Release_iOS-17-0_macOS-14-0

This commit is contained in:
Cyrus Daboo
2023-09-14 17:37:05 -04:00
parent 5a8fb0deb2
commit 72c2a0a69f
254 changed files with 6787 additions and 969 deletions
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: StandardConfigurations
type: <array>
@@ -0,0 +1,68 @@
title: Asset:Credential ACME
description: A reference to an ACME identity.
payload:
declarationtype: com.apple.asset.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.acme' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -0,0 +1,57 @@
title: Asset:Credential Certificate
description: 'A reference to a PKCS #1 or PEM encoded certificate.'
payload:
declarationtype: com.apple.asset.credential.certificate
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference. Ensure that the asset data uses a media type of
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
certificate. If the asset data includes a 'ContentType' sub-key, set it to the
corresponding media type.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -0,0 +1,68 @@
title: Asset:Credential Identity
description: 'A reference to a PKCS #12 password-protected identity.'
payload:
declarationtype: com.apple.asset.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.identity' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -0,0 +1,68 @@
title: Asset:Credential SCEP
description: A reference to a SCEP identity.
payload:
declarationtype: com.apple.asset.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.scep' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -1,6 +1,6 @@
title: Credential:User Name and Password
title: Asset:Credential User Name and Password
description: A reference to data describing a credential representing a user name
and password. Note that this should always be considered as security sensitive data.
and password.
payload:
declarationtype: com.apple.asset.credential.userpassword
supportedOS:
@@ -10,11 +10,16 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The reference to the credential.
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
@@ -22,17 +27,41 @@ payloadkeys:
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: required
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: required
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: required
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -0,0 +1,138 @@
title: ACME Credential
description: An ACME identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: DirectoryURL
title: ACME directory URL
type: <string>
presence: required
content: Specifies the directory URL of the ACME server. Use the 'https' scheme
for the URL.
- key: ClientIdentifier
title: Client identifier
type: <string>
presence: required
content: The server can use this as a nonce to prevent issuing multiple certificates.
It also indicates to the ACME server that the device has access to a valid client
identifier that the enterprise infrastructure issued. This can help the ACME server
determine whether to trust the device, however this is a relatively weak indication
because of the risk that an attacker may intercept and duplicate the client identifier.
- key: KeySize
title: Key Size
type: <integer>
presence: required
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
See those keys for specific requirements.
- key: KeyType
title: Key Type
type: <string>
presence: required
rangelist:
- RSA
- ECSECPrimeRandom
content: |-
Specifies the type of key pair to generate.
'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'.
'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys.
The key size is '521', not '512', even though the other key sizes are multiples of '64'.
- key: HardwareBound
title: Hardware Bound
type: <boolean>
presence: required
content: |-
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'.
On macOS, this is a required key. Set the value to 'false'.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: ACMESubjectArrayInnerArray
title: Array Inside ACME Subject Array
type: <array>
subkeys:
- key: ACMESubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: ACMESubjectArrayPairItem
title: ACME Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: Specifies the subject's alternative name that the device requests for the
certificate that the ACME server issues. The ACME server may override or ignore
this field in the certificate it issues.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
- key: UsageFlags
title: Key Usage
type: <integer>
presence: optional
content: |-
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment.
- key: ExtendedKeyUsage
title: Extended Key Usage
type: <array>
presence: optional
content: |-
The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
subkeys:
- key: OID
type: <string>
presence: optional
- key: Attest
title: Attest
type: <boolean>
presence: optional
default: false
content: If 'true', the device provides attestations that describe the device and
the generated key to the ACME server. The server can use the attestations as strong
evidence that the key is bound to the device, and that the device has properties
listed in the attestation. The server can use that as part of a trust score to
decide whether to issue the requested certificate. When 'Attest' is 'true', set
'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'.
@@ -0,0 +1,22 @@
title: Identity Credential
description: 'Data for a PKCS #12 password-protected identity.'
payload:
credentialtype: com.apple.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Password
type: <string>
presence: required
content: 'The password required to decrypt the PKCS #12 identity data.'
- key: Identity
type: <data>
presence: required
content: 'The PKCS #12 identity data.'
@@ -0,0 +1,125 @@
title: SCEP Credential
description: A SCEP identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: URL
title: URL
type: <string>
presence: required
content: The SCEP URL.
- key: Name
title: Name
type: <string>
presence: optional
content: Any string that the SCEP server recognizes. For example, it could be a
domain name such as 'example.org'. If a certificate authority has multiple CA
certificates, you can use this field to specify the required certificate.
- key: Subject
title: Subject
type: <array>
presence: optional
content: |-
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
type: <array>
subkeys:
- key: SCEPSubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: SCEPSubjectArrayPairItem
title: SCEP Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: Challenge
title: Challenge
type: <string>
presence: optional
content: A preshared secret.
- key: Keysize
title: Key Size
type: <integer>
presence: optional
rangelist:
- 1024
- 2048
- 4096
default: 1024
content: The key size in bits, either '1024', '2048', or '4096'.
- key: Key Type
title: Key Type
type: <string>
presence: optional
default: RSA
content: The key type, which always has the value 'RSA'.
- key: Key Usage
title: Key Usage
type: <integer>
presence: optional
default: 0
content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is
encryption, and ''5'' is both signing and encryption. Some certificate authorities,
such as Windows CA, support only encryption or signing, but not both at the same
time.'
- key: CAFingerprint
title: Fingerprint
type: <data>
presence: optional
content: The fingerprint of the Certificate Authority certificate.
- key: Retries
title: Retries
type: <integer>
presence: optional
default: 3
content: The number of times the device should retry if the server sends a 'PENDING'
response.
- key: RetryDelay
title: Retry Delay
type: <integer>
presence: optional
default: 10
content: The number of seconds to wait between subsequent retries. The system makes
the first retry without this delay.
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: The subject's alternative name for the certificate.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
@@ -1,4 +1,4 @@
title: User Name and Password Credentials
title: User Name and Password Credential
description: Data describing a credential representing a user name and password.
payload:
credentialtype: com.apple.credential.usernameandpassword
@@ -9,12 +9,14 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: UserName
type: <string>
presence: required
content: The user's user name for the credential.
content: The user name for this credential.
- key: Password
type: <string>
presence: optional
content: The user's password for the credential.
content: The password for this credential.
+54
View File
@@ -0,0 +1,54 @@
title: Asset:Data
description: A reference to arbitrary data with a specific media type.
payload:
declarationtype: com.apple.asset.data
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -1,4 +1,4 @@
title: User Identity
title: Asset:User Identity
description: User identity data.
payload:
declarationtype: com.apple.asset.useridentity
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: FullName
title: Full Name
@@ -19,4 +21,4 @@ payloadkeys:
title: Email Address
type: <string>
presence: optional
content: The user's email address.
content: The email address of the user.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:
@@ -32,7 +39,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CalDAV server (or IP address).
content: The hostname or IP address of the CalDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -46,6 +53,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName
@@ -31,7 +38,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CardDAV server (or IP address).
content: The hostname or IP address of the CardDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -45,6 +52,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
@@ -6,20 +6,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
@@ -48,9 +55,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. The corresponding asset must be of type 'UserIdentity'.
- key: HostName
title: Server Host Name
type: <string>
@@ -133,10 +142,111 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with an Exchange server. The corresponding asset
must be of type CredentialUserNameAndPassword.
this account to authenticate with an Exchange server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
- key: AuthenticationIdentityAssetReference
title: Authentication Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of a credential asset declaration that contains
the identity that this account requires to authenticate with the Exchange server.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME encryption by default on or off
in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
supportedOS:
macOS:
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.
@@ -32,8 +39,10 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: required
content: The identifier of an asset declaration that contains the user identity
for this Google account. The corresponding asset must be of type UserIdentity.
The asset must contain an 'EmailAddress' key that specifies the full Google email
for this Google account. Set the corresponding asset type to 'UserIdentity' and
ensure that it contains an 'EmailAddress' key that specifies the full Google email
address for the account.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName
@@ -31,18 +38,20 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the LDAP server (or IP address).
content: The hostname or IP address of the LDAP server.
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number of the LDAP server (or IP address).
content: The port number or IP address of the LDAP server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
- key: SearchSettings
title: Search Settings
type: <array>
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName
@@ -30,9 +37,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. Set the corresponding asset type to 'UserIdentity'.
- key: IncomingServer
title: Incoming Server Settings
type: <dictionary>
@@ -71,9 +80,11 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
@@ -111,7 +122,98 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can set the default value for S/MIME encryption
to on or off in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
@@ -5,16 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: n/a
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:
@@ -28,11 +39,13 @@ payloadkeys:
title: Calendar URL
type: <string>
presence: required
content: The URL of the subscribed calendar. The URL must start with 'https://'.
content: The URL of the subscribed calendar, which needs to start with 'https://'.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with a calendar server. The corresponding asset must
be of type CredentialUserNameAndPassword.
this account to authenticate with a calendar server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
@@ -6,26 +6,37 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
@@ -5,25 +5,44 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
@@ -6,20 +6,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: StatusItems
title: Status Items
@@ -5,26 +5,60 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: Echo
title: Status Echo
type: <string>
presence: required
content: The string to echo back in a status response reason.
- key: EchoDataAssetReference
title: Status Echo from Asset
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
type: <string>
assettypes:
- com.apple.asset.data
presence: optional
content: The string to read from a data asset to echo back in status response reason
description.
- key: ReturnStatus
title: Status to Return
type: <string>
@@ -5,16 +5,31 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
@@ -31,18 +46,20 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, the passcode must consist of at least one alphabetic characters
("abcd"), and at least one number.
content: If 'true', the passcode needs to consist of at least one alphabetic character
and at least one number.
- key: RequireComplexPasscode
title: Require Complex Passcode
type: <boolean>
presence: optional
default: false
content: If 'true', requires a complex passcode. A complex passcode is one that
doesn't contain repeated characters or increasing/decreasing characters (such
doesn't contain repeated characters or increasing or decreasing characters (such
as 123 or CBA).
- key: MinimumLength
title: Minimum Passcode Length
@@ -60,14 +77,17 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 0
max: 4
default: 1
content: Specifies the minimum number of complex characters that must be present.
Only used when RequireComplexPasscode is true.
default: 0
content: Specifies the minimum number of complex characters in the password. A complex
character is a character other than a number or a letter, such as '&', '%', '$',
and '#'.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
type: <integer>
@@ -86,11 +106,13 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
content: The number of minutes before the login will be reset after the maximum
number of failed attempts has been reached. The MaximumFailedAttempts key must
be set for this to take effect.
content: The number of minutes before the login is reset after the maximum number
of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take
effect.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
type: <integer>
@@ -120,9 +142,9 @@ payloadkeys:
range:
min: 0
max: 730
content: Specifies the maximum number of days for which the passcode can remain
unchanged. After this number of days, the user is forced to change the passcode
before the device is unlocked.
content: Specifies the maximum number of days that the passcode can remain unchanged.
After this number of days, the system forces the user to change the passcode before
it unlocks the device.
- key: PasscodeReuseLimit
title: Passcode Reuse Limit
type: <integer>
@@ -141,10 +163,46 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, forces a password reset to occur the next time the user
tries to authenticate. If this key is set in a configuration in the system scope
(device channel), the setting takes effect for all users, and admin authentications
may fail until the admin user password is also reset.
content: If 'true', the system forces a password reset the next time the user tries
to authenticate. If you set this key in a configuration in the system scope (device
channel), the setting takes effect for all users, and admin authentication may
fail until the admin user password is also reset.
- key: CustomRegex
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
watchOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies a regular expression, and its description, to enforce password
compliance. Use the simpler passcode settings whenever possible, and rely on regular
expression matching only when necessary. Mistakes in regular expressions can lead
to frustrating user experiences, such as unsatisfiable passcode policies, or policy
descriptions that don't match the enforced policy.
subkeys:
- key: Regex
type: <string>
presence: required
content: A regular expression string to match against the password to determine
whether it complies with a policy. The regular expression uses the ICU syntax.
The string can't exceed 2048 characters in length.
- key: Description
type: <dictionary>
presence: optional
content: A dictionary with supported OS language IDs for the keys (such as 'en-US'),
and values that represent a localized description of the policy that the regular
expression enforces. Use the special 'default' key for languages that the dictionary
doesn't contain.
subkeys:
- key: ANY
type: <string>
presence: optional
content: A localized description.
@@ -0,0 +1,42 @@
title: Screen Sharing:Connection Group
description: Use this configuration to define a group of Screen Sharing connections.
payload:
declarationtype: com.apple.configuration.screensharing.connection.group
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionGroupUUID
title: Unique Identifier
type: <string>
presence: required
content: A string which uniquely identifies this connection group.
- key: GroupName
title: Group Name
type: <string>
presence: required
content: The name of the Connection Group.
- key: Members
title: Group Members
type: <array>
presence: required
content: |-
Array of ConnectionUUIDs (matching a connection declared in a
com.apple.configuration.screensharing.connection configuration) of the Connections
that should be members of this group.
subkeys:
- key: ConnectionUUID
type: <string>
@@ -0,0 +1,66 @@
title: Screen Sharing:Connection
description: Use this configuration to define a connection to a Screen Sharing host.
payload:
declarationtype: com.apple.configuration.screensharing.connection
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionUUID
title: Unique Identifier
type: <string>
presence: required
content: A unique identifier for this connection when it's in a connection group.
- key: DisplayName
title: The name of the connection.
type: <string>
presence: required
content: The name of the connection.
- key: HostName
title: Host Name
type: <string>
presence: required
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
- key: Port
title: TCP Port
type: <integer>
presence: optional
content: Specifies the TCP port number on the host to initiate the connection.
- key: DisplayConfiguration
title: Display Configuration
type: <dictionary>
presence: required
content: The display configuration for this connection.
subkeys:
- key: DisplayType
type: <string>
presence: required
rangelist:
- Virtual1
- Virtual2
content: |-
The type of display for the connection, which has these allowed values:
* 'Virtual1': Create one virtual display.
* 'Virtual2': Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: Specifies the identifier of an asset declaration that contains the required
credentials for this connection to authenticate with the screen-sharing server.
Set the corresponding asset type to 'com.apple.asset.credential.userpassword'.
@@ -0,0 +1,58 @@
title: Screen Sharing:Host Settings
description: Use this configuration to define Screen Sharing host settings and restrictions.
payload:
declarationtype: com.apple.configuration.screensharing.host.settings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: MaximumVirtualDisplays
title: Maximum number of Virtual Displays
type: <integer>
presence: optional
range:
min: 0
max: 2
content: Sets the maximum number of Virtual Displays to make available to clients.
- key: PortBase
title: UDP Port base
type: <integer>
presence: optional
range:
min: 1024
max: 65535
content: |-
Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections
so additional connections will increment this base port number by 1 for each needed connection. This does not
change the port number used to initially establish a connection with a host, which is always TCP port 5900.
- key: PreventCopyFilesFromHost
title: Prevent copying files from host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files from the Screen Sharing
host.
- key: PreventCopyFilesToHost
title: Prevent copying files to host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files to the Screen Sharing host.
- key: PreventHighPerformanceConnections
title: Prevent High Performance connections
type: <boolean>
presence: optional
default: false
content: Set to true to prevent clients from establishing High Performance connections
to the host.
@@ -0,0 +1,49 @@
title: Security:Certificate
description: Use this configuration to add a certificate to the device.
payload:
declarationtype: com.apple.configuration.security.certificate
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration that contains the certificate
to install.
@@ -0,0 +1,73 @@
title: Security:Identity
description: Use this configuration to install an identity on the device.
payload:
declarationtype: com.apple.configuration.security.identity
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install.
- key: AllowAllAppsAccess
title: Allow all apps access
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', apps can access the private key.
- key: KeyIsExtractable
title: Key is extractable
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key is extractable in the keychain.
@@ -0,0 +1,54 @@
title: Security:Passkey:Attestation
description: Configures the device to allow WebAuthn enterprise attestation for certain
passkeys.
payload:
declarationtype: com.apple.configuration.security.passkey.attestation
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: AttestationIdentityAssetReference
title: Attestation identity asset reference.
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install and use for passkey attestation.
- key: AttestationIdentityKeyIsExtractable
title: Attestation identity key is extractable
supportedOS:
iOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key for the attestation identity is extractable
in the keychain.
- key: RelyingParties
title: Relying parties
type: <array>
presence: required
content: Relying parties to allow enterprise attestation.
subkeys:
- key: RelyingParty
title: Relying party
type: <string>
@@ -0,0 +1,45 @@
title: Services Configuration Files
description: Specifies managed configuration files for services
payload:
declarationtype: com.apple.configuration.services.configuration-files
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ServiceType
title: Service Type
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services.
The available built-in services are:
* 'com.apple.sshd' configures sshd
* 'com.apple.sudo' configures sudo
* 'com.apple.pam' configures PAM
* 'com.apple.cups' configures CUPS
* 'com.apple.apache.httpd' configures Apache httpd
* 'com.apple.bash' configures bash
* 'com.apple.zsh' configures zsh
- key: DataAssetReference
title: Data Asset Reference
type: <string>
assettypes:
- com.apple.asset.data
presence: required
content: |-
Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
* Is of type 'com.apple.asset.data'
* Is a zip archive of an entire directory
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.
@@ -0,0 +1,55 @@
title: Software Update:Enforcement:Specific
description: A software update enforcement policy for a specific OS release
payload:
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: TargetOSVersion
title: Target OS Version
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, '16.1'. It may also include a supplemental
version identifier, for example, '16.1.1'.
- key: TargetBuildVersion
title: Target Build Version
type: <string>
presence: optional
content: The target build version to update the device to by the appropriate time,
for example, '20A242'. The system uses the build version for testing during seeding
periods. The build version can include a supplemental version identifier, for
example, '20A242a'. If the build version isn't consistent with the target OS version
specified in the 'TargetOSVersion' key, the target OS version takes precedence.
- key: TargetLocalDateTime
title: Target Local Date Time
type: <string>
presence: required
content: The local date time value that specifies when to force install the software
update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but
doesn't include a time zone offset. If the user doesn't trigger the software update
before this time, the device force installs it.
- key: DetailsURL
title: Details URL
type: <string>
presence: optional
content: The URL of a web page that shows details that the organization provides
about the enforced update.
@@ -0,0 +1,43 @@
title: Watch:Enrollment
description: Specifies an MDMv1 Apple Watch enrollment profile
payload:
declarationtype: com.apple.configuration.watch.enrollment
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: EnrollmentProfileURL
title: Watch Enrollment Profile's URL.
type: <string>
presence: required
content: The URL of the profile that the Apple Watch downloads and installs if the
user opts in to management during the pairing process, which needs to start with
'https://'. Successful enrollment requires that the pairing iPhone is supervised
and the profile contains an MDM payload. Apple Watch attempts to install each
payload that the profile contains.
- key: AnchorCertificateAssetReferences
title: Anchor Certificate Asset References.
type: <array>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: Specifies an array of identifiers of asset declarations that contain anchor
certificates to use to evaluate the trust of the enrollment profile server. Set
the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>
content: Specifies the identifier of an asset declaration containing the anchor
certificate to be used.
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Type
type: <string>
@@ -27,3 +29,212 @@ payloadkeys:
type: <dictionary>
presence: required
content: The payload describing this declaration.
reasons:
- value: Error.ActivationFailed
description: A configuration or asset cannot be activated due to an activation that
failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.AssetCannotBeDeserialized
description: The asset data does not conform to the expected data type.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeDownloaded
description: The asset data cannot be downloaded.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeVerified
description: The downloaded asset data cannot be verified.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeApplied
description: The configuration cannot be applied to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeDeserialized
description: The configuration is not valid.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationFailed
description: An asset cannot be activated due to a configuration that failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.ConfigurationIsInvalid
description: The configuration is not valid for applying to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationNotSupported
description: The configuration is not supported for this platform, scope, or enrollment
type.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Error.InvalidPayload
description: A declaration is not fully loaded.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.MissingAssets
description: A configuration being activated references assets that are not present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- key: AssetIdentifiers
type: <array>
description: Array of strings containing each missing asset `Identifier` value.
- value: Error.MissingConfigurations
description: An activation being activated references configurations that are not
present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation.
- key: ConfigurationIdentifiers
type: <array>
description: Array of strings containing each missing configuration `Identifier`
value.
- value: Error.MissingState
description: A declaration is missing internal state information.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.PredicateFailed
description: A predicate evaluation failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed.
- key: Domain
type: <string>
description: Underlying NSError's domain.
- key: Code
type: <string>
description: Underlying NSError's code.
- value: Error.UnableToEvaluatePredicate
description: A predicate cannot be evaluated.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to evaluate.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to evaluate.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to evaluate.
- value: Error.UnableToParsePredicate
description: A predicate expression cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.UnableToParsePredicateWithCustomOperator
description: A predicate expression with a custom operator cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.Unknown
description: An unrecognized NSError was generated.
details:
- key: Domain
type: <string>
description: NSError's domain.
- key: Code
type: <string>
description: NSError's code.
- value: Error.UnknownPayloadKeys
description: A declaration contains unknown payloads keys.
details:
- key: UnknownPayloadKeys
type: <array>
description: Array of strings containing each unknown key-path.
- value: Info.NotReferencedByActivation
description: A configuration is not referenced in any activation.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Info.NotReferencedByConfiguration
description: An asset is not referenced in any configuration.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the asset.
- key: ServerToken
type: <string>
description: The `ServerToken` of the asset.
- value: Info.Predicate
description: A predicate evaluated to false.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate is false.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate is false.
- key: Predicate
type: <string>
description: The predicate description of the predicate that is false.
@@ -10,6 +10,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Name
title: Organization Name
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: ANY
title: Property
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Version
title: Protocol Version
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Declarations
title: Manifest Declaration Items
+20
View File
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: StatusItems
title: Status Items
@@ -59,3 +61,21 @@ payloadkeys:
type: <dictionary>
presence: optional
content: A dictionary that contains further details about this error.
- key: FullReport
title: Full Report
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
type: <boolean>
presence: optional
default: false
content: When set to "true", this indicates that the status report contains the
full set of current status, and is not an incremental report. This will include
the full set of items in any status array item (not just the changes). Servers
can use this to replace their entire set of status for the device, rather than
do incremental update processing. Devices will set this to "true" when sending
a "safety sync" status report, which is typically sent every 24 hours or so.
+2
View File
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: SyncTokens
title: Synchronization Tokens
+19 -9
View File
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.caldav
title: Status item value.
type: <array>
presence: required
content: The status value of the account.
content: A list of status values for the CalDAV accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -36,9 +47,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
+23 -14
View File
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.carddav
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the CardDAV accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,4 +74,4 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
+33 -20
View File
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.exchange
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the exchange accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,30 +74,34 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays calendars
and events for this account.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
content: A Boolean value that indicates whether the Contacts app displays contacts
for this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
- key: are-reminders-enabled
title: Are reminders enabled
type: <boolean>
presence: optional
content: Indicates if reminders for the account are being displayed in Reminders.app.
content: A Boolean value that indicates whether the Reminders app displays reminders
for this account.
+30 -18
View File
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.google
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the Google accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,25 +64,28 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-calendars-enabled
title: Are calendars enabled
type: <boolean>
presence: optional
content: Indicates if calendars and events for the account are being displayed
in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays calendars
and events for this account.
- key: are-contacts-enabled
title: Are contacts enabled
type: <boolean>
presence: optional
content: Indicates if contacts for the account are being displayed in Contacts.app.
content: A Boolean value that indicates whether the Contacts app displays contacts
for this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
+23 -13
View File
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.ldap
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the LDAP accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -70,4 +79,5 @@ payloadkeys:
title: Is account enabled
type: <boolean>
presence: optional
content: Indicates if the account is enabled for use with Contacts.app.
content: A Boolean value that indicates whether the account is enabled for use
with the Contacts app.
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.incoming
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the incoming mail accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,14 +74,16 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-mail-enabled
title: Is mail enabled
type: <boolean>
presence: optional
content: Indicates if mail for this account are being displayed in Mail.app.
content: A Boolean value that indicates whether the Mail app displays mail for
this account.
