From 7d4ba1a2bde50a4053fa5a5e0ed6c17388d82ab2 Mon Sep 17 00:00:00 2001 From: Cyrus Daboo Date: Wed, 2 Apr 2025 20:05:30 -0400 Subject: [PATCH] Release_iOS-18-4_macOS-15-4 --- README.md | 10 +- .../configurations/account.exchange.yaml | 4 +- .../configurations/app.managed.yaml | 196 ++++++++++++- .../softwareupdate.enforcement.specific.yaml | 7 +- .../softwareupdate.settings.yaml | 36 ++- declarative/status/app.managed.list.yaml | 90 ++++-- .../status/device.power.battery-health.yaml | 2 +- .../status/softwareupdate.device-id.yaml | 7 +- .../status/softwareupdate.failure-reason.yaml | 7 +- .../status/softwareupdate.install-reason.yaml | 7 +- .../status/softwareupdate.install-state.yaml | 7 +- .../softwareupdate.pending-version.yaml | 7 +- docs/errata.md | 13 + docs/schema.md | 2 +- mdm/commands/application.install.yaml | 2 - mdm/commands/application.managed.list.yaml | 9 +- mdm/commands/information.device.yaml | 7 +- mdm/commands/settings.yaml | 20 +- mdm/profiles/com.apple.DiscRecording.yaml | 2 +- mdm/profiles/com.apple.MCX.FileVault2.yaml | 2 +- mdm/profiles/com.apple.applicationaccess.yaml | 270 ++++++++++++++++-- mdm/profiles/com.apple.cellular.yaml | 5 - ...e.configurationprofile.identification.yaml | 1 + .../com.apple.dnsSettings.managed.yaml | 1 - mdm/profiles/com.apple.eas.account.yaml | 4 +- .../com.apple.extensiblesso(kerberos).yaml | 3 +- mdm/profiles/com.apple.extensiblesso.yaml | 9 + mdm/profiles/com.apple.relay.managed.yaml | 44 +++ mdm/profiles/com.apple.security.acme.yaml | 5 +- mdm/profiles/com.apple.security.scep.yaml | 8 +- .../com.apple.security.smartcard.yaml | 1 - mdm/profiles/com.apple.vpn.managed.yaml | 20 +- mdm/profiles/com.apple.xsan.yaml | 14 +- other/esso.yaml | 25 +- other/skipkeys.yaml | 20 +- 35 files changed, 755 insertions(+), 112 deletions(-) diff --git a/README.md b/README.md index aba6b5f..448adfb 100644 --- a/README.md +++ b/README.md 
@@ -8,11 +8,11 @@ This release corresponds to the following OS versions | OS | Version | |----------|---------| -| iOS | 18.3 | -| macOS | 15.3 | -| tvOS | 18.3 | -| visionOS | 2.3 | -| watchOS | 11.3 | +| iOS | 18.4 | +| macOS | 15.4 | +| tvOS | 18.4 | +| visionOS | 2.4 | +| watchOS | 11.4 | ## Important Release Notes diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 8cfa194..88b3089 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -75,9 +75,7 @@ payloadkeys: title: Server Host Name type: presence: optional - content: The hostname of the EWS server (or IP address). This is a required field - on iOS and visionOS, unless the declaration contains an 'OAuth' property, with - 'Enabled' set to 'true' and without a 'SignInURL'. + content: Specifies the Exchange server host name (or IP address). - key: Port title: Server Port supportedOS: diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml index 4d517ae..a06d016 100644 --- a/declarative/declarations/configurations/app.managed.yaml +++ b/declarative/declarations/configurations/app.managed.yaml @@ -19,11 +19,16 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system watchOS: introduced: n/a apply: multiple - beta: true payloadkeys: - key: AppStoreID title: App Store ID @@ -90,6 +95,8 @@ payloadkeys: removed: '18.0' macOS: removed: '15.0' + visionOS: + introduced: n/a type: presence: optional rangelist: 
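Review bot: The rewritten HostName description drops the only statement of when the key is actually required — the removed text said it is mandatory on iOS and visionOS unless 'OAuth' is enabled without a 'SignInURL' — while `presence: optional` is unchanged, so a reader can no longer recover that conditional requirement from the schema. If the condition still holds, keep it: `content: Specifies the Exchange server host name (or IP address). Required on iOS and visionOS unless the declaration contains an 'OAuth' property with 'Enabled' set to 'true' and no 'SignInURL'.`; if it no longer holds, that is a behavior change and belongs in docs/errata.md next to the other 18.4 corrections.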
@@ -136,6 +143,9 @@ payloadkeys: content: If 'true', the system enables direct downloads for the 'AssociatedDomains'. - key: CellularSliceUUID title: Cellular Slice UUID + supportedOS: + visionOS: + introduced: n/a type: presence: optional content: The cellular slice identifier, which can be the data network name (DNN) @@ -152,6 +162,31 @@ payloadkeys: type: presence: optional content: The UUID of the DNS proxy to associate with the app. + - key: Hideable + title: Hideable + supportedOS: + iOS: + introduced: '18.1' + visionOS: + introduced: n/a + type: + presence: optional + default: true + content: If `false`, the user cannot hide the app. It does not affect the user's + ability to leave it in the App Library, while removing it from the home screen. + - key: Lockable + title: Lockable + supportedOS: + iOS: + introduced: '18.1' + visionOS: + introduced: n/a + type: + presence: optional + default: true + content: If `false`, the user cannot lock or hide the app. Because hiding an app + also requires locking it, disallowing the user from locking the app will also + prevent the user from hiding it. - key: RelayUUID title: Relay UUID type: @@ -159,6 +194,9 @@ payloadkeys: content: The UUID of the relay to associate with the app. - key: TapToPayScreenLock title: Tap to Pay Screen Lock + supportedOS: + visionOS: + introduced: n/a type: presence: optional default: false 
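Review bot: The new Hideable and Lockable descriptions quote literal values with backticks (`If `false`, the user cannot hide the app.`) whereas the rest of this file uses single quotes (`If 'true', the system enables direct downloads …` in the hunk just above); schema renderers may treat the two differently, so use `If 'false', the user cannot hide the app.` and `If 'false', the user cannot lock or hide the app.` for consistency. Hideable's text only covers the App Library case; since Lockable states that hiding requires locking, a `Lockable: false` also overrides `Hideable: true`, and that cross-dependency should be stated on Hideable as well so an admin reading one key is not surprised by the other.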
@@ -169,6 +207,160 @@ payloadkeys: type: presence: optional content: The UUID of the VPN to associate with the app. +- key: AppConfig + title: App Config + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + type: + presence: optional + content: A dictionary of app config data and credentials. + subkeytype: AppConfigDictionary + subkeys: &id001 + - key: DataAssetReference + title: App/Extension Config Data Asset Reference + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/plist + - application/x-plist + - application/xml + - text/xml + presence: optional + content: Specifies the identifier of an asset declaration containing a reference + to the app/extension config data. The corresponding asset must be of type "com.apple.asset.data". + The referenced data must be a property list file, and the asset's "ContentType" + value should be set to match the data type. + - key: Passwords + title: Password App/Extension Configs. + type: + presence: optional + content: Provides passwords to the managed app/extension. Each element in the + array contains a password asset reference and an associated identifier, which + the app/extension may use to look up the password. + subkeytype: CredentialConfig + subkeys: + - key: PasswordAppConfigItem + type: + presence: required + subkeys: + - key: Identifier + title: Password Identifier + type: + presence: required + content: The app/extension uses this identifier to fetch the corresponding + password using the ManagedApp framework. App developers will define what + values can be used for these identifiers. + - key: AssetReference + title: Asset Reference + type: + assettypes: + - com.apple.asset.credential.userpassword + presence: required + content: Specifies the identifier of an asset declaration containing a user + name and password. The password is made available to the managed app/extension. + The user name is ignored. + - key: Identities + title: Identity App/Extension Configs. 
+ type: + presence: optional + content: Provides identities to the managed app/extension. Each element in the + array contains an identity asset reference and an associated identifier, which + the app/extension may use to look up the identity. + subkeytype: CredentialConfig + subkeys: + - key: IdentityAppConfigItem + type: + presence: required + subkeys: + - key: Identifier + title: Identity Identifier + type: + presence: required + content: The app/extension uses this identifier to fetch the corresponding + identity using the ManagedApp framework. App developers will define what + values can be used for these identifiers. + - key: AssetReference + title: Asset Reference + type: + assettypes: + - com.apple.asset.credential.identity + - com.apple.asset.credential.scep + - com.apple.asset.credential.acme + presence: required + content: Specifies the identifier of an asset declaration containing an identity + that is made available to the managed app/extension. + - key: Certificates + title: Certificate App/Extension Configs. + type: + presence: optional + content: Provides certificates to the managed app/extension. Each element in the + array contains a certificate asset reference and an associated identifier, which + the app/extension may use to look up the certificate. + subkeytype: CredentialConfig + subkeys: + - key: CertificateAppConfigItem + type: + presence: required + subkeys: + - key: Identifier + title: Certificate Identifier + type: + presence: required + content: The app/extension uses this identifier to fetch the corresponding + certificate using the ManagedApp framework. App developers will define what + values can be used for these identifiers. + - key: AssetReference + title: Asset Reference + type: + assettypes: + - com.apple.asset.credential.certificate + presence: required + content: Specifies the identifier of an asset declaration containing a certificate + that is made available to the managed app/extension. 
+- key: ExtensionConfigs + title: Extension Configs + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + type: + presence: optional + content: A dictionary of extension config data and credentials. + subkeys: + - key: ANY + title: Extension Composed Identifier + type: + presence: optional + content: A dictionary mapping extension composed identifiers to the extension + config data and credentials. The expected format is "Identifier (TeamIdentifier)". + subkeytype: AppConfigDictionary + subkeys: *id001 +- key: LegacyAppConfigAssetReference + title: App Config MDMv1 Asset Reference + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/plist + - application/x-plist + - application/xml + - text/xml + presence: optional + content: Specifies the identifier of an asset declaration containing a reference + to the app config data. This app config data is applied and made available to + the app using the traditional MDMv1 behavior. The corresponding asset must be + of type "com.apple.asset.data". The referenced data must be a property list file, + and the asset's "ContentType" value should be set to match the data type. related-status-items: - status-items: - app.managed.list diff --git a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml index a42a307..863f84b 100644 --- a/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml +++ b/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: 
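Review bot: The Passwords, Identities and Certificates arrays are documented purely as lookups by Identifier, but nothing says what happens when two items in one array reuse an Identifier, or when an ExtensionConfigs key does not match the documented `Identifier (TeamIdentifier)` form or names an extension the app bundle does not contain — whether the declaration is rejected or the entry is silently ignored matters for anyone provisioning credentials through this path, and the companion config-state status only reports 'valid'/'invalid' as a whole. Because DataAssetReference and LegacyAppConfigAssetReference carry a plain property list while the credential arrays go through asset declarations, a one-line caveat that the credential arrays are the intended channel for secrets (rather than embedding them in the plist data) would help, if that is the design — confirm before wording it. The `&id001`/`*id001` anchor looks dump-generated; a descriptive name such as `&app_config_subkeys` makes the reuse between AppConfig and ExtensionConfigs obvious to readers.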
diff --git a/declarative/declarations/configurations/softwareupdate.settings.yaml b/declarative/declarations/configurations/softwareupdate.settings.yaml index 32fdbfa..fe23abc 100644 --- a/declarative/declarations/configurations/softwareupdate.settings.yaml +++ b/declarative/declarations/configurations/softwareupdate.settings.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: @@ -42,6 +47,9 @@ payloadkeys: iOS: allowed-enrollments: - supervised + tvOS: + allowed-enrollments: + - supervised type: presence: optional content: This object configures the deferral of software updates. Rapid Security @@ -66,6 +74,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional range: @@ -80,6 +90,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional range: @@ -95,6 +107,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional range: @@ -109,6 +123,8 @@ payloadkeys: supportedOS: macOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional rangelist: @@ -127,12 +143,18 @@ payloadkeys: iOS: allowed-enrollments: - supervised + tvOS: + allowed-enrollments: + - supervised type: presence: optional content: This object configures various automatic Software Update functionality. subkeys: - key: Download title: Automatic downloads of available updates. + supportedOS: + tvOS: + introduced: n/a type: presence: optional rangelist: @@ -166,6 +188,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional rangelist: @@ -185,6 +209,8 @@ payloadkeys: iOS: allowed-enrollments: - supervised + tvOS: + introduced: n/a type: presence: optional content: These configurations set user access to interacting with Rapid Security 
@@ -213,6 +239,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + tvOS: + introduced: n/a type: presence: optional default: true @@ -223,6 +251,12 @@ payloadkeys: - key: Beta supportedOS: macOS: + introduced: '15.4' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: introduced: n/a type: presence: optional diff --git a/declarative/status/app.managed.list.yaml b/declarative/status/app.managed.list.yaml index b421e19..a429406 100644 --- a/declarative/status/app.managed.list.yaml +++ b/declarative/status/app.managed.list.yaml @@ -19,10 +19,15 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + allowed-enrollments: + - supervised + - device + - user + allowed-scopes: + - system watchOS: introduced: n/a - beta: true payloadkeys: - key: app.managed.list title: Status item value. 
@@ -121,8 +126,57 @@ payloadkeys: * 'prompting-for-update-login': The system is displaying an App Store sign-in prompt to the user to allow app installation. * 'updating': The app is updating. * 'failed': The app update failed. - This key is only present if 'state' is 'managed' and an update is available. + - key: config-state + title: Managed application configuration status + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + type: + presence: optional + content: The status of app or extension managed configurations. This key is + only present when managed configurations are available for the managed app + or any of its extensions. + subkeytype: ManagedConfiguration + subkeys: + - key: app-config-state + title: Application managed configuration status + type: + presence: optional + content: The status of any app managed configuration. This key is only present + when the managed app has a managed configuration. + subkeytype: ManagedConfigurationState + subkeys: &id001 + - key: state + title: Managed configuration status + type: + presence: required + rangelist: + - unknown + - invalid + - valid + content: |- + The managed configuration status. + * 'unknown' - the managed configuration has not been read + * 'invalid' - the managed configuration was read and deemed to be invalid + * 'valid' - the managed configuration was read and deemed to be valid + - key: extension-config-state + title: Extensions managed configuration status + type: + presence: optional + content: The status of any app extension managed configuration. This key's + value is a dictionary whose keys are the bundle identifiers of app extensions + that have a managed configuration. The values of each key represent the + status of the corresponding app extension's managed configuration. + subkeys: + - key: ANY + type: + presence: optional + content: The bundle identifier of the managed app extension. 
+ subkeytype: ManagedConfigurationState + subkeys: *id001 - key: reasons title: Status Reasons type: 
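Review bot: extension-config-state documents its ANY keys as 'the bundle identifiers of app extensions', but the corresponding ExtensionConfigs keys in app.managed.yaml are documented as composed identifiers of the form `Identifier (TeamIdentifier)`; if the status dictionary is keyed differently from the configuration dictionary, a server cannot correlate an 'invalid' state back to the entry it sent, so the two descriptions should either agree or state explicitly which form each side uses. The 'invalid' state also carries no detail about what was rejected (the plist data or one of the credential references); if the device reports nothing more, say so in the content, otherwise a reasons-style detail would be the practical addition. The enclosing app.managed.list payload keys continue outside this hunk.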
@@ -158,34 +212,36 @@ payloadkeys: presence: optional content: Additional keys may be present. reasons: -- value: Error.UnmanagedAppAlreadyInstalled - description: An unmanaged app is already installed and cannot be managed. -- value: Error.DuplicateConfiguredApp - description: The app is already being managed. -- value: Error.UserRejected - description: The user rejected management of the app. - value: Error.AppStoreDisabled description: The App Store is disabled. -- value: Error.LicenseNotFound - description: A license for the app was not available. -- value: Error.InvalidAppID - description: The app id could not be found. -- value: Error.NotAnApp - description: The downloaded data is not a valid app. -- value: Error.NotSupported - description: The app is not supported on this device. - value: Error.DownloadFailed description: The app download failed. details: - key: Timestamp type: description: The RFC 3339 timestamp of the last download failure. +- value: Error.DuplicateConfiguredApp + description: The app is already being managed. - value: Error.InstallFailed description: The app install failed. details: - key: Timestamp type: description: The RFC 3339 timestamp of the last install failure. +- value: Error.InvalidAppID + description: The app id could not be found. +- value: Error.IsSystemApp + description: The app is a system app that cannot be managed. +- value: Error.LicenseNotFound + description: A license for the app was not available. +- value: Error.NotAnApp + description: The downloaded data is not a valid app. +- value: Error.NotSupported + description: The app is not supported on this device. +- value: Error.UnmanagedAppAlreadyInstalled + description: An unmanaged app is already installed and cannot be managed. +- value: Error.UserRejected + description: The user rejected management of the app. - value: Info.UpdateAvailable description: An update is available for the app. - value: Error.UpdateFailed 
diff --git a/declarative/status/device.power.battery-health.yaml b/declarative/status/device.power.battery-health.yaml index 55df950..1d9d45c 100644 --- a/declarative/status/device.power.battery-health.yaml +++ b/declarative/status/device.power.battery-health.yaml @@ -47,4 +47,4 @@ payloadkeys: * 'unknown': The system couldn't determine battery health information. * 'unsupported': The device doesn't support battery health reporting. - Available in iOS 17 and later on iPhone only, and macOS 14.4 and later on Apple silicon Mac computers. iPad and Intel-based Macs return 'unsupported'. + Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on Apple silicon Mac computers. diff --git a/declarative/status/softwareupdate.device-id.yaml b/declarative/status/softwareupdate.device-id.yaml index d7aa7af..0ea1be4 100644 --- a/declarative/status/softwareupdate.device-id.yaml +++ b/declarative/status/softwareupdate.device-id.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: diff --git a/declarative/status/softwareupdate.failure-reason.yaml b/declarative/status/softwareupdate.failure-reason.yaml index 2bd3753..f6aac8f 100644 --- a/declarative/status/softwareupdate.failure-reason.yaml +++ b/declarative/status/softwareupdate.failure-reason.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: diff --git a/declarative/status/softwareupdate.install-reason.yaml b/declarative/status/softwareupdate.install-reason.yaml index 6753f15..b660627 100644 --- a/declarative/status/softwareupdate.install-reason.yaml +++ b/declarative/status/softwareupdate.install-reason.yaml 
@@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: diff --git a/declarative/status/softwareupdate.install-state.yaml b/declarative/status/softwareupdate.install-state.yaml index 983e55b..90a1a1f 100644 --- a/declarative/status/softwareupdate.install-state.yaml +++ b/declarative/status/softwareupdate.install-state.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: diff --git a/declarative/status/softwareupdate.pending-version.yaml b/declarative/status/softwareupdate.pending-version.yaml index 6d05b53..89b1d7e 100644 --- a/declarative/status/softwareupdate.pending-version.yaml +++ b/declarative/status/softwareupdate.pending-version.yaml @@ -20,7 +20,12 @@ payload: allowed-scopes: - system tvOS: - introduced: n/a + introduced: '18.4' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system visionOS: introduced: n/a watchOS: diff --git a/docs/errata.md b/docs/errata.md index 4581266..9c25d79 100644 --- a/docs/errata.md +++ b/docs/errata.md @@ -2,6 +2,19 @@ This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem. + +## iOS 18.4 / macOS 15.4 + +Added AuthName, AuthPassword and RemoteAddress keys to VPN subkey that were previously missing + +Removed Password key from VPN subkey that was incorrectly added + +## iOS 18.4 + +Adjusted supportedOS information for Shared iPad for a number of restrictions + +Hideable and Lockable attributes in the app.managed configuration were missing - originally added in 18.1. + ## macOS 15.2 Added missing supervised key to macOS across profiles and commands 
diff --git a/docs/schema.md b/docs/schema.md index 6b9edc1..4fe1f5d 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -267,6 +267,6 @@ The `subkeys` sequence in a `` container defines the type of items in the * if the single item's type is a scalar type, then the array is a list of items with elements matching the scalar type (e.g. an array of `` values). In some cases the scalar type may have a `subkeys` key, and each element of that sequence defines a possible value for the scalar type in the array. -* if the single item's type is ``, then the array is a list of dictionary items, with each dictionary conforming to the schema defined by the `subkeys` item of the single item (e.g., an array of `` values). Note that the single item `` is only a place holder for the keys used in the `` array items, and as such does not itself appear as the an array item. +* if the single item's type is ``, then the array is a list of dictionary items, with each dictionary conforming to the schema defined by the `subkeys` item of the single item (e.g., an array of `` values). Note that the single item `` is only a place holder for the keys used in the `` array items, and as such does not itself appear as an array item. * if the single item's type is ``, then the array is a list of array items, with each array item conforming to the schema defined for an `` container as described in this section. diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index bbec1ad..46b543d 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml @@ -105,11 +105,9 @@ payloadkeys: - 5 content: |- A bitwise OR of the management flags. The possible values are: - * '1': If 'InstallAsManaged' is 'true', remove the app upon removal of the MDM profile. * '4': Prevent backup of app data. * '5': Both '1' and '4'. - Available in iOS 5 and later, macOS 11 and later, and tvOS 10.2 and later. - key: Configuration supportedOS: 
diff --git a/mdm/commands/application.managed.list.yaml b/mdm/commands/application.managed.list.yaml index b9a72d0..5c2119b 100644 --- a/mdm/commands/application.managed.list.yaml +++ b/mdm/commands/application.managed.list.yaml @@ -52,9 +52,12 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: |- - The bundle identifiers of the managed apps to include in the response. - For a watchOS app, the identifier needs to be the watch's bundle identifier, which differs from the main bundle identifier for the iPhone to which the watch is paired. Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' key that's part of the Content Metadata query. For more information on this query, see Getting App and Book Information (Legacy). + content: The bundle identifiers of the managed apps to include in the response. + For a watchOS app, the identifier needs to be the watch's bundle identifier, which + differs from the main bundle identifier for the iPhone to which the watch is paired. + Obtain the watch's bundle identifier for an app with a watch bundle, in the 'watchBundleId' + key that's part of the Content Metadata query. For more information on this query, + see Getting App and Book Information (Legacy). subkeys: - key: IdentifiersItem type: diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index b2e260f..38ef616 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml @@ -2085,12 +2085,10 @@ responsekeys: - 3 content: |- The cellular technology type, which is one of the following values: - * '0': None * '1': GSM * '2': CDMA * '3': GSM and CDMA - Requires the Device Information access right. Available in iOS 4.2.6 and later. - key: BatteryLevel supportedOS: 
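Review bot: Switching the Identifiers content from a `|-` literal scalar to a plain multi-line scalar folds the line break between 'The bundle identifiers of the managed apps to include in the response.' and 'For a watchOS app, …' into a space, so the watchOS caveat that previously rendered as its own paragraph is now run into the first sentence. If a single paragraph is intended (matching other keys) this is fine; otherwise keep `content: |-` with the two lines, or use `>-` with a blank line between them, which folds the wrapping but preserves the paragraph break.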
@@ -2315,9 +2313,8 @@ responsekeys: removed: '15.0' type: presence: optional - content: The result code of last software update scan; '”0”' = success. This - value is available in macOS 10.11 and later. This key was removed in macOS - 15 as it has been unsupported since macOS 11. + content: The result code of last software update scan; '0' = success. This value + is available in macOS 10.11 and no longer available in macOS 15 and later. - key: PerformPeriodicCheck type: content: If 'true', start a new scan. This value is available in macOS 10.11 diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 0816e5d..1d81ab7 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -92,11 +92,9 @@ payloadkeys: - 3 content: |- A number that indicates where to use the wallpaper, which is one of the following values: - * '1': Lock screen * '2': Home screen * '3': Both lock and home screens. - In iOS 16 and later, and iPadOS 17 and later, when you set the wallpaper for the first time, the system sets both the lock screen and home screen. After that, you can separately set each location. - key: DataRoaming supportedOS: @@ -723,6 +721,24 @@ payloadkeys: here overrides the value specified in MDM, and only applies when 'BootstrapTokenAllowedForAuthentication' is 'true' in the SecurityInfoResponse.SecurityInfo response. This value is available for Apple silicon in macOS 11 and later. + - key: IdleRebootAllowed + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: false + content: If true, device will automatically reboot while locked after several + days of inactivity. This will be turned off by default upon enrollment on + supervised devices. - key: MaximumResidentUsers supportedOS: iOS: 
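Review bot: IdleRebootAllowed's description is ambiguous about the effective default: the schema says `default: false`, yet the text says it 'will be turned off by default upon enrollment on supervised devices', leaving unstated what an unsupervised device does when the key is absent and whether sending `false` later is a no-op or actively turns the feature off. From the description ('automatically reboot while locked after several days of inactivity') this appears to be a security control rather than a convenience setting; if so, the content should say what protection is lost while it stays off so an admin does not leave the supervised-enrollment default in place unknowingly — confirm the platform behavior before wording it. Also quote the literal as `If 'true', the device automatically reboots …` to match the convention in the neighbouring hunks (`If 'true', start a new scan.`).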
diff --git a/mdm/profiles/com.apple.DiscRecording.yaml b/mdm/profiles/com.apple.DiscRecording.yaml index f70e74b..81ff638 100644 --- a/mdm/profiles/com.apple.DiscRecording.yaml +++ b/mdm/profiles/com.apple.DiscRecording.yaml @@ -34,5 +34,5 @@ payloadkeys: Configure disc-burn. Allowed values: * 'off': The system disables disc burning. - * 'on': The system allows normal default operation. Setting this key to 'on' doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the Finder profile + * 'on': The system allows normal default operation. Setting this key to 'on' doesn't enable disc burn support if other mechanisms or preferences disabled it. Needs to be enabled with the Finder profile. * 'authenticate': The system requires authentication. diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml index e7503ff..2b9259e 100644 --- a/mdm/profiles/com.apple.MCX.FileVault2.yaml +++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml @@ -100,7 +100,7 @@ payloadkeys: content: The maximum number of times users can bypass enabling FileVault before the system requires the user to enable it to log in. If the value is '0', the system requires the user to enable FileVault the next time they attempt to log - in. Set this key to '–1' to disable this feature. + in. Set this key to '-1' to disable this feature. - key: DeferDontAskAtUserLogout supportedOS: macOS: diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index c7588f2..1d95fb4 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml 
@@ -299,10 +299,37 @@ payloadkeys: content: |- If 'false', the system disables the App Store, and the system removes its icon from the Home screen. Users are unable to install or update their apps. This applies to App Store apps, marketplace apps, and locally installed apps (using Configurator, Xcode, etc). In iOS 10 and later, MDM commands can override this restriction. Available in iOS 4 and later, and watchOS 10 and later. Requires a supervised device in iOS 13 and later, and watchOS. +- key: allowAppleIntelligenceReport + title: Allow Apple Intelligence Report + supportedOS: + iOS: + introduced: '18.4' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.4' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', the system disables Apple Intelligence reports. Available in + iOS 18.4 and later, and macOS 15.4 and later. - key: allowApplePersonalizedAdvertising supportedOS: iOS: introduced: '14.0' + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: @@ -350,6 +377,8 @@ payloadkeys: iOS: introduced: '18.0' supervised: true + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: @@ -372,6 +401,8 @@ payloadkeys: iOS: introduced: '18.0' supervised: true + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: @@ -554,6 +585,8 @@ payloadkeys: supportedOS: iOS: introduced: '14.5' + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: 
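Review bot: allowAppleIntelligenceReport sets `supervised: true` for iOS but its content only says 'If 'false', the system disables Apple Intelligence reports', whereas the neighbouring allowAppStore text in the same hunk spells out 'Requires a supervised device in iOS 13 and later'; readers of the rendered description do not see the supportedOS table, so add `Requires a supervised device on iOS.` to the content (macOS has no supervised flag here, so presumably it applies to any non-user enrollment there — confirm). A sentence on what an 'Apple Intelligence report' contains would also let an admin judge whether disabling it is a privacy gain or a loss of transparency for the user; right now the key name is the only hint.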
@@ -1101,6 +1134,50 @@ payloadkeys: content: If 'false', disables default browser preference modification. The MDM Settings command to set the default browser preference will still work when this is applied. Available in iOS 18.2 and later, and visionOS 2.2 and later. +- key: allowDefaultCallingAppModification + title: Allow default calling app modification + supportedOS: + iOS: + introduced: '18.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables default calling app preference modification. The MDM + Settings command to set the default calling app preference still works when this + is applied. Available in iOS 18.4 and later. +- key: allowDefaultMessagingAppModification + title: Allow default messaging app modification + supportedOS: + iOS: + introduced: '18.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables default messaging app preference modification. The + MDM Settings command to set the default messaging app preference still works when + this is applied. Available in iOS 18.4 and later. - key: allowDefinitionLookup title: Allow Define supportedOS: 
@@ -1255,17 +1332,21 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + allowmanualinstall: false + userenrollment: + mode: forbidden watchOS: introduced: n/a type: presence: optional - content: Array of strings, but currently restricted to a single element. If present, - Apple Intelligence will only allow the given external integration workspace ID - to be used, and will require a sign-in in order to make requests; the user will - be required to sign in to integrations that support signing in. Multiple payloads - will combine using an intersect operation. This means the allowed set of workspace - IDs can become the empty set if conflicting values are specified in multiple payloads. + content: An array of strings, but currently restricted to a single element. If present, + Apple Intelligence only allows the given external integration workspace ID to + be used, and requires a sign-in to make requests; the user will be required to + sign in to integrations that support signing in. Multiple payloads combine using + an intersect operation. This means the allowed set of workspace IDs can become + the empty set if conflicting values are specified in multiple payloads. subkeys: - key: allowedWorkspaceID title: Allowed Workspace ID @@ -1276,6 +1357,8 @@ payloadkeys: iOS: introduced: '8.0' supervised: true + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: @@ -1457,7 +1540,6 @@ payloadkeys: supportedOS: iOS: introduced: '18.2' - supervised: false sharedipad: mode: forbidden userenrollment: @@ -1469,7 +1551,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + userenrollment: + mode: allowed watchOS: introduced: n/a type: 
@@ -1485,19 +1569,20 @@ payloadkeys: supportedOS: iOS: introduced: '18.2' - supervised: true sharedipad: mode: forbidden userenrollment: - mode: forbidden + mode: allowed macOS: introduced: '15.2' userenrollment: - mode: forbidden + mode: allowed tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + userenrollment: + mode: allowed watchOS: introduced: n/a type: @@ -1575,6 +1660,8 @@ payloadkeys: iOS: introduced: '13.0' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -1597,6 +1684,8 @@ payloadkeys: iOS: introduced: '13.0' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -1692,6 +1781,8 @@ payloadkeys: iOS: introduced: '6.0' supervised: true + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: @@ -1727,7 +1818,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1795,7 +1889,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1818,7 +1915,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: 
@@ -2118,6 +2218,33 @@ payloadkeys: default: true content: If 'false', the system disables Mail Privacy Protection on the device. Requires a supervised device. Available in iOS 15.2 and later. +- key: allowMailSmartReplies + supportedOS: + iOS: + introduced: '18.4' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.4' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables smart replies in Mail. Available in iOS 18.2 and later, + and macOS 15.2 and later. - key: allowMailSummary supportedOS: iOS: @@ -2134,7 +2261,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2192,6 +2322,8 @@ payloadkeys: iOS: introduced: '17.4' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -2316,6 +2448,30 @@ payloadkeys: default: true content: If 'false', the system disables NFC. Requires a supervised device. Available in iOS 14.2 and later. +- key: allowNotesTranscription + supportedOS: + iOS: + introduced: '18.4' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.4' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables transcription in Notes. Available in iOS 18.2 and + later, and macOS 15.2 and later. - key: allowNotesTranscriptionSummary supportedOS: iOS: 
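Review bot: The availability sentence in allowMailSmartReplies contradicts its own supportedOS block: the key is introduced at iOS `'18.4'`, macOS `'15.4'` and visionOS `'2.4'`, yet the content says "Available in iOS 18.2 and later, and macOS 15.2 and later." The same mismatch appears in allowNotesTranscription later in this hunk (18.4/15.4 vs. 18.2/15.2) and in allowSafariSummary in the `@@ -2885,6 +3048,33 @@` hunk, which additionally gains visionOS 2.4 without the text mentioning it. Suggested wording for the first: `content: If 'false', disables smart replies in Mail. Available in iOS 18.4 and later, macOS 15.4 and later, and visionOS 2.4 and later.` with the other two adjusted the same way. If 18.2/15.2 are the real first-ship versions and the supportedOS values are what is wrong, the `introduced` entries should change instead.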
@@ -2338,7 +2494,8 @@ payloadkeys: type: presence: optional default: true - content: If false, disables transcription summarization in Notes. + content: If 'false', disables transcription summarization in Notes. Available in + iOS 18.3 and later, and macOS 15.3 and later. - key: allowNotificationsModification title: Allow Modifying Notifications Settings supportedOS: @@ -2468,6 +2625,8 @@ payloadkeys: iOS: introduced: '9.0' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -2533,6 +2692,7 @@ payloadkeys: mode: forbidden tvOS: introduced: '12.0' + deprecated: '17.4' supervised: true visionOS: introduced: n/a @@ -2543,7 +2703,8 @@ payloadkeys: default: true content: If 'false', the system disables requesting passwords from nearby devices. Available in iOS 12 and later, macOS 10.14 and later, and tvOS 12 and later. Requires - a supervised device in iOS and tvOS. + a supervised device in iOS and tvOS. Deprecated on tvOS 17.4 or later as guest + password sharing is no longer supported. - key: allowPasswordSharing supportedOS: iOS: @@ -2701,6 +2862,8 @@ payloadkeys: iOS: introduced: '11.0' supervised: true + sharedipad: + mode: ignored userenrollment: mode: forbidden macOS: 
@@ -2885,6 +3048,33 @@ payloadkeys: removes its icon from the Home screen. This setting also prevents users from opening web clips. As of iOS 13, requires a supervised device. Available in iOS 4 and later. +- key: allowSafariSummary + supportedOS: + iOS: + introduced: '18.4' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.4' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', the system disables the ability to summarize content in Safari. + Available in iOS 18.2 and later, and macOS 15.2 and later. - key: allowSatelliteConnection title: Allow use of satellite connectivity supportedOS: @@ -2906,7 +3096,8 @@ payloadkeys: type: presence: optional default: true - content: If false, the connection to and use of satellite services is prohibited. + content: If 'false', the system prohibits the connection to and use of satellite + services. Available in iOS 18.2 and later. - key: allowScreenShot title: Allow Screenshots and Screen Recording supportedOS: @@ -2930,6 +3121,8 @@ payloadkeys: iOS: introduced: '13.4' supervised: true + sharedipad: + mode: required userenrollment: mode: forbidden macOS: 
@@ -3256,6 +3449,27 @@ payloadkeys: default: true content: If 'false', the system hides the FaceTime app. Available in iOS 4 and later. Requires a supervised device in iOS 13 and later. +- key: allowVideoConferencingRemoteControl + title: Allow Video Conferencing Remote Control + supportedOS: + iOS: + introduced: '18.4' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: When false, disables the ability for a remote FaceTime session to request + control of the device. - key: allowVisualIntelligenceSummary title: Allow Visual Intelligence Summary supportedOS: @@ -3277,7 +3491,8 @@ payloadkeys: type: presence: optional default: true - content: When false, disables visual intelligence summarization. + content: If 'false', the system disables visual intelligence summarization. Available + in iOS 18.3 and later. - key: allowVoiceDialing title: Allow Voice Dialing While Device is Locked supportedOS: @@ -3351,6 +3566,8 @@ payloadkeys: iOS: introduced: '17.5' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -3383,7 +3600,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.4' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -4022,6 +4242,8 @@ payloadkeys: iOS: introduced: '17.2' supervised: true + sharedipad: + mode: forbidden userenrollment: mode: forbidden macOS: @@ -4147,7 +4369,6 @@ payloadkeys: content: |- The maximum level of app content allowed on the device. Preinstalled (first party) apps ignore this restriction. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: - * '1000': All * '600': 17+ * '300': 12+ 
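Review bot: allowVideoConferencingRemoteControl's content keeps the `When false, disables ...` form and has no availability sentence, while the very next hunk in this file rewrites the same wording on allowVisualIntelligenceSummary into `If 'false', the system disables ... Available in iOS 18.3 and later.` Matching that convention here gives `content: If 'false', the system disables the ability for a remote FaceTime session to request control of the device. Available in iOS 18.4 and later.`, which also makes the version visible to readers who only see the rendered description rather than supportedOS.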
@@ -4179,7 +4400,6 @@ payloadkeys: content: |- The maximum level of movie content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: - * '1000': All * '500': NC-17 * '400': R @@ -4234,7 +4454,6 @@ payloadkeys: content: |- The maximum level of TV content allowed on the device. Available in iOS 4.0 and later, macOS 15 and later, and tvOS 11.3 and later. Support for this restriction on unsupervised devices is deprecated. Possible values, with the US description of the rating level: - * '1000': All * '600': TV-MA * '500': TV-14 @@ -4284,7 +4503,6 @@ payloadkeys: default: 2.0 content: |- Defines the conditions under which the device accepts cookies. The user-facing settings changed in iOS 11, although the possible values remain the same. Available in iOS 4 and later. Support for this restriction on unsupervised devices is deprecated. Allowed values: - * '0': Enables Prevent Cross-Site Tracking and Block All Cookies, and the user canʼt disable either setting. * '1' or '1.5': Enables Prevent Cross-Site Tracking, and the user canʼt disable it. Doesn't enable Block All Cookies, but the user can enable it. * '2': Enables Prevent Cross-Site Tracking but doesn't enable Block All Cookies. The user can toggle either setting. diff --git a/mdm/profiles/com.apple.cellular.yaml b/mdm/profiles/com.apple.cellular.yaml index 52dab6f..5d65038 100644 --- a/mdm/profiles/com.apple.cellular.yaml +++ b/mdm/profiles/com.apple.cellular.yaml @@ -72,7 +72,6 @@ payloadkeys: - 3 content: |- The Internet Protocol versions that the system supports. Allowed values: - * '1': IPv4 * '2': IPv6 * '3': Both @@ -135,7 +134,6 @@ payloadkeys: - 3 content: |- The default Internet Protocol versions. Available in iOS 10.3 but no longer used in iOS 11 and later. Allowed values: - * '1': IPv4 * '2': IPv6 * '3': Both 
@@ -152,7 +150,6 @@ payloadkeys: - 3 content: |- The Internet Protocol versions that the system supports. Available in iOS 10.3 and later. Allowed values: - * '1': IPv4 * '2': IPv6 * '3': Both @@ -169,7 +166,6 @@ payloadkeys: - 3 content: |- The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: - * '1': IPv4 * '2': IPv6 * '3': Both @@ -186,7 +182,6 @@ payloadkeys: - 3 content: |- The Internet Protocol versions that the system supports while roaming. Available in iOS 10.3 and later. Allowed values: - * '1': IPv4 * '2': IPv6 * '3': Both diff --git a/mdm/profiles/com.apple.configurationprofile.identification.yaml b/mdm/profiles/com.apple.configurationprofile.identification.yaml index 260c105..9791fdc 100644 --- a/mdm/profiles/com.apple.configurationprofile.identification.yaml +++ b/mdm/profiles/com.apple.configurationprofile.identification.yaml @@ -6,6 +6,7 @@ payload: introduced: n/a macOS: introduced: '10.7' + deprecated: '15.4' multiple: false devicechannel: true userchannel: true diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index 4f43df4..503550a 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml @@ -111,7 +111,6 @@ payloadkeys: - EvaluateConnection content: |- The action to take if this dictionary matches the current network. Allowed values: - * 'Connect': Apply DNS Settings when the dictionary matches. * 'Disconnect': Don't apply DNS Settings when the dictionary matches. * 'EvaluateConnection': Apply DNS Settings with per-domain exceptions when the dictionary matches. diff --git a/mdm/profiles/com.apple.eas.account.yaml b/mdm/profiles/com.apple.eas.account.yaml index 06a1b8c..74ec39d 100644 --- a/mdm/profiles/com.apple.eas.account.yaml +++ b/mdm/profiles/com.apple.eas.account.yaml 
@@ -41,9 +41,7 @@ payloadkeys: title: Exchange ActiveSync Host type: presence: optional - content: |- - The Exchange server host name or IP address. - If using OAuth without an OAuthSignInURL, the host name is ignored. + content: The Exchange server host name or IP address. - key: SSL title: Use SSL type: diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index 98309a8..28feeda 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -381,8 +381,7 @@ payloadkeys: * 'always': The system always uses the credential if the SPN matches the Kerberos Extension 'Hosts' array and the caller hasn't specified another credential. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIDACL'. * 'whenNotSpecified': The system only uses the extension credential if the SPN matches the Kerberos Extension 'Hosts' array. However, the system won't use the credential if the calling app isn't in the 'credentialBundleIDACL'. - * 'kerberosDefault': The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capability. - + * 'kerberosDefault': The system uses the default Kerberos processes to select credentials, and normally uses the default Kerberos credential. This is the same as turning off this capabiliity. Available in macOS 11 and later. - key: preferredKDCs supportedOS: diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index bb2f5a9..47fba83 100644 --- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml 
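Review bot: The rewritten `'kerberosDefault'` line in the com.apple.extensiblesso(kerberos).yaml hunk introduces a spelling regression: the new line reads "turning off this capabiliity" where the removed line had "capability". Since this hunk only exists to drop the blank line ahead of "Available in macOS 11 and later.", the change to the word is presumably accidental; the line should end `This is the same as turning off this capability.`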
@@ -440,3 +440,12 @@ payloadkeys: type: presence: required content: A local account username. + - key: AllowDeviceIdentifiersInAttestation + supportedOS: + macOS: + introduced: '15.4' + type: + presence: optional + default: false + content: If set to true, the device UDID and serial number will be included in + Platform SSO attestations. diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml index 48d7b50..0523b37 100644 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ b/mdm/profiles/com.apple.relay.managed.yaml 
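Review bot: The content for AllowDeviceIdentifiersInAttestation does not follow the description convention used across the repo (`If 'true', the system ...` plus an "Available in" sentence) and, for a key that controls whether persistent hardware identifiers leave the device, it should say where they go. Suggested: `content: If 'true', the system includes the device UDID and serial number in Platform SSO attestations. Available in macOS 15.4 and later.` Who consumes those attestations (presumably the identity provider) is not stated anywhere in the hunk; if that is the case, naming the recipient in the same sentence would let administrators judge the privacy impact of enabling it. The default of `false` is appropriate and should stay.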
@@ -119,6 +119,50 @@ payloadkeys: - key: ExcludedDomainsElement title: Excluded Domains Element type: +- key: MatchFQDNs + title: Match FQDNs + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: '15.4' + tvOS: + introduced: '18.4' + visionOS: + introduced: '2.4' + type: + presence: optional + content: A list of Fully Qualified Domain Names (FQDNs), also known as hostnames, + that should be routed through the servers contained in Relays. Any connection + that matches this exact FQDN or hostname will use the relays. If no FQDNs and + no 'MatchDomains' are listed, traffic to all domains, except those matching an + excluded domain or excluded FQDN, will be routed to the relay servers. + subkeys: + - key: MatchFQDNsElement + title: Match FQDNs Element + type: +- key: Excluded FQDNs + title: Excluded FQDNs + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: '15.4' + tvOS: + introduced: '18.4' + visionOS: + introduced: '2.4' + type: + presence: optional + content: A list of Fully Qualified Domain Names (FQDNs), also known as hostnames, + that should not be routed through the servers contained in Relays. Any connection + that matches the FQDN exactly will not use the relay server. When 'MatchDomains' + are also specified any FQDN listed here in 'ExcludedFQDNs' should be a subdomain + of at least one MatchDomain otherwise it will not have any effect. + subkeys: + - key: ExcludedFQDNsElement + title: Excluded FQDNs Element + type: - key: RelayUUID type: presence: optional diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index 180ebee..b36100d 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml 
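Review bot: The new entry is spelled `- key: Excluded FQDNs` with a space, but its title is `Excluded FQDNs`, its subkey is `ExcludedFQDNsElement`, its own content refers to `'ExcludedFQDNs'`, and the sibling key above is `MatchFQDNs` with no space; the line should be `- key: ExcludedFQDNs`. Anything generating schemas or documentation from this file would otherwise emit a key name that does not match the one the content describes. Since these two keys decide which connections bypass the relay, it would also help to state the exact-match semantics (case handling, trailing dot) if they are known — the hunk does not say.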
@@ -87,7 +87,6 @@ payloadkeys: - ECSECPrimeRandom content: |- The type of key pair to generate. Allowed values: - * 'RSA': Specifies an RSA key pair. RSA key pairs need to have a 'KeySize' that's a multiple of 8 in the range of 1024 through 4096 (inclusive), and 'HardwareBound' needs to be 'false'. * 'ECSECPrimeRandom': Specifies a key pair on the P-192, P-256, P-384, or P-521 curves as defined in FIPS Pub 186-4. 'KeySize' defines the particular curve, which needs to be '192', '256', '384', or '521'. Hardware bound keys only support values of '256' and '384'. Note that the key size is '521', not '512', even though the other key sizes are multiples of 64. @@ -107,7 +106,7 @@ payloadkeys: content: |- The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. The representation of a X.500 name represented as an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to: - '[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], ..., [ [ “1.2.5.3”, “bar” ] ] ]' + '[ [ ['C', 'US'] ], [ ['O', 'Apple Inc.'] ], ..., [ [ '1.2.5.3', 'bar' ] ] ]' Dotted numbers can represent OIDs , with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: ACMESubjectArrayInnerArray 
@@ -166,7 +165,7 @@ payloadkeys: type: presence: optional content: |- - The value is an array of strings. Each string is an OID in dotted notation. For instance, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection. + The value is an array of strings. Each string is an OID in dotted notation. For instance, '['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4']' indicates client authentication and email protection. The device requests this field for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues. subkeys: - key: OID diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml index bf264b9..353ce48 100644 --- a/mdm/profiles/com.apple.security.scep.yaml +++ b/mdm/profiles/com.apple.security.scep.yaml @@ -72,7 +72,7 @@ payloadkeys: presence: optional content: |- The representation of an X.500 name as an array of OID and value. - For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' translates to '[ [ [“C”, “US”] ], [ [“O”, “Apple Inc.'] ], …, [ [ “1.2.5.3”, “bar” ] ] ]'. + For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' translates to '[ [ ['C', 'US'] ], [ ['O', 'Apple Inc.'] ], …, [ [ '1.2.5.3', 'bar' ] ] ]'. OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN). subkeys: - key: SCEPSubjectArrayInnerArray @@ -120,10 +120,8 @@ payloadkeys: default: 0 content: |- A bitmask indicating the use of the key. Possible values: - - * 1: Signing - * 4: Encryption - + * '1': Signing + * '4': Encryption Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time. - key: CAFingerprint title: Fingerprint diff --git a/mdm/profiles/com.apple.security.smartcard.yaml b/mdm/profiles/com.apple.security.smartcard.yaml index 066a7b3..48d4522 100644 
--- a/mdm/profiles/com.apple.security.smartcard.yaml +++ b/mdm/profiles/com.apple.security.smartcard.yaml @@ -48,7 +48,6 @@ payloadkeys: default: 0 content: |- Configures the certificate trust check and has one of the following possible values: - * '0': Turns off certificate trust check. * '1': Turns on certificate trust check. A standard validity check is performed but doesn't include additional revocation checks. * '2': Turns on certificate trust check. A soft revocation check is also performed. Until the certificate is explicitly rejected by CRL/OCSP, it's considered valid. This setting means that unavailable or unreachable CRL/OCSP allow this check to succeed. diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index f099d1b..1bd3b65 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml @@ -113,6 +113,21 @@ payloadkeys: presence: optional content: The VPN dictionary is used when VPNType is VPN. subkeys: + - key: AuthName + title: Account Username + type: + presence: optional + content: The VPN account username. + - key: AuthPassword + title: Account Password + type: + presence: optional + content: The VPN account password. Only used if AuthenticationMethod is Password. + - key: RemoteAddress + title: RemoteAddress + type: + presence: required + content: IP address or hostname of the VPN server. - key: AuthenticationMethod title: Authentication Method type: @@ -129,11 +144,6 @@ payloadkeys: presence: optional content: The UUID of the certificate payload within the same profile to use for account credentials. - - key: Password - title: Account Password - type: - presence: optional - content: The VPN user password. - key: ProviderBundleIdentifier title: Provider Bundle Identifier type: diff --git a/mdm/profiles/com.apple.xsan.yaml b/mdm/profiles/com.apple.xsan.yaml index 715ae3f..81df616 100644 --- a/mdm/profiles/com.apple.xsan.yaml +++ b/mdm/profiles/com.apple.xsan.yaml 
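Review bot: In the first com.apple.vpn.managed.yaml hunk the new RemoteAddress entry has `title: RemoteAddress`, while every sibling title in the hunk is spaced (`Account Username`, `Account Password`, `Authentication Method`); it should be `title: Remote Address`. AuthPassword's content also names keys unquoted — `Only used if AuthenticationMethod is Password.` — where the repo convention elsewhere in this commit is single quotes, i.e. `Only used if 'AuthenticationMethod' is 'Password'.` Because AuthPassword embeds a credential in the profile, a cross-reference to the certificate-based alternative described just below ("The UUID of the certificate payload within the same profile to use for account credentials") would help readers pick the safer option; that key's name is outside the hunk, so I have not quoted it.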
@@ -22,6 +22,7 @@ payload: watchOS: introduced: n/a content: Sets up Xsan clients and controls certain Xsan volume mount behaviors. + The payload should include either sanConfigURLs or fsnameservers, but not both. payloadkeys: - key: sanName type: @@ -30,9 +31,9 @@ payloadkeys: exactly match the name of the SAN defined in the metadata server. - key: sanConfigURLs type: - presence: required + presence: optional content: |- - An array of LDAP URLs where Xsan systems can obtain SAN configuration updates. This key is required for all Xsan SANs. There should be one entry for each Xsan MDC. + This key is required for all Xsan SANs. Each string in this array contains an LDAP URL where Xsan systems can obtain SAN configuration updates. There should be one entry for each Xsan MDC. Example URL: 'ldaps://mdc1.example.com:389'. subkeys: - key: sanConfigURLsItem @@ -41,10 +42,11 @@ payloadkeys: content: A URL. - key: fsnameservers type: - presence: required - content: |- - An array of storage area network (SAN) File System Name Server coordinators. The list should contain the same addresses in the same order as the metadata controller (MDC) '/Library/Preferences/Xsan/fsnameservers' file. Xsan SAN clients automatically receive updates to the 'fsnameservers' list from the SAN configuration servers whenever this list changes. StorNext administrators should update their profile whenever the 'fsnameservers' list changes. - This key is required for StorNext SANs. + presence: optional + content: This key is required for StorNext SANs. This array contains one string + value for each of the SAN's File System Name Server coordinators. The list should + contain the same addresses in the same order as the MDC's /Library/Preferences/Xsan/fsnameservers + file. subkeys: - key: fsnameserversItem type: diff --git a/other/esso.yaml b/other/esso.yaml index 9a788f3..a354d92 100644 --- a/other/esso.yaml +++ b/other/esso.yaml 
@@ -10,7 +10,7 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a payloadkeys: @@ -53,7 +53,28 @@ payloadkeys: - key: ConfigurationProfile title: Configuration Profile type: - presence: required + presence: optional content: The profile containing an ExtensibleSingleSignOn payload that specifies the SSO extension in the downloaded app prior to enrollment. This profile may contain certificate payloads. +- key: Declarations + title: Declarations + supportedOS: + iOS: + introduced: '18.4' + visionOS: + introduced: '2.4' + type: + presence: optional + content: The set of declarative device management declarations used to specify the + managed app and its configuration (including any certificates or identities). + The set of declarations must include one `com.apple.configuration.app.managed` + configuration, and one activation declaration that references the configuration. + Asset declarations may be present if required by the app config. The app configuration + must include `AppStoreID` when developer mode is not being used, or it must include + `BundleID` when developer mode is used. One of `ConfigurationProfile` and `Declarations` + must be present. + subkeys: + - key: Declaration + title: Declaration Domain + type: diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 294ed33..d80ea62 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml @@ -375,6 +375,19 @@ payloadkeys: type: presence: optional content: The key to skip the Safety pane. This key is available in iOS 16 and later. +- key: SafetyAndHandling + title: Skips Safety and Handling pane + supportedOS: + iOS: + introduced: '18.4' + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: If the key is included in the SkipSetup array the Safety and Handling pane + will be skipped. - key: ScreenTime title: Skip Screen Time pane supportedOS: 
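Review bot: The new Declarations content in other/esso.yaml wraps identifiers in backticks (`com.apple.configuration.app.managed`, `AppStoreID`, `BundleID`, `ConfigurationProfile`, `Declarations`), whereas the rest of this commit quotes identifiers with single quotes (`'MatchDomains'`, `'false'`); whatever renders these descriptions will presumably show the backticks literally. In the same hunk ConfigurationProfile is relaxed from `presence: required` to `presence: optional`, but only the Declarations entry states that one of the two must be present. Suggest appending the same sentence to ConfigurationProfile's content: `One of 'ConfigurationProfile' and 'Declarations' must be present.`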
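Review bot: SafetyAndHandling's content in the other/skipkeys.yaml hunk departs from the phrasing every neighbouring skip key uses — the entry directly above reads `The key to skip the Safety pane. This key is available in iOS 16 and later.` — and it omits the OS version even though supportedOS says `introduced: '18.4'`. Suggested: `content: The key to skip the Safety and Handling pane. This key is available in iOS 18.4 and later.` The title could likewise be `Skip Safety and Handling pane` to match `Skip Screen Time pane` just below it.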
@@ -399,8 +412,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to skip the add cellular plan pane. This key is available in iOS - 12 and later. + content: The key to skip the add cellular plan pane. Skipping this pane prevents + automatic eSIM setup during Setup Assistant. This key is available in iOS 12 and + later. - key: Siri title: Disables Siri supportedOS: @@ -416,7 +430,7 @@ payloadkeys: iOS: introduced: '12.0' macOS: - introduced: n/a + introduced: '15.4' tvOS: introduced: n/a type: