mirror of
https://github.com/apple/device-management.git
synced 2026-07-10 21:13:42 +02:00
Release_iOS-17-0_macOS-14-0
This commit is contained in:
@@ -9,6 +9,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: StandardConfigurations
|
||||
type: <array>
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
title: Asset:Credential ACME
|
||||
description: A reference to an ACME identity.
|
||||
payload:
|
||||
declarationtype: com.apple.asset.credential.acme
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: |-
|
||||
The external reference. Ensure that the asset data:
|
||||
* Is a JSON document that represents the 'com.apple.credential.acme' credential type
|
||||
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
- key: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Default
|
||||
- AfterFirstUnlock
|
||||
default: Default
|
||||
content: |-
|
||||
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
|
||||
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
|
||||
@@ -0,0 +1,57 @@
|
||||
title: Asset:Credential Certificate
|
||||
description: 'A reference to a PKCS #1 or PEM encoded certificate.'
|
||||
payload:
|
||||
declarationtype: com.apple.asset.credential.certificate
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The external reference. Ensure that the asset data uses a media type of
|
||||
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
|
||||
certificate. If the asset data includes a 'ContentType' sub-key, set it to the
|
||||
corresponding media type.
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
@@ -0,0 +1,68 @@
|
||||
title: Asset:Credential Identity
|
||||
description: 'A reference to a PKCS #12 password-protected identity.'
|
||||
payload:
|
||||
declarationtype: com.apple.asset.credential.identity
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: |-
|
||||
The external reference. Ensure that the asset data:
|
||||
* Is a JSON document that represents the 'com.apple.credential.identity' credential type
|
||||
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
- key: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Default
|
||||
- AfterFirstUnlock
|
||||
default: Default
|
||||
content: |-
|
||||
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
|
||||
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
|
||||
@@ -0,0 +1,68 @@
|
||||
title: Asset:Credential SCEP
|
||||
description: A reference to a SCEP identity.
|
||||
payload:
|
||||
declarationtype: com.apple.asset.credential.scep
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: |-
|
||||
The external reference. Ensure that the asset data:
|
||||
* Is a JSON document that represents the 'com.apple.credential.scep' credential type
|
||||
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
- key: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Default
|
||||
- AfterFirstUnlock
|
||||
default: Default
|
||||
content: |-
|
||||
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
|
||||
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Credential:User Name and Password
|
||||
title: Asset:Credential User Name and Password
|
||||
description: A reference to data describing a credential representing a user name
|
||||
and password. Note that this should always be considered as security sensitive data.
|
||||
and password.
|
||||
payload:
|
||||
declarationtype: com.apple.asset.credential.userpassword
|
||||
supportedOS:
|
||||
@@ -10,11 +10,16 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The reference to the credential.
|
||||
content: |-
|
||||
The external reference. Ensure that the asset data:
|
||||
* Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type
|
||||
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
@@ -22,17 +27,41 @@ payloadkeys:
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: required
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: required
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: required
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
|
||||
@@ -0,0 +1,138 @@
|
||||
title: ACME Credential
|
||||
description: An ACME identity that should be generated by the device.
|
||||
payload:
|
||||
credentialtype: com.apple.credential.acme
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: DirectoryURL
|
||||
title: ACME directory URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Specifies the directory URL of the ACME server. Use the 'https' scheme
|
||||
for the URL.
|
||||
- key: ClientIdentifier
|
||||
title: Client identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The server can use this as a nonce to prevent issuing multiple certificates.
|
||||
It also indicates to the ACME server that the device has access to a valid client
|
||||
identifier that the enterprise infrastructure issued. This can help the ACME server
|
||||
determine whether to trust the device, however this is a relatively weak indication
|
||||
because of the risk that an attacker may intercept and duplicate the client identifier.
|
||||
- key: KeySize
|
||||
title: Key Size
|
||||
type: <integer>
|
||||
presence: required
|
||||
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
|
||||
See those keys for specific requirements.
|
||||
- key: KeyType
|
||||
title: Key Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- RSA
|
||||
- ECSECPrimeRandom
|
||||
content: |-
|
||||
Specifies the type of key pair to generate.
|
||||
'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'.
|
||||
'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys.
|
||||
The key size is '521', not '512', even though the other key sizes are multiples of '64'.
|
||||
- key: HardwareBound
|
||||
title: Hardware Bound
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: |-
|
||||
If 'false', the private key isn't bound to the device.
|
||||
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
|
||||
If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'.
|
||||
On macOS, this is a required key. Set the value to 'false'.
|
||||
- key: Subject
|
||||
title: Subject
|
||||
type: <array>
|
||||
presence: required
|
||||
content: |-
|
||||
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
|
||||
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
|
||||
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
|
||||
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayInnerArray
|
||||
title: Array Inside ACME Subject Array
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayPair
|
||||
title: Subject Array Pair
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayPairItem
|
||||
title: ACME Subject Array Pair Item
|
||||
type: <string>
|
||||
repetition:
|
||||
min: 2
|
||||
max: 2
|
||||
content: One item in the array representing a pair of OID and value
|
||||
- key: SubjectAltName
|
||||
title: Subject Alt Name
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies the subject's alternative name that the device requests for the
|
||||
certificate that the ACME server issues. The ACME server may override or ignore
|
||||
this field in the certificate it issues.
|
||||
subkeys:
|
||||
- key: rfc822Name
|
||||
title: RFC 822 Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The RFC 822 email address.
|
||||
- key: dNSName
|
||||
title: DNS Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The DNS name.
|
||||
- key: uniformResourceIdentifier
|
||||
title: URI
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The uniform resource identifier.
|
||||
- key: ntPrincipalName
|
||||
title: NT Principal Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The NT principal name.
|
||||
- key: UsageFlags
|
||||
title: Key Usage
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: |-
|
||||
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
|
||||
The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment.
|
||||
- key: ExtendedKeyUsage
|
||||
title: Extended Key Usage
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
|
||||
The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
|
||||
subkeys:
|
||||
- key: OID
|
||||
type: <string>
|
||||
presence: optional
|
||||
- key: Attest
|
||||
title: Attest
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the device provides attestations that describe the device and
|
||||
the generated key to the ACME server. The server can use the attestations as strong
|
||||
evidence that the key is bound to the device, and that the device has properties
|
||||
listed in the attestation. The server can use that as part of a trust score to
|
||||
decide whether to issue the requested certificate. When 'Attest' is 'true', set
|
||||
'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'.
|
||||
@@ -0,0 +1,22 @@
|
||||
title: Identity Credential
|
||||
description: 'Data for a PKCS #12 password-protected identity.'
|
||||
payload:
|
||||
credentialtype: com.apple.credential.identity
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Password
|
||||
type: <string>
|
||||
presence: required
|
||||
content: 'The password required to decrypt the PKCS #12 identity data.'
|
||||
- key: Identity
|
||||
type: <data>
|
||||
presence: required
|
||||
content: 'The PKCS #12 identity data.'
|
||||
@@ -0,0 +1,125 @@
|
||||
title: SCEP Credential
|
||||
description: A SCEP identity that should be generated by the device.
|
||||
payload:
|
||||
credentialtype: com.apple.credential.scep
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: URL
|
||||
title: URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The SCEP URL.
|
||||
- key: Name
|
||||
title: Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: Any string that the SCEP server recognizes. For example, it could be a
|
||||
domain name such as 'example.org'. If a certificate authority has multiple CA
|
||||
certificates, you can use this field to specify the required certificate.
|
||||
- key: Subject
|
||||
title: Subject
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
|
||||
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
|
||||
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayInnerArray
|
||||
title: Array Inside SCEP Subject Array
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayPair
|
||||
title: Subject Array Pair
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayPairItem
|
||||
title: SCEP Subject Array Pair Item
|
||||
type: <string>
|
||||
repetition:
|
||||
min: 2
|
||||
max: 2
|
||||
content: One item in the array representing a pair of OID and value
|
||||
- key: Challenge
|
||||
title: Challenge
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A preshared secret.
|
||||
- key: Keysize
|
||||
title: Key Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- 1024
|
||||
- 2048
|
||||
- 4096
|
||||
default: 1024
|
||||
content: The key size in bits, either '1024', '2048', or '4096'.
|
||||
- key: Key Type
|
||||
title: Key Type
|
||||
type: <string>
|
||||
presence: optional
|
||||
default: RSA
|
||||
content: The key type, which always has the value 'RSA'.
|
||||
- key: Key Usage
|
||||
title: Key Usage
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 0
|
||||
content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is
|
||||
encryption, and ''5'' is both signing and encryption. Some certificate authorities,
|
||||
such as Windows CA, support only encryption or signing, but not both at the same
|
||||
time.'
|
||||
- key: CAFingerprint
|
||||
title: Fingerprint
|
||||
type: <data>
|
||||
presence: optional
|
||||
content: The fingerprint of the Certificate Authority certificate.
|
||||
- key: Retries
|
||||
title: Retries
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 3
|
||||
content: The number of times the device should retry if the server sends a 'PENDING'
|
||||
response.
|
||||
- key: RetryDelay
|
||||
title: Retry Delay
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 10
|
||||
content: The number of seconds to wait between subsequent retries. The system makes
|
||||
the first retry without this delay.
|
||||
- key: SubjectAltName
|
||||
title: Subject Alt Name
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The subject's alternative name for the certificate.
|
||||
subkeys:
|
||||
- key: rfc822Name
|
||||
title: RFC 822 Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The RFC 822 email address.
|
||||
- key: dNSName
|
||||
title: DNS Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The DNS name.
|
||||
- key: uniformResourceIdentifier
|
||||
title: URI
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The uniform resource identifier.
|
||||
- key: ntPrincipalName
|
||||
title: NT Principal Name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The NT principal name.
|
||||
@@ -1,4 +1,4 @@
|
||||
title: User Name and Password Credentials
|
||||
title: User Name and Password Credential
|
||||
description: Data describing a credential representing a user name and password.
|
||||
payload:
|
||||
credentialtype: com.apple.credential.usernameandpassword
|
||||
@@ -9,12 +9,14 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: UserName
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The user's user name for the credential.
|
||||
content: The user name for this credential.
|
||||
- key: Password
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The user's password for the credential.
|
||||
content: The password for this credential.
|
||||
|
||||
@@ -0,0 +1,54 @@
|
||||
title: Asset:Data
|
||||
description: A reference to arbitrary data with a specific media type.
|
||||
payload:
|
||||
declarationtype: com.apple.asset.data
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The external reference.
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL that hosts the credential data. The URL must start with 'https://'.
|
||||
- key: ContentType
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data.
|
||||
- key: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data at the 'DataURL'. Use this value to verify that
|
||||
the returned data is the expected data. Use this value to detect when the data
|
||||
changes.
|
||||
- key: Hash-SHA-256
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
|
||||
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
|
||||
- key: Authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
subkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- MDM
|
||||
- None
|
||||
content: |-
|
||||
Type of authentication:
|
||||
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
|
||||
* None - a standard GET request is carried out.
|
||||
@@ -1,4 +1,4 @@
|
||||
title: User Identity
|
||||
title: Asset:User Identity
|
||||
description: User identity data.
|
||||
payload:
|
||||
declarationtype: com.apple.asset.useridentity
|
||||
@@ -9,6 +9,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: FullName
|
||||
title: Full Name
|
||||
@@ -19,4 +21,4 @@ payloadkeys:
|
||||
title: Email Address
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The user's email address.
|
||||
content: The email address of the user.
|
||||
|
||||
@@ -5,20 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: A CalDAV configuration defines a CalDAV calendar and reminders account
|
||||
for a user.
|
||||
payloadkeys:
|
||||
@@ -32,7 +39,7 @@ payloadkeys:
|
||||
title: Server Host Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname of the CalDAV server (or IP address).
|
||||
content: The hostname or IP address of the CalDAV server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
type: <integer>
|
||||
@@ -46,6 +53,8 @@ payloadkeys:
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
|
||||
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
|
||||
|
||||
@@ -5,20 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: A CardDAV configuration defines a CardDAV contacts account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
@@ -31,7 +38,7 @@ payloadkeys:
|
||||
title: Server Host Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname of the CardDAV server (or IP address).
|
||||
content: The hostname or IP address of the CardDAV server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
type: <integer>
|
||||
@@ -45,6 +52,8 @@ payloadkeys:
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
|
||||
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
|
||||
|
||||
@@ -6,20 +6,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: This payload configures an Exchange ActiveSync account on an iOS device.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
@@ -48,9 +55,11 @@ payloadkeys:
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the user identity
|
||||
for this account. The corresponding asset must be of type UserIdentity.
|
||||
for this account. The corresponding asset must be of type 'UserIdentity'.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
type: <string>
|
||||
@@ -133,10 +142,111 @@ payloadkeys:
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account to authenticate with an Exchange server. The corresponding asset
|
||||
must be of type CredentialUserNameAndPassword.
|
||||
this account to authenticate with an Exchange server. Set the corresponding asset
|
||||
type to 'CredentialUserNameAndPassword'.
|
||||
- key: AuthenticationIdentityAssetReference
|
||||
title: Authentication Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: Specifies the identifier of a credential asset declaration that contains
|
||||
the identity that this account requires to authenticate with the Exchange server.
|
||||
- key: SMIME
|
||||
title: S/MIME Settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME.
|
||||
subkeys:
|
||||
- key: Signing
|
||||
title: S/MIME Signing Settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME signing.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Signing Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If 'true', the system enables S/MIME signing.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Signing Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME signing of messages sent from this account.
|
||||
- key: UserOverrideable
|
||||
title: Signing User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can turn S/MIME signing on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Signing Identity User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can select an S/MIME signing identity in Settings.
|
||||
- key: Encryption
|
||||
title: S/MIME Encryption Settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME encryption.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Encryption By Default Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If 'true', the system enables S/MIME encryption by default, which the
|
||||
user can't override if 'PerMessageSwitchEnabled' is 'false'.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Encryption Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME encryption. The system attaches the public certificate
|
||||
to outgoing mail to allow the user to receive encrypted mail. When the user
|
||||
sends encrypted mail, the system uses the public certificate to encrypt the
|
||||
copy of the mail in their Sent mailbox.