- key: are-notes-enabled
title: Are notes enabled
type: <boolean>
presence: optional
content: Indicates if notes for this account are being displayed in Notes.app.
content: A Boolean value that indicates whether the Notes app displays notes
for this account.
@@ -5,22 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.mail.outgoing
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the outgoing mail accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -30,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -55,7 +64,7 @@ payloadkeys:
title: Account hostname
type: <string>
presence: optional
content: The server host name of the account.
content: The server host name for the account.
- key: port
title: Server Port
type: <integer>
@@ -65,4 +74,4 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
@@ -5,20 +5,33 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
allowed-scopes:
- user
macOS:
introduced: n/a
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: account.list.subscribed-calendar
title: Status item value.
type: <array>
presence: required
content: Status value.
content: A list of status values for the calendar accounts.
subkeytype: Account
subkeys:
- key: status_value
@@ -28,22 +41,20 @@ payloadkeys:
title: Unique identifier of the account.
type: <string>
presence: required
content: The unique identifier of the account. This can be used as a "primary
key" to access a specific account.
content: The unique identifier for the account.
- key: _removed
title: Indicates removal of the account.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an account, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if the account was installed by a declaration.
present if a declaration installed the account.
- key: visible-name
title: Account name
type: <string>
@@ -58,9 +69,10 @@ payloadkeys:
title: Account username
type: <string>
presence: optional
content: The user name of the account.
content: The user name for the account.
- key: is-enabled
title: Is the calendar enabled
type: <boolean>
presence: optional
content: Indicates if the calendar is being displayed in Calendar.app.
content: A Boolean value that indicates whether the Calendar app displays this
calendar.
@@ -5,17 +5,40 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.identifier.serial-number
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The device's serial number.
+27 -4
View File
@@ -5,14 +5,37 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.identifier.udid
title: Status item value.
+30 -2
View File
@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.family
title: Status item value.
type: <string>
presence: required
content: A string that describes the hardware family of the device, such as 'Mac',
'iPhone', or 'iPad'.
content: The hardware family of the device, such as 'Mac', 'iPhone', or 'iPad'.
@@ -5,17 +5,46 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.identifier
title: Status item value.
type: <string>
presence: required
content: A two-part string that uniquely identifies the device's model. The first
part describes device's model family, and the second part describes the model's
version. The model's version is a comma-separated number where the first part
of the number is the version, and the second part is a variant, such as 'MacBookPro15,1'
or 'iPhone13,2'.
content: A two-part string that specifies the device's model. The first part specifies
device's model family, and the second part specifies the model's version. The
model's version is a comma-separated number where the first part of the number
is the version, and the second part is a variant, such as 'MacBookPro15,1' or
'iPhone13,2'.
@@ -5,14 +5,44 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the device's marketing name, such as 'iPhone 12'.
This value may not always be available.
content: The device's marketing name, such as 'iPhone 12'. This value may not always
be available. Alternatively, use 'device.model.configuration-code' to look up
the marketing name through the web API.
@@ -0,0 +1,46 @@
title: Status Device Model Number
description: The device's hardware number.
payload:
statusitemtype: device.model.number
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.model.number
title: Status item value.
type: <string>
presence: required
content: The device's model number.
@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.build-version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's build version on the device,
such as '18F132'.
content: The operating system's build version on the device, such as '18F132'.
@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.family
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system family in use on the device,
such as 'macOS' or 'iOS'.
content: The operating system family in use on the device, such as 'macOS' or 'iOS'.
@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.marketing-name
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's marketing name in use on
the device, such as 'Catalina'.
content: The operating system's marketing name in use on the device, such as 'Catalina'.
@@ -5,14 +5,43 @@ payload:
supportedOS:
iOS:
introduced: '16.1'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.1'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.supplemental.build-version
title: Status item value.
type: <string>
presence: required
content: Identifies the operating system's build and rapid security response versions
in use on the device (for example, '20A123a', or '20B27c').
content: The operating system's build and rapid security response versions in use
on the device, for example, '20A123a' or '20B27c'.
@@ -5,14 +5,43 @@ payload:
supportedOS:
iOS:
introduced: '16.1'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.1'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.supplemental.extra-version
title: Status item value.
type: <string>
presence: required
content: Identifies the operating system's rapid security response version in use
on the device (for example, 'a').
content: The operating system's rapid security response version in use on the device,
for example, 'a'.
@@ -5,14 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: device.operating-system.version
title: Status item value.
type: <string>
presence: required
content: A string that identifies the operating system's version in use on the device,
such as '15.0'.
content: The operating system's version in use on the device, such as '15.0'.
@@ -0,0 +1,40 @@
title: Status Device Battery Health
description: The health of the battery.
payload:
statusitemtype: device.power.battery-health
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: device.power.battery-health
title: Status item value.
type: <string>
presence: required
rangelist:
- non-genuine
- normal
- service-recommended
- unknown
- unsupported
content: |-
The battery health status:
* non-genuine - the battery is not a genuine Apple battery
* normal - the battery is operating normally
* service-recommended - battery service is recommended
* unknown - battery health information could not be determined
* unsupported - battery health reporting is not supported on the device
Only supported on iPhones. iPads will return "unsupported".
@@ -0,0 +1,24 @@
title: Status Disk Management File Vault Enabled
description: The enabled status of the File Vault.
payload:
statusitemtype: diskmanagement.filevault.enabled
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: diskmanagement.filevault.enabled
title: Status item value.
type: <boolean>
presence: required
content: A Boolean value that specifies the File Vault enabled status on the device.
@@ -5,10 +5,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: management.client-capabilities
title: Status item value.
@@ -5,10 +5,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: management.declarations
title: Status item value.
+21 -3
View File
@@ -5,10 +5,29 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: mdm.app
title: Status item value.
@@ -30,9 +49,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object.
content: If 'true', the app is removed and the status item object only contains
this key and the 'identifier' key.
- key: name
title: App name
type: <string>
@@ -5,10 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: passcode.is-compliant
title: Status item value.
+20 -3
View File
@@ -5,10 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: passcode.is-present
title: Status item value.
@@ -16,6 +33,6 @@ payloadkeys:
presence: required
content: If 'true', a passcode is present on the device. If 'false', a passcode
isn't present on the device. When a passcode is present, the specific attributes
of the passcode (length, number of complex characters, etc), isn't reported. Instead,
use the 'passcode.is-compliant' status item to verify that the passcode complies
with all passcode policies set on the device.
of the passcode, such as length or number of complex characters, aren't reported.
Instead, use the 'passcode.is-compliant' status item to verify that the passcode
complies with all passcode policies set on the device.
@@ -0,0 +1,85 @@
title: Status Security Certificate List
description: The client's managed certificates.
payload:
statusitemtype: security.certificate.list
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: security.certificate.list
title: Status item value.
type: <array>
presence: required
content: A list of the device's managed certificates.
subkeytype: Certificate
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Unique identifier of the certificate.
type: <string>
presence: required
content: The unique identifier of the certificate which the system uses as the
primary key.
- key: _removed
title: Indicates removal of the certificate.
type: <boolean>
presence: optional
default: false
content: If 'true', the certificate is removed and the status item object only
contains this key and the 'identifier' key.
- key: declaration-identifier
title: Asset declaration identifier.
type: <string>
presence: optional
content: The identifier of the asset declaration that installed the certificate,
which is only present if a declaration installed the certificate.
- key: subject-summary
title: Subject summary
type: <string>
presence: required
content: The summary of the certificate's subject.
- key: is-identity
title: Is Identity
type: <boolean>
presence: required
content: If 'true', the certificate is an identity certificate.
- key: data
title: Certificate Data
type: <data>
presence: required
content: The certificate data in DER-encoded X.509 format.
@@ -0,0 +1,110 @@
title: Status Services Background Task
description: The client's background task details.
payload:
statusitemtype: services.background-task
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: services.background-task
title: Status item value.
type: <array>
presence: required
content: The background task.
subkeytype: Background Task
subkeys:
- key: status_value
type: <dictionary>
subkeys:
- key: identifier
title: Identifier
type: <string>
presence: required
content: The background task UUID which the system uses as the primary key.
- key: _removed
title: Indicates removal of a background task.
type: <boolean>
presence: optional
default: false
content: If 'true', the background task is removed and the status item object
only contains this key and the 'identifier' key.
- key: code-signature
title: Code signature
type: <string>
presence: optional
content: For types other than 'agent' or 'daemon', this is the code signature
designated requirement of the item, if available.
- key: uid
title: Numeric user identifier
type: <integer>
presence: required
content: The numeric user identifier of the owner of the background task.
- key: path
title: Path
type: <string>
presence: required
content: For an 'agent' or 'daemon', the path to the 'launchd' 'plist' file.
For other types, the path to the app or the document.
- key: state
title: Background task state
type: <string>
presence: required
rangelist:
- not-registered
- enabled
- requires-approval
- not-found
content: The SMAppServiceStatus enumeration.
- key: type
title: Background task type
type: <string>
presence: required
rangelist:
- daemon
- agent
- login-item
- app
- user-item
content: The daemon, agent, or SFL login item type.
- key: launchd
title: Launchd background task
type: <dictionary>
presence: optional
content: Details about a 'launchd'-based background task, which is only present
when the type is 'daemon' or 'agent'.
subkeys:
- key: label
title: Label
type: <string>
presence: required
content: The label of the 'launchd'-based background task.
- key: program
title: Program
type: <string>
presence: required
content: The program that the 'launchd' 'plist' file specifies.
