Release_iOS-17-0_macOS-14-0

This commit is contained in:
Cyrus Daboo
2023-09-14 17:37:05 -04:00
parent 5a8fb0deb2
commit 72c2a0a69f
254 changed files with 6787 additions and 969 deletions
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: StandardConfigurations
type: <array>
@@ -0,0 +1,68 @@
title: Asset:Credential ACME
description: A reference to an ACME identity.
payload:
declarationtype: com.apple.asset.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.acme' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -0,0 +1,57 @@
title: Asset:Credential Certificate
description: 'A reference to a PKCS #1 or PEM encoded certificate.'
payload:
declarationtype: com.apple.asset.credential.certificate
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference. Ensure that the asset data uses a media type of
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
certificate. If the asset data includes a 'ContentType' sub-key, set it to the
corresponding media type.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -0,0 +1,68 @@
title: Asset:Credential Identity
description: 'A reference to a PKCS #12 password-protected identity.'
payload:
declarationtype: com.apple.asset.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.identity' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -0,0 +1,68 @@
title: Asset:Credential SCEP
description: A reference to a SCEP identity.
payload:
declarationtype: com.apple.asset.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.scep' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
- key: Accessible
type: <string>
presence: optional
rangelist:
- Default
- AfterFirstUnlock
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
@@ -1,6 +1,6 @@
title: Credential:User Name and Password
title: Asset:Credential User Name and Password
description: A reference to data describing a credential representing a user name
and password. Note that this should always be considered as security sensitive data.
and password.
payload:
declarationtype: com.apple.asset.credential.userpassword
supportedOS:
@@ -10,11 +10,16 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The reference to the credential.
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
subkeys:
- key: DataURL
type: <string>
@@ -22,17 +27,41 @@ payloadkeys:
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: required
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: required
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: required
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -0,0 +1,138 @@
title: ACME Credential
description: An ACME identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.acme
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: DirectoryURL
title: ACME directory URL
type: <string>
presence: required
content: Specifies the directory URL of the ACME server. Use the 'https' scheme
for the URL.
- key: ClientIdentifier
title: Client identifier
type: <string>
presence: required
content: The server can use this as a nonce to prevent issuing multiple certificates.
It also indicates to the ACME server that the device has access to a valid client
identifier that the enterprise infrastructure issued. This can help the ACME server
determine whether to trust the device, however this is a relatively weak indication
because of the risk that an attacker may intercept and duplicate the client identifier.
- key: KeySize
title: Key Size
type: <integer>
presence: required
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
See those keys for specific requirements.
- key: KeyType
title: Key Type
type: <string>
presence: required
rangelist:
- RSA
- ECSECPrimeRandom
content: |-
Specifies the type of key pair to generate.
'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'.
'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys.
The key size is '521', not '512', even though the other key sizes are multiples of '64'.
- key: HardwareBound
title: Hardware Bound
type: <boolean>
presence: required
content: |-
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'.
On macOS, this is a required key. Set the value to 'false'.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: ACMESubjectArrayInnerArray
title: Array Inside ACME Subject Array
type: <array>
subkeys:
- key: ACMESubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: ACMESubjectArrayPairItem
title: ACME Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: Specifies the subject's alternative name that the device requests for the
certificate that the ACME server issues. The ACME server may override or ignore
this field in the certificate it issues.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
- key: UsageFlags
title: Key Usage
type: <integer>
presence: optional
content: |-
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment.
- key: ExtendedKeyUsage
title: Extended Key Usage
type: <array>
presence: optional
content: |-
The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
subkeys:
- key: OID
type: <string>
presence: optional
- key: Attest
title: Attest
type: <boolean>
presence: optional
default: false
content: If 'true', the device provides attestations that describe the device and
the generated key to the ACME server. The server can use the attestations as strong
evidence that the key is bound to the device, and that the device has properties
listed in the attestation. The server can use that as part of a trust score to
decide whether to issue the requested certificate. When 'Attest' is 'true', set
'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'.