|
||||
- key: UserOverrideable
|
||||
title: Encryption By Default User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can turn S/MIME encryption by default on or off
|
||||
in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Encryption Identity User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can select an S/MIME signing identity in Settings.
|
||||
- key: PerMessageSwitchEnabled
|
||||
title: Per Message Switch Enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the system enables the per-message encryption switch in
|
||||
the compose view.
|
||||
- key: MailServiceActive
|
||||
supportedOS:
|
||||
macOS:
|
||||
|
||||
@@ -5,20 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: A Google configuration defines a Google account for a user. The user will
|
||||
be prompted to enter their credentials shortly after the configuration successfully
|
||||
installs.
|
||||
@@ -32,8 +39,10 @@ payloadkeys:
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
presence: required
|
||||
content: The identifier of an asset declaration that contains the user identity
|
||||
for this Google account. The corresponding asset must be of type UserIdentity.
|
||||
The asset must contain an 'EmailAddress' key that specifies the full Google email
|
||||
for this Google account. Set the corresponding asset type to 'UserIdentity' and
|
||||
ensure that it contains an 'EmailAddress' key that specifies the full Google email
|
||||
address for the account.
|
||||
|
||||
@@ -5,20 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: An LDAP configuration defines an LDAP directory account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
@@ -31,18 +38,20 @@ payloadkeys:
|
||||
title: Server Host Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname of the LDAP server (or IP address).
|
||||
content: The hostname or IP address of the LDAP server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number of the LDAP server (or IP address).
|
||||
content: The port number or IP address of the LDAP server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
|
||||
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
|
||||
- key: SearchSettings
|
||||
title: Search Settings
|
||||
type: <array>
|
||||
|
||||
@@ -5,20 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: An email configuration defines an email account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
@@ -30,9 +37,11 @@ payloadkeys:
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the user identity
|
||||
for this account. The corresponding asset must be of type UserIdentity.
|
||||
for this account. Set the corresponding asset type to 'UserIdentity'.
|
||||
- key: IncomingServer
|
||||
title: Incoming Server Settings
|
||||
type: <dictionary>
|
||||
@@ -71,9 +80,11 @@ payloadkeys:
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
|
||||
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
|
||||
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
|
||||
- key: IMAPPathPrefix
|
||||
title: IMAP Path Prefix
|
||||
@@ -111,7 +122,98 @@ payloadkeys:
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
|
||||
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
|
||||
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
|
||||
- key: SMIME
|
||||
title: S/MIME Settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME.
|
||||
subkeys:
|
||||
- key: Signing
|
||||
title: S/MIME Signing Settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME signing.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Signing Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If 'true', the system enables S/MIME signing.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Signing Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME signing of messages sent from this account.
|
||||
- key: UserOverrideable
|
||||
title: Signing User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can turn S/MIME signing on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Signing Identity User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can select an S/MIME signing identity in Settings.
|
||||
- key: Encryption
|
||||
title: S/MIME Encryption Settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME encryption.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Encryption By Default Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If 'true', the system enables S/MIME encryption by default, which the
|
||||
user can't override if 'PerMessageSwitchEnabled' is 'false'.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Encryption Identity Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME encryption. The system attaches the public certificate
|
||||
to outgoing mail to allow the user to receive encrypted mail. When the user
|
||||
sends encrypted mail, the system uses the public certificate to encrypt the
|
||||
copy of the mail in their Sent mailbox.
|
||||
- key: UserOverrideable
|
||||
title: Encryption By Default User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can set the default value for S/MIME encryption
|
||||
to on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Encryption Identity User Overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the user can select an S/MIME signing identity in Settings.
|
||||
- key: PerMessageSwitchEnabled
|
||||
title: Per Message Switch Enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', the system enables the per-message encryption switch in
|
||||
the compose view.
|
||||
|
||||
@@ -5,16 +5,27 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: false
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: n/a
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
content: A subscribed calendar configuration defines a subscribed calendar for a
|
||||
user.
|
||||
payloadkeys:
|
||||
@@ -28,11 +39,13 @@ payloadkeys:
|
||||
title: Calendar URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL of the subscribed calendar. The URL must start with 'https://'.
|
||||
content: The URL of the subscribed calendar, which needs to start with 'https://'.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account to authenticate with a calendar server. The corresponding asset must
|
||||
be of type CredentialUserNameAndPassword.
|
||||
this account to authenticate with a calendar server. Set the corresponding asset
|
||||
type to 'CredentialUserNameAndPassword'.
|
||||
|
||||
@@ -6,26 +6,37 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: forbidden
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes: []
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: ProfileURL
|
||||
title: Profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
The URL of the profile to download and install. This must be an 'https://' URL.
|
||||
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
|
||||
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
|
||||
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
|
||||
- key: VisibleName
|
||||
title: Configuration Visible Name
|
||||
type: <string>
|
||||
|
||||
@@ -5,25 +5,44 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: ProfileURL
|
||||
title: Profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
The URL of the profile to download and install. This must be an 'https://' URL.