- key: program-arguments
title: Program arguments
type: <array>
presence: optional
content: The program arguments that the 'launchd' 'plist' file specifies.
subkeys:
- key: program-arguments-item
title: Program argument
type: <string>
- key: checksum
title: The hash value of the launchd plist.
type: <string>
presence: required
content: The hash value of the 'launchd' 'plist' file.
@@ -0,0 +1,51 @@
title: Status Software Update Failure Reason
description: The software update failure reason state.
payload:
statusitemtype: softwareupdate.failure-reason
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.failure-reason
title: The software update failure reason state.
type: <dictionary>
presence: required
content: Details about a software update failure.
subkeytype: Dictionary
subkeys:
- key: count
title: The software update failure count.
type: <integer>
presence: required
content: The number of times the current software update failed. If there are
no failures, or no pending software update, this is '0'.
- key: reason
title: The reason for the software update failure.
type: <string>
presence: optional
content: If present, this describes the reason for last software update failure.
This key isn't present if there are no failures or no pending software update.
- key: timestamp
title: The timestamp of the software update failure.
type: <string>
presence: optional
content: If present, this is the RFC 3339 timestamp of the last software update
failure. This key isn't present if there are no failures or no pending software
update.
@@ -0,0 +1,69 @@
title: Status Software Update Install Reason
description: The software update install reason state.
payload:
statusitemtype: softwareupdate.install-reason
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.install-reason
title: The software update install reason state.
type: <dictionary>
presence: required
content: Details about the reason for a pending software update.
subkeytype: Dictionary
subkeys:
- key: reason
title: The software update install reason state.
type: <array>
presence: required
content: A list of reasons for the pending software update. An empty list indicates
that no software update is pending.
subkeys:
- key: softwareupdate-reason
title: The software update install reason.
type: <string>
presence: required
rangelist:
- system-settings
- install-tonight
- auto-update
- notification
- setup-assistant
- command-line
- mdm
- declaration
content: |-
The software update install reason state:
* system-settings - software update was triggered via Settings.app
* install-tonight - software update was triggered via install tonight action
* auto-update - software update was triggered via an automatic update
* notification - software update was triggered via user notification action
* setup-assistant - software update was triggered via Setup Assistant
* command-line - software update was triggered via `softwareupdate` command line tool
* mdm - software update was triggered via an MDM command
* declaration - software update was triggered via a declarative device management configuration
- key: declaration-id
title: The identifier of the declaration causing the software update to occur.
type: <string>
presence: optional
content: The identifier of the declaration that caused the software update to
occur. This key is present only if the 'reason' array contains the 'declaration'
value.
@@ -0,0 +1,43 @@
title: Status Software Update Install State
description: The software update install state.
payload:
statusitemtype: softwareupdate.install-state
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.install-state
title: The software update install state.
type: <string>
presence: required
rangelist:
- none
- downloading
- prepared
- installing
- failed
content: |-
The software update install status:
* 'none': There's no software update pending, and any previous software update succeeded.
* 'waiting': A software update is waiting to start.
* 'downloading': The system is downloading data for a software update.
* 'prepared': The system prepared the software update and it's ready for installation.
* 'installing': The system is installing the software update.
* 'failed': The software update failed.
@@ -0,0 +1,45 @@
title: Status Software Update Pending Version
description: The pending software update version.
payload:
statusitemtype: softwareupdate.pending-version
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: softwareupdate.pending-version
title: Pending software update version.
type: <dictionary>
presence: required
content: A dictionary that contains the build and OS versions of the software update
that's pending on the device.
subkeytype: Dictionary
subkeys:
- key: os-version
title: The OS version
type: <string>
presence: required
content: The OS version of the pending software update, including any rapid security
response version. This string is empty if no update is pending.
- key: build-version
title: The build version
type: <string>
presence: required
content: The build version of the pending software update, including any rapid
security response version. This string is empty if no update is pending.
+2
View File
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: code
title: Error Code
+30 -1
View File
@@ -5,16 +5,45 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.array-value
title: Status item value.
type: <array>
presence: required
content: Status value.
content: The test status item array value.
subkeytype: Array
subkeys:
- key: status_value
+30 -1
View File
@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.boolean-value
title: Status item value.
type: <boolean>
presence: required
content: Status value.
content: The test status Boolean value.
+30 -1
View File
@@ -5,16 +5,45 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.dictionary-value
title: Status item value.
type: <dictionary>
presence: required
content: Status value.
content: The test status dictionary value.
subkeytype: Dictionary
subkeys:
- key: key1
+30 -1
View File
@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.error-value
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The test status error value.
+30 -1
View File
@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.integer-value
title: Status item value.
type: <integer>
presence: required
content: Status value.
content: The test status integer value.
+30 -1
View File
@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.real-value
title: Status item value.
type: <real>
presence: required
content: Status value.
content: The test status real value.
+30 -1
View File
@@ -5,13 +5,42 @@ payload:
supportedOS:
iOS:
introduced: '16.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: test.string-value
title: Status item value.
type: <string>
presence: required
content: Status value.
content: The test status string value.