From 5a8fb0deb23799aa77ff15f284c9b31208d39ad1 Mon Sep 17 00:00:00 2001 From: Cyrus Daboo Date: Wed, 5 Apr 2023 21:17:00 -0400 Subject: [PATCH] Release_iOS-16-4_macOS-13-3 --- README.md | 8 +- .../configurations/account.caldav.yaml | 2 +- .../configurations/account.carddav.yaml | 2 +- .../configurations/account.ldap.yaml | 2 +- ...ing-system.supplemental.build-version.yaml | 3 +- ...ing-system.supplemental.extra-version.yaml | 3 +- mdm/checkin/declarativemanagement.yaml | 80 ++++++++++- mdm/commands/application.install.yaml | 15 +++ mdm/commands/application.managed.list.yaml | 2 + mdm/commands/information.device.yaml | 100 ++++++++++++-- mdm/commands/settings.yaml | 17 +++ mdm/profiles/com.apple.applicationaccess.yaml | 28 ++-- .../com.apple.dnsSettings.managed.yaml | 4 +- mdm/profiles/com.apple.domains.yaml | 5 +- mdm/profiles/com.apple.mdm.yaml | 14 +- ...com.apple.mobiledevice.passwordpolicy.yaml | 3 +- mdm/profiles/com.apple.security.acme.yaml | 8 +- mdm/profiles/com.apple.security.firewall.yaml | 1 - mdm/profiles/com.apple.security.pkcs12.yaml | 3 +- mdm/profiles/com.apple.servicemanagement.yaml | 10 +- mdm/profiles/com.apple.vpn.managed.yaml | 125 +++++++++++++++++- mdm/profiles/com.apple.wifi.managed.yaml | 11 +- other/skipkeys.yaml | 2 +- 23 files changed, 386 insertions(+), 62 deletions(-) diff --git a/README.md b/README.md index dfc9ea4..013cc7f 100644 --- a/README.md +++ b/README.md @@ -8,10 +8,10 @@ This release corresponds to the following OS versions | OS | Version | |---------|---------| -| iOS | 16.2 | -| macOS | 13.1 | -| tvOS | 16.2 | -| watchOS | 9.2 | +| iOS | 16.4 | +| macOS | 13.3 | +| tvOS | 16.4 | +| watchOS | 9.4 | ## What's Available diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index 0d0f01f..d7fb2ef 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml 
@@ -48,4 +48,4 @@ payloadkeys: type: presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type UserNameAndPasswordCredentials. + this account. The corresponding asset must be of type CredentialUserNameAndPassword. diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index 777e00a..3a3c4c4 100644 --- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -47,4 +47,4 @@ payloadkeys: type: presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type UserNameAndPasswordCredentials. + this account. The corresponding asset must be of type CredentialUserNameAndPassword. diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 4f84d1a..32ce8fa 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -42,7 +42,7 @@ payloadkeys: type: presence: optional content: The identifier of an asset declaration that contains the credentials for - this account. The corresponding asset must be of type UserNameAndPasswordCredentials. + this account. The corresponding asset must be of type CredentialUserNameAndPassword. - key: SearchSettings title: Search Settings type: diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index a2651a1..5d1edea 100644 --- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml 
@@ -14,4 +14,5 @@ payloadkeys: title: Status item value. type: presence: required - content: Status value. + content: Identifies the operating system's build and rapid security response versions + in use on the device (for example, '20A123a', or '20B27c'). diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index 3eef9b7..a434a82 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml @@ -14,4 +14,5 @@ payloadkeys: title: Status item value. type: presence: required - content: Status value. + content: Identifies the operating system's rapid security response version in use + on the device (for example, 'a'). diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index 14169e0..f9ab012 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -33,10 +33,6 @@ payloadkeys: rangelist: - DeclarativeManagement content: The message type, which must have a value of 'DeclarativeManagement'. -- key: EnrollmentID - type: - presence: required - content: The per-enrollment identifier for the device. - key: Endpoint type: presence: required 
@@ -50,3 +46,79 @@ payloadkeys: type: presence: optional content: A Base64-encoded JSON object using the SynchronizationTokens schema. +- key: UDID + supportedOS: + iOS: + userenrollment: + mode: forbidden + macOS: + userenrollment: + mode: forbidden + type: + presence: required + content: The device's UDID. +- key: EnrollmentID + supportedOS: + iOS: + userenrollment: + mode: required + macOS: + userenrollment: + mode: required + tvOS: + introduced: n/a + type: + presence: required + content: The per-enrollment identifier for the device. +- key: EnrollmentUserID + supportedOS: + iOS: + introduced: n/a + macOS: + devicechannel: false + userenrollment: + mode: required + tvOS: + introduced: n/a + type: + presence: required + content: A per-enrollment identifier that identifies the user for user enrollments. +- key: UserShortName + supportedOS: + iOS: + sharedipad: + mode: required + macOS: + devicechannel: false + tvOS: + introduced: n/a + type: + presence: optional + content: On Shared iPad, this value returns the Managed Apple ID of the user. When + present indicates that the token is for the user channel. On macOS, this value + always returns the short name of the user. +- key: UserID + supportedOS: + iOS: + sharedipad: + mode: required + macOS: + devicechannel: false + tvOS: + introduced: n/a + type: + presence: optional + content: On macOS, this value always returns the ID of the user. On Shared iPad, + this value is always set to FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF to indicate that + no authentication will occur. +- key: UserLongName + supportedOS: + iOS: + introduced: n/a + macOS: + devicechannel: false + tvOS: + introduced: n/a + type: + presence: required + content: The full name of the user. diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index 7523343..05fb4c8 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml 
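Review bot: The new UserID entry documents the Shared iPad sentinel FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF as meaning "no authentication will occur", but nothing tells a server implementer that neither that value nor the UDID is an authenticated identity, and the UDID entry does not say what identifies the device when it is absent. Since UDID is marked `mode: forbidden` for user enrollment while EnrollmentID is `mode: required` there, I'd extend the UDID content to `The device's UDID. Not sent for User Enrollment; use 'EnrollmentID' to identify the device in that case.` and add to UserID `Servers must not use this sentinel value for authorization decisions.` UserShortName says "When present indicates that the token is for the user channel", while UserLongName is `presence: required` with `devicechannel: false`; presumably it is also only present on the user channel, and the two descriptions should be reconciled — confirm against device behavior.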
@@ -178,6 +178,21 @@ payloadkeys: default: true content: If 'false', this app isn't removable while it's a managed app. This value is available in iOS 14 and later, and tvOS 14 and later. + - key: TapToPayScreenLock + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: Enabling this setting will require Tap to Pay on iPhone users to use + Face ID or a passcode to unlock their device after every transaction that requires + a customer’s card PIN. Disabling this setting will allow users to configure + this setting on their device based on personal preference. - key: ChangeManagementState supportedOS: iOS: diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index c2350bf..2ebd70c 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -60,6 +60,7 @@ responsekeys: type: presence: required rangelist: + - Queued - NeedsRedemption - Redeeming - Prompting @@ -81,6 +82,7 @@ responsekeys: - Failed content: |- The status of the managed app, which is one of the following values: + * 'Queued': The app is scheduled for installation. * 'NeedsRedemption': The app needs a redemption code to complete installation. * 'Redeeming': The device is redeeming the redemption code for the app. * 'Prompting': The app installation is prompting the user. diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index 2cb28f1..8af2cf4 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml 
@@ -242,6 +242,20 @@ payloadkeys: type: content: The key to get the model. This value requires the Device Information access right. + - key: ModelNumber + supportedOS: + iOS: + introduced: '16.4' + accessrights: AllowQueryDeviceInformation + macOS: + introduced: '13.3' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: '16.4' + accessrights: AllowQueryDeviceInformation + type: + content: The device's hardware model number, including region info, e.g. "MK1A3LL/A". + Requires Device Information right. Requires Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -365,12 +379,24 @@ payloadkeys: introduced: '5.0' accessrights: AllowQueryDeviceInformation macOS: - introduced: n/a + introduced: '13.3' + accessrights: AllowQueryDeviceInformation tvOS: introduced: n/a type: content: The key to get the battery level. This value requires the Device Information access right, and is available in iOS 5 and later. + - key: HasBattery + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.3' + accessrights: AllowQueryDeviceInformation + tvOS: + introduced: n/a + type: + content: Whether the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -1180,6 +1206,21 @@ payloadkeys: content: |- The key to get an attestation of the device's properties. Available in iOS 16 and later and tvOS 16 and later. + - key: EACSPreflight + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.3' + accessrights: AllowQueryDeviceInformation + userchannel: false + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: Determines whether the device could perform an EraseDevice using Erase + All Content and Settings. - key: DeviceAttestationNonce supportedOS: iOS: 
@@ -1380,6 +1421,17 @@ responsekeys: - key: Model type: content: The model. This value requires the Device Information access right. + - key: ModelNumber + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: '13.3' + tvOS: + introduced: '16.4' + type: + content: The device's hardware model number, including region info, e.g. "MK1A3LL/A". + Requires Device Information right. Requires Apple silicon on macOS. - key: IsAppleSilicon supportedOS: iOS: @@ -1474,13 +1526,23 @@ responsekeys: iOS: introduced: '5.0' macOS: - introduced: n/a + introduced: '13.3' tvOS: introduced: n/a type: content: The battery level, between '0.0' and '1.0', or '-1.0' if MDM can't determine the battery level. This value requires the Device Information access right, and is available in iOS 5 and later. + - key: HasBattery + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.3' + tvOS: + introduced: n/a + type: + content: Whether the device has an internal battery. - key: IsSupervised supportedOS: iOS: @@ -1648,7 +1710,7 @@ responsekeys: type: content: If 'true', start a new scan. This value is available in macOS 10.11 and later. - - key: AutomaticCheckEnabled + - key: AutoCheckEnabled type: content: The preference to automatically check for app updates. This value is available in macOS 10.11 and later. @@ -2268,9 +2330,12 @@ responsekeys: subkeys: - key: RecommendationsCadence type: - content: Which software updates are presented to the user. 0 (the default) allows - all updates, 1 allows only older updates. 2 allows only newer updates. No - effect if only a single update would be offered to the user for this device. + content: |- + Which software updates to present to the user. + * '0' (the default) allows all updates. + * '1' allows only older updates. + * '2' allows only newer updates. + No effect if the device qualifies for only a single update. - key: AccessibilitySettings supportedOS: iOS: 
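Review bot: Renaming the response key AutomaticCheckEnabled to AutoCheckEnabled (hunk at -1648) is a schema-level change with no note on whether it corrects the documented name to what devices actually return or changes the contract; tooling generated from this schema stops matching the old key either way. If devices have always returned AutoCheckEnabled, I'd say so in the content, e.g. `The preference to automatically check for app updates. Earlier releases of this schema listed this key as 'AutomaticCheckEnabled'.`, so integrators can tell a documentation fix from a device-side change.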
@@ -2318,8 +2383,9 @@ responsekeys: - 9 - 10 - 11 - content: The accessibility text size apps that support dynamic text use. 0 is - the smallest value, and 11 is the largest available. + content: |- + The accessibility text size apps that support dynamic text use. 0 is the smallest value, and 11 is the largest available. + '-1' indicates that the current size is unknown or hasn't been explicitly set. - key: TouchAccommodationsEnabled type: content: If 'true', device has enabled touch accommodations. @@ -2347,3 +2413,21 @@ responsekeys: subkeys: - key: AttestationCertificate type: + - key: EACSPreflight + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '13.3' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + type: + content: |- + Determines whether the device could perform an EraseDevice using Erase All Content and Settings. + Responses can include: + "success" -> device supports EACS and everything looks OK + "not supported" -> device is too old to support EACS (does not contain T2 or AppleSilicon) + "unknown failure" -> something went wrong for which we don't have a better error message + (other string) -> reason why EACS cannot be performed at the current time (e.g. "System is not sealed") diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 3d16795..41cabd6 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml 
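Review bot: The EACSPreflight response is a free-form string in which only three values are fixed ("success", "not supported", "unknown failure") and anything else is a reason, so a server has to compare exact strings and must not assume the set is closed; the content should also say the result is a point-in-time check rather than a guarantee that a later EraseDevice will succeed. I'd append to the content `Servers should match these values exactly and treat any other string as a human-readable reason. The result reflects device state at query time only.` The matching payload key earlier in this diff (hunk at -1180) carries `userchannel: false` while this response entry does not; if the query is device-channel only, the two entries should agree.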
@@ -344,6 +344,21 @@ payloadkeys: default: true content: If 'false', this app isn't removable while it's managed. This value is available in iOS 14 and later, and tvOS 14 and later. + - key: TapToPayScreenLock + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + default: false + content: Enabling this setting will require Tap to Pay on iPhone users to + use Face ID or a passcode to unlock their device after every transaction + that requires a customer’s card PIN. Disabling this setting will allow users + to configure this setting on their device based on personal preference. - key: DeviceName supportedOS: iOS: @@ -853,6 +868,8 @@ payloadkeys: introduced: n/a type: presence: optional + content: A dictionary that contains accessibility settings. Available in iOS 16 + and later. subkeys: - key: Item type: diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index b10bb2c..819fc92 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -237,7 +237,7 @@ payloadkeys: presence: optional default: true content: If 'false', limits Apple personalized advertising. Available in iOS 14 - and later. + and later and macOS 12 and later. - key: allowAppRemoval title: Allow App Removal supportedOS: @@ -571,8 +571,8 @@ payloadkeys: presence: optional default: true content: If 'false', disables document and key-value syncing to iCloud. As of iOS - 13, this restriction requires a supervised device. Available in iOS 5 and later, - and macOS 10.11 and later. + 13, this restriction requires a supervised device and shared iPads don't support + it. Available in iOS 5 and later, and macOS 10.11 and later. - key: allowCloudKeychainSync supportedOS: iOS: 
@@ -1251,8 +1251,8 @@ payloadkeys: type: presence: optional default: true - content: If 'false', disables Mail Privacy Protection on the device. Available in - iOS 15.2 and later. + content: If 'false', disables Mail Privacy Protection on the device. Requires a + supervised device. Available in iOS 15.2 and later. - key: allowManagedAppsCloudSync title: Allow iCloud Sync for Managed Apps supportedOS: @@ -1648,7 +1648,7 @@ payloadkeys: type: presence: optional default: true - content: If set to false, rapid security responses can't be installed. + content: If 'false', prohibits installation of rapid security responses. - key: allowRapidSecurityResponseRemoval title: Allow Rapid Security Response Removal supportedOS: @@ -1666,7 +1666,7 @@ payloadkeys: type: presence: optional default: true - content: If set to false, rapid security responses can't be removed. + content: If 'false', prohibits removal of rapid security responses. - key: allowRemoteAppPairing title: Allow pairing with Remote app supportedOS: @@ -1936,7 +1936,8 @@ payloadkeys: default: true content: |- If 'false', allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. - This value is ignored if Lockdown mode is enabled. Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. + If the system has Lockdown mode enabled, the system ignores this value. + Requires a supervised device. Available in iOS 11.4.1 and later and macOS 13 and later. - key: allowVideoConferencing title: Allow Video Conferencing supportedOS: 
@@ -2063,9 +2064,9 @@ payloadkeys: supervised: true type: presence: optional - content: If present, prevents bundle IDs listed in the array from being shown or - launchable. Include the value 'com.apple.webapp' to restrict all webclips. Requires - a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. + content: |- + If present, prevents bundle IDs listed in the array from being shown or launchable. Include the value 'com.apple.webapp' to restrict all webclips. Note that denying system apps may disable other functionality. For example, denying the App Store app may prevent users from accepting the terms and conditions for user-based VPP. + Requires a supervised device. Available in iOS 9.3 and later, and tvOS 11.0 and later. subkeys: - key: appBlockedBundleID title: Blocked App @@ -2083,8 +2084,9 @@ payloadkeys: type: presence: optional default: 172800 - content: The value, in seconds, after which the fingerprint unlock will require - a password to authenticate. The default value is 48 hours. + content: |- + The value, in seconds, after which the fingerprint unlock requires a password to authenticate. The default value is 48 hours. + Available in macOS 12 and later. - key: enforcedSoftwareUpdateDelay supportedOS: iOS: diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index 260bf20..aca726b 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml 
@@ -79,8 +79,8 @@ payloadkeys: title: On Demand Rules type: presence: optional - content: An array of rules defining the DNS settings. If rules are not present, - the system always applies the DNS settings. These rules are identical to the 'OnDemandRules' + content: An array of rules defining the DNS settings. If rules aren't present, the + system always applies the DNS settings. These rules are identical to the 'OnDemandRules' array in VPN payloads. subkeytype: OnDemandRulesElement subkeys: diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index 7f14511..91281ca 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml @@ -82,8 +82,9 @@ payloadkeys: allowmanualinstall: false type: presence: optional - content: An array of up to 10 strings. URLs matching the patterns listed here will - have relaxed enforcement of cross-site tracking prevention. + content: |- + An array of up to 10 strings. URLs matching the patterns listed here have relaxed enforcement of cross-site tracking prevention. + Available in iOS 16.2 and later and macOS 13.1 and later. subkeys: - key: CrossSiteTrackingPreventionRelaxedDomainItem type: diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml index 11a9eb4..ac522f6 100644 --- a/mdm/profiles/com.apple.mdm.yaml +++ b/mdm/profiles/com.apple.mdm.yaml @@ -116,7 +116,8 @@ payloadkeys: type: presence: optional content: The Managed Apple ID of the user. Available in iOS 13.1 and later, and - macOS 10.15 and later. + macOS 10.15 and later. This is only used with the profile-based BYOD enrollment + flow. - key: AssignedManagedAppleID title: Assigned Managed Apple ID supportedOS: 
@@ -128,9 +129,8 @@ payloadkeys: introduced: n/a type: presence: optional - content: |- - The Managed Apple ID pre-assigned to the authenticated user. This is only used with the BYOD enrollment flow. - Available in iOS 15 and later. + content: The Managed Apple ID pre-assigned to the authenticated user. This is only + used with the account-based BYOD enrollment flow. Available in iOS 15 and later. - key: EnrollmentMode title: Enrollment Mode supportedOS: @@ -144,9 +144,9 @@ payloadkeys: presence: optional rangelist: - BYOD - content: |- - The enrollment mode the server indicates must be used when enrolling. This must be present for BYOD enrollments. - Available in iOS 15 and later. + content: The enrollment mode the server indicates must be used when enrolling. This + must be present for account-based BYOD enrollments, but must not be present for + profile-based BYOD enrollments. Available in iOS 15 and later. - key: ServerURLPinningCertificateUUIDs supportedOS: iOS: diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index 6a931ec..d8e16b9 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -75,7 +75,8 @@ payloadkeys: being unlocked by the user, before it gets locked by the system. When this limit is reached, the device is locked and the passcode must be entered. The user can edit this setting, but the value cannot exceed the 'maxInactivity' value. In macOS, - this inactivity value is translated to screen-saver settings. + this inactivity value is translated to screen-saver settings. The maximum value + for macOS is 60 minutes. - key: maxPINAgeInDays title: Maximum Passcode Age supportedOS: diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index b101f3b..794fd41 100644 --- a/mdm/profiles/com.apple.security.acme.yaml 
+++ b/mdm/profiles/com.apple.security.acme.yaml @@ -158,7 +158,7 @@ payloadkeys: content: |- If 'true', the device provides attestations describing the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', 'HardwareBound' must also be 'true'. - On macOS, this key, if present, must have a value of 'false'. + On macOS, if this key is present, it must have a value of 'false'. - key: KeyIsExtractable supportedOS: iOS: @@ -168,8 +168,8 @@ payloadkeys: type: presence: optional default: true - content: Whether the private key of the identity obtained via SCEP should be tagged - as "non-extractable" in the keychain. + content: If true, the private key of the identity obtained via SCEP should be tagged + as “non-extractable” in the keychain. - key: AllowAllAppsAccess title: Allow All Apps Access supportedOS: @@ -180,4 +180,4 @@ payloadkeys: type: presence: optional default: false - content: If true, all apps have access to the private key. + content: If 'true', all apps have access to the private key. diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index c5f1245..9c519b6 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml @@ -17,7 +17,6 @@ payload: Notes: * The payload must exist in a "system" scoped profile. * If more than one profile contains this payload, the most restrictive union of settings will be used. - * Per Firewall team's request, the "Automatically allow signed downloaded software" and "Automatically allow built-in software" options are not supported but both will be forced ON when this payload is present. payloadkeys: - key: EnableFirewall type: 
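Review bot: The reworded KeyIsExtractable content in the ACME payload (hunk at -168) still reads inverted relative to the key name and still says the identity is "obtained via SCEP": with `default: true`, "If true, ... tagged as non-extractable" would make the default key non-extractable, which contradicts a key called KeyIsExtractable. If the semantics match the SCEP key of the same name, the content should be `If 'false', the private key of the identity obtained via ACME is tagged as "non-extractable" in the keychain.`; if the device really applies the inverse, the default or the key name needs a caveat instead. It is also worth stating how this interacts with 'HardwareBound', which the Attest hunk just above references, since a hardware-bound key presumably cannot be exported regardless of this flag — confirm against device behavior.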
diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index 6d4d27e..7843204 100644 --- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -62,7 +62,8 @@ payloadkeys: type: presence: optional default: false - content: If 'true', allows apps access to the private key. + content: If 'true', allows apps access to the private key. Available in macOS 10.10 + and later. - key: KeyIsExtractable supportedOS: iOS: diff --git a/mdm/profiles/com.apple.servicemanagement.yaml b/mdm/profiles/com.apple.servicemanagement.yaml index f714070..1fc67e6 100644 --- a/mdm/profiles/com.apple.servicemanagement.yaml +++ b/mdm/profiles/com.apple.servicemanagement.yaml @@ -20,7 +20,7 @@ payloadkeys: title: Rules type: presence: required - content: An array of rule dictionaries. + content: An array of service management rules. subkeys: - key: Rule title: Rule @@ -43,8 +43,8 @@ payloadkeys: title: Rule Value type: presence: required - content: The value to compare with each login item's value, to determine a match - to this rule. + content: The value to compare with each login item's value, to determine if + this rule is a match. - key: Comment title: Comment type: @@ -54,5 +54,5 @@ payloadkeys: title: Team Identifier type: presence: optional - content: An additional constraint to limit the scope of the rule that is tested - after matching the RuleType/RuleValue. + content: An additional constraint to limit the scope of the rule that the system + tests after matching the 'RuleType' and 'RuleValue'. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index ea404d0..369de54 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml 
@@ -170,7 +170,13 @@ payloadkeys: - 0 - 1 default: 0 - content: If 'true', routes all traffic through the VPN. + content: |- + If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. + + * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. + * Traffic necessary for connecting to captive networks. + * Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + * Network communication with a companion device such as a watchOS device. - key: EnforceRoutes title: Enforce Routes supportedOS: 
@@ -202,6 +208,39 @@ payloadkeys: - 1 content: If 'true' and 'IncludeAllNetworks' is 'true', routes all local network traffic outside the VPN. + - key: ExcludeCellularServices + title: Exclude Cellular Services + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: '13.3' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic + for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) + is excluded from the tunnel. Note that some cellular carriers route cellular + services traffic directly to the carrier network, bypassing the internet. Such + cellular services traffic is always excluded from the tunnel. + - key: ExcludeAPNs + title: Exclude APNs + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: '13.3' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple + Push Notification service (APNs) is excluded from the tunnel. - key: OnDemandEnabled title: Enable VPN On Demand type: 
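Review bot: Both new keys carry `default: 1`, so a profile that sets IncludeAllNetworks to 1 and says nothing else now lets cellular services traffic (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail) and APNs traffic bypass the tunnel by default; an administrator reading IncludeAllNetworks as "full tunnel" will not expect that unless the defaults are surfaced. I'd add to both ExcludeCellularServices and ExcludeAPNs `Set to 0 to route this traffic through the tunnel; the default excludes it even when IncludeAllNetworks is 1.` and have the IncludeAllNetworks text name the default values of the three Exclude keys, not just their names. A one-line caveat that ExcludeAPNs set to 0 routes push traffic — presumably including MDM push — through the VPN, so a tunnel outage could delay MDM commands, would also help.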
@@ -953,6 +992,90 @@ payloadkeys: content: |- The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that will be sent over the IKEv2 VPN interface. Available in iOS 14 and later, and macOS 11 and later. + - key: IncludeAllNetworks + title: Include All Networks + supportedOS: + iOS: + introduced: '14.0' + macOS: + introduced: '10.15' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: |- + If 1, then all network traffic will be routed through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, and ExcludeAPNs properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. + + * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP. + * Traffic necessary for connecting to captive networks. + * Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details. + * Network communication with a companion device such as a watchOS device. + - key: EnforceRoutes + title: Enforce Routes + supportedOS: + iOS: + introduced: '14.2' + macOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 0 + content: If 1, then all the VPN's non-default routes will take precedence over + any locally-defined routes. If IncludeAllNetworks is 1, the value of EnforceRoutes + is ignored. + - key: ExcludeLocalNetworks + title: Exclude Local Networks + supportedOS: + iOS: + introduced: '14.2' + macOS: + introduced: '10.15' + type: + presence: optional + rangelist: + - 0 + - 1 + content: If 1 and either IncludeAllNetworks or EnforceRoutes are 1, then local + network traffic will be routed outside of the VPN. The default for this value + is 0 on macOS and 1 on iOS. 
+ - key: ExcludeCellularServices + title: Exclude Cellular Services + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: '13.3' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then internet-routable network traffic + for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) + is excluded from the tunnel. Note that some cellular carriers route cellular + services traffic directly to the carrier network, bypassing the internet. Such + cellular services traffic is always excluded from the tunnel. + - key: ExcludeAPNs + title: Exclude APNs + supportedOS: + iOS: + introduced: '16.4' + macOS: + introduced: '13.3' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: If 1 and IncludeAllNetworks is 1, then network traffic for the Apple + Push Notification service (APNs) is excluded from the tunnel. - key: IKESecurityAssociationParameters title: IKESecurityAssociationParameters type: diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index ec3bd09..d8a779d 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml 
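Review bot: ExcludeLocalNetworks in this IKEv2 hunk has no `default:` entry while its content says the default is 0 on macOS and 1 on iOS; a profile that omits the key therefore routes local-network traffic inside the tunnel on one platform and outside it on the other, which is exactly the divergence a full-tunnel policy review would miss. The schema cannot express a per-OS default, so the content should at least say `Set this key explicitly in cross-platform profiles; omitting it yields different routing on macOS and iOS.` The same keys (IncludeAllNetworks, EnforceRoutes, ExcludeLocalNetworks, ExcludeCellularServices, ExcludeAPNs) are now documented twice in this file with near-identical wording; keeping the text byte-identical, or pointing one entry at the other, keeps them from drifting in later releases. This hunk begins in the previous physical line.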
@@ -87,9 +87,14 @@ payloadkeys: default: Any content: |- The encryption type for the network. - - WPA specifies WPA only; WPA2 applies to both encryption types. - Available in iOS 4.0 and later, and in all versions of macOS. The 'None' value is available in iOS 5.0 and later, and the 'WPA2' value is available in iOS 8.0 and later. + If set to anything except 'None', the payload may contain the following three keys: 'Password', 'PayloadCertificateUUID', or 'EAPClientConfiguration'. + As of iOS 16, tvOS 16, watchOS 9, and macOS 13: + * 'WPA' allows joining WPA or WPA2 networks + * 'WPA2' allows joining WPA2 or WPA3 networks + * 'WPA3' allows joining WPA3 networks only + * 'Any' allows joining WPA, WPA2, WPA3, and WEP networks. + Prior to iOS 16, tvOS 16, and watchOS 9, specifying 'WPA', 'WPA2', and 'WPA3' were equivalent and would allow joining any WPA network. + Prior to macOS 13, the encryption type, if specified explicitly, needed to match the encryption type of the network exactly. - key: Password title: Password type: diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index a77b107..99c65e1 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -286,7 +286,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: If the key is included in the SkipSetup array the Safety pane will be skipped. + content: 'Skips the Safety pane. Availability: iOS 16+.' - key: ScreenTime title: Skip Screen Time pane supportedOS:
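Review bot: The new EncryptionType text makes the default 'Any' explicitly admit WEP networks and makes 'WPA' on iOS 16 join WPA/WPA2 but not WPA3, yet neither the downgrade risk nor the fact that pre-iOS-16 devices treat 'WPA', 'WPA2' and 'WPA3' as equivalent is called out as a caveat for administrators choosing a value. I'd add after the list `Use 'WPA2' or 'WPA3' to prevent this payload from joining WEP or WPA networks; on devices older than iOS 16, tvOS 16, or watchOS 9 the value does not enforce a minimum protocol.` The sentence "the payload may contain the following three keys: 'Password', 'PayloadCertificateUUID', or 'EAPClientConfiguration'" also reads as if all three may be combined — if only one applies per network type, say which.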