|
||||
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
|
||||
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
|
||||
|
||||
@@ -6,20 +6,35 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: StatusItems
|
||||
title: Status Items
|
||||
|
||||
@@ -5,26 +5,60 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: allowed
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
devicechannel: true
|
||||
userchannel: true
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: Echo
|
||||
title: Status Echo
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The string to echo back in a status response reason.
|
||||
- key: EchoDataAssetReference
|
||||
title: Status Echo from Asset
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
presence: optional
|
||||
content: The string to read from a data asset to echo back in status response reason
|
||||
description.
|
||||
- key: ReturnStatus
|
||||
title: Status to Return
|
||||
type: <string>
|
||||
|
||||
@@ -5,16 +5,31 @@ payload:
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '15.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
mode: forbidden
|
||||
userenrollment:
|
||||
mode: allowed
|
||||
allowed-scopes: []
|
||||
macOS:
|
||||
introduced: '13.0'
|
||||
userenrollment:
|
||||
mode: forbidden
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: RequirePasscode
|
||||
title: Require Passcode on Device
|
||||
@@ -31,18 +46,20 @@ payloadkeys:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to true, the passcode must consist of at least one alphabetic characters
|
||||
("abcd"), and at least one number.
|
||||
content: If 'true', the passcode needs to consist of at least one alphabetic character
|
||||
and at least one number.
|
||||
- key: RequireComplexPasscode
|
||||
title: Require Complex Passcode
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', requires a complex passcode. A complex passcode is one that
|
||||
doesn't contain repeated characters or increasing/decreasing characters (such
|
||||
doesn't contain repeated characters or increasing or decreasing characters (such
|
||||
as 123 or CBA).
|
||||
- key: MinimumLength
|
||||
title: Minimum Passcode Length
|
||||
@@ -60,14 +77,17 @@ payloadkeys:
|
||||
introduced: '16.2'
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 4
|
||||
default: 1
|
||||
content: Specifies the minimum number of complex characters that must be present.
|
||||
Only used when RequireComplexPasscode is true.
|
||||
default: 0
|
||||
content: Specifies the minimum number of complex characters in the password. A complex
|
||||
character is a character other than a number or a letter, such as '&', '%', '$',
|
||||
and '#'.
|
||||
- key: MaximumFailedAttempts
|
||||
title: Maximum Number of Failed Attempts
|
||||
type: <integer>
|
||||
@@ -86,11 +106,13 @@ payloadkeys:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The number of minutes before the login will be reset after the maximum
|
||||
number of failed attempts has been reached. The MaximumFailedAttempts key must
|
||||
be set for this to take effect.
|
||||
content: The number of minutes before the login is reset after the maximum number
|
||||
of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take
|
||||
effect.
|
||||
- key: MaximumGracePeriodInMinutes
|
||||
title: Maximum Grace Period
|
||||
type: <integer>
|
||||
@@ -120,9 +142,9 @@ payloadkeys:
|
||||
range:
|
||||
min: 0
|
||||
max: 730
|
||||
content: Specifies the maximum number of days for which the passcode can remain
|
||||
unchanged. After this number of days, the user is forced to change the passcode
|
||||
before the device is unlocked.
|
||||
content: Specifies the maximum number of days that the passcode can remain unchanged.
|
||||
After this number of days, the system forces the user to change the passcode before
|
||||
it unlocks the device.
|
||||
- key: PasscodeReuseLimit
|
||||
title: Passcode Reuse Limit
|
||||
type: <integer>
|
||||
@@ -141,10 +163,46 @@ payloadkeys:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '13.1'
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to true, forces a password reset to occur the next time the user
|
||||
tries to authenticate. If this key is set in a configuration in the system scope
|
||||
(device channel), the setting takes effect for all users, and admin authentications
|
||||
may fail until the admin user password is also reset.
|
||||
content: If 'true', the system forces a password reset the next time the user tries
|
||||
to authenticate. If you set this key in a configuration in the system scope (device
|
||||
channel), the setting takes effect for all users, and admin authentication may
|
||||
fail until the admin user password is also reset.
|
||||
- key: CustomRegex
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies a regular expression, and its description, to enforce password
|
||||
compliance. Use the simpler passcode settings whenever possible, and rely on regular
|
||||
expression matching only when necessary. Mistakes in regular expressions can lead
|
||||
to frustrating user experiences, such as unsatisfiable passcode policies, or policy
|
||||
descriptions that don't match the enforced policy.
|
||||
subkeys:
|
||||
- key: Regex
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A regular expression string to match against the password to determine
|
||||
whether it complies with a policy. The regular expression uses the ICU syntax.
|
||||
The string can't exceed 2048 characters in length.
|
||||
- key: Description
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary with supported OS language IDs for the keys (such as 'en-US'),
|
||||
and values that represent a localized description of the policy that the regular
|
||||
expression enforces. Use the special 'default' key for languages that the dictionary
|
||||
doesn't contain.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A localized description.
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
title: Screen Sharing:Connection Group
|
||||
description: Use this configuration to define a group of Screen Sharing connections.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.screensharing.connection.group
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: ConnectionGroupUUID
|
||||
title: Unique Identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A string which uniquely identifies this connection group.
|
||||
- key: GroupName
|
||||
title: Group Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the Connection Group.
|
||||
- key: Members
|
||||
title: Group Members
|
||||
type: <array>
|
||||
presence: required
|
||||
content: |-
|
||||
Array of ConnectionUUIDs (matching a connection declared in a
|
||||
com.apple.configuration.screensharing.connection configuration) of the Connections
|
||||
that should be members of this group.
|
||||
subkeys:
|
||||
- key: ConnectionUUID
|
||||
type: <string>
|
||||
@@ -0,0 +1,66 @@
|
||||
title: Screen Sharing:Connection
|
||||
description: Use this configuration to define a connection to a Screen Sharing host.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.screensharing.connection
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: ConnectionUUID
|
||||
title: Unique Identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A unique identifier for this connection when it's in a connection group.
|
||||
- key: DisplayName
|
||||
title: The name of the connection.
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the connection.
|
||||
- key: HostName
|
||||
title: Host Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
|
||||
- key: Port
|
||||
title: TCP Port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: Specifies the TCP port number on the host to initiate the connection.
|
||||
- key: DisplayConfiguration
|
||||
title: Display Configuration
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The display configuration for this connection.
|
||||
subkeys:
|
||||
- key: DisplayType
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Virtual1
|
||||
- Virtual2
|
||||
content: |-
|
||||
The type of display for the connection, which has these allowed values:
|
||||
* 'Virtual1': Create one virtual display.
|
||||
* 'Virtual2': Create two virtual displays.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration that contains the required
|
||||
credentials for this connection to authenticate with the screen-sharing server.
|
||||
Set the corresponding asset type to 'com.apple.asset.credential.userpassword'.
|
||||
@@ -0,0 +1,58 @@
|
||||
title: Screen Sharing:Host Settings
|
||||
description: Use this configuration to define Screen Sharing host settings and restrictions.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.screensharing.host.settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: MaximumVirtualDisplays
|
||||
title: Maximum number of Virtual Displays
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 2
|
||||
content: Sets the maximum number of Virtual Displays to make available to clients.
|
||||
- key: PortBase
|
||||
title: UDP Port base
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 1024
|
||||
max: 65535
|
||||
content: |-
|
||||
Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections
|
||||
so additional connections will increment this base port number by 1 for each needed connection. This does not
|
||||
change the port number used to initially establish a connection with a host, which is always TCP port 5900.
|
||||
- key: PreventCopyFilesFromHost
|
||||
title: Prevent copying files from host
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Set to true to prevent users from copying files from the Screen Sharing
|
||||
host.
|
||||
- key: PreventCopyFilesToHost
|
||||
title: Prevent copying files to host
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Set to true to prevent users from copying files to the Screen Sharing host.
|
||||
- key: PreventHighPerformanceConnections
|
||||
title: Prevent High Performance connections
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Set to true to prevent clients from establishing High Performance connections
|
||||
to the host.
|
||||
@@ -0,0 +1,49 @@
|
||||
title: Security:Certificate
|
||||
description: Use this configuration to add a certificate to the device.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.security.certificate
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: CredentialAssetReference
|
||||
title: Credential asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
presence: required
|
||||
content: Specifies the identifier of an asset declaration that contains the certificate
|
||||
to install.
|
||||
@@ -0,0 +1,73 @@
|
||||
title: Security:Identity
|
||||
description: Use this configuration to install an identity on the device.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.security.identity
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
payloadkeys:
|
||||
- key: CredentialAssetReference
|
||||
title: Credential asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
- com.apple.asset.credential.acme
|
||||
presence: required
|
||||
content: Specifies the identifier of an asset declaration that contains the identity
|
||||
to install.
|
||||
- key: AllowAllAppsAccess
|
||||
title: Allow all apps access
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If 'true', apps can access the private key.
|
||||
- key: KeyIsExtractable
|
||||
title: Key is extractable
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If 'true', the private key is extractable in the keychain.
|
||||
@@ -0,0 +1,54 @@
|
||||
title: Security:Passkey:Attestation
|
||||
description: Configures the device to allow WebAuthn enterprise attestation for certain
|
||||
passkeys.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.security.passkey.attestation
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes: []
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: AttestationIdentityAssetReference
|
||||
title: Attestation identity asset reference.
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
- com.apple.asset.credential.acme
|
||||
presence: required
|
||||
content: Specifies the identifier of an asset declaration that contains the identity
|
||||
to install and use for passkey attestation.
|
||||
- key: AttestationIdentityKeyIsExtractable
|
||||
title: Attestation identity key is extractable
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If 'true', the private key for the attestation identity is extractable
|
||||
in the keychain.
|
||||
- key: RelyingParties
|
||||
title: Relying parties
|
||||
type: <array>
|
||||
presence: required
|
||||
content: Relying parties to allow enterprise attestation.
|
||||
subkeys:
|
||||
- key: RelyingParty
|
||||
title: Relying party
|
||||
type: <string>
|
||||
@@ -0,0 +1,45 @@
|
||||
title: Services Configuration Files
|
||||
description: Specifies managed configuration files for services
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.services.configuration-files
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: ServiceType
|
||||
title: Service Type
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
The identifier of the system service with managed configuration files.
|
||||
Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services.
|
||||
The available built-in services are:
|
||||
* 'com.apple.sshd' configures sshd
|
||||
* 'com.apple.sudo' configures sudo
|
||||
* 'com.apple.pam' configures PAM
|
||||
* 'com.apple.cups' configures CUPS
|
||||
* 'com.apple.apache.httpd' configures Apache httpd
|
||||
* 'com.apple.bash' configures bash
|
||||
* 'com.apple.zsh' configures zsh
|
||||
- key: DataAssetReference
|
||||
title: Data Asset Reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
presence: required
|
||||
content: |-
|
||||
Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
|
||||
* Is of type 'com.apple.asset.data'
|
||||
* Is a zip archive of an entire directory
|
||||
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
|
||||
The system expands the zip archive and stores the data in a well-known location for the service.
|
||||
@@ -0,0 +1,55 @@
|
||||
title: Software Update:Enforcement:Specific
|
||||
description: A software update enforcement policy for a specific OS release
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '14.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: TargetOSVersion
|
||||
title: Target OS Version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The target OS version to update the device to by the appropriate time.
|
||||
This is the OS version number, for example, '16.1'. It may also include a supplemental
|
||||
version identifier, for example, '16.1.1'.
|
||||
- key: TargetBuildVersion
|
||||
title: Target Build Version
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The target build version to update the device to by the appropriate time,
|
||||
for example, '20A242'. The system uses the build version for testing during seeding
|
||||
periods. The build version can include a supplemental version identifier, for
|
||||
example, '20A242a'. If the build version isn't consistent with the target OS version
|
||||
specified in the 'TargetOSVersion' key, the target OS version takes precedence.
|
||||
- key: TargetLocalDateTime
|
||||
title: Target Local Date Time
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The local date time value that specifies when to force install the software
|
||||
update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but
|
||||
doesn't include a time zone offset. If the user doesn't trigger the software update
|
||||
before this time, the device force installs it.
|
||||
- key: DetailsURL
|
||||
title: Details URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL of a web page that shows details that the organization provides
|
||||
about the enforced update.
|
||||
@@ -0,0 +1,43 @@
|
||||
title: Watch:Enrollment
|
||||
description: Specifies an MDMv1 Apple Watch enrollment profile
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.watch.enrollment
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
allowed-enrollments:
|
||||
- device
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes: []
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: EnrollmentProfileURL
|
||||
title: Watch Enrollment Profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL of the profile that the Apple Watch downloads and installs if the
|
||||
user opts in to management during the pairing process, which needs to start with
|
||||
'https://'. Successful enrollment requires that the pairing iPhone is supervised
|
||||
and the profile contains an MDM payload. Apple Watch attempts to install each
|
||||
payload that the profile contains.
|
||||
- key: AnchorCertificateAssetReferences
|
||||
title: Anchor Certificate Asset References.
|
||||
type: <array>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
presence: optional
|
||||
content: Specifies an array of identifiers of asset declarations that contain anchor
|
||||
certificates to use to evaluate the trust of the enrollment profile server. Set
|
||||
the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
|
||||
subkeys:
|
||||
- key: AnchorCertificateAssetReferenceItem
|
||||
type: <string>
|
||||
content: Specifies the identifier of an asset declaration containing the anchor
|
||||
certificate to be used.
|
||||
@@ -9,6 +9,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Type
|
||||
type: <string>
|
||||
@@ -27,3 +29,212 @@ payloadkeys:
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The payload describing this declaration.
|
||||
reasons:
|
||||
- value: Error.ActivationFailed
|
||||
description: A configuration or asset cannot be activated due to an activation that
|
||||
failed.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the declaration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the declaration.
|
||||
- value: Error.AssetCannotBeDeserialized
|
||||
description: The asset data does not conform to the expected data type.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.AssetCannotBeDownloaded
|
||||
description: The asset data cannot be downloaded.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.AssetCannotBeVerified
|
||||
description: The downloaded asset data cannot be verified.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.ConfigurationCannotBeApplied
|
||||
description: The configuration cannot be applied to the device.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.ConfigurationCannotBeDeserialized
|
||||
description: The configuration is not valid.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.ConfigurationFailed
|
||||
description: An asset cannot be activated due to a configuration that failed.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the declaration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the declaration.
|
||||
- value: Error.ConfigurationIsInvalid
|
||||
description: The configuration is not valid for applying to the device.
|
||||
details:
|
||||
- key: Error
|
||||
type: <string>
|
||||
description: Description of the underlying NSError.
|
||||
- value: Error.ConfigurationNotSupported
|
||||
description: The configuration is not supported for this platform, scope, or enrollment
|
||||
type.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the configuration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the configuration.
|
||||
- value: Error.InvalidPayload
|
||||
description: A declaration is not fully loaded.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the declaration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the declaration.
|
||||
- value: Error.MissingAssets
|
||||
description: A configuration being activated references assets that are not present.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the configuration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the configuration.
|
||||
- key: AssetIdentifiers
|
||||
type: <array>
|
||||
description: Array of strings containing each missing asset `Identifier` value.
|
||||
- value: Error.MissingConfigurations
|
||||
description: An activation being activated references configurations that are not
|
||||
present.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation.
|
||||
- key: ConfigurationIdentifiers
|
||||
type: <array>
|
||||
description: Array of strings containing each missing configuration `Identifier`
|
||||
value.
|
||||
- value: Error.MissingState
|
||||
description: A declaration is missing internal state information.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the declaration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the declaration.
|
||||
- value: Error.PredicateFailed
|
||||
description: A predicate evaluation failed.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation whose predicate failed.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation whose predicate failed.
|
||||
- key: Predicate
|
||||
type: <string>
|
||||
description: The predicate description of the predicate that failed.
|
||||
- key: Domain
|
||||
type: <string>
|
||||
description: Underlying NSError's domain.
|
||||
- key: Code
|
||||
type: <string>
|
||||
description: Underlying NSError's code.
|
||||
- value: Error.UnableToEvaluatePredicate
|
||||
description: A predicate cannot be evaluated.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation whose predicate failed to evaluate.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation whose predicate failed to evaluate.
|
||||
- key: Predicate
|
||||
type: <string>
|
||||
description: The predicate description of the predicate that failed to evaluate.
|
||||
- value: Error.UnableToParsePredicate
|
||||
description: A predicate expression cannot be parsed.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation whose predicate failed to parse.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation whose predicate failed to parse.
|
||||
- key: Predicate
|
||||
type: <string>
|
||||
description: The predicate description of the predicate that failed to parse.
|
||||
- value: Error.UnableToParsePredicateWithCustomOperator
|
||||
description: A predicate expression with a custom operator cannot be parsed.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation whose predicate failed to parse.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation whose predicate failed to parse.
|
||||
- key: Predicate
|
||||
type: <string>
|
||||
description: The predicate description of the predicate that failed to parse.
|
||||
- value: Error.Unknown
|
||||
description: An unrecognized NSError was generated.
|
||||
details:
|
||||
- key: Domain
|
||||
type: <string>
|
||||
description: NSError's domain.
|
||||
- key: Code
|
||||
type: <string>
|
||||
description: NSError's code.
|
||||
- value: Error.UnknownPayloadKeys
|
||||
description: A declaration contains unknown payloads keys.
|
||||
details:
|
||||
- key: UnknownPayloadKeys
|
||||
type: <array>
|
||||
description: Array of strings containing each unknown key-path.
|
||||
- value: Info.NotReferencedByActivation
|
||||
description: A configuration is not referenced in any activation.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the configuration.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the configuration.
|
||||
- value: Info.NotReferencedByConfiguration
|
||||
description: An asset is not referenced in any configuration.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the asset.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the asset.
|
||||
- value: Info.Predicate
|
||||
description: A predicate evaluated to false.
|
||||
details:
|
||||
- key: Identifier
|
||||
type: <string>
|
||||
description: The `Identifier` of the activation whose predicate is false.
|
||||
- key: ServerToken
|
||||
type: <string>
|
||||
description: The `ServerToken` of the activation whose predicate is false.
|
||||
- key: Predicate
|
||||
type: <string>
|
||||
description: The predicate description of the predicate that is false.
|
||||
|
||||
@@ -10,6 +10,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Name
|
||||
title: Organization Name
|
||||
|
||||
@@ -9,6 +9,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: ANY
|
||||
title: Property
|
||||
|
||||
@@ -9,6 +9,8 @@ payload:
|
||||
introduced: '13.0'
|
||||
tvOS:
|
||||
introduced: '16.0'
|
||||
watchOS:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Version
|
||||
title: Protocol Version
|
||||
|
||||
Reference in New Issue
Block a user