@@ -0,0 +1,22 @@
title: Identity Credential
description: 'Data for a PKCS #12 password-protected identity.'
payload:
credentialtype: com.apple.credential.identity
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Password
type: <string>
presence: required
content: 'The password required to decrypt the PKCS #12 identity data.'
- key: Identity
type: <data>
presence: required
content: 'The PKCS #12 identity data.'
@@ -0,0 +1,125 @@
title: SCEP Credential
description: A SCEP identity that should be generated by the device.
payload:
credentialtype: com.apple.credential.scep
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: URL
title: URL
type: <string>
presence: required
content: The SCEP URL.
- key: Name
title: Name
type: <string>
presence: optional
content: Any string that the SCEP server recognizes. For example, it could be a
domain name such as 'example.org'. If a certificate authority has multiple CA
certificates, you can use this field to specify the required certificate.
- key: Subject
title: Subject
type: <array>
presence: optional
content: |-
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
type: <array>
subkeys:
- key: SCEPSubjectArrayPair
title: Subject Array Pair
type: <array>
subkeys:
- key: SCEPSubjectArrayPairItem
title: SCEP Subject Array Pair Item
type: <string>
repetition:
min: 2
max: 2
content: One item in the array representing a pair of OID and value
- key: Challenge
title: Challenge
type: <string>
presence: optional
content: A preshared secret.
- key: Keysize
title: Key Size
type: <integer>
presence: optional
rangelist:
- 1024
- 2048
- 4096
default: 1024
content: The key size in bits, either '1024', '2048', or '4096'.
- key: Key Type
title: Key Type
type: <string>
presence: optional
default: RSA
content: The key type, which always has the value 'RSA'.
- key: Key Usage
title: Key Usage
type: <integer>
presence: optional
default: 0
content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is
encryption, and ''5'' is both signing and encryption. Some certificate authorities,
such as Windows CA, support only encryption or signing, but not both at the same
time.'
- key: CAFingerprint
title: Fingerprint
type: <data>
presence: optional
content: The fingerprint of the Certificate Authority certificate.
- key: Retries
title: Retries
type: <integer>
presence: optional
default: 3
content: The number of times the device should retry if the server sends a 'PENDING'
response.
- key: RetryDelay
title: Retry Delay
type: <integer>
presence: optional
default: 10
content: The number of seconds to wait between subsequent retries. The system makes
the first retry without this delay.
- key: SubjectAltName
title: Subject Alt Name
type: <dictionary>
presence: optional
content: The subject's alternative name for the certificate.
subkeys:
- key: rfc822Name
title: RFC 822 Name
type: <string>
presence: optional
content: The RFC 822 email address.
- key: dNSName
title: DNS Name
type: <string>
presence: optional
content: The DNS name.
- key: uniformResourceIdentifier
title: URI
type: <string>
presence: optional
content: The uniform resource identifier.
- key: ntPrincipalName
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
@@ -1,4 +1,4 @@
title: User Name and Password Credentials
title: User Name and Password Credential
description: Data describing a credential representing a user name and password.
payload:
credentialtype: com.apple.credential.usernameandpassword
@@ -9,12 +9,14 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: UserName
type: <string>
presence: required
content: The user's user name for the credential.
content: The user name for this credential.
- key: Password
type: <string>
presence: optional
content: The user's password for the credential.
content: The password for this credential.
+54
View File
@@ -0,0 +1,54 @@
title: Asset:Data
description: A reference to arbitrary data with a specific media type.
payload:
declarationtype: com.apple.asset.data
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Reference
type: <dictionary>
presence: required
content: The external reference.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
- key: Authentication
type: <dictionary>
presence: optional
content: The server authentication details.
subkeys:
- key: Type
type: <string>
presence: required
rangelist:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
@@ -1,4 +1,4 @@
title: User Identity
title: Asset:User Identity
description: User identity data.
payload:
declarationtype: com.apple.asset.useridentity
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: FullName
title: Full Name
@@ -19,4 +21,4 @@ payloadkeys:
title: Email Address
type: <string>
presence: optional
content: The user's email address.
content: The email address of the user.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CalDAV configuration defines a CalDAV calendar and reminders account
for a user.
payloadkeys:
@@ -32,7 +39,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CalDAV server (or IP address).
content: The hostname or IP address of the CalDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -46,6 +53,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A CardDAV configuration defines a CardDAV contacts account for a user.
payloadkeys:
- key: VisibleName
@@ -31,7 +38,7 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the CardDAV server (or IP address).
content: The hostname or IP address of the CardDAV server.
- key: Port
title: Server Port
type: <integer>
@@ -45,6 +52,8 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
@@ -6,20 +6,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: This payload configures an Exchange ActiveSync account on an iOS device.
payloadkeys:
- key: VisibleName
@@ -48,9 +55,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. The corresponding asset must be of type 'UserIdentity'.
- key: HostName
title: Server Host Name
type: <string>
@@ -133,10 +142,111 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with an Exchange server. The corresponding asset
must be of type CredentialUserNameAndPassword.
this account to authenticate with an Exchange server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
- key: AuthenticationIdentityAssetReference
title: Authentication Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of a credential asset declaration that contains
the identity that this account requires to authenticate with the Exchange server.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME encryption by default on or off
in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
supportedOS:
macOS:
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A Google configuration defines a Google account for a user. The user will
be prompted to enter their credentials shortly after the configuration successfully
installs.
@@ -32,8 +39,10 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: required
content: The identifier of an asset declaration that contains the user identity
for this Google account. The corresponding asset must be of type UserIdentity.
The asset must contain an 'EmailAddress' key that specifies the full Google email
for this Google account. Set the corresponding asset type to 'UserIdentity' and
ensure that it contains an 'EmailAddress' key that specifies the full Google email
address for the account.
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An LDAP configuration defines an LDAP directory account for a user.
payloadkeys:
- key: VisibleName
@@ -31,18 +38,20 @@ payloadkeys:
title: Server Host Name
type: <string>
presence: required
content: The hostname of the LDAP server (or IP address).
content: The hostname or IP address of the LDAP server.
- key: Port
title: Server Port
type: <integer>
presence: optional
content: The port number of the LDAP server (or IP address).
content: The port number or IP address of the LDAP server.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. The corresponding asset must be of type CredentialUserNameAndPassword.
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
- key: SearchSettings
title: Search Settings
type: <array>
@@ -5,20 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: '13.0'
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: An email configuration defines an email account for a user.
payloadkeys:
- key: VisibleName
@@ -30,9 +37,11 @@ payloadkeys:
- key: UserIdentityAssetReference
title: User Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type UserIdentity.
for this account. Set the corresponding asset type to 'UserIdentity'.
- key: IncomingServer
title: Incoming Server Settings
type: <dictionary>
@@ -71,9 +80,11 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
@@ -111,7 +122,98 @@ payloadkeys:
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type CredentialUserNameAndPassword.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
- key: SMIME
title: S/MIME Settings
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Settings for S/MIME.
subkeys:
- key: Signing
title: S/MIME Signing Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME signing.
subkeys:
- key: Enabled
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME signing of messages sent from this account.
- key: UserOverrideable
title: Signing User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
presence: optional
content: Settings for S/MIME encryption.
subkeys:
- key: Enabled
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.acme
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
presence: optional
content: Specifies the identifier of an asset declaration containing the identity
required for S/MIME encryption. The system attaches the public certificate
to outgoing mail to allow the user to receive encrypted mail. When the user
sends encrypted mail, the system uses the public certificate to encrypt the
copy of the mail in their Sent mailbox.
- key: UserOverrideable
title: Encryption By Default User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can set the default value for S/MIME encryption
to on or off in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
the compose view.
@@ -5,16 +5,27 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: false
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- user
macOS:
introduced: n/a
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
content: A subscribed calendar configuration defines a subscribed calendar for a
user.
payloadkeys:
@@ -28,11 +39,13 @@ payloadkeys:
title: Calendar URL
type: <string>
presence: required
content: The URL of the subscribed calendar. The URL must start with 'https://'.
content: The URL of the subscribed calendar, which needs to start with 'https://'.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with a calendar server. The corresponding asset must
be of type CredentialUserNameAndPassword.
this account to authenticate with a calendar server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
@@ -6,26 +6,37 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
@@ -5,25 +5,44 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: ProfileURL
title: Profile's URL.
type: <string>
presence: required
content: |-
The URL of the profile to download and install. This must be an 'https://' URL.
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
@@ -6,20 +6,35 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
allowed-scopes:
- system
payloadkeys:
- key: StatusItems
title: Status Items
@@ -5,26 +5,60 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: allowed
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-scopes:
- system
- user
macOS:
introduced: '13.0'
devicechannel: true
userchannel: true
userenrollment:
mode: allowed
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '16.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: Echo
title: Status Echo
type: <string>
presence: required
content: The string to echo back in a status response reason.
- key: EchoDataAssetReference
title: Status Echo from Asset
supportedOS:
iOS:
introduced: '17.0'
macOS:
introduced: '14.0'
tvOS:
introduced: '17.0'
type: <string>
assettypes:
- com.apple.asset.data
presence: optional
content: The string to read from a data asset to echo back in status response reason
description.
- key: ReturnStatus
title: Status to Return
type: <string>
@@ -5,16 +5,31 @@ payload:
supportedOS:
iOS:
introduced: '15.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
mode: forbidden
userenrollment:
mode: allowed
allowed-scopes: []
macOS:
introduced: '13.0'
userenrollment:
mode: forbidden
allowed-enrollments:
- device
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: RequirePasscode
title: Require Passcode on Device
@@ -31,18 +46,20 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, the passcode must consist of at least one alphabetic characters
("abcd"), and at least one number.
content: If 'true', the passcode needs to consist of at least one alphabetic character
and at least one number.
- key: RequireComplexPasscode
title: Require Complex Passcode
type: <boolean>
presence: optional
default: false
content: If 'true', requires a complex passcode. A complex passcode is one that
doesn't contain repeated characters or increasing/decreasing characters (such
doesn't contain repeated characters or increasing or decreasing characters (such
as 123 or CBA).
- key: MinimumLength
title: Minimum Passcode Length
@@ -60,14 +77,17 @@ payloadkeys:
introduced: '16.2'
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
range:
min: 0
max: 4
default: 1
content: Specifies the minimum number of complex characters that must be present.
Only used when RequireComplexPasscode is true.
default: 0
content: Specifies the minimum number of complex characters in the password. A complex
character is a character other than a number or a letter, such as '&', '%', '$',
and '#'.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
type: <integer>
@@ -86,11 +106,13 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <integer>
presence: optional
content: The number of minutes before the login will be reset after the maximum
number of failed attempts has been reached. The MaximumFailedAttempts key must
be set for this to take effect.
content: The number of minutes before the login is reset after the maximum number
of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take
effect.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
type: <integer>
@@ -120,9 +142,9 @@ payloadkeys:
range:
min: 0
max: 730
content: Specifies the maximum number of days for which the passcode can remain
unchanged. After this number of days, the user is forced to change the passcode
before the device is unlocked.
content: Specifies the maximum number of days that the passcode can remain unchanged.
After this number of days, the system forces the user to change the passcode before
it unlocks the device.
- key: PasscodeReuseLimit
title: Passcode Reuse Limit
type: <integer>
@@ -141,10 +163,46 @@ payloadkeys:
introduced: n/a
macOS:
introduced: '13.1'
watchOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If set to true, forces a password reset to occur the next time the user
tries to authenticate. If this key is set in a configuration in the system scope
(device channel), the setting takes effect for all users, and admin authentications
may fail until the admin user password is also reset.
content: If 'true', the system forces a password reset the next time the user tries
to authenticate. If you set this key in a configuration in the system scope (device
channel), the setting takes effect for all users, and admin authentication may
fail until the admin user password is also reset.
- key: CustomRegex
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
watchOS:
introduced: n/a
type: <dictionary>
presence: optional
content: Specifies a regular expression, and its description, to enforce password
compliance. Use the simpler passcode settings whenever possible, and rely on regular
expression matching only when necessary. Mistakes in regular expressions can lead
to frustrating user experiences, such as unsatisfiable passcode policies, or policy
descriptions that don't match the enforced policy.
subkeys:
- key: Regex
type: <string>
presence: required
content: A regular expression string to match against the password to determine
whether it complies with a policy. The regular expression uses the ICU syntax.
The string can't exceed 2048 characters in length.
- key: Description
type: <dictionary>
presence: optional
content: A dictionary with supported OS language IDs for the keys (such as 'en-US'),
and values that represent a localized description of the policy that the regular
expression enforces. Use the special 'default' key for languages that the dictionary
doesn't contain.
subkeys:
- key: ANY
type: <string>
presence: optional
content: A localized description.
@@ -0,0 +1,42 @@
title: Screen Sharing:Connection Group
description: Use this configuration to define a group of Screen Sharing connections.
payload:
declarationtype: com.apple.configuration.screensharing.connection.group
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionGroupUUID
title: Unique Identifier
type: <string>
presence: required
content: A string which uniquely identifies this connection group.
- key: GroupName
title: Group Name
type: <string>
presence: required
content: The name of the Connection Group.
- key: Members
title: Group Members
type: <array>
presence: required
content: |-
Array of ConnectionUUIDs (matching a connection declared in a
com.apple.configuration.screensharing.connection configuration) of the Connections
that should be members of this group.
subkeys:
- key: ConnectionUUID
type: <string>
@@ -0,0 +1,66 @@
title: Screen Sharing:Connection
description: Use this configuration to define a connection to a Screen Sharing host.
payload:
declarationtype: com.apple.configuration.screensharing.connection
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ConnectionUUID
title: Unique Identifier
type: <string>
presence: required
content: A unique identifier for this connection when it's in a connection group.
- key: DisplayName
title: The name of the connection.
type: <string>
presence: required
content: The name of the connection.
- key: HostName
title: Host Name
type: <string>
presence: required
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
- key: Port
title: TCP Port
type: <integer>
presence: optional
content: Specifies the TCP port number on the host to initiate the connection.
- key: DisplayConfiguration
title: Display Configuration
type: <dictionary>
presence: required
content: The display configuration for this connection.
subkeys:
- key: DisplayType
type: <string>
presence: required
rangelist:
- Virtual1
- Virtual2
content: |-
The type of display for the connection, which has these allowed values:
* 'Virtual1': Create one virtual display.
* 'Virtual2': Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: optional
content: Specifies the identifier of an asset declaration that contains the required
credentials for this connection to authenticate with the screen-sharing server.
Set the corresponding asset type to 'com.apple.asset.credential.userpassword'.
@@ -0,0 +1,58 @@
title: Screen Sharing:Host Settings
description: Use this configuration to define Screen Sharing host settings and restrictions.
payload:
declarationtype: com.apple.configuration.screensharing.host.settings
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: MaximumVirtualDisplays
title: Maximum number of Virtual Displays
type: <integer>
presence: optional
range:
min: 0
max: 2
content: Sets the maximum number of Virtual Displays to make available to clients.
- key: PortBase
title: UDP Port base
type: <integer>
presence: optional
range:
min: 1024
max: 65535
content: |-
Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections
so additional connections will increment this base port number by 1 for each needed connection. This does not
change the port number used to initially establish a connection with a host, which is always TCP port 5900.
- key: PreventCopyFilesFromHost
title: Prevent copying files from host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files from the Screen Sharing
host.
- key: PreventCopyFilesToHost
title: Prevent copying files to host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files to the Screen Sharing host.
- key: PreventHighPerformanceConnections
title: Prevent High Performance connections
type: <boolean>
presence: optional
default: false
content: Set to true to prevent clients from establishing High Performance connections
to the host.
@@ -0,0 +1,49 @@
title: Security:Certificate
description: Use this configuration to add a certificate to the device.
payload:
declarationtype: com.apple.configuration.security.certificate
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration that contains the certificate
to install.
@@ -0,0 +1,73 @@
title: Security:Identity
description: Use this configuration to install an identity on the device.
payload:
declarationtype: com.apple.configuration.security.identity
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '14.0'
allowed-enrollments:
- device
- user
- local
allowed-scopes:
- system
- user
tvOS:
introduced: '17.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
watchOS:
introduced: '10.0'
allowed-enrollments:
- device
- local
allowed-scopes:
- system
payloadkeys:
- key: CredentialAssetReference
title: Credential asset reference
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install.
- key: AllowAllAppsAccess
title: Allow all apps access
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: If 'true', apps can access the private key.
- key: KeyIsExtractable
title: Key is extractable
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key is extractable in the keychain.
@@ -0,0 +1,54 @@
title: Security:Passkey:Attestation
description: Configures the device to allow WebAuthn enterprise attestation for certain
passkeys.
payload:
declarationtype: com.apple.configuration.security.passkey.attestation
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- user
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: AttestationIdentityAssetReference
title: Attestation identity asset reference.
type: <string>
assettypes:
- com.apple.asset.credential.identity
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration that contains the identity
to install and use for passkey attestation.
- key: AttestationIdentityKeyIsExtractable
title: Attestation identity key is extractable
supportedOS:
iOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', the private key for the attestation identity is extractable
in the keychain.
- key: RelyingParties
title: Relying parties
type: <array>
presence: required
content: Relying parties to allow enterprise attestation.
subkeys:
- key: RelyingParty
title: Relying party
type: <string>
@@ -0,0 +1,45 @@
title: Services Configuration Files
description: Specifies managed configuration files for services
payload:
declarationtype: com.apple.configuration.services.configuration-files
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: ServiceType
title: Service Type
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services.
The available built-in services are:
* 'com.apple.sshd' configures sshd
* 'com.apple.sudo' configures sudo
* 'com.apple.pam' configures PAM
* 'com.apple.cups' configures CUPS
* 'com.apple.apache.httpd' configures Apache httpd
* 'com.apple.bash' configures bash
* 'com.apple.zsh' configures zsh
- key: DataAssetReference
title: Data Asset Reference
type: <string>
assettypes:
- com.apple.asset.data
presence: required
content: |-
Specifies the identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
* Is of type 'com.apple.asset.data'
* Is a zip archive of an entire directory
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.
@@ -0,0 +1,55 @@
title: Software Update:Enforcement:Specific
description: A software update enforcement policy for a specific OS release
payload:
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: '14.0'
allowed-enrollments:
- device
allowed-scopes:
- system
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: TargetOSVersion
title: Target OS Version
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, '16.1'. It may also include a supplemental
version identifier, for example, '16.1.1'.
- key: TargetBuildVersion
title: Target Build Version
type: <string>
presence: optional
content: The target build version to update the device to by the appropriate time,
for example, '20A242'. The system uses the build version for testing during seeding
periods. The build version can include a supplemental version identifier, for
example, '20A242a'. If the build version isn't consistent with the target OS version
specified in the 'TargetOSVersion' key, the target OS version takes precedence.
- key: TargetLocalDateTime
title: Target Local Date Time
type: <string>
presence: required
content: The local date time value that specifies when to force install the software
update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but
doesn't include a time zone offset. If the user doesn't trigger the software update
before this time, the device force installs it.
- key: DetailsURL
title: Details URL
type: <string>
presence: optional
content: The URL of a web page that shows details that the organization provides
about the enforced update.
@@ -0,0 +1,43 @@
title: Watch:Enrollment
description: Specifies an MDMv1 Apple Watch enrollment profile
payload:
declarationtype: com.apple.configuration.watch.enrollment
supportedOS:
iOS:
introduced: '17.0'
allowed-enrollments:
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes: []
macOS:
introduced: n/a
tvOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: EnrollmentProfileURL
title: Watch Enrollment Profile's URL.
type: <string>
presence: required
content: The URL of the profile that the Apple Watch downloads and installs if the
user opts in to management during the pairing process, which needs to start with
'https://'. Successful enrollment requires that the pairing iPhone is supervised
and the profile contains an MDM payload. Apple Watch attempts to install each
payload that the profile contains.
- key: AnchorCertificateAssetReferences
title: Anchor Certificate Asset References.
type: <array>
assettypes:
- com.apple.asset.credential.certificate
presence: optional
content: Specifies an array of identifiers of asset declarations that contain anchor
certificates to use to evaluate the trust of the enrollment profile server. Set
the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>
content: Specifies the identifier of an asset declaration containing the anchor
certificate to be used.
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Type
type: <string>
@@ -27,3 +29,212 @@ payloadkeys:
type: <dictionary>
presence: required
content: The payload describing this declaration.
reasons:
- value: Error.ActivationFailed
description: A configuration or asset cannot be activated due to an activation that
failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.AssetCannotBeDeserialized
description: The asset data does not conform to the expected data type.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeDownloaded
description: The asset data cannot be downloaded.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.AssetCannotBeVerified
description: The downloaded asset data cannot be verified.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeApplied
description: The configuration cannot be applied to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationCannotBeDeserialized
description: The configuration is not valid.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationFailed
description: An asset cannot be activated due to a configuration that failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.ConfigurationIsInvalid
description: The configuration is not valid for applying to the device.
details:
- key: Error
type: <string>
description: Description of the underlying NSError.
- value: Error.ConfigurationNotSupported
description: The configuration is not supported for this platform, scope, or enrollment
type.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Error.InvalidPayload
description: A declaration is not fully loaded.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.MissingAssets
description: A configuration being activated references assets that are not present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- key: AssetIdentifiers
type: <array>
description: Array of strings containing each missing asset `Identifier` value.
- value: Error.MissingConfigurations
description: An activation being activated references configurations that are not
present.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation.
- key: ConfigurationIdentifiers
type: <array>
description: Array of strings containing each missing configuration `Identifier`
value.
- value: Error.MissingState
description: A declaration is missing internal state information.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the declaration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the declaration.
- value: Error.PredicateFailed
description: A predicate evaluation failed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed.
- key: Domain
type: <string>
description: Underlying NSError's domain.
- key: Code
type: <string>
description: Underlying NSError's code.
- value: Error.UnableToEvaluatePredicate
description: A predicate cannot be evaluated.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to evaluate.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to evaluate.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to evaluate.
- value: Error.UnableToParsePredicate
description: A predicate expression cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.UnableToParsePredicateWithCustomOperator
description: A predicate expression with a custom operator cannot be parsed.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate failed to parse.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate failed to parse.
- key: Predicate
type: <string>
description: The predicate description of the predicate that failed to parse.
- value: Error.Unknown
description: An unrecognized NSError was generated.
details:
- key: Domain
type: <string>
description: NSError's domain.
- key: Code
type: <string>
description: NSError's code.
- value: Error.UnknownPayloadKeys
description: A declaration contains unknown payloads keys.
details:
- key: UnknownPayloadKeys
type: <array>
description: Array of strings containing each unknown key-path.
- value: Info.NotReferencedByActivation
description: A configuration is not referenced in any activation.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the configuration.
- key: ServerToken
type: <string>
description: The `ServerToken` of the configuration.
- value: Info.NotReferencedByConfiguration
description: An asset is not referenced in any configuration.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the asset.
- key: ServerToken
type: <string>
description: The `ServerToken` of the asset.
- value: Info.Predicate
description: A predicate evaluated to false.
details:
- key: Identifier
type: <string>
description: The `Identifier` of the activation whose predicate is false.
- key: ServerToken
type: <string>
description: The `ServerToken` of the activation whose predicate is false.
- key: Predicate
type: <string>
description: The predicate description of the predicate that is false.
@@ -10,6 +10,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Name
title: Organization Name
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: ANY
title: Property
@@ -9,6 +9,8 @@ payload:
introduced: '13.0'
tvOS:
introduced: '16.0'
watchOS:
introduced: '10.0'
payloadkeys:
- key: Version
title: Protocol Version