per-enrollment identifier that identifies the user for user enrollments.
- key: UserShortName
supportedOS:
iOS:
sharedipad:
mode: required
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple ID of the user. When
present indicates that the token is for the user channel. On macOS, this value
always returns the short name of the user.
- key: UserID
supportedOS:
iOS:
sharedipad:
mode: required
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: optional
content: On macOS, this value always returns the ID of the user. On Shared iPad,
this value is always set to FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF to indicate that
no authentication will occur.
- key: UserLongName
supportedOS:
iOS:
introduced: n/a
macOS:
devicechannel: false
tvOS:
introduced: n/a
type: <string>
presence: required
content: The full name of the user.

15
mdm/commands/application.install.yaml
View File

@@ -178,6 +178,21 @@ payloadkeys:
default: true
content: If 'false', this app isn't removable while it's a managed app. This value
is available in iOS 14 and later, and tvOS 14 and later.
- key: TapToPayScreenLock
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: Enabling this setting will require Tap to Pay on iPhone users to use
Face ID or a passcode to unlock their device after every transaction that requires
a customers card PIN. Disabling this setting will allow users to configure
this setting on their device based on personal preference.
- key: ChangeManagementState
supportedOS:
iOS:

2
mdm/commands/application.managed.list.yaml
View File

@@ -60,6 +60,7 @@ responsekeys:
type: <string>
presence: required
rangelist:
- Queued
- NeedsRedemption
- Redeeming
- Prompting
@@ -81,6 +82,7 @@ responsekeys:
- Failed
content: |-
The status of the managed app, which is one of the following values:
* 'Queued': The app is scheduled for installation.
* 'NeedsRedemption': The app needs a redemption code to complete installation.
* 'Redeeming': The device is redeeming the redemption code for the app.
* 'Prompting': The app installation is prompting the user.

100
mdm/commands/information.device.yaml
View File

@@ -242,6 +242,20 @@ payloadkeys:
type: <string>
content: The key to get the model. This value requires the Device Information
access right.
- key: ModelNumber
supportedOS:
iOS:
introduced: '16.4'
accessrights: AllowQueryDeviceInformation
macOS:
introduced: '13.3'
accessrights: AllowQueryDeviceInformation
tvOS:
introduced: '16.4'
accessrights: AllowQueryDeviceInformation
type: <string>
content: The device's hardware model number, including region info, e.g. "MK1A3LL/A".
Requires Device Information right. Requires Apple silicon on macOS.
- key: IsAppleSilicon
supportedOS:
iOS:
@@ -365,12 +379,24 @@ payloadkeys:
introduced: '5.0'
accessrights: AllowQueryDeviceInformation
macOS:
introduced: n/a
introduced: '13.3'
accessrights: AllowQueryDeviceInformation
tvOS:
introduced: n/a
type: <string>
content: The key to get the battery level. This value requires the Device Information
access right, and is available in iOS 5 and later.
- key: HasBattery
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.3'
accessrights: AllowQueryDeviceInformation
tvOS:
introduced: n/a
type: <string>
content: Whether the device has an internal battery.
- key: IsSupervised
supportedOS:
iOS:
@@ -1180,6 +1206,21 @@ payloadkeys:
content: |-
The key to get an attestation of the device's properties.
Available in iOS 16 and later and tvOS 16 and later.
- key: EACSPreflight
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.3'
accessrights: AllowQueryDeviceInformation
userchannel: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <string>
content: Determines whether the device could perform an EraseDevice using Erase
All Content and Settings.
- key: DeviceAttestationNonce
supportedOS:
iOS:
@@ -1380,6 +1421,17 @@ responsekeys:
- key: Model
type: <string>
content: The model. This value requires the Device Information access right.
- key: ModelNumber
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
tvOS:
introduced: '16.4'
type: <string>
content: The device's hardware model number, including region info, e.g. "MK1A3LL/A".
Requires Device Information right. Requires Apple silicon on macOS.
- key: IsAppleSilicon
supportedOS:
iOS:
@@ -1474,13 +1526,23 @@ responsekeys:
iOS:
introduced: '5.0'
macOS:
introduced: n/a
introduced: '13.3'
tvOS:
introduced: n/a
type: <real>
content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine
the battery level. This value requires the Device Information access right,
and is available in iOS 5 and later.
- key: HasBattery
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.3'
tvOS:
introduced: n/a
type: <boolean>
content: Whether the device has an internal battery.
- key: IsSupervised
supportedOS:
iOS:
@@ -1648,7 +1710,7 @@ responsekeys:
type: <boolean>
content: If 'true', start a new scan. This value is available in macOS 10.11
and later.
- key: AutomaticCheckEnabled
- key: AutoCheckEnabled
type: <boolean>
content: The preference to automatically check for app updates. This value is
available in macOS 10.11 and later.
@@ -2268,9 +2330,12 @@ responsekeys:
subkeys:
- key: RecommendationsCadence
type: <integer>
content: Which software updates are presented to the user. 0 (the default) allows
all updates, 1 allows only older updates. 2 allows only newer updates. No
effect if only a single update would be offered to the user for this device.
content: |-
Which software updates to present to the user.
* '0' (the default) allows all updates.
* '1' allows only older updates.
* '2' allows only newer updates.
No effect if the device qualifies for only a single update.
- key: AccessibilitySettings
supportedOS:
iOS:
@@ -2318,8 +2383,9 @@ responsekeys:
- 9
- 10
- 11
content: The accessibility text size apps that support dynamic text use. 0 is
the smallest value, and 11 is the largest available.
content: |-
The accessibility text size apps that support dynamic text use. 0 is the smallest value, and 11 is the largest available.
'-1' indicates that the current size is unknown or hasn't been explicitly set.
- key: TouchAccommodationsEnabled
type: <boolean>
content: If 'true', device has enabled touch accommodations.
@@ -2347,3 +2413,21 @@ responsekeys:
subkeys:
- key: AttestationCertificate
type: <data>
- key: EACSPreflight
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '13.3'
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
type: <string>
content: |-
Determines whether the device could perform an EraseDevice using Erase All Content and Settings.
Responses can include:
"success" -> device supports EACS and everything looks OK
"not supported" -> device is too old to support EACS (does not contain T2 or AppleSilicon)
"unknown failure" -> something went wrong for which we don't have a better error message
(other string) -> reason why EACS cannot be performed at the current time (e.g. "System is not sealed")

17
mdm/commands/settings.yaml
View File

@@ -344,6 +344,21 @@ payloadkeys:
default: true
content: If 'false', this app isn't removable while it's managed. This value
is available in iOS 14 and later, and tvOS 14 and later.
- key: TapToPayScreenLock
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: Enabling this setting will require Tap to Pay on iPhone users to
use Face ID or a passcode to unlock their device after every transaction
that requires a customers card PIN. Disabling this setting will allow users
to configure this setting on their device based on personal preference.
- key: DeviceName
supportedOS:
iOS:
@@ -853,6 +868,8 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary that contains accessibility settings. Available in iOS 16
and later.
subkeys:
- key: Item
type: <string>

28
mdm/profiles/com.apple.applicationaccess.yaml
View File

@@ -237,7 +237,7 @@ payloadkeys:
presence: optional
default: true
content: If 'false', limits Apple personalized advertising. Available in iOS 14
and later.
and later and macOS 12 and later.
- key: allowAppRemoval
title: Allow App Removal
supportedOS:
@@ -571,8 +571,8 @@ payloadkeys:
presence: optional
default: true
content: If 'false', disables document and key-value syncing to iCloud. As of iOS
13, this restriction requires a supervised device. Available in iOS 5 and later,
and macOS 10.11 and later.
13, this restriction requires a supervised device and shared iPads don't support
it. Available in iOS 5 and later, and macOS 10.11 and later.
- key: allowCloudKeychainSync
supportedOS:
iOS:
@@ -1251,8 +1251,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'false', disables Mail Privacy Protection on the device. Available in
iOS 15.2 and later.
content: If 'false', disables Mail Privacy Protection on the device. Requires a
supervised device. Available in iOS 15.2 and later.
- key: allowManagedAppsCloudSync
title: Allow iCloud Sync for Managed Apps
supportedOS:
@@ -1648,7 +1648,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If set to false, rapid security responses can't be installed.
content: If 'false', prohibits installation of rapid security responses.
- key: allowRapidSecurityResponseRemoval
title: Allow Rapid Security Response Removal
supportedOS:
@@ -1666,7 +1666,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If set to false, rapid security responses can't be removed.
content: If 'false', prohibits removal of rapid security responses.
- key: allowRemoteAppPairing
title: Allow pairing with Remote app
supportedOS:
@@ -1936,7 +1936,8 @@ payloadkeys:
default: true
content: |-
If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization.
This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later.
If the system has Lockdown mode enabled, the system ignores this value.
Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later.
- key: allowVideoConferencing
title: Allow Video Conferencing
supportedOS:
@@ -2063,9 +2064,9 @@ payloadkeys:
supervised: true
type: <array>
presence: optional
content: If present, prevents bundle IDs listed in the array from being shown or
launchable. Include the value 'com.apple.webapp' to restrict all webclips. Requires
a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later.
content: |-
If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value 'com.apple.webapp' to restrict all webclips. Note that denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for user-based VPP.
Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later.
subkeys:
- key: appBlockedBundleID
title: Blocked App
@@ -2083,8 +2084,9 @@ payloadkeys:
type: <integer>
presence: optional
default: 172800
content: The value, in seconds, after which the fingerprint unlock will require
a password to authenticate. The default value is 48 hours.
content: |-
The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours.
Available in macOS 12 and later.
- key: enforcedSoftwareUpdateDelay
supportedOS:
iOS:

4
mdm/profiles/com.apple.dnsSettings.managed.yaml
View File

@@ -79,8 +79,8 @@ payloadkeys:
title: On Demand Rules
type: <array>
presence: optional
content: An array of rules defining the DNS settings. If rules are not present,
the system always applies the DNS settings. These rules are identical to the 'OnDemandRules'
content: An array of rules defining the DNS settings. If rules aren't present, the
system always applies the DNS settings. These rules are identical to the 'OnDemandRules'
array in VPN payloads.
subkeytype: OnDemandRulesElement
subkeys:

5
mdm/profiles/com.apple.domains.yaml
View File

@@ -82,8 +82,9 @@ payloadkeys:
allowmanualinstall: false
type: <array>
presence: optional
content: An array of up to 10 strings. URLs matching the patterns listed here will
have relaxed enforcement of cross-site tracking prevention.
content: |-
An array of up to 10 strings. URLs matching the patterns listed here have relaxed enforcement of cross-site tracking prevention.
Available in iOS 16.2 and later and macOS 13.1 and later.
subkeys:
- key: CrossSiteTrackingPreventionRelaxedDomainItem
type: <string>

14
mdm/profiles/com.apple.mdm.yaml
View File

@@ -116,7 +116,8 @@ payloadkeys:
type: <string>
presence: optional
content: The Managed Apple ID of the user. Available in iOS 13.1 and later, and
macOS 10.15 and later.
macOS 10.15 and later. This is only used with the profile-based BYOD enrollment
flow.
- key: AssignedManagedAppleID
title: Assigned Managed Apple ID
supportedOS:
@@ -128,9 +129,8 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: |-
The Managed Apple ID pre-assigned to the authenticated user. This is only used with the BYOD enrollment flow.
Available in iOS 15 and later.
content: The Managed Apple ID pre-assigned to the authenticated user. This is only
used with the account-based BYOD enrollment flow. Available in iOS 15 and later.
- key: EnrollmentMode
title: Enrollment Mode
supportedOS:
@@ -144,9 +144,9 @@ payloadkeys:
presence: optional
rangelist:
- BYOD
content: |-
The enrollment mode the server indicates must be used when enrolling. This must be present for BYOD enrollments.
Available in iOS 15 and later.
content: The enrollment mode the server indicates must be used when enrolling. This
must be present for account-based BYOD enrollments, but must not be present for
profile-based BYOD enrollments. Available in iOS 15 and later.
- key: ServerURLPinningCertificateUUIDs
supportedOS:
iOS:

3
mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml
View File

@@ -75,7 +75,8 @@ payloadkeys:
being unlocked by the user, before it gets locked by the system. When this limit
is reached, the device is locked and the passcode must be entered. The user can
edit this setting, but the value cannot exceed the 'maxInactivity' value. In macOS,
this inactivity value is translated to screen-saver settings.
this inactivity value is translated to screen-saver settings. The maximum value
for macOS is 60 minutes.
- key: maxPINAgeInDays
title: Maximum Passcode Age
supportedOS:

8
mdm/profiles/com.apple.security.acme.yaml
View File

@@ -158,7 +158,7 @@ payloadkeys:
content: |-
If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate.
When 'Attest' is 'true', 'HardwareBound' must also be 'true'.
On macOS, this key, if present, must have a value of 'false'.
On macOS, if this key is present, it must have a value of 'false'.
- key: KeyIsExtractable
supportedOS:
iOS:
@@ -168,8 +168,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: Whether the private key of the identity obtained via SCEP should be tagged
as "non-extractable" in the keychain.
content: If true, the private key of the identity obtained via SCEP should be tagged
as non-extractable in the keychain.
- key: AllowAllAppsAccess
title: Allow All Apps Access
supportedOS:
@@ -180,4 +180,4 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If true, all apps have access to the private key.
content: If 'true', all apps have access to the private key.

1
mdm/profiles/com.apple.security.firewall.yaml
View File

@@ -17,7 +17,6 @@ payload:
Notes:
* The payload must exist in a "system" scoped profile.
* If more than one profile contains this payload, the most restrictive union of settings will be used.
* Per Firewall team's request, the "Automatically allow signed downloaded software" and "Automatically allow built-in software" options are not supported but both will be forced ON when this payload is present.
payloadkeys:
- key: EnableFirewall
type: <boolean>

3
mdm/profiles/com.apple.security.pkcs12.yaml
View File

@@ -62,7 +62,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', allows apps access to the private key.
content: If 'true', allows apps access to the private key. Available in macOS 10.10
and later.
- key: KeyIsExtractable
supportedOS:
iOS:

10
mdm/profiles/com.apple.servicemanagement.yaml
View File

@@ -20,7 +20,7 @@ payloadkeys:
title: Rules
type: <array>
presence: required
content: An array of rule dictionaries.
content: An array of service management rules.
subkeys:
- key: Rule
title: Rule
@@ -43,8 +43,8 @@ payloadkeys:
title: Rule Value
type: <string>
presence: required
content: The value to compare with each login item's value, to determine a match
to this rule.
content: The value to compare with each login item's value, to determine if
this rule is a match.
- key: Comment
title: Comment
type: <string>
@@ -54,5 +54,5 @@ payloadkeys:
title: Team Identifier
type: <string>
presence: optional
content: An additional constraint to limit the scope of the rule that is tested
after matching the RuleType/RuleValue.
content: An additional constraint to limit the scope of the rule that the system
tests after matching the 'RuleType' and 'RuleValue'.

125
mdm/profiles/com.apple.vpn.managed.yaml
View File

@@ -170,7 +170,13 @@ payloadkeys:
- 0
- 1
default: 0
content: If 'true', routes all traffic through the VPN.
content: |-
If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel.
* Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
* Traffic necessary for connecting to captive networks.
* Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
* Network communication with a companion device such as a watchOS device.
- key: EnforceRoutes
title: Enforce Routes
supportedOS:
@@ -202,6 +208,39 @@ payloadkeys:
- 1
content: If 'true' and 'IncludeAllNetworks' is 'true', routes all local network
traffic outside the VPN.
- key: ExcludeCellularServices
title: Exclude Cellular Services
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic
for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.)
is excluded from the tunnel. Note that some cellular carriers route cellular
services traffic directly to the carrier network, bypassing the internet. Such
cellular services traffic is always excluded from the tunnel.
- key: ExcludeAPNs
title: Exclude APNs
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple
Push Notification service (APNs) is excluded from the tunnel.
- key: OnDemandEnabled
title: Enable VPN On Demand
type: <integer>
@@ -953,6 +992,90 @@ payloadkeys:
content: |-
The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that will be sent over the IKEv2 VPN interface.
Available in iOS 14 and later, and macOS 11 and later.
- key: IncludeAllNetworks
title: Include All Networks
supportedOS:
iOS:
introduced: '14.0'
macOS:
introduced: '10.15'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: |-
If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel.
* Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
* Traffic necessary for connecting to captive networks.
* Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
* Network communication with a companion device such as a watchOS device.
- key: EnforceRoutes
title: Enforce Routes
supportedOS:
iOS:
introduced: '14.2'
macOS:
introduced: '11.0'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If 1, then all the VPN's non-default routes will take precedence over
any locally-defined routes. If IncludeAllNetworks is 1, the value of EnforceRoutes
is ignored.
- key: ExcludeLocalNetworks
title: Exclude Local Networks
supportedOS:
iOS:
introduced: '14.2'
macOS:
introduced: '10.15'
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If 1 and either IncludeAllNetworks or EnforceRoutes are 1, then local
network traffic will be routed outside of the VPN. The default for this value
is 0 on macOS and 1 on iOS.
- key: ExcludeCellularServices
title: Exclude Cellular Services
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic
for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.)
is excluded from the tunnel. Note that some cellular carriers route cellular
services traffic directly to the carrier network, bypassing the internet. Such
cellular services traffic is always excluded from the tunnel.
- key: ExcludeAPNs
title: Exclude APNs
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple
Push Notification service (APNs) is excluded from the tunnel.
- key: IKESecurityAssociationParameters
title: IKESecurityAssociationParameters
type: <dictionary>

11
mdm/profiles/com.apple.wifi.managed.yaml
View File

@@ -87,9 +87,14 @@ payloadkeys:
default: Any
content: |-
The encryption type for the network.
WPA specifies WPA only; WPA2 applies to both encryption types.
Available in iOS 4.0 and later, and in all versions of macOS. The 'None' value is available in iOS 5.0 and later, and the 'WPA2' value is available in iOS 8.0 and later.
If set to anything except 'None', the payload may contain the following three keys: 'Password', 'PayloadCertificateUUID', or 'EAPClientConfiguration'.
As of iOS 16, tvOS 16, watchOS 9, and macOS 13:
* 'WPA' allows joining WPA or WPA2 networks
* 'WPA2' allows joining WPA2 or WPA3 networks
* 'WPA3' allows joining WPA3 networks only
* 'Any' allows joining WPA, WPA2, WPA3, and WEP networks.
Prior to iOS 16, tvOS 16, and watchOS 9, specifying 'WPA', 'WPA2', and 'WPA3' were equivalent and would allow joining any WPA network.
Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly.
- key: Password
title: Password
type: <string>

2
other/skipkeys.yaml
View File

@@ -286,7 +286,7 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: If the key is included in the SkipSetup array the Safety pane will be skipped.
content: 'Skips the Safety pane. Availability: iOS 16+.'
- key: ScreenTime
title: Skip Screen Time pane
supportedOS: