diff --git a/README.md b/README.md index 2d7366a..2f68208 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,11 @@ This release corresponds to the following OS versions | OS | Version | |----------|---------| -| iOS | 17.5 | -| macOS | 14.5 | -| tvOS | 17.5 | -| visionOS | 1.2 | -| watchOS | 10.5 | +| iOS | 18.0 | +| macOS | 15.0 | +| tvOS | 18.0 | +| visionOS | 2.0 | +| watchOS | 11.0 | ## Important Release Notes diff --git a/declarative/declarations/assets/credential.acme.yaml b/declarative/declarations/assets/credential.acme.yaml index 706b991..1074cbc 100644 --- a/declarative/declarations/assets/credential.acme.yaml +++ b/declarative/declarations/assets/credential.acme.yaml @@ -16,6 +16,8 @@ payload: payloadkeys: - key: Reference type: + asset-content-types: + - application/json presence: required content: |- The external reference. Ensure that the asset data: diff --git a/declarative/declarations/assets/credential.certificate.yaml b/declarative/declarations/assets/credential.certificate.yaml index 933f7eb..3b038ed 100644 --- a/declarative/declarations/assets/credential.certificate.yaml +++ b/declarative/declarations/assets/credential.certificate.yaml @@ -16,6 +16,9 @@ payload: payloadkeys: - key: Reference type: + asset-content-types: + - application/pkcs1 + - application/pem presence: required content: The external reference. Ensure that the asset data uses a media type of 'application/pkcs1' or 'application/pem' to correctly identify the type of encoded diff --git a/declarative/declarations/assets/credential.identity.yaml b/declarative/declarations/assets/credential.identity.yaml index 0270966..2e23b9a 100644 --- a/declarative/declarations/assets/credential.identity.yaml +++ b/declarative/declarations/assets/credential.identity.yaml @@ -16,6 +16,8 @@ payload: payloadkeys: - key: Reference type: + asset-content-types: + - application/json presence: required content: |- The external reference. Ensure that the asset data: 
diff --git a/declarative/declarations/assets/credential.scep.yaml b/declarative/declarations/assets/credential.scep.yaml index e0e06cd..e612d71 100644 --- a/declarative/declarations/assets/credential.scep.yaml +++ b/declarative/declarations/assets/credential.scep.yaml @@ -16,6 +16,8 @@ payload: payloadkeys: - key: Reference type: + asset-content-types: + - application/json presence: required content: |- The external reference. Ensure that the asset data: diff --git a/declarative/declarations/assets/credential.userpassword.yaml b/declarative/declarations/assets/credential.userpassword.yaml index fdd7029..e3029aa 100644 --- a/declarative/declarations/assets/credential.userpassword.yaml +++ b/declarative/declarations/assets/credential.userpassword.yaml @@ -17,6 +17,8 @@ payload: payloadkeys: - key: Reference type: + asset-content-types: + - application/json presence: required content: |- The external reference. Ensure that the asset data: diff --git a/declarative/declarations/assets/credentials/acme.yaml b/declarative/declarations/assets/credentials/acme.yaml index 2c2fd1b..9c04475 100644 --- a/declarative/declarations/assets/credentials/acme.yaml +++ b/declarative/declarations/assets/credentials/acme.yaml 
@@ -24,11 +24,12 @@ payloadkeys: title: Client identifier type: presence: required - content: The server can use this as a nonce to prevent issuing multiple certificates. - It also indicates to the ACME server that the device has access to a valid client - identifier that the enterprise infrastructure issued. This can help the ACME server - determine whether to trust the device, however this is a relatively weak indication - because of the risk that an attacker may intercept and duplicate the client identifier. + content: The server can use this as a one-time code to prevent issuing multiple + certificates. It also indicates to the ACME server that the device has access + to a valid client identifier that the enterprise infrastructure issued. This can + help the ACME server determine whether to trust the device, however this is a + relatively weak indication because of the risk that an attacker may intercept + and duplicate the client identifier. - key: KeySize title: Key Size type: 
@@ -137,4 +138,15 @@ payloadkeys: evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', set - 'HardwareBound' to 'true'. On macOS, set this key, if present, to 'false'. + 'HardwareBound' to 'true'. See the ACME attestation hardware support note for + hardware requirements. +notes: +- title: ACME attestation hardware support + content: |- + The following table indicates which System on Chips (SoCs) support ACME attestation. + If the Attest key is ignored, the ACME server does not receive an attestation. + + | Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | + |--------------------|--------------------------------------|----------------|-------------------------|----------------|------------| + | Ignored | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none | + | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | diff --git a/declarative/declarations/configurations/account.caldav.yaml b/declarative/declarations/configurations/account.caldav.yaml index 97df29e..86e19ab 100644 --- a/declarative/declarations/configurations/account.caldav.yaml +++ b/declarative/declarations/configurations/account.caldav.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/account.carddav.yaml b/declarative/declarations/configurations/account.carddav.yaml index cdea24d..3eb4710 100644 --- a/declarative/declarations/configurations/account.carddav.yaml +++ b/declarative/declarations/configurations/account.carddav.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/account.exchange.yaml b/declarative/declarations/configurations/account.exchange.yaml index 16ccafe..1e7e42c 100644 --- a/declarative/declarations/configurations/account.exchange.yaml +++ b/declarative/declarations/configurations/account.exchange.yaml @@ -29,6 +29,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local @@ -268,9 +269,6 @@ payloadkeys: content: If 'true', the system enables the per-message encryption switch in the compose view. - key: MailServiceActive - supportedOS: - macOS: - introduced: n/a type: presence: optional default: true @@ -285,9 +283,6 @@ payloadkeys: content: If 'true', the system prevents the user from changing the status of the mail service for this account. - key: ContactsServiceActive - supportedOS: - macOS: - introduced: n/a type: presence: optional default: true 
@@ -302,9 +297,6 @@ payloadkeys: content: If 'true', the system prevents the user from changing the status of the address book service for this account. - key: CalendarServiceActive - supportedOS: - macOS: - introduced: n/a type: presence: optional default: true @@ -319,9 +311,6 @@ payloadkeys: content: If 'true', the system prevents the user from changing the status of the calendar service for this account. - key: RemindersServiceActive - supportedOS: - macOS: - introduced: n/a type: presence: optional default: true @@ -336,9 +325,6 @@ payloadkeys: content: If 'true', the system prevents the user from changing the status of the reminders service for this account. - key: NotesServiceActive - supportedOS: - macOS: - introduced: n/a type: presence: optional default: true diff --git a/declarative/declarations/configurations/account.google.yaml b/declarative/declarations/configurations/account.google.yaml index e3a9677..e333075 100644 --- a/declarative/declarations/configurations/account.google.yaml +++ b/declarative/declarations/configurations/account.google.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/account.ldap.yaml b/declarative/declarations/configurations/account.ldap.yaml index 19320f0..a5bce74 100644 --- a/declarative/declarations/configurations/account.ldap.yaml +++ b/declarative/declarations/configurations/account.ldap.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/account.mail.yaml b/declarative/declarations/configurations/account.mail.yaml index 7308a19..77f6481 100644 --- a/declarative/declarations/configurations/account.mail.yaml +++ b/declarative/declarations/configurations/account.mail.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local 
diff --git a/declarative/declarations/configurations/account.subscribed-calendar.yaml b/declarative/declarations/configurations/account.subscribed-calendar.yaml index fc611ae..91aea78 100644 --- a/declarative/declarations/configurations/account.subscribed-calendar.yaml +++ b/declarative/declarations/configurations/account.subscribed-calendar.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/app.managed.yaml b/declarative/declarations/configurations/app.managed.yaml index bd9857d..4d517ae 100644 --- a/declarative/declarations/configurations/app.managed.yaml +++ b/declarative/declarations/configurations/app.managed.yaml @@ -29,19 +29,20 @@ payloadkeys: title: App Store ID type: presence: optional - content: The App Store ID of the managed app. One and only one of 'AppStoreID', - 'BundleID', or 'ManifestURL' must be present. + content: The App Store ID of the managed app that is downloaded from the App Store. + One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present. - key: BundleID title: Bundle ID type: presence: optional - content: The bundle ID of the managed app. One and only one of 'AppStoreID', 'BundleID', - or 'ManifestURL' must be present. + content: The bundle ID of the managed app that is downloaded from the App Store. + One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present. - key: ManifestURL title: Manifest URL type: presence: optional - content: The URL of the manifest for the managed app. One and only one of 'AppStoreID', + content: The URL of the manifest for the managed app that is downloaded from a web + site. The manifest is returned as a property list. One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present. - key: InstallBehavior title: Install Behavior 
@@ -70,8 +71,25 @@ payloadkeys: presence: optional content: A dictionary that describes the app's license. subkeys: + - key: Assignment + title: Assignment + type: + presence: optional + rangelist: + - Device + - User + content: |- + Indicates what type of license to use when an App Store app is installed: + * Device - the license is assigned to the device. + * User - the license is assigned to the user. + This key must be present for App Store apps, when either 'AppStoreID' or 'BundleID' are present in the configuration. - key: VPPType title: VPP Type + supportedOS: + iOS: + removed: '18.0' + macOS: + removed: '15.0' type: presence: optional rangelist: diff --git a/declarative/declarations/configurations/diskmanagement.settings.yaml b/declarative/declarations/configurations/diskmanagement.settings.yaml new file mode 100644 index 0000000..b8f7f8e --- /dev/null +++ b/declarative/declarations/configurations/diskmanagement.settings.yaml 
@@ -0,0 +1,55 @@ +title: Disk Management:Settings +description: Use this configuration to install disk management settings on the device. +payload: + declarationtype: com.apple.configuration.diskmanagement.settings + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + - local + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: combined +payloadkeys: +- key: Restrictions + type: + presence: optional + content: Defines the restrictions for disks + subkeys: + - key: ExternalStorage + title: External Storage + type: + presence: optional + rangelist: + - Allowed + - ReadOnly + - Disallowed + combinetype: enum-last + content: |- + Specifies the mount policy for external storage: + * Allowed - external storage that is read-write or read-only will be mounted. + * ReadOnly - only external storage that is read-only will be automatically mounted. Note that external storage that is read-write will not be mounted read-only. + * Disallowed - no external storage will be mounted. + - key: NetworkStorage + title: Network Storage + type: + presence: optional + rangelist: + - Allowed + - ReadOnly + - Disallowed + combinetype: enum-last + content: |- + Specifies the mount policy for network storage: + * Allowed - network storage that is read-write or read-only will be mounted. + * ReadOnly - only network storage that is read-only will be mounted. Note that network storage that is read-write will not be mounted read-only. + * Disallowed - no network storage will be mounted. diff --git a/declarative/declarations/configurations/legacy.interactive.yaml b/declarative/declarations/configurations/legacy.interactive.yaml index 24acf51..8a9c300 100644 --- a/declarative/declarations/configurations/legacy.interactive.yaml +++ b/declarative/declarations/configurations/legacy.interactive.yaml 
@@ -32,6 +32,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -45,7 +46,7 @@ payloadkeys: type: presence: required content: |- - The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. + The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile. - key: VisibleName title: Configuration Visible Name diff --git a/declarative/declarations/configurations/legacy.yaml b/declarative/declarations/configurations/legacy.yaml index c6b5551..f12dd08 100644 --- a/declarative/declarations/configurations/legacy.yaml +++ b/declarative/declarations/configurations/legacy.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local @@ -55,5 +56,5 @@ payloadkeys: type: presence: required content: |- - The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. The system silently ignores any account or passcode payloads in the profile. Use their declarative configurations instead. + The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server. If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile. 
diff --git a/declarative/declarations/configurations/management.status-subscriptions.yaml b/declarative/declarations/configurations/management.status-subscriptions.yaml index a9daae6..6c3d450 100644 --- a/declarative/declarations/configurations/management.status-subscriptions.yaml +++ b/declarative/declarations/configurations/management.status-subscriptions.yaml @@ -34,6 +34,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user allowed-scopes: diff --git a/declarative/declarations/configurations/management.test.yaml b/declarative/declarations/configurations/management.test.yaml index 9927c9a..0127445 100644 --- a/declarative/declarations/configurations/management.test.yaml +++ b/declarative/declarations/configurations/management.test.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/math.settings.yaml b/declarative/declarations/configurations/math.settings.yaml new file mode 100644 index 0000000..51af9b0 --- /dev/null +++ b/declarative/declarations/configurations/math.settings.yaml 
@@ -0,0 +1,118 @@ +title: Math Settings +description: Use this configuration to configure math-related settings +payload: + declarationtype: com.apple.configuration.math.settings + supportedOS: + iOS: + introduced: '18.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + - user + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: combined + content: Configures the built-in math and calculator app settings. +payloadkeys: +- key: Calculator + type: + presence: optional + content: If present, configures the built-in Calculator app. + subkeys: + - key: BasicMode + type: + presence: optional + content: If present, configures the basic mode of the calculator. Basic mode is + always enabled. + subkeys: + - key: AddSquareRoot + type: + presence: required + combinetype: boolean-or + content: Add the square root button to the basic calculator by replacing the + +/- button. Normally, the square root button is available in scientific mode, + so this key can be used to make it available when the scientific mode is restricted. + - key: ScientificMode + type: + presence: optional + content: If present, configures the scientific mode of the calculator. If not + present, scientific mode is enabled. + subkeys: + - key: Enabled + type: + presence: required + combinetype: boolean-and + content: Controls whether the mode is enabled. + - key: ProgrammerMode + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + content: If present, configures the programmer mode of the calculator. If not + present, programmer mode is enabled. + subkeys: + - key: Enabled + type: + presence: required + combinetype: boolean-and + content: Controls whether the mode is enabled. 
+ - key: MathNotesMode + type: + presence: optional + content: If present, configures the Math Notes mode of the calculator. If not + present, math notes mode is enabled. + subkeys: + - key: Enabled + type: + presence: required + combinetype: boolean-and + content: Controls whether the mode is enabled. + - key: InputModes + type: + presence: optional + content: If present, controls global input options of the calculator. If not present, + all input modes are enabled. + subkeys: + - key: UnitConversion + type: + presence: required + combinetype: boolean-and + content: Configures whether unit conversions are enabled. + - key: RPN + supportedOS: + iOS: + introduced: n/a + type: + presence: required + combinetype: boolean-and + content: Configures whether RPN input is enabled. +- key: SystemBehavior + type: + presence: optional + content: If present, configures math behavior in the system. + subkeys: + - key: KeyboardSuggestions + type: + presence: required + combinetype: boolean-and + content: Controls whether keyboard suggestions include math solutions + - key: MathNotes + type: + presence: required + combinetype: boolean-and + content: Controls whether Math Notes is allowed in other apps such as Notes. diff --git a/declarative/declarations/configurations/passcode.settings.yaml b/declarative/declarations/configurations/passcode.settings.yaml index 7d9d9a8..9706378 100644 --- a/declarative/declarations/configurations/passcode.settings.yaml +++ b/declarative/declarations/configurations/passcode.settings.yaml @@ -25,7 +25,14 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + allowed-enrollments: + - supervised + - device + - user + - local + allowed-scopes: + - system watchOS: introduced: '10.0' allowed-enrollments: @@ -116,6 +123,8 @@ payloadkeys: introduced: n/a macOS: introduced: '13.1' + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
@@ -181,6 +190,8 @@ payloadkeys: introduced: n/a macOS: introduced: '13.1' + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -197,6 +208,8 @@ payloadkeys: introduced: n/a macOS: introduced: '14.0' + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/declarative/declarations/configurations/safari.extensions.settings.yaml b/declarative/declarations/configurations/safari.extensions.settings.yaml new file mode 100644 index 0000000..1c20241 --- /dev/null +++ b/declarative/declarations/configurations/safari.extensions.settings.yaml 
@@ -0,0 +1,101 @@ +title: Safari:Extension Settings +description: Use this configuration to manage Safari Extensions. +payload: + declarationtype: com.apple.configuration.safari.extensions.settings + supportedOS: + iOS: + introduced: '18.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - user + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - user + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: combined +payloadkeys: +- key: ManagedExtensions + title: Managed Extensions + type: + presence: optional + content: Extensions being managed + subkeys: + - key: ANY + type: + presence: optional + content: The composed identifier of the managed extension, or "*" for all extensions. + In order for the extension to be managed, its host app must be present on the + device. To generate this string use codesign -dv . The browser + extension is located in the PlugIns folder inside the app bundle. The expected + format is "Identifier (TeamIdentifier)". For extensions that are not also available + on macOS the app developer will need to provide this information. + subkeytype: ExtensionDictionary + subkeys: + - key: State + title: Extension state + type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + combinetype: enum-last + content: |- + Controls whether an extension is allowed. + * Allowed - The user is allowed to turn the extension on or off + * AlwaysOn - The extension will always be on + * AlwaysOff - The extension will always be off + - key: PrivateBrowsing + title: Private Browsing state + type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + combinetype: enum-last + content: |- + Controls whether an extension is allowed in Private Browsing. 
+ * Allowed - The user is allowed to turn the extension on or off in Private Browsing + * AlwaysOn - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing + * AlwaysOff - The extension will never be on in Private Browsing + - key: AllowedDomains + title: Allowed domains + type: + presence: optional + combinetype: set-union + content: Controls the domains and sub-domains the extension is granted access + to. Any non-prefixed domains take precedence over prefixed domains, and DeniedDomains + takes precedence over AllowedDomains. Any domains not specified in AllowedDomains + or DeniedDomains are configurable by the user. + subkeys: + - key: Domain + title: Domain + type: + content: A domain or set of sub-domains where the extension is allowed + - key: DeniedDomains + title: Denied domains + type: + presence: optional + combinetype: set-union + content: Controls the domains and sub-domains the extension is not allowed to + access. Any non-prefixed domains take precedence over prefixed domains, and + DeniedDomains takes precedence over AllowedDomains. Any domains not specified + in AllowedDomains or DeniedDomains are configurable by the user. + subkeys: + - key: Domain + title: Domain + type: + content: A domain or set of sub-domains where the extension is not allowed diff --git a/declarative/declarations/configurations/security.certificate.yaml b/declarative/declarations/configurations/security.certificate.yaml index 58bbbe9..fd45b03 100644 --- a/declarative/declarations/configurations/security.certificate.yaml +++ b/declarative/declarations/configurations/security.certificate.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/security.identity.yaml b/declarative/declarations/configurations/security.identity.yaml index 37c2069..438b3d3 100644 
--- a/declarative/declarations/configurations/security.identity.yaml +++ b/declarative/declarations/configurations/security.identity.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/declarations/configurations/services.background-tasks.yaml b/declarative/declarations/configurations/services.background-tasks.yaml new file mode 100644 index 0000000..8758a49 --- /dev/null +++ b/declarative/declarations/configurations/services.background-tasks.yaml 
@@ -0,0 +1,91 @@ +title: Services Background Tasks +description: Specifies management of a background tasks +payload: + declarationtype: com.apple.configuration.services.background-tasks + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: multiple +payloadkeys: +- key: TaskType + title: Task Type + type: + presence: required + content: The unique identifier of the set of background tasks managed with this + configuration. This should be a reverse DNS style identifier. This is used solely + by the management system to differentiate between tasks in different configurations. +- key: TaskDescription + title: Task Description + type: + presence: optional + content: A description of the set of background tasks managed by this configuration. +- key: ExecutableAssetReference + title: Executable Asset Reference + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/zip + presence: optional + content: |- + Specifies the identifier of an asset declaration containing a reference + to the files to be used for the background task configuration. The corresponding + asset must be of type "com.apple.asset.data". The referenced data must be a zip + archive of an entire directory, that will be expanded and stored in a well known + location for the background task. The asset's "ContentType" and "Hash-SHA-256" + keys in the "Reference" key are required. + + This file should contain background task executables, scripts, and configuration + files, but not the launchd configuration files. +- key: LaunchdConfigurations + title: Launchd Configurations + type: + presence: optional + content: An array of launchd configuration files used to run the background tasks. 
+ subkeys: + - key: launchd-item + type: + presence: required + subkeys: + - key: FileAssetReference + title: File Asset Reference + type: + assettypes: + - com.apple.asset.data + asset-content-types: + - application/plist + - application/x-plist + - application/xml + - text/xml + presence: required + content: |- + Specifies the identifier of an asset declaration containing a reference + to the launchd configuration file for the background task. The referenced data must be a + property list file conforming to the launchd.plist format. The asset's "ContentType" and "Hash-SHA-256" + keys in the "Reference" key are required. + - key: Context + title: Launchd Context + type: + presence: required + rangelist: + - daemon + - agent + content: Indicates whether the launchd configuration file is applied to the + system daemon, or system agent domain. +related-status-items: +- status-items: + - services.background-task + note: Each service managed by a configuration will have a corresponding status item + that will contain a reference to the configuration. diff --git a/declarative/declarations/configurations/services.configuration-files.yaml b/declarative/declarations/configurations/services.configuration-files.yaml index 2c8ecd6..debc7b1 100644 --- a/declarative/declarations/configurations/services.configuration-files.yaml +++ b/declarative/declarations/configurations/services.configuration-files.yaml @@ -37,6 +37,8 @@ payloadkeys: type: assettypes: - com.apple.asset.data + asset-content-types: + - application/zip presence: required content: |- The identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset: diff --git a/declarative/declarations/configurations/softwareupdate.settings.yaml b/declarative/declarations/configurations/softwareupdate.settings.yaml new file mode 100644 index 0000000..8db66e5 --- /dev/null 
+++ b/declarative/declarations/configurations/softwareupdate.settings.yaml 
@@ -0,0 +1,304 @@ +title: Software Update:Settings +description: Software update settings +payload: + declarationtype: com.apple.configuration.softwareupdate.settings + supportedOS: + iOS: + introduced: '18.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + apply: combined +payloadkeys: +- key: Notifications + title: Software Update Notifications + type: + presence: optional + default: true + combinetype: boolean-and + content: If 'true', the device shows all software update enforcement notifications. + If 'false', the device only shows notifications triggered one hour before the + enforcement deadline, and the restart countdown notification. +- key: Deferrals + title: Software Update Deferrals + supportedOS: + iOS: + allowed-enrollments: + - supervised + type: + presence: optional + content: Controls the deferral of software updates. Rapid Security Responses are + not considered within 'Major', 'Minor', or 'System' deferral mechanism. + subkeys: + - key: CombinedPeriodInDays + title: Combined Major/Minor Update Deferral Period + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + combinetype: number-max + content: Specifies the number of days to defer a major or minor OS software update + on the device. When set, software updates only appear after the specified delay, + following the release of the software update. + - key: MajorPeriodInDays + title: Major Update Deferral Period + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + combinetype: number-max + content: Specifies the number of days to defer a major OS software update on the + device. 
When set, software updates only appear after the specified delay, following + the release of the software update. + - key: MinorPeriodInDays + title: Minor Update Deferral Period + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + combinetype: number-max + content: Specifies the number of days to defer a minor OS software update on the + device. When set, software updates only appear after the specified delay, following + the release of the software update. + - key: SystemPeriodInDays + title: System Update Deferral Period + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + range: + min: 1 + max: 90 + combinetype: number-max + content: Specifies the number of days to defer system or non-OS updates. When + set, updates only appear after the specified delay, following the release of + the update. +- key: RecommendedCadence + title: Software Update Recommended Cadence + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + rangelist: + - All + - Oldest + - Newest + combinetype: enum-last + content: |- + Specifies how the device shows software updates to the user. When more than one update is available update, the device behaves as follows: + * "All" - Shows all software update versions. + * "Oldest" - Shows only the oldest (lower numbered) software update version. + * "Newest" - Shows only the newest (highest numbered) software update version. +- key: AutomaticActions + title: Automatic Software Update Settings + supportedOS: + iOS: + allowed-enrollments: + - supervised + type: + presence: optional + content: Specifies various automatic Software Update functionality. + subkeys: + - key: Download + title: Automatic downloads of available updates. 
+ type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + default: Allowed + combinetype: enum-last + content: |- + Specifies whether automatic downloads of available updates can be controlled by the user: + * "Allowed" - the user can enable or disable automatic downloads. + * "AlwaysOn" - automatic downloads are always enabled. + * "AlwaysOff" - automatic downloads are always disabled. + - key: InstallOSUpdates + title: Automatic installs of OS updates. + type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + default: Allowed + combinetype: enum-last + content: |- + Specifies whether automatic install of available OS updates can be controlled by the user: + * "Allowed" - the user can enable or disable automatic installs. + * "AlwaysOn" - automatic installs are always enabled. + * "AlwaysOff" - automatic installs are always disabled. + - key: InstallSecurityUpdate + title: Automatic installs of available security updates. + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + default: Allowed + combinetype: enum-last + content: |- + Specifies whether automatic install of available security updates can be controlled by the user: + * "Allowed" - the user can enable or disable automatic installs. + * "AlwaysOn" - automatic installs are always enabled. + * "AlwaysOff" - automatic installs are always disabled. +- key: RapidSecurityResponse + title: Rapid Security Response Settings + supportedOS: + iOS: + allowed-enrollments: + - supervised + type: + presence: optional + content: These configurations allow for setting user access to interacting with + Rapid Security Responses (RSRs). + subkeys: + - key: Enable + title: Enable Rapid Security Response Installation + type: + presence: optional + default: true + combinetype: boolean-and + content: If 'false', Rapid Security Responses are not offered for user installation. 
+ Rapid Security Responses can still be installed via 'com.apple.configuration.softwareupdate.enforcement.specific' + configurations. If 'true', Rapid Security Responses are offered to the user. + - key: EnableRollback + title: Enable Rapid Security Response Rollbacks + type: + presence: optional + default: true + combinetype: boolean-and + content: If 'false', Rapid Security Response rollbacks are not offered to the + user. If 'true', Rapid Security Response rollbacks are offered to the user. +- key: AllowStandardUserOSUpdates + title: Allow Standard User OS Updates + supportedOS: + iOS: + introduced: n/a + type: + presence: optional + default: true + combinetype: boolean-and + content: If 'true', a standard user can perform Major and Minor Software Updates. + If 'false', only administrators can perform Major and Minor Software Updates. +- key: Beta + supportedOS: + macOS: + introduced: n/a + type: + presence: optional + content: Configurations for controlling or specifying the beta programs associated + with a device. + subkeys: + - key: ProgramEnrollment + supportedOS: + iOS: + allowed-enrollments: + - supervised + type: + presence: optional + rangelist: + - Allowed + - AlwaysOn + - AlwaysOff + default: Allowed + combinetype: enum-last + content: |- + Specifies whether beta program enrollment can be controlled by the user in software update settings UI: + * "Allowed" - the user can enroll in any applicable beta programs associated with their + logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in + that key are also presented to the user. + * "AlwaysOn" - the beta programs specified by the organization are used, and the user + is not be able to enroll in a beta program using their logged in Apple Account. The device + is automatically enrolled into the beta program specified by the `RequireProgram` key if + it is present. 
Otherwise, the programs listed in the `OfferPrograms` key are + presented to the user to choose which to enroll with. + * "AlwaysOff" - The device is not allowed to enroll in any beta programs. The device is + removed from any beta programs, if already enrolled. + - key: OfferPrograms + type: + presence: optional + combinetype: set-union + content: An array of beta programs allowed on the device. This key must only be + present if the `ProgramEnrollment` key is set to `Allowed` or `AlwaysOn`. This + key must not be present if the `RequireProgram` key is present. This key can + be present on unsupervised devices where the `ProgramEnrollment` key is not + supported but is implicitly set to `Allowed`. + subkeys: + - key: Program + type: + presence: required + content: The name and token associated with a specific beta program to be allowed. + subkeys: + - key: Description + type: + presence: required + content: A human readable description of the beta program. + - key: Token + type: + presence: required + content: The Apple Business Manager or Apple School Manager seeding service + token for the organization the MDM server is part of. This token is used + to enroll the device in the corresponding beta program. + - key: RequireProgram + supportedOS: + iOS: + allowed-enrollments: + - supervised + type: + presence: optional + combinetype: first + content: The device automatically enrolls in this beta program. This key must + only be present if the `ProgramEnrollment` key is set to `AlwaysOn`. The `OfferPrograms` + key must not be present if this key is present. + subkeys: + - key: Description + type: + presence: required + content: A human readable description of the beta program. + - key: Token + type: + presence: required + content: The Apple Business Manager or Apple School Manager seeding service + token for the organization the MDM server is part of. This token is used to + enroll the device in the corresponding beta program. 
+related-status-items: +- status-items: + - softwareupdate.beta-enrollment + - softwareupdate.pending-version diff --git a/declarative/declarations/configurations/watch.enrollment.yaml b/declarative/declarations/configurations/watch.enrollment.yaml index 8d751bd..962d76a 100644 --- a/declarative/declarations/configurations/watch.enrollment.yaml +++ b/declarative/declarations/configurations/watch.enrollment.yaml @@ -36,9 +36,10 @@ payloadkeys: assettypes: - com.apple.asset.credential.certificate presence: optional - content: An array of identifiers of asset declarations that contain anchor certificates - to use to evaluate the trust of the enrollment profile server. Set the type of - the corresponding assets to 'com.apple.asset.credential.certificate'. + content: |- + An array of identifiers of asset declarations that contain anchor certificates to use to evaluate the trust of the enrollment profile server. Set the type of the corresponding assets to 'com.apple.asset.credential.certificate'. + These certificates are pinned, meaning that the server specified by the 'EnrollmentProfileURL' must use a certificate that chains to one of the certs in this array. + If it chains to one of the built-in trusted root certificates but not one of the 'AnchorCertificateAssetReferences' certs, the connection will fail. subkeys: - key: AnchorCertificateAssetReferenceItem type: diff --git a/declarative/status/account.list.caldav.yaml b/declarative/status/account.list.caldav.yaml index 683c805..38664ac 100644 --- a/declarative/status/account.list.caldav.yaml +++ b/declarative/status/account.list.caldav.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.carddav.yaml b/declarative/status/account.list.carddav.yaml index 7f25271..661dee7 100644 --- a/declarative/status/account.list.carddav.yaml +++ b/declarative/status/account.list.carddav.yaml 
@@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.exchange.yaml b/declarative/status/account.list.exchange.yaml index 85f6cf0..0f3360d 100644 --- a/declarative/status/account.list.exchange.yaml +++ b/declarative/status/account.list.exchange.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.google.yaml b/declarative/status/account.list.google.yaml index 3acaead..932a328 100644 --- a/declarative/status/account.list.google.yaml +++ b/declarative/status/account.list.google.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.ldap.yaml b/declarative/status/account.list.ldap.yaml index 6d31841..f268daf 100644 --- a/declarative/status/account.list.ldap.yaml +++ b/declarative/status/account.list.ldap.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.mail.incoming.yaml b/declarative/status/account.list.mail.incoming.yaml index c3d429d..6666da6 100644 --- a/declarative/status/account.list.mail.incoming.yaml +++ b/declarative/status/account.list.mail.incoming.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/account.list.mail.outgoing.yaml b/declarative/status/account.list.mail.outgoing.yaml index 8610069..b565b4e 100644 --- a/declarative/status/account.list.mail.outgoing.yaml +++ b/declarative/status/account.list.mail.outgoing.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local 
diff --git a/declarative/status/account.list.subscribed-calendar.yaml b/declarative/status/account.list.subscribed-calendar.yaml index edb2daf..9361b66 100644 --- a/declarative/status/account.list.subscribed-calendar.yaml +++ b/declarative/status/account.list.subscribed-calendar.yaml @@ -28,6 +28,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.identifier.serial-number.yaml b/declarative/status/device.identifier.serial-number.yaml index c3cd141..05262f4 100644 --- a/declarative/status/device.identifier.serial-number.yaml +++ b/declarative/status/device.identifier.serial-number.yaml @@ -34,6 +34,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - local allowed-scopes: diff --git a/declarative/status/device.identifier.udid.yaml b/declarative/status/device.identifier.udid.yaml index 09503df..5a87626 100644 --- a/declarative/status/device.identifier.udid.yaml +++ b/declarative/status/device.identifier.udid.yaml @@ -34,6 +34,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - local allowed-scopes: diff --git a/declarative/status/device.model.family.yaml b/declarative/status/device.model.family.yaml index 4085ac4..a2e6266 100644 --- a/declarative/status/device.model.family.yaml +++ b/declarative/status/device.model.family.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.model.identifier.yaml b/declarative/status/device.model.identifier.yaml index ea9d640..4dda4d5 100644 --- a/declarative/status/device.model.identifier.yaml +++ b/declarative/status/device.model.identifier.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local 
diff --git a/declarative/status/device.model.marketing-name.yaml b/declarative/status/device.model.marketing-name.yaml index 72881ee..ecb43b1 100644 --- a/declarative/status/device.model.marketing-name.yaml +++ b/declarative/status/device.model.marketing-name.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.model.number.yaml b/declarative/status/device.model.number.yaml index d867e7d..28b3ea6 100644 --- a/declarative/status/device.model.number.yaml +++ b/declarative/status/device.model.number.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.operating-system.build-version.yaml b/declarative/status/device.operating-system.build-version.yaml index d9ac145..3f472cc 100644 --- a/declarative/status/device.operating-system.build-version.yaml +++ b/declarative/status/device.operating-system.build-version.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.operating-system.family.yaml b/declarative/status/device.operating-system.family.yaml index 0ec0ba1..564d0df 100644 --- a/declarative/status/device.operating-system.family.yaml +++ b/declarative/status/device.operating-system.family.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.operating-system.marketing-name.yaml b/declarative/status/device.operating-system.marketing-name.yaml index 155b93d..5a87041 100644 --- a/declarative/status/device.operating-system.marketing-name.yaml +++ b/declarative/status/device.operating-system.marketing-name.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local 
diff --git a/declarative/status/device.operating-system.supplemental.build-version.yaml b/declarative/status/device.operating-system.supplemental.build-version.yaml index c8ffe3c..f6dfd77 100644 --- a/declarative/status/device.operating-system.supplemental.build-version.yaml +++ b/declarative/status/device.operating-system.supplemental.build-version.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.operating-system.supplemental.extra-version.yaml b/declarative/status/device.operating-system.supplemental.extra-version.yaml index f1f22a9..e63ca3f 100644 --- a/declarative/status/device.operating-system.supplemental.extra-version.yaml +++ b/declarative/status/device.operating-system.supplemental.extra-version.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/device.operating-system.version.yaml b/declarative/status/device.operating-system.version.yaml index 824e478..b527c38 100644 --- a/declarative/status/device.operating-system.version.yaml +++ b/declarative/status/device.operating-system.version.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/management.client-capabilities.yaml b/declarative/status/management.client-capabilities.yaml index 92f2d05..ec429fe 100644 --- a/declarative/status/management.client-capabilities.yaml +++ b/declarative/status/management.client-capabilities.yaml @@ -33,6 +33,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user allowed-scopes: diff --git a/declarative/status/management.declarations.yaml b/declarative/status/management.declarations.yaml index d031363..15cf551 100644 --- a/declarative/status/management.declarations.yaml +++ b/declarative/status/management.declarations.yaml 
@@ -33,6 +33,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user allowed-scopes: diff --git a/declarative/status/mdm.app.yaml b/declarative/status/mdm.app.yaml index 05f429e..bbbb212 100644 --- a/declarative/status/mdm.app.yaml +++ b/declarative/status/mdm.app.yaml @@ -27,6 +27,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user allowed-scopes: @@ -61,7 +62,8 @@ payloadkeys: default: false content: To indicate removal of an app, this key's value is set to true, and only this key and the "identifier" key will be present in the status item - object. + object. An MDM installed app will be reported as removed if management of + the app has been transferred to declarative device management. - key: name title: App name type: diff --git a/declarative/status/passcode.is-compliant.yaml b/declarative/status/passcode.is-compliant.yaml index 7ae00fe..1f0a729 100644 --- a/declarative/status/passcode.is-compliant.yaml +++ b/declarative/status/passcode.is-compliant.yaml @@ -23,6 +23,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/passcode.is-present.yaml b/declarative/status/passcode.is-present.yaml index 394ccde..e289d32 100644 --- a/declarative/status/passcode.is-present.yaml +++ b/declarative/status/passcode.is-present.yaml @@ -23,6 +23,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/security.certificate.list.yaml b/declarative/status/security.certificate.list.yaml index 17c0b3c..487c97b 100644 --- a/declarative/status/security.certificate.list.yaml +++ b/declarative/status/security.certificate.list.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local 
diff --git a/declarative/status/services.background-task.yaml b/declarative/status/services.background-task.yaml index 887ce32..0c615a7 100644 --- a/declarative/status/services.background-task.yaml +++ b/declarative/status/services.background-task.yaml @@ -110,3 +110,33 @@ payloadkeys: type: presence: required content: The hash value of the 'launchd' 'plist' file. + - key: device-management + title: Device Management + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: If present, indicates this background task was created by a 'services.background-tasks' + configuration. This dictionary contains properties that identify the configuration + and specific version of the declaration asset that provided the launchd + plist for the task. + subkeys: + - key: configuration-identifier + title: Configuration Identifier + type: + presence: required + content: The identifier of the 'services.background-tasks' configuration + that created this task. + - key: asset-identifier + title: Asset Identifier + type: + presence: required + content: The identifier of the declaration asset that provided the launchd + plist for this task. + - key: asset-server-token + title: Asset Server Token + type: + presence: required + content: The server token of the declaration asset that provided the launchd + plist for this task. diff --git a/declarative/status/softwareupdate.beta-enrollment.yaml b/declarative/status/softwareupdate.beta-enrollment.yaml new file mode 100644 index 0000000..51e73fd --- /dev/null +++ b/declarative/status/softwareupdate.beta-enrollment.yaml 
@@ -0,0 +1,34 @@ +title: Status Software Update Beta Enrollment +description: The device's enrolled beta program. +payload: + statusitemtype: softwareupdate.beta-enrollment + supportedOS: + iOS: + introduced: '18.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.beta-enrollment + title: The device's enrolled beta program. + type: + presence: required + content: The device's enrolled beta program name, or an empty string if there is + no enrolled beta program. diff --git a/declarative/status/softwareupdate.device-id.yaml b/declarative/status/softwareupdate.device-id.yaml new file mode 100644 index 0000000..d95aa3f --- /dev/null +++ b/declarative/status/softwareupdate.device-id.yaml @@ -0,0 +1,34 @@ +title: Status Software Update Device ID +description: The device's software update device ID. +payload: + statusitemtype: softwareupdate.device-id + supportedOS: + iOS: + introduced: '18.0' + allowed-enrollments: + - supervised + - device + allowed-scopes: + - system + sharedipad: + allowed-scopes: + - system + macOS: + introduced: '15.0' + allowed-enrollments: + - supervised + allowed-scopes: + - system + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a +payloadkeys: +- key: softwareupdate.device-id + title: The device's software update device ID. + type: + presence: required + content: The device identifier to use when looking up available software updates + via . diff --git a/declarative/status/test.array-value.yaml b/declarative/status/test.array-value.yaml index 14d07b5..d2c0eea 100644 --- a/declarative/status/test.array-value.yaml +++ b/declarative/status/test.array-value.yaml 
@@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.boolean-value.yaml b/declarative/status/test.boolean-value.yaml index 6ea1a6f..a18c63c 100644 --- a/declarative/status/test.boolean-value.yaml +++ b/declarative/status/test.boolean-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.dictionary-value.yaml b/declarative/status/test.dictionary-value.yaml index 8f40710..c9f7ca6 100644 --- a/declarative/status/test.dictionary-value.yaml +++ b/declarative/status/test.dictionary-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.error-value.yaml b/declarative/status/test.error-value.yaml index 05a1526..f02cba4 100644 --- a/declarative/status/test.error-value.yaml +++ b/declarative/status/test.error-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.integer-value.yaml b/declarative/status/test.integer-value.yaml index 5ff5717..ee98887 100644 --- a/declarative/status/test.integer-value.yaml +++ b/declarative/status/test.integer-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.real-value.yaml b/declarative/status/test.real-value.yaml index dbc6115..11766e5 100644 --- a/declarative/status/test.real-value.yaml +++ b/declarative/status/test.real-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/declarative/status/test.string-value.yaml b/declarative/status/test.string-value.yaml index 0b89288..f7038b1 100644 
--- a/declarative/status/test.string-value.yaml +++ b/declarative/status/test.string-value.yaml @@ -36,6 +36,7 @@ payload: visionOS: introduced: '1.1' allowed-enrollments: + - supervised - device - user - local diff --git a/docs/errata.md b/docs/errata.md index 61f7611..d29cb09 100644 --- a/docs/errata.md +++ b/docs/errata.md 
@@ -2,13 +2,37 @@ This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem. +## iOS 18 / macOS 15 + +### tvOS + +tvOS `introduced` values have been set to a minimum value of `9.0` to reflect the first version of tvOS itself, as opposed to earlier versions of the Apple TV Software. + +### declarative/declarations/configurations/account.exchange.yaml + +The `Active` keys were incorrectly marked as unsupported on macOS. + +### mdm/profiles/com.apple.ManagedClient.preferences.yaml + +The `PayloadContent` key of the `com.apple.ManagedClient.preferences` profile +payload was incorrectly named `PreferenceDomain`; the key itself also represents +a dictionary of application preference domain identifiers to +`ManagedPreference.PreferenceDomain`s (rather than a single +`ManagedPreference.PreferenceDomain`). + +### mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml + +iOS 17 supported multiple private network payloads, but the `multiple` key was set to false. + +iOS 17 also mistakenly forbade multiple private network payloads in a single profile. + ## iOS 17 / macOS 14 -### profiles/com.apple.education.yaml +### mdm/profiles/com.apple.education.yaml The `GroupBeaconIDs` key in the `DepartmentsItem` dictionary in the `com.apple.education` profile payload incorrectly listed its type as an array of `string`. The correct type is an array of `integer`. -### profiles/com.apple.vpn.managed.yaml +### mdm/profiles/com.apple.vpn.managed.yaml The `CertificateType` key in the `com.apple.vpn.managed` profile payload incorrectly listed `Ed25519` as a supported certificate type. That type was never supported and has now been removed. 
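Review bot: In the new `mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml` errata entry, the two sentences contradict each other: the first says iOS 17 supported multiple private network payloads and only the schema's `multiple` key was wrongly `false`, the second says iOS 17 itself "mistakenly forbade multiple private network payloads in a single profile". If the OS accepted them and only the schema was wrong, drop the second sentence; if the OS rejected them in iOS 17 and accepts them now, say so and name the release that changed the behaviour, because an MDM vendor reads this file to decide whether to keep splitting payloads across profiles for iOS 17 devices.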
@@ -18,32 +42,32 @@ There were a number of keys in the VPN dictionary that were implied to appear in The `ActionParameters` key in the profile payload has always been an array of dictionaries. -### mdmprotocol/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml +### mdm/commands passcode.firmware.set.yaml passcode.firmware.verify.yaml The response keys were incorrectly listed as being top-level keys in the response dictionary when in fact they were nested one-level deep. -### profiles/com.apple.vpn.managed.applayer.yaml +### mdm/profiles/com.apple.vpn.managed.applayer.yaml The `OnDemandMatchAppEnabled` key in the `com.apple.vpn.managed.applayer` profile payload incorrectly listed its type as `integer`. The correct type is `boolean`. -### profiles/com.apple.wifi.managed.yaml +### mdm/profiles/com.apple.wifi.managed.yaml The EAPClientConfiguration dictionary listed both OneTimePassword and OneTimeUserPassword as valid keys. The erroneous OneTimePassword key has been removed. -### profiles/com.apple.security.scep.yaml +### mdm/profiles/com.apple.security.scep.yaml The documentation indicated that all the keys in the SubjectAltName value could be either string or array types. The ntPrincipalName cannot be an array and must be a string. This has been clarified in the description. Note that the type field for the rfc822Name, dNSName, and uniformResourceIdentifier still indicates these are strings. This has not been corrected as the schema does not support polymorphic types. -### profiles/com.apple.universalaccess.yaml +### mdm/profiles/com.apple.universalaccess.yaml The `contrast` key in the `com.apple.universalaccess` profile payload incorrectly listed its type as `integer`. The correct type is `real`. -### profiles/com.apple.extensiblesso.yaml +### mdm/profiles/com.apple.extensiblesso.yaml The `AuthorizationGroups` key was updated as the key values-pairs in the dictionary were incorrectly stated. 
-### profiles/com.apple.dnsSettings.managed +### mdm/profiles/com.apple.dnsSettings.managed The `ActionParameters` key in the `com.apple.dnsSettings.managed` profile payload has always been an array of dictionaries. diff --git a/docs/schema.md b/docs/schema.md index e4a7658..6b9edc1 100644 --- a/docs/schema.md +++ b/docs/schema.md @@ -14,6 +14,7 @@ The definition of the schema used here is in the `schema.yaml` file. That file c | payloadkeys | array | A list of YAML objects representing the command request | | responsekeys | array | A list of YAML objects representing the command response | | reasons | array | A list of YAML objects representing declarative device management status reason codes | +| notes | array | A list of YAML objects representing additional notes for the schema item as a whole | ### Payload Object @@ -95,8 +96,9 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and | title | string | The title of the key | | supportedOS | object | Identifies the range of supported OS versions that support the key | | type | string | The type of key | -| subtype | string | Indicates the expected format of the string value of the key | -| assettypes | string | Indicates the set of allowed asset types | +| subtype | string | Indicates the expected format of the string value of the key (deprecated) | +| valuetype | string | Indicates the expected format of the string value of the key | +| assettypes | array | Indicates the set of allowed asset types | | presence | string | Whether the key is required or optional | | rangelist | array | List of allowed values for this key | | range | object | Bounds for the value of this key | 
@@ -110,11 +112,62 @@ The `mode` can have one of four values: `allowed`, `required`, `forbidden`, and __Notes__ -The `type` value can be one of: ``, ``, ``, ``, ``, ``, ``, ``, or ``. The value `` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated. +The `subtype` key is deprecated in favor of the `valuetype` key. -The `subtype` value can be one of: ``, ``, or ``, to indicate the expected value of a string. +The `presence` value must be one of: `required` or `optional`. -The `presence` value can be one of: `required` or `optional`. +#### Type Values + +| Name | Description | +|---------------|-------------| +| \ | A string value | +| \ | An integer value | +| \ | A real value | +| \ | A boolean value | +| \ | A date value (deprecated) | +| \ | A data value | +| \ | An array value | +| \ | A dictionary value | +| \ | Any standard value | + +__Notes__ + +If the `` value is used, the `valuetype` key may also be specified to define a specific format for the string (see below). + +The value `` may be used to indicate that any of the standard values can be used without any expectation that the value will be validated. + +The `` value is deprecated. Instead `` will be used with a suitable `` set to indicate one of several date-time formats. + +#### Valuetype Values + +`domain` +: The string value is a domain name. This is an exact match (i.e., `example.com` will match `example.com` and will not match `test.example.com`, `1example.com`, `example.com2`). + +`domain-prefix` +: The string value is a domain name pattern, with matching rules as follows: +* If the string starts with a `*.`, the pattern will match any sub-domain of the parent domain, but not the parent domain itself (i.e., `*.example.com` will match `test.example.com` and will not match `example.com`, `test.1example.com`, `test.example.com2`). 
+* If the match prefix is not present, the pattern will match the exact domain only (i.e., `example.com` will match `example.com` and will not match `test.example.com`, `1example.com`, `example.com2`). + +`email` +: The string value is an email address conforming to the syntax of [RFC 5322](https://www.rfc-editor.org/rfc/rfc5322.txt). e.g., `user@example.com`. + +`hostname` +: The string value is a hostname, IPv4 address, or IPv6 address (with the IPV6 literal enclosed in square braces). e.g., `server.example.com`, `10.0.1.1`, `[fe80::1]`. + +`localtime` +: The string value is a date and time conforming to the syntax of [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339.txt) without a `time-offset` or `time-secfrac` element: `YYYY-MM-DDTHH:MM:SS`. e.g., `2023-09-21T12:00:00`. + +`regex` +: The string value is a regular expression. + +`timestamp` +: The string value is a date and time conforming to the syntax of [RFC 3339](https://www.rfc-editor.org/rfc/rfc3339.txt) with a `time-offset` element, and without a `time-secfrac` element: `YYYY-MM-DDTHH:MM:SSZ` or `YYYY-MM-DDTHH:MM:SS+ZZZZ`. e.g., `2023-09-21T12:00:00Z`, `2023-09-21T12:00:00-0500`. + +`url` +: The string value is a URL conforming to the syntax of [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986.txt). + +`uuid` +: The string value is a 36-character UUID, with both lowercase and uppercase hexadecimal digits allowed. ### Range Object diff --git a/docs/schema.yaml b/docs/schema.yaml index 053a174..a7a16b0 100644 --- a/docs/schema.yaml +++ b/docs/schema.yaml 
@@ -369,3 +369,21 @@ properties: note: type: string description: A description of the relationship. + + notes: + type: array + description: An array of additional notes about a payload. These are published to the open source repository. + items: + type: object + description: An additional note about a payload. A note is written in "markdown" and can be transformed to HTML if needed. + additionalProperties: false + required: + - title + - content + properties: + title: + type: string + description: Title for the note. + content: + type: string + description: The note content in "markdown" format. diff --git a/mdm/checkin/declarativemanagement.yaml b/mdm/checkin/declarativemanagement.yaml index 7aa384c..842cb84 100644 --- a/mdm/checkin/declarativemanagement.yaml +++ b/mdm/checkin/declarativemanagement.yaml @@ -120,9 +120,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: On Shared iPad, this value returns the Managed Apple ID of the user. When - present indicates that the token is for the user channel. On macOS, this value - always returns the short name of the user. + content: On Shared iPad, this value returns the Managed Apple Account of the user. + When present indicates that the token is for the user channel. On macOS, this + value always returns the short name of the user. - key: UserID supportedOS: iOS: diff --git a/mdm/checkin/gettoken.yaml b/mdm/checkin/gettoken.yaml index 08bfaff..b57d353 100644 --- a/mdm/checkin/gettoken.yaml +++ b/mdm/checkin/gettoken.yaml 
@@ -151,9 +151,9 @@ payloadkeys: introduced: n/a type: presence: optional - content: On Shared iPad, this value returns the Managed Apple ID of the user. When - present, it indicates that the token is for the user channel. In macOS, this value - returns the short name of the user. + content: On Shared iPad, this value returns the Managed Apple Account identifier + of the user. When present, it indicates that the token is for the user channel. + In macOS, this value returns the short name of the user. - key: UserID supportedOS: iOS: diff --git a/mdm/checkin/tokenupdate.yaml b/mdm/checkin/tokenupdate.yaml index e5a2a1a..67bb59f 100644 --- a/mdm/checkin/tokenupdate.yaml +++ b/mdm/checkin/tokenupdate.yaml @@ -129,7 +129,7 @@ payloadkeys: type: presence: optional content: |- - On Shared iPad: This is the Managed Apple ID of the user on Shared iPad. It indicates that the token is for the user channel. + On Shared iPad: This is the Managed Apple Account identifier of the user on Shared iPad. It indicates that the token is for the user channel. On macOS, this is the short name of the user. - key: UserID supportedOS: diff --git a/mdm/commands/application.extensions.listactive.yaml b/mdm/commands/application.extensions.listactive.yaml index 57978b4..1393a07 100644 --- a/mdm/commands/application.extensions.listactive.yaml +++ b/mdm/commands/application.extensions.listactive.yaml @@ -1,4 +1,4 @@ -title: Application:List Active NSExtensions +title: Active NSExtensions Command description: Returns information about the active NSExtensions for a particular user. payload: requesttype: ActiveNSExtensions diff --git a/mdm/commands/application.extensions.mappings.yaml b/mdm/commands/application.extensions.mappings.yaml index 893755d..0a6b6fe 100644 --- a/mdm/commands/application.extensions.mappings.yaml +++ b/mdm/commands/application.extensions.mappings.yaml 
@@ -1,4 +1,4 @@ -title: NSExtensions Mappings NSExtensions +title: NSExtension Mappings Command description: This command returns information about installed extensions for a user. payload: requesttype: NSExtensionMappings diff --git a/mdm/commands/application.install.enterprise.yaml b/mdm/commands/application.install.enterprise.yaml index d5b77fa..8b122c4 100644 --- a/mdm/commands/application.install.enterprise.yaml +++ b/mdm/commands/application.install.enterprise.yaml @@ -40,7 +40,8 @@ payloadkeys: - key: ManifestURL type: presence: optional - content: The URL of the app manifest, which needs to begin with 'https:'. + content: The URL of the app manifest, which needs to begin with 'https:'. The manifest + is returned as a property list. - key: ManifestURLPinningCerts type: presence: optional diff --git a/mdm/commands/application.install.yaml b/mdm/commands/application.install.yaml index 61d8cfe..d8b548b 100644 --- a/mdm/commands/application.install.yaml +++ b/mdm/commands/application.install.yaml @@ -88,7 +88,8 @@ payloadkeys: introduced: '7.0' type: presence: optional - content: The URL of the app manifest, which needs to begin with 'https:'. + content: The URL of the app manifest, which needs to begin with 'https:'. The manifest + is returned as a property list. - key: ManagementFlags supportedOS: macOS: @@ -350,6 +351,7 @@ responsekeys: - ManagementChangeNotSupported - NotAnApp - NotSupported + - Other - PurchaseMethodNotSupported - PurchaseMethodNotSupportedInMultiUser - content: The reason, if installation fails. + content: The reason, if installation fails. macOS only returns "Other". diff --git a/mdm/commands/application.installed.list.yaml b/mdm/commands/application.installed.list.yaml index c1006cb..55fbe15 100644 --- a/mdm/commands/application.installed.list.yaml +++ b/mdm/commands/application.installed.list.yaml 
@@ -1,4 +1,4 @@ -title: Application List Command +title: Installed Application List Command description: This command allows the server to query for installed 3rd party applications. payload: requesttype: InstalledApplicationList @@ -221,8 +221,8 @@ responsekeys: introduced: '11.3' type: presence: optional - content: If 'true', installing the app didn't require an Apple ID. This value - is available in iOS 11.3 and later, and tvOS 11.3 and later. + content: If 'true', installing the app didn't require an Apple Account. This + value is available in iOS 11.3 and later, and tvOS 11.3 and later. - key: BetaApp supportedOS: iOS: @@ -294,6 +294,17 @@ responsekeys: default: false content: If 'true', the app is an App Clip. Available in iOS 16 and later. - key: Source + supportedOS: + iOS: + introduced: '17.2' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a type: presence: optional content: The source of the application. When the app is managed by Declarative diff --git a/mdm/commands/certificate.list.yaml b/mdm/commands/certificate.list.yaml index 66b6685..df2e3fb 100644 --- a/mdm/commands/certificate.list.yaml +++ b/mdm/commands/certificate.list.yaml @@ -29,7 +29,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowInspection supervised: false visionOS: diff --git a/mdm/commands/device.activationlock.bypasscode.yaml b/mdm/commands/device.activationlock.bypasscode.yaml index 62fb7db..8bdc347 100644 --- a/mdm/commands/device.activationlock.bypasscode.yaml +++ b/mdm/commands/device.activationlock.bypasscode.yaml @@ -24,7 +24,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + accessrights: None + supervised: true + requiresdep: false + userenrollment: + mode: forbidden watchOS: introduced: n/a content: Retrieves the Activation Lock bypass code from the device. This bypass 
diff --git a/mdm/commands/device.activationlock.clearbypasscode.yaml b/mdm/commands/device.activationlock.clearbypasscode.yaml index 128b422..0b49aa9 100644 --- a/mdm/commands/device.activationlock.clearbypasscode.yaml +++ b/mdm/commands/device.activationlock.clearbypasscode.yaml @@ -24,7 +24,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + accessrights: None + supervised: true + requiresdep: false + userenrollment: + mode: forbidden watchOS: introduced: n/a content: Clears the Activation Lock bypass code from the device. diff --git a/mdm/commands/device.configured.yaml b/mdm/commands/device.configured.yaml index e962e73..b87c67f 100644 --- a/mdm/commands/device.configured.yaml +++ b/mdm/commands/device.configured.yaml @@ -28,7 +28,12 @@ payload: accessrights: None supervised: true visionOS: - introduced: n/a + introduced: '2.0' + accessrights: None + supervised: true + requiresdep: true + userenrollment: + mode: forbidden watchOS: introduced: n/a content: Informs the device that it can continue past DEP enrollment. Only works diff --git a/mdm/commands/device.erase.yaml b/mdm/commands/device.erase.yaml index 75a8869..6f8b227 100644 --- a/mdm/commands/device.erase.yaml +++ b/mdm/commands/device.erase.yaml @@ -1,4 +1,4 @@ -title: Device Erase Command +title: Erase Device Command description: This command allows the server to remotely erase the device. This command requires the Device Erase right. payload: @@ -131,7 +131,7 @@ payloadkeys: macOS: introduced: n/a tvOS: - introduced: n/a + introduced: '18.0' visionOS: introduced: n/a watchOS: @@ -139,7 +139,7 @@ payloadkeys: type: presence: optional content: The configuration settings for Return to Service. This value is available - in iOS 17 and later. + in iOS 17 and later and with Shared iPad and tvOS 18 and later. subkeys: - key: Enabled title: Use Return to Service diff --git a/mdm/commands/device.esim.yaml b/mdm/commands/device.esim.yaml index 7bace41..e333414 100644 
--- a/mdm/commands/device.esim.yaml +++ b/mdm/commands/device.esim.yaml @@ -1,4 +1,4 @@ -title: eSIM Cellular Plan Management Command +title: Refresh Cellular Plans Command description: Instructs the device to query for active cellular plan eSIM "profiles" at the designated carrier eSIM server URL. payload: diff --git a/mdm/commands/device.lock.yaml b/mdm/commands/device.lock.yaml index da80d2e..bb0ab7f 100644 --- a/mdm/commands/device.lock.yaml +++ b/mdm/commands/device.lock.yaml @@ -26,7 +26,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + accessrights: AllowPasscodeRemovalAndLock + supervised: false + requiresdep: false + userenrollment: + mode: allowed watchOS: introduced: '10.0' accessrights: AllowPasscodeRemovalAndLock @@ -42,6 +47,8 @@ payloadkeys: mode: ignored macOS: introduced: '10.14' + visionOS: + introduced: n/a type: presence: optional content: The message to display on the Lock screen of the device. This value doesn't @@ -55,6 +62,8 @@ payloadkeys: mode: ignored macOS: introduced: '11.5' + visionOS: + introduced: n/a type: presence: optional content: The phone number to display on the Lock screen. This value doesn't apply @@ -66,6 +75,8 @@ payloadkeys: introduced: n/a macOS: introduced: '10.8' + visionOS: + introduced: n/a watchOS: introduced: n/a type: diff --git a/mdm/commands/device.lostmode.disable.yaml b/mdm/commands/device.lostmode.disable.yaml index 0c577f7..d238d42 100644 --- a/mdm/commands/device.lostmode.disable.yaml +++ b/mdm/commands/device.lostmode.disable.yaml @@ -1,4 +1,4 @@ -title: Disable MDM Lost Mode Command +title: Disable Lost Mode Command description: This command allows the server to take the device out of MDM lost mode. payload: requesttype: DisableLostMode diff --git a/mdm/commands/device.lostmode.enable.yaml b/mdm/commands/device.lostmode.enable.yaml index 8e02907..ae519f6 100644 --- a/mdm/commands/device.lostmode.enable.yaml +++ b/mdm/commands/device.lostmode.enable.yaml 
@@ -1,4 +1,4 @@ -title: Enable MDM Lost Mode Command +title: Enable Lost Mode Command description: This command allows the server to put the device in MDM lost mode, with a message, phone number, and footnote text. A message or phone number must be provided. payload: diff --git a/mdm/commands/device.restart.yaml b/mdm/commands/device.restart.yaml index 1c296ef..1ec823c 100644 --- a/mdm/commands/device.restart.yaml +++ b/mdm/commands/device.restart.yaml @@ -1,4 +1,4 @@ -title: Device Restart Command +title: Restart Device Command description: This command requires the Device Lock access right. The device will restart immediately. payload: diff --git a/mdm/commands/device.restrictions.list.yaml b/mdm/commands/device.restrictions.list.yaml index 150a111..2799429 100644 --- a/mdm/commands/device.restrictions.list.yaml +++ b/mdm/commands/device.restrictions.list.yaml @@ -1,4 +1,4 @@ -title: Device Restrictions Command +title: Restrictions Command description: This command allows the server to determine what restrictions are being enforced on the device, and the total sum of all restrictions. This command requires the Restrictions Query access right. @@ -19,7 +19,7 @@ payload: macOS: introduced: n/a tvOS: - introduced: '6.1' + introduced: '9.0' accessrights: AllowQueryRestrictions supervised: false visionOS: diff --git a/mdm/commands/device.shutdown.yaml b/mdm/commands/device.shutdown.yaml index e442391..2aed195 100644 --- a/mdm/commands/device.shutdown.yaml +++ b/mdm/commands/device.shutdown.yaml @@ -1,4 +1,4 @@ -title: Device Shut Down Command +title: Shut Down Device Command description: This command requires the Device Lock access right. The device will shut down immediately. payload: diff --git a/mdm/commands/information.device.yaml b/mdm/commands/information.device.yaml index d3c250c..06570d1 100644 --- a/mdm/commands/information.device.yaml +++ b/mdm/commands/information.device.yaml 
@@ -24,7 +24,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: Special Case supervised: false visionOS: @@ -68,6 +68,7 @@ payloadkeys: watchOS: accessrights: n/a type: + presence: optional content: The key to get the unique identifier of the device. - key: ProvisioningUDID supportedOS: @@ -85,6 +86,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the device identifier for provisioning profiles. This value differs from the UDID for Apple silicon. Available in macOS 11.3 and later. @@ -103,6 +105,7 @@ payloadkeys: watchOS: accessrights: n/a type: + presence: optional content: The key to get the contents of SettingsCommand.Command.Settings.OrganizationInfo.OrganizationInfo. - key: MDMOptions supportedOS: @@ -119,6 +122,7 @@ payloadkeys: watchOS: introduced: '10.0' type: + presence: optional content: The key to get the contents of SettingsCommand.Command.Settings.MDMOptions.MDMOptions. - key: LastCloudBackupDate supportedOS: @@ -136,6 +140,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the date of the most recent iCloud backup. Available in iOS 8 and later. - key: AwaitingConfiguration @@ -154,10 +159,13 @@ payloadkeys: introduced: '10.2' accessrights: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: accessrights: n/a type: + presence: optional content: The key to determine whether the device is waiting for a DeviceConfigured or UserConfigured Command to continue through Setup Assistant on the device channel or user channel, respectively. @@ -181,6 +189,7 @@ payloadkeys: watchOS: accessrights: AllowAppInstallation type: + presence: optional content: The key to determine whether iTunes Store account is active. Requires the App Installation access right. - key: iTunesStoreAccountHash 
@@ -203,6 +212,7 @@ payloadkeys: watchOS: accessrights: AllowAppInstallation type: + presence: optional content: The key to get a hash of the logged-in iTunes Store account. Also see GetVppUserRequest. This value requires the App Installation access right. - key: DeviceName @@ -218,6 +228,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the device name. Requires the Device Information access right. - key: OSVersion @@ -233,6 +244,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the operating system version. Requires the Device Information access right. - key: SupplementalOSVersionExtra @@ -251,6 +263,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the OS update rapid security response version letter, if a rapid security response update is installed. This value requires the Device Information access right. @@ -267,6 +280,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the operating system version. This value requires the Device Information access right. - key: SupplementalBuildVersion @@ -285,6 +299,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the build version for the currently installed rapid security response. If there's no installed rapid security response, this value is the same as 'BuildVersion'. Requires the Device Information access right. @@ -301,6 +316,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the model name, such as iPhone. Requires the Device Information access right. - key: Model 
@@ -316,6 +332,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the model. Requires the Device Information access right. - key: ModelNumber supportedOS: @@ -333,6 +350,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the device's hardware model number including region info, such as 'MK1A3LL/A'. Requires the Device Information access right. Requires Apple silicon on macOS. @@ -350,6 +368,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device is a Mac with Apple silicon (for example, an Apple M1 chip). Available in macOS 12 and later. - key: ProductName @@ -365,6 +384,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the product name, such as iPad8,12. This value requires the Device Information access right. - key: SerialNumber @@ -386,6 +406,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the serial number. Requires the Device Information access right. - key: DeviceCapacity @@ -401,6 +422,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the device's total capacity. Requires the Device Information access right. Available in iOS 4 and later, and macOS 10.7 and later. - key: AvailableDeviceCapacity @@ -416,6 +438,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the available capacity. Requires the Device Information access right. Available in iOS 4 and later, and macOS 10.7 and later. - key: IMEI 
@@ -434,6 +457,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the International Mobile Equipment Identity (IMEI) number. Requires the Device Information access right. Available as of iOS 4 and deprecated in iOS 16. @@ -453,6 +477,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the mobile equipment ID (MEID). Requires the Device Information access right. Available as of iOS 4 and deprecated in iOS 16. - key: ModemFirmwareVersion @@ -470,6 +495,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the modem firmware version. Requires the Device Information access right. Available in iOS 4 and later. - key: CellularTechnology @@ -486,6 +512,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the cellular technology type. Requires the Device Information access right. Available in iOS 4.2.6 and later. - key: BatteryLevel @@ -503,6 +530,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the battery level. Requires the Device Information access right. Available in iOS 5 and later. - key: HasBattery @@ -519,6 +547,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device has an internal battery. - key: IsSupervised supportedOS: @@ -535,6 +564,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the device is supervised. Requires the Device Information access right. Available in iOS 6 and later, macOS 10.15 and later, and tvOS 9 and later. 
@@ -552,6 +582,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device is a Shared iPad. Requires the Device Information access right. Available in iOS 9.3 and later. - key: IsDeviceLocatorServiceEnabled @@ -568,6 +599,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the system enabled a device locator service such as Find My on the device. Requires the Device Information access right. Available in iOS 7 and later. @@ -593,6 +625,7 @@ payloadkeys: deprecated: '10.0' accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the system enabled Activation Lock on the device. Requires the Device Information access right. Available as of iOS 7 and macOS 10.15, and deprecated in iOS 16 and macOS 13. @@ -612,6 +645,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device supports Activation Lock. Also see 'IsActivationLockManageable' in SecurityInfoResponse.SecurityInfo.ManagementStatus. Available in macOS 10.9 and later. @@ -633,6 +667,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the device is in Do Not Disturb (DND) mode. Requires the Device Information access right. Available in iOS 7 and later. @@ -643,13 +678,14 @@ payloadkeys: macOS: introduced: n/a tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowQueryDeviceInformation visionOS: introduced: n/a watchOS: introduced: n/a type: + presence: optional content: The key to get the device ID. Requires the Device Information access right. Available in tvOS 6 and later. - key: EASDeviceIdentifier 
@@ -666,6 +702,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the device identifier for Exchange ActiveSync (EAS). Requires the Device Information access right. Available in iOS 7 and later. - key: IsCloudBackupEnabled @@ -686,6 +723,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system enabled iCloud Backup on the device. Requires the Device Information access right. Available in iOS 7.1 and later. @@ -704,6 +742,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get an array of directory GUIDs for logged-in managed users. Requires the Device Information access right. Available in macOS 10.11 and later. @@ -723,6 +762,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the contents of DeviceInformationResponse.QueryResponses.OSUpdateSettings. Requires the Device Information access right. Available in macOS 10.11 and later. @@ -740,6 +780,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the local hostname from Bonjour. Available in macOS 10.11 and later. - key: HostName @@ -756,6 +797,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the hostname. Available in macOS 10.11 and later. - key: AutoSetupAdminAccounts supportedOS: @@ -774,6 +816,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the contents of DeviceInformationResponse.QueryResponses.AutoSetupAdminAccountsItem, which Setup Assistant automatically creates during enrollment. Requires the Device Information access right. Available in macOS 10.11 and later. 
@@ -791,6 +834,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system enabled System Integrity Protection on the device. This value requires the Device Information access right, and is available in macOS 10.12 and later. @@ -808,6 +852,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device can receive 'PowerON', 'PowerOFF', and 'Reset' commands from a lights-out management (LOM) controller. Available in macOS 11 and later. @@ -827,6 +872,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the system enabled Managed Lost Mode on the device. Requires the Device Information access right. Available in iOS 9.3 and later. @@ -852,6 +898,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the maximum number of users that can use this Shared iPad device. In iOS 13.4 and later, this value is always '32'. Requires the Device Information access right. Available in iOS 9.3 and later. @@ -877,6 +924,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the estimated number of users that can use this Shared iPad device, according to the available space of the device and each user's quota. Requires the Device Information access right. Available in iOS 14 and @@ -903,6 +951,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the quota size for each user on this Shared iPad device. Requires the Device Information access right. Available in iOS 13.4 and later. - key: ResidentUsers @@ -927,6 +976,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the number of users currently on this Shared iPad device. Requires the Device Information access right. Available in iOS 13.4 and later. - key: UserSessionTimeout 
@@ -951,6 +1001,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the timeout interval for the user session. - key: TemporarySessionTimeout supportedOS: @@ -974,6 +1025,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the timeout interval for the temporary session. - key: TemporarySessionOnly supportedOS: @@ -997,6 +1049,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device only allows temporary sessions. - key: ManagedAppleIDDefaultDomains supportedOS: @@ -1020,6 +1073,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the list of domains that the device suggests on the Shared iPad login screen. Available in iOS 16 and later. - key: OnlineAuthenticationGracePeriod @@ -1044,6 +1098,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the grace period for Shared iPad online authentication (in days). Available in iOS 16 and later. - key: SkipLanguageAndLocaleSetupForNewUsers @@ -1068,6 +1123,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system skips the language and country/region panes for new users on Shared iPad. - key: PushToken @@ -1088,6 +1144,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the push token for the current user-channel connection. The MDM server ignores this query for the device channel. Requires the Device Information access right. Available in iOS 9.3 and later, and macOS 10.12 @@ -1106,6 +1163,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the system enabled the diagnostic submission setting on the device. Requires the Device Information access right. Available in iOS 9.3 and later. 
@@ -1123,6 +1181,7 @@ payloadkeys: watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to determine whether the device is sharing app analytics. Requires the Device Information access right. Available in iOS 4 and later, and macOS 10.7 and later. @@ -1137,10 +1196,12 @@ payloadkeys: introduced: '14.0' accessrights: AllowQueryDeviceInformation visionOS: + introduced: '2.0' accessrights: AllowQueryDeviceInformation watchOS: accessrights: AllowQueryDeviceInformation type: + presence: optional content: The key to get the current Internet Assigned Numbers Authority (IANA) time zone database name. Requires the Device Information access right. Available in iOS 14 and later, and tvOS 14 and later. @@ -1160,6 +1221,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the integrated circuit card (ICC) identifier for the installed SIM card. Requires the Network Information access right. Available as of iOS 4 and deprecated in iOS 16. @@ -1182,6 +1244,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the Bluetooth media access control (MAC) address. Requires the Network Information access right. - key: WiFiMAC @@ -1203,6 +1266,7 @@ payloadkeys: watchOS: accessrights: AllowQueryNetworkInformation type: + presence: optional content: The key to get the Wi-Fi MAC address. Requires the Network Information access right. - key: EthernetMAC @@ -1220,6 +1284,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the primary Ethernet MAC address. Requires the Network Information access right. Available in macOS 10.7 and later. - key: CurrentCarrierNetwork @@ -1238,6 +1303,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the name of the current carrier network. Requires the Network Information access right. Available as of iOS 4 and deprecated in iOS 16. 
@@ -1257,6 +1323,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: Apple no longer supports this query. Use 'SubscriberCarrierNetwork' instead. - key: SubscriberCarrierNetwork @@ -1276,6 +1343,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the home carrier network. Requires the Network Information access right. Available as of iOS 5 and deprecated in iOS 16. - key: CarrierSettingsVersion @@ -1294,6 +1362,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the version of the carrier settings. Requires the Network Information access right. Available as of iOS 4 and deprecated in iOS 16. - key: PhoneNumber @@ -1312,6 +1381,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the raw phone number, without punctuation, and including the country code. Requires the Network Information access right. Available as of iOS 4 and deprecated in iOS 16. @@ -1331,6 +1401,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system enabled data roaming on the device. Requires the Network Information access right. Available in iOS 5 and later. @@ -1351,6 +1422,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system enabled voice roaming on the device, which isn't available for all carriers. Requires the Network Information access right. Available as of iOS 5 and deprecated in iOS 16. @@ -1370,6 +1442,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the system enabled Personal Hotspot on the device, which isn't available for all carriers. Requires the Network Information access right. Available in iOS 7 and later. 
@@ -1387,6 +1460,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device is network-tethered. Requires the Network Information access right. Available in iOS 10.3 and later. - key: IsRoaming @@ -1405,6 +1479,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device is roaming. Requires the Network Information access right. Available in iOS 4.2 and later. - key: SubscriberMCC @@ -1424,6 +1499,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the home mobile country code. Requires the Network Information access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: SubscriberMNC @@ -1443,6 +1519,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the home mobile network code. Requires the Network Information access right. Available as of iOS 4.2.6 and deprecated in iOS 16. - key: CurrentMCC @@ -1461,6 +1538,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the current mobile country code (MCC). Requires the Network Information access right. It's available as of iOS 4 and deprecated in iOS 16. @@ -1480,6 +1558,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the current mobile network code (MNC). Requires the Network Information access right. Available as of iOS 4 and deprecated in iOS 16. @@ -1499,6 +1578,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the contents of DeviceInformationResponse.QueryResponses.ServiceSubscriptionProperty. Requires the Network Information access right. - key: PINRequiredForEraseDevice 
@@ -1514,7 +1594,10 @@ payloadkeys: introduced: n/a visionOS: introduced: n/a + watchOS: + introduced: n/a type: + presence: optional content: The key to determine whether the EraseDeviceCommand requires a PIN. Available in macOS 11 and later. - key: PINRequiredForDeviceLock @@ -1533,6 +1616,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the DeviceLockCommand requires a PIN. Available in macOS 11 and later. - key: SupportsiOSAppInstalls @@ -1549,6 +1633,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the macOS device supports iOS or iPadOS app installs. Available in macOS 11 and later. - key: SoftwareUpdateDeviceID @@ -1569,6 +1654,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the device identifier that you use to look up available OS updates through . Available in iOS 15 and later, and macOS 12 and later. @@ -1587,6 +1673,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to get the device settings that control which updates appear in the Software Update pane in Settings. Available in iOS 14.5 and later. - key: AccessibilitySettings @@ -1608,6 +1695,7 @@ payloadkeys: watchOS: supervised: true type: + presence: optional content: The key to get the current state of settable accessibility settings. Available in iOS 16 and later. - key: DevicePropertiesAttestation @@ -1624,9 +1712,11 @@ payloadkeys: userenrollment: mode: allowed type: - content: The key to get an attestation of the device's properties. Available + presence: optional + content: The key to request an attestation of the device's properties. Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 - and later. + and later. See the DeviceInformation attestation hardware support note for + hardware requirements. - key: EACSPreflight supportedOS: iOS: 
@@ -1644,6 +1734,7 @@ payloadkeys: watchOS: introduced: n/a type: + presence: optional content: The key to determine whether the device can perform an EraseDeviceCommand using Erase All Content and Settings (EACS). - key: DeviceAttestationNonce @@ -1662,8 +1753,9 @@ payloadkeys: type: presence: optional content: |- - This value can contain up to 32 bytes of data. If specified, queries need to contain 'DevicePropertiesAttestation'. If omitted or if the value matches the cached attestation, the system returns the cached attestation. Otherwise, the system requests and returns a new attestation that contains the new nonce. - The nonce appears in the resulting attestation to ensure it was recently generated. To request a new attestation, provide a new nonce. The system caches the most recently generated attestation on the device. Requests for new attestations are rate limited. If it has been fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. + This specifies a freshness code which appears in the resulting attestation. The value can contain up to 32 bytes of data. If specified, 'Queries' needs to contain 'DevicePropertiesAttestation'. + The MDM server can use this to prove that an attestation was recently generated. The system caches the most recently generated attestation on the device. If omitted or if the value matches the cached attestation, the system returns the cached attestation. To request a new attestation, provide a new freshness code. Requests for new attestations are rate limited. If it has been fewer than 7 days since the system generated an attestation, the device returns the cached attestation rather than generating a new one. + Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and later. See the DeviceInformation attestation hardware support note for hardware requirements. responsekeys: - key: QueryResponses type: 
@@ -1812,7 +1904,7 @@ responsekeys: tvOS: introduced: '10.2' visionOS: - introduced: n/a + introduced: '2.0' type: content: |- If 'true' on the device channel, the device is still waiting for a DeviceConfiguredCommand to continue through Setup Assistant. @@ -2132,7 +2224,7 @@ responsekeys: macOS: introduced: n/a tvOS: - introduced: '6.0' + introduced: '9.0' visionOS: introduced: n/a watchOS: @@ -2204,6 +2296,7 @@ responsekeys: subkeys: - key: CatalogURL type: + presence: optional content: The URL to the software update catalog the client is using. This value is available in macOS 10.11 and later. - key: IsDefaultCatalog @@ -2215,9 +2308,15 @@ responsekeys: content: The date of the last software update scan. This value is available in macOS 10.11 and later. - key: PreviousScanResult + supportedOS: + macOS: + deprecated: '11.0' + removed: '15.0' type: + presence: optional content: The result code of last software update scan; '”0”' = success. This - value is available in macOS 10.11 and later. + value is available in macOS 10.11 and later. This key was removed in macOS + 15 as it has been unsupported since macOS 11. - key: PerformPeriodicCheck type: content: If 'true', start a new scan. This value is available in macOS 10.11 
@@ -3091,9 +3190,25 @@ responsekeys: userenrollment: mode: allowed type: - content: The key to get an attestation of the device's properties. Available in + content: |- + The key to get an attestation of the device's properties. Available in iOS 16 and later, macOS 14 and later, tvOS 16 and later, and watchOS 10 and - later. + later. See the DeviceInformation attestation hardware support note for hardware + requirements. + The value is an array of certificates in DER form that forms a certificate chain. The chain is rooted with the Apple CA 'Apple Enterprise Attestation Root CA'. The first array item is the leaf certificate. The leaf certificate contains custom OIDs describing a device. Which OIDs are present in the certificate depend on the OS version of the device and the type of enrollment. If Apple's attestation servers are unable to verify a device property it will provide a blank value, omit the OID entirely, or refuse to issue an attestation certificate. + The following OIDs were introduced in iOS 16, iPadOS 16, tvOS 16, watchOS 9.l0, visionOS 1.0 and macOS 14.0: + * 1.2.840.113635.100.8.9.1 serial number -- This is the serial number of the device. It is omitted if the enrollment is a User Enrollment. + * 1.2.840.113635.100.8.9.2 UDID -- For a Mac this has the same value as the ProvisioningUDID key in the DeviceInformation response, and does not match the UDID used elsewhere in the MDM protocol. It is omitted if the enrollment is a User Enrollment. + * 1.2.840.113635.100.8.10.2 sepOS version -- This is the version of the operating system running on the Secure Enclave at the time the attestation is generated. In most cases this matches the version of the main operating system. + * 1.2.840.113635.100.8.11.1 Freshness code -- This is the freshness code. For an explanation of the expected value, see the DeviceAttestationNonce key in the DeviceInformation request. This may not match the requested freshness code if a cached attestation was returned. 
+ The following OIDs were introduced in iOS 17.2, iPadOS 17.2, tvOS 17.2, watchOS 10.2, visionOS 1.l0, and macOS 14.2: + * 1.2.840.113635.100.8.9.4 Software Update Device ID -- This is an identifier of the device model. It is expected to match the SoftwareUpdateDeviceID in the DeviceInformation response. This is the device identifier to use when looking up available OS updates through https://gdmf.apple.com/v2/pmv. + * 1.2.840.113635.100.8.10.1 OS Version -- This is the version of iOS, iPadOS or tvOS running on the device at the time the attestation is generated. + * 1.2.840.113635.100.8.10.3 LLB Version -- This is the version of the Low Level Bootloader firmware running on the device at the time the attestation is generated. For more information about the boot process, see the documentation of the boot process in the Apple Platform Security guide. + The following OIDs were introduced in macOS 14.2: + * 1.2.840.113635.100.8.13.1 System Integrity Protection (SIP) status -- This indicates whether SIP is enabled or disabled at the time the attestation is generated. 0 indicates enabled, 1 indicates disabled. + * 1.2.840.113635.100.8.13.2 Secure boot status -- This describes part of the configuration of the LocalPolicy at the time the attestation is generated. The possible values are 'Full Security', 'Reduced Security', or 'Permissive Security'. For a description of these values see the Apple Platform Security guide. + * 1.2.840.113635.100.8.13.3 Third party kernel extensions allowed -- This indicates whether third party kernel extensions are allowed. A value of 0 indicates third party kernel extensions are not allowed. Any other value means that some kinds of third party kernel extensions are allowed. subkeys: - key: AttestationCertificate type: 
@@ -3119,3 +3234,13 @@ responsekeys: * 'not supported': The device is too old to support EACS. * 'unknown failure': A problem occurred for which there isn't a more specific error message. * '(other string)': A reason why the device can't perform EACS, such as “System is not sealed” +notes: +- title: DeviceInformation attestation hardware support + content: |- + The following table indicates which System on Chips (SoCs) support DeviceInformation attestation. + Unsupported devices ignore the DevicePropertiesAttestation and DeviceAttestationNonce keys. + + | Support status | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | + |----------------|--------------------------------------|---------------|-------------------------|----------------|------------| + | Unsupported | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none | + | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | diff --git a/mdm/commands/information.security.yaml b/mdm/commands/information.security.yaml index 836a140..77081b7 100644 --- a/mdm/commands/information.security.yaml +++ b/mdm/commands/information.security.yaml @@ -1,4 +1,4 @@ -title: Security Information Command +title: Security Info Command description: This command queries the device for security-related information. Queries are available if the MDM host has the Security Query right. payload: @@ -24,7 +24,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowQuerySecurity supervised: false visionOS: diff --git a/mdm/commands/managed.application.attributes.yaml b/mdm/commands/managed.application.attributes.yaml index 15ab8f1..abc8aae 100644 --- a/mdm/commands/managed.application.attributes.yaml +++ b/mdm/commands/managed.application.attributes.yaml @@ -1,4 +1,4 @@ -title: App Attributes Command +title: Managed Application Attributes Command description: Queries managed application attributes. Attributes can be set on managed apps. These attributes can be changed over time. payload: diff --git a/mdm/commands/managed.application.configuration.yaml b/mdm/commands/managed.application.configuration.yaml index 6d5ef19..123ef22 100644 --- a/mdm/commands/managed.application.configuration.yaml +++ b/mdm/commands/managed.application.configuration.yaml @@ -1,4 +1,4 @@ -title: App Configuration Command +title: Managed Application Configuration Command description: This command queries the device for the current configuration of managed applications. This command requires the App Management right. macOS supports this command as of 10.15, on the device channel and for User Enrollments only, because diff --git a/mdm/commands/managed.application.feedback.yaml b/mdm/commands/managed.application.feedback.yaml index 6334be6..1c76165 100644 --- a/mdm/commands/managed.application.feedback.yaml 
+++ b/mdm/commands/managed.application.feedback.yaml @@ -1,4 +1,4 @@ -title: App Feedback Command +title: Managed Application Feedback Command description: This command queries the device for application feedback information. This command requires the App Management right. payload: diff --git a/mdm/commands/profile.install.yaml b/mdm/commands/profile.install.yaml index 4bef89f..1fbaea3 100644 --- a/mdm/commands/profile.install.yaml +++ b/mdm/commands/profile.install.yaml @@ -26,7 +26,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowInstallationRemoval supervised: false visionOS: diff --git a/mdm/commands/profile.list.yaml b/mdm/commands/profile.list.yaml index f4f7ac0..2a81027 100644 --- a/mdm/commands/profile.list.yaml +++ b/mdm/commands/profile.list.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowInspection supervised: false visionOS: @@ -128,6 +128,22 @@ responsekeys: content: If 'true', the current MDM service installed the profile. MDM doesn't return this value for supervised devices, and can remove or replace all profiles on supervised devices. + - key: Source + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + tvOS: + introduced: '18.0' + visionOS: + introduced: '2.0' + watchOS: + introduced: '11.0' + type: + presence: optional + content: Source of the profile. This value will be set to "Declarative Device + Management" when the profile is managed by Declarative Device Management. - key: PayloadContent type: presence: optional diff --git a/mdm/commands/profile.remove.yaml b/mdm/commands/profile.remove.yaml index 8aca7a9..16f38d6 100644 --- a/mdm/commands/profile.remove.yaml +++ b/mdm/commands/profile.remove.yaml @@ -24,7 +24,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowInstallationRemoval supervised: false visionOS: 
diff --git a/mdm/commands/remotedesktop.disable.yaml b/mdm/commands/remotedesktop.disable.yaml index 2fd99fe..88f2d92 100644 --- a/mdm/commands/remotedesktop.disable.yaml +++ b/mdm/commands/remotedesktop.disable.yaml @@ -1,4 +1,4 @@ -title: Remote Desktop Disable Command +title: Disable Remote Desktop Command description: Disable Remote Desktop on the device. payload: requesttype: DisableRemoteDesktop diff --git a/mdm/commands/remotedesktop.enable.yaml b/mdm/commands/remotedesktop.enable.yaml index 4014b91..af0e850 100644 --- a/mdm/commands/remotedesktop.enable.yaml +++ b/mdm/commands/remotedesktop.enable.yaml @@ -1,4 +1,4 @@ -title: Remote Desktop Enable Command +title: Enable Remote Desktop Command description: Enable Remote Desktop on the device. payload: requesttype: EnableRemoteDesktop diff --git a/mdm/commands/settings.yaml b/mdm/commands/settings.yaml index 12f40ba..9b5bd38 100644 --- a/mdm/commands/settings.yaml +++ b/mdm/commands/settings.yaml @@ -23,7 +23,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' accessrights: AllowSettings supervised: false visionOS: @@ -457,7 +457,10 @@ payloadkeys: userenrollment: mode: forbidden visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -584,7 +587,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -624,6 +627,8 @@ payloadkeys: introduced: n/a visionOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false @@ -638,6 +643,8 @@ payloadkeys: introduced: n/a visionOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false 
@@ -756,7 +763,7 @@ payloadkeys: default: false content: |- If 'true', the user only sees the Guest Welcome pane and can only log in as a guest user. - If 'false', the user can sign in with a managed Apple ID (the existing behavior). + If 'false', the user can sign in with a Managed Apple Account (the existing behavior). Available in iOS 14.5 and later. - key: ManagedAppleIDDefaultDomains supportedOS: @@ -765,7 +772,7 @@ payloadkeys: type: presence: optional content: |- - A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list to complete their Managed Apple ID. + A list of domains that the Shared iPad login screen displays. The user can pick a domain from the list for their Managed Apple Account. If this list contains more than 3 domains, the system picks 3 at random for display. Available in iOS 16 and later. subkeys: - key: AppleID domain @@ -969,7 +976,10 @@ payloadkeys: introduced: '14.0' supervised: true visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1126,6 +1136,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + watchOS: + introduced: n/a type: presence: optional default: false diff --git a/mdm/commands/system.update.available.yaml b/mdm/commands/system.update.available.yaml index e775fdc..e23a12f 100644 --- a/mdm/commands/system.update.available.yaml +++ b/mdm/commands/system.update.available.yaml 
@@ -41,7 +41,7 @@ responsekeys: presence: required content: |- An array of dictionaries that contains only the most recent available updates in iOS and tvOS, and possibly multiple available updates in macOS. Follow the instructions in the Managed Apps and Updates section of the Apple Software Lookup Service to find a complete catalog of iOS and tvOS updates. - In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options. + In macOS 14 and later, 'AvailableOSUpdates' doesn't include InstallAssistant-based, full-replacement installers. It only contains over-the-air (OTA) updates. OTA updates can update or upgrade the OS and support all 'InstallAction' options. If a Software Update is actively managed via a Declarative Device Management Specific Enforcement configuration this command is ignored as it pertains to the actively managed update. This command may return information around unmanaged updates such as System Applications and Configuration Data. For actively available updates in conjunction with a declarative configuration, please reference the Apple Software Lookup Service. subkeys: - key: AvailableOSUpdatesItem type: diff --git a/mdm/commands/system.update.schedule.yaml b/mdm/commands/system.update.schedule.yaml index 32166c2..c3a3912 100644 --- a/mdm/commands/system.update.schedule.yaml +++ b/mdm/commands/system.update.schedule.yaml 
@@ -40,7 +40,10 @@ payloadkeys: presence: required content: An array of dictionaries specifying the updates to download or install. If this value is missing, the device applies the default behavior for handling - updates. + updates. This command is ignored and an informational error is returned if a Software + Update is actively managed via a Declarative Device Management 'Software Update + Enforcement Policy' configuration, as the Declarative Device Management configuration + takes precedence. subkeys: - key: UpdatesItem type: diff --git a/mdm/commands/system.update.status.yaml b/mdm/commands/system.update.status.yaml index 3ae9709..c8bc79f 100644 --- a/mdm/commands/system.update.status.yaml +++ b/mdm/commands/system.update.status.yaml @@ -39,7 +39,9 @@ responsekeys: type: presence: required content: An array of dictionaries that describes the statuses of software updates. - The array is empty if there are no software updates currently in progress. + This command only returns the status for System Applications and Configuration + Data updates if a Software Update is actively managed via a Declarative Device + Management 'Software Update Enforcement Policy' configuration. subkeys: - key: OSUpdateStatusItem type: diff --git a/mdm/errors/softwareupdate.required.yaml b/mdm/errors/softwareupdate.required.yaml index c475f03..2bec0e7 100644 --- a/mdm/errors/softwareupdate.required.yaml +++ b/mdm/errors/softwareupdate.required.yaml @@ -74,6 +74,6 @@ payloadkeys: - key: Token type: presence: required - content: The AxM seeding service token for the AxM organization the MDM server - is part of. This token is used to enroll the device in the corresponding beta - program. + content: The Apple Business Manager or Apple School Manager seeding service + token for the organization the MDM server is part of. This token is used to + enroll the device in the corresponding beta program. 
diff --git a/mdm/profiles/CommonPayloadKeys.yaml b/mdm/profiles/CommonPayloadKeys.yaml index 0928cb7..55be3c2 100644 --- a/mdm/profiles/CommonPayloadKeys.yaml +++ b/mdm/profiles/CommonPayloadKeys.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: false supervised: false allowmanualinstall: true diff --git a/mdm/profiles/TopLevel.yaml b/mdm/profiles/TopLevel.yaml index 1c5b02c..16629fd 100644 --- a/mdm/profiles/TopLevel.yaml +++ b/mdm/profiles/TopLevel.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: false supervised: false allowmanualinstall: true diff --git a/mdm/profiles/com.apple.MCX.FileVault2.yaml b/mdm/profiles/com.apple.MCX.FileVault2.yaml index 71db915..53f42e5 100644 --- a/mdm/profiles/com.apple.MCX.FileVault2.yaml +++ b/mdm/profiles/com.apple.MCX.FileVault2.yaml @@ -68,7 +68,8 @@ payloadkeys: - key: Certificate type: presence: optional - content: The DER-encoded certificate data if 'UseRecoveryKey' is 'true'. + content: DER-encoded certificate data if an institutional recovery key will be added. + This key is not supported on Macs with Apple silicon. - key: PayloadCertificateUUID type: presence: optional 
@@ -119,5 +120,6 @@ payloadkeys: presence: optional default: false content: |- - If 'true', and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. In this case, the system also ignores all other keys in this payload, except for 'ShowRecoveryKey'. - To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the DeviceConfiguredCommand. An admin SecureToken user is required, otherwise the FileVault pane does not appear. + If 'true', and installation of this payload occurs after enrolling with MDM in Setup Assistant, the system requests Setup Assistant to enable FileVault at setup time. + To use this, enable the Await Device Configured DEP configuration option and send this profile with this key set, before sending the DeviceConfiguredCommand. + An admin SecureToken user is required, otherwise the FileVault pane does not appear. diff --git a/mdm/profiles/com.apple.ManagedClient.preferences.yaml b/mdm/profiles/com.apple.ManagedClient.preferences.yaml index 97cf462..6143c17 100644 --- a/mdm/profiles/com.apple.ManagedClient.preferences.yaml +++ b/mdm/profiles/com.apple.ManagedClient.preferences.yaml 
@@ -22,31 +22,40 @@ payload: watchOS: introduced: n/a payloadkeys: -- key: PreferenceDomain +- key: PayloadContent type: presence: required - content: The dictionary containing app preference domains. + content: Dictionary containing app preference domains. The key names correspond + to application preference domain identifiers (e.g., 'com.example.my-app'), or + the string '.GlobalPreferences' for the global domain. The values specify the + corresponding forced and set-once preferences. subkeys: - - key: Forced - type: + - key: ANY + type: presence: required - content: The dictionary of forced settings. - subkeys: &id001 - - key: Settings - type: - presence: required - subkeys: - - key: mcx_preference_settings + content: The dictionary containing app preference domains. + subkeytype: PreferenceDomain + subkeys: + - key: Forced + type: + presence: optional + content: The dictionary of forced settings. + subkeys: &id001 + - key: Settings type: presence: required - content: The dictionary of settings. subkeys: - - key: ANY - type: - presence: optional - content: The setting/value pairs. - - key: Set-Once - type: - presence: required - content: The dictionary of one-time settings. - subkeys: *id001 + - key: mcx_preference_settings + type: + presence: required + content: The dictionary of settings. + subkeys: + - key: ANY + type: + presence: optional + content: The setting/value pairs. + - key: Set-Once + type: + presence: optional + content: The dictionary of one-time settings. + subkeys: *id001 diff --git a/mdm/profiles/com.apple.SetupAssistant.managed.yaml b/mdm/profiles/com.apple.SetupAssistant.managed.yaml index b1c34f9..630dcaf 100644 --- a/mdm/profiles/com.apple.SetupAssistant.managed.yaml +++ b/mdm/profiles/com.apple.SetupAssistant.managed.yaml 
@@ -37,14 +37,18 @@ payloadkeys: supportedOS: iOS: introduced: n/a + macOS: + deprecated: '15.0' type: presence: optional default: false - content: If 'true', the system skips the Apple ID setup pane. + content: If 'true', the system skips the Apple Account setup pane. - key: SkipSiriSetup supportedOS: iOS: introduced: n/a + macOS: + deprecated: '15.0' type: presence: optional default: false @@ -55,6 +59,7 @@ payloadkeys: introduced: n/a macOS: introduced: 10.13.4 + deprecated: '15.0' type: presence: optional default: false @@ -65,6 +70,7 @@ payloadkeys: introduced: n/a macOS: introduced: 10.13.4 + deprecated: '15.0' type: presence: optional default: false @@ -75,6 +81,7 @@ payloadkeys: introduced: n/a macOS: introduced: 10.13.6 + deprecated: '15.0' type: presence: optional default: false @@ -85,6 +92,7 @@ payloadkeys: introduced: n/a macOS: introduced: '10.14' + deprecated: '15.0' type: presence: optional default: false @@ -95,6 +103,7 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + deprecated: '15.0' type: presence: optional default: false @@ -105,6 +114,7 @@ payloadkeys: introduced: n/a macOS: introduced: '10.15' + deprecated: '15.0' type: presence: optional default: false @@ -115,6 +125,7 @@ payloadkeys: introduced: n/a macOS: introduced: '11.0' + deprecated: '15.0' type: presence: optional default: false @@ -124,11 +135,12 @@ payloadkeys: iOS: introduced: '14.0' macOS: - introduced: n/a + introduced: '15.0' type: presence: optional content: An array strings that describe the setup items to skip. SkipKeys provides - a list of valid strings and their meanings. Available in iOS 14 and later. + a list of valid strings and their meanings. Available in iOS 14, macOS 15 and + later. subkeys: - key: SkipSetupItems type: @@ -138,6 +150,7 @@ payloadkeys: introduced: n/a macOS: introduced: '12.0' + deprecated: '15.0' type: presence: optional default: false 
@@ -148,6 +161,7 @@ payloadkeys: introduced: n/a macOS: introduced: '14.1' + deprecated: '15.0' type: presence: optional default: false diff --git a/mdm/profiles/com.apple.airplay.yaml b/mdm/profiles/com.apple.airplay.yaml index db543fb..b9fff45 100644 --- a/mdm/profiles/com.apple.airplay.yaml +++ b/mdm/profiles/com.apple.airplay.yaml @@ -67,11 +67,31 @@ payloadkeys: subkeys: - key: DeviceID title: Device ID + supportedOS: + iOS: + deprecated: '18.0' + macOS: + deprecated: '15.0' type: - presence: required + presence: optional format: ^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$ - content: The device ID of the AirPlay destination in the format 'xx:xx:xx:xx:xx:xx'. - This field isn't case-sensitive. + content: |- + The device ID of the AirPlay destination in the format 'xx:xx:xx:xx:xx:xx'. This field isn't case-sensitive. + The list of visible AirPlay destinations will be limited to devices that are present in the `AllowList` field of all installed AirPlay payloads. + Specifying the same MACAddress more than once, whether in the same payload across different payloads, will result in undefined behavior. + As of iOS 18 and macOS 15, `DeviceID` isn't supported, as tvOS 18 AirPlay destinations do not support it. + - key: DeviceName + title: Device Name + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + type: + presence: optional + content: |- + The name of the AirPlay device. + The list of visible AirPlay destinations will be limited to devices that are present in the AllowList field of all installed AirPlay payloads. - key: Passwords title: Passwords type: @@ -89,10 +109,11 @@ payloadkeys: title: Device Name supportedOS: macOS: - introduced: n/a + introduced: '15.0' type: presence: required - content: The name of the AirPlay destination; used in iOS. + content: The name of the AirPlay destination; used in iOS, and available in + macOS 15 and later. - key: Password title: Password type: 
@@ -102,9 +123,13 @@ payloadkeys: supportedOS: iOS: introduced: n/a + macOS: + deprecated: '15.0' type: - presence: required - content: The device ID of the AirPlay destination; used in macOS. + presence: optional + content: |- + The device ID of the AirPlay destination; used in macOS. + In macOS 15 and later, 'DeviceID' is deprecated as tvOS 18 AirPlay destinations do not support it; use 'DeviceName' instead. - key: Whitelist title: Whitelist supportedOS: diff --git a/mdm/profiles/com.apple.airprint.yaml b/mdm/profiles/com.apple.airprint.yaml index 094eb16..768ae37 100644 --- a/mdm/profiles/com.apple.airprint.yaml +++ b/mdm/profiles/com.apple.airprint.yaml @@ -27,7 +27,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: n/a payloadkeys: diff --git a/mdm/profiles/com.apple.applicationaccess.new.yaml b/mdm/profiles/com.apple.applicationaccess.new.yaml index 22dfc4f..90b98fe 100644 --- a/mdm/profiles/com.apple.applicationaccess.new.yaml +++ b/mdm/profiles/com.apple.applicationaccess.new.yaml @@ -53,7 +53,7 @@ payloadkeys: type: presence: required content: The identifier of the app. Obtain this value from the Security framework - using SecCodeCopyDesignatedRequirement. + using SecCodeCopyDesignatedRequirement(_:_:_:). - key: detachedSignature type: presence: optional diff --git a/mdm/profiles/com.apple.applicationaccess.yaml b/mdm/profiles/com.apple.applicationaccess.yaml index d739d03..5505238 100644 --- a/mdm/profiles/com.apple.applicationaccess.yaml +++ b/mdm/profiles/com.apple.applicationaccess.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.1' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true 
@@ -56,14 +56,17 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: supervised: true type: presence: optional default: true content: If 'false', the system disables modification of accounts such as Apple - IDs and Internet-based accounts such as Mail, Contacts, and Calendar. Available + Accounts and Internet-based accounts such as Mail, Contacts, and Calendar. Available in iOS 7 and later, macOS 14 and later, and watchOS 10 and later. Requires a supervised device in iOS and watchOS. - key: allowActivityContinuation @@ -80,7 +83,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -88,8 +93,9 @@ payloadkeys: default: true content: If 'false', the system disables activity continuation. Available in iOS 8 and later, and macOS 10.15 and later. Support for this restriction on unsupervised - devices and with managed Apple IDs is deprecated. In a future release, this restriction - will begin requiring supervision and will apply to personal Apple IDs only. + devices and with Managed Apple Accounts is deprecated. In a future release, this + restriction will begin requiring supervision and will apply to personal Apple + Accounts only. - key: allowAddingGameCenterFriends title: Allow Adding Game Center Friends supportedOS: @@ -128,7 +134,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -278,7 +287,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: supervised: true type: @@ -300,7 +312,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: 
@@ -362,7 +376,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -448,7 +462,8 @@ payloadkeys: type: presence: optional default: true - content: If set to false, disables auto dim on iPads with OLED displays. + content: If 'false', disables auto dim on iPads with OLED displays. Requires a supervised + device in iOS. Available in iOS 17.4 and later. - key: allowAutomaticAppDownloads title: Allow Automatic App Downloads supportedOS: @@ -602,7 +617,6 @@ payloadkeys: supportedOS: iOS: introduced: '4.0' - supervised: false userenrollment: mode: forbidden macOS: @@ -611,9 +625,10 @@ payloadkeys: mode: forbidden tvOS: introduced: '17.0' - supervised: false visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -690,7 +705,6 @@ payloadkeys: supportedOS: iOS: introduced: '5.0' - supervised: false userenrollment: mode: forbidden macOS: @@ -698,7 +712,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -780,7 +796,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -789,7 +808,7 @@ payloadkeys: content: If 'false', the system disables document and key-value syncing to iCloud. Available in iOS 5 and later, and macOS 10.11 and later. Requires a supervised device in iOS 13 and later, and Shared iPad doesn't support it. Support for this - restriction on unsupervised devices and with managed Apple IDs is deprecated. + restriction on unsupervised devices and with Managed Apple Accounts is deprecated. - key: allowCloudFreeform supportedOS: iOS: @@ -813,7 +832,6 @@ payloadkeys: supportedOS: iOS: introduced: '7.0' - supervised: false userenrollment: mode: forbidden macOS: 
@@ -823,7 +841,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -831,7 +851,7 @@ payloadkeys: default: true content: If 'false', the system disables iCloud keychain synchronization. Available in iOS 7 and later, and macOS 10.12 and later. Support for this restriction on - unsupervised devices and with managed Apple IDs is deprecated. + unsupervised devices and with Managed Apple Accounts is deprecated. - key: allowCloudMail supportedOS: iOS: @@ -884,7 +904,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -893,7 +915,8 @@ payloadkeys: content: If 'false', the system disables iCloud Photo Library. The system removes any photos from local storage that aren't fully downloaded from iCloud Photo Library to the device. Available in iOS 9 and later, and macOS 10.12 and later. Support - for this restriction on unsupervised devices and with managed Apple IDs is deprecated. + for this restriction on unsupervised devices and with Managed Apple Accounts is + deprecated. - key: allowCloudPrivateRelay supportedOS: iOS: @@ -908,7 +931,8 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true watchOS: introduced: n/a type: @@ -916,7 +940,7 @@ payloadkeys: default: true content: If 'false', the system disables iCloud Private Relay. Available in iOS 15 and later, and in macOS 12 and later. Requires a supervised device in iOS. - Support for this restriction on unsupervised devices and with managed Apple IDs + Support for this restriction on unsupervised devices and with Managed Apple Accounts is deprecated. - key: allowCloudReminders supportedOS: 
@@ -1017,7 +1041,10 @@ payloadkeys: introduced: '11.0' supervised: true visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1055,7 +1082,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' type: presence: optional default: true @@ -1075,7 +1102,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1120,7 +1150,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1142,7 +1175,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1205,7 +1240,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1235,6 +1273,27 @@ payloadkeys: default: true content: If 'false', the system disables modifications of eSIMs. Requires a supervised device. Available in iOS 12.1 and later. +- key: allowESIMOutgoingTransfers + title: Allow eSIM Outgoing Transfers + supportedOS: + iOS: + introduced: '18.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prevents the transfer of an eSIM from the device on which the + restriction is installed to a different device. Available in iOS 18 and later. - key: allowExplicitContent title: Allow Explicit Content supportedOS: 
@@ -1291,7 +1350,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1397,7 +1459,9 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1421,7 +1485,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1454,6 +1521,30 @@ payloadkeys: content: If 'false', the system disables Game Center, and the system removes its icon from the Home screen. Available in iOS 6 and later, and macOS 10.13 and later. Requires a supervised device in iOS. +- key: allowGenmoji + title: Allow Genmoji + supportedOS: + iOS: + introduced: '18.0' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits creating new Genmoji. Available in iOS 18 and later. - key: allowGlobalBackgroundFetchWhenRoaming title: Allow Automatic Sync While Roaming supportedOS: 
@@ -1498,6 +1589,53 @@ payloadkeys: disables all pairing. Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC. Requires a supervised device. Available in iOS 7 and later. +- key: allowImagePlayground + title: Allow Image Playground + supportedOS: + iOS: + introduced: '18.0' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits the use of image generation. Available in iOS 18 + and later and macOS 15 and later. +- key: allowImageWand + title: Allow Image Wand + supportedOS: + iOS: + introduced: '18.0' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits the use of Image Wand. Available in iOS 18 and later. - key: allowInAppPurchases title: Allow In App Purchases supportedOS: 
@@ -1538,6 +1676,31 @@ payloadkeys: default: true content: If 'false', the system prevents modifying the Internet Sharing setting in System Settings. Available in macOS 14 and later. +- key: allowiPhoneMirroring + title: Allow iPhone mirroring + supportedOS: + iOS: + introduced: '18.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: '15.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', prohibits the use of iPhone Mirroring. When used on macOS, + this prevents the Mac from mirroring any iPhone. When used on iOS, this prevents + the iPhone from mirroring to any Mac. Available in iOS 18 and later and macOS + 15 and later. - key: allowiPhoneWidgetsOnMac title: Allow iPhone widget on Mac supportedOS: @@ -1560,8 +1723,8 @@ payloadkeys: presence: optional default: true content: If 'false', the system disallows iPhone widgets on a Mac that has signed - in the same Apple ID for iCloud. Requires a supervised device. Available on iOS - 17 and later. + in the same Apple Account for iCloud. Requires a supervised device. Available + on iOS 17 and later. - key: allowiTunes title: Allow use of iTunes supportedOS: @@ -1775,7 +1938,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -1796,7 +1959,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + allowmanualinstall: false + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1928,7 +2094,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -1946,7 +2115,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: 
@@ -1964,7 +2133,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -2050,7 +2219,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2073,7 +2245,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2125,7 +2300,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2155,6 +2333,27 @@ payloadkeys: default: true content: If 'false', the system disables modifications of the personal hotspot setting. Requires a supervised device. Available in iOS 12.2 and later. +- key: allowPersonalizedHandwritingResults + title: Allow personalized handwriting results + supportedOS: + iOS: + introduced: '18.0' + supervised: true + userenrollment: + mode: forbidden + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If false, prevents the system from generating text in the user's handwriting. + Available in iOS 18 and later. - key: allowPhotoStream title: Allow Photo Stream supportedOS: @@ -2417,7 +2616,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' type: presence: optional default: true @@ -2541,7 +2740,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2582,7 +2784,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: supervised: true type: 
@@ -2606,7 +2811,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2646,7 +2854,8 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + allowmanualinstall: false watchOS: introduced: n/a type: @@ -2734,7 +2943,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2776,7 +2988,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -2826,8 +3041,33 @@ payloadkeys: type: presence: optional default: true - content: When 'false', the device prevents installation of apps directly from the - web. + content: If 'false', the device prevents installation of apps directly from the + web. Available in iOS 17.5 and later. +- key: allowWritingTools + title: Allow writing tools + supportedOS: + iOS: + introduced: '18.0' + supervised: true + sharedipad: + mode: forbidden + userenrollment: + mode: forbidden + macOS: + introduced: '15.0' + userenrollment: + mode: forbidden + tvOS: + introduced: n/a + visionOS: + introduced: n/a + watchOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'false', disables Apple Intelligence writing tools. Available in iOS + 18 and later and macOS 15 and later. - key: autonomousSingleAppModePermittedAppIDs supportedOS: iOS: @@ -3039,7 +3279,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -3054,7 +3294,7 @@ payloadkeys: macOS: introduced: n/a tvOS: - introduced: '6.2' + introduced: '9.0' visionOS: introduced: n/a watchOS: 
@@ -3140,7 +3380,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -3164,7 +3407,10 @@ payloadkeys: introduced: '12.2' supervised: true visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -3407,7 +3653,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' type: presence: optional default: false @@ -3502,7 +3748,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: @@ -3658,7 +3907,7 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' watchOS: introduced: n/a type: @@ -3710,7 +3959,10 @@ payloadkeys: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + supervised: true + userenrollment: + mode: forbidden watchOS: introduced: n/a type: diff --git a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml index ccdb1ab..4a8ac68 100644 --- a/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml +++ b/mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml @@ -5,7 +5,7 @@ payload: supportedOS: iOS: introduced: '17.0' - multiple: false + multiple: true supervised: false allowmanualinstall: true sharedipad: @@ -24,7 +24,7 @@ payload: introduced: n/a content: Payload can be used to provide device info on private network deployments including geographical location, preference over wifi, and network deployment - type. + type. Only five Cellular Private Networks can be configured simultaneously. payloadkeys: - key: Geofences type: 
@@ -79,3 +79,23 @@ payloadkeys: presence: optional default: false content: Set to 'true' if this private network is NR Standalone. +- key: NetworkIdentifier + supportedOS: + iOS: + introduced: '18.0' + type: + presence: optional + content: String formatted in accordance with the definition of a "Coordinated NID" + (option 1 or option 2) in 3GPP 31.102 §12.7.1. Used to match this profile to a + SIM present on the device. All combinations of NetworkIdentifier and CsgNetworkIdentifier + must be unique between profiles installed on the device. +- key: CsgNetworkIdentifier + supportedOS: + iOS: + introduced: '18.0' + type: + presence: optional + content: String formatted in accordance with the definition of "CSG_ID" in 3GPP + 23.003 §4.7. Used to match this profile to a SIM present on the device. All combinations + of NetworkIdentifier and CsgNetworkIdentifier must be unique between profiles + installed on the device. diff --git a/mdm/profiles/com.apple.dnsProxy.managed.yaml b/mdm/profiles/com.apple.dnsProxy.managed.yaml index 74e8a3f..0c24b40 100644 --- a/mdm/profiles/com.apple.dnsProxy.managed.yaml +++ b/mdm/profiles/com.apple.dnsProxy.managed.yaml @@ -72,4 +72,4 @@ payloadkeys: presence: optional content: A globally-unique identifier for this DNS proxy configuration. Managed apps with the same 'DNSProxyUUID' in their app attributes have their DNS lookups - traffic processed by the proxy. + traffic processed by the proxy. This key is required for user enrollments. diff --git a/mdm/profiles/com.apple.dnsSettings.managed.yaml b/mdm/profiles/com.apple.dnsSettings.managed.yaml index 3b6e60a..4f43df4 100644 --- a/mdm/profiles/com.apple.dnsSettings.managed.yaml +++ b/mdm/profiles/com.apple.dnsSettings.managed.yaml 
@@ -119,8 +119,8 @@ payloadkeys: title: Action Parameters type: presence: optional - content: An array of dictionaries that provides per-connection rules. The system - uses this array only for settings where the 'Action' value is'EvaluateConnection'. + content: An array of dictionaries that provide per-connection rules. The system + uses this array only for settings where the 'Action' value is 'EvaluateConnection'. subkeys: - key: ActionParameter title: Action Parameter diff --git a/mdm/profiles/com.apple.domains.yaml b/mdm/profiles/com.apple.domains.yaml index da8bb83..7a894dd 100644 --- a/mdm/profiles/com.apple.domains.yaml +++ b/mdm/profiles/com.apple.domains.yaml @@ -27,13 +27,21 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + multiple: false + supervised: false + allowmanualinstall: true + userenrollment: + mode: forbidden watchOS: introduced: n/a content: This payload defines web domains that are under an enterprise's management. payloadkeys: - key: EmailDomains title: Email Domains + supportedOS: + visionOS: + introduced: n/a type: presence: optional content: |- @@ -77,7 +85,7 @@ payloadkeys: - key: SafariPasswordAutoFillDomainsItem type: - key: CrossSiteTrackingPreventionRelaxedDomains - title: Cross-Site Tracking Prevention RelaxedDomains + title: Cross-Site Tracking Prevention Relaxed Domains supportedOS: iOS: introduced: '16.2' diff --git a/mdm/profiles/com.apple.education.yaml b/mdm/profiles/com.apple.education.yaml index d16c7e2..e928205 100644 --- a/mdm/profiles/com.apple.education.yaml +++ b/mdm/profiles/com.apple.education.yaml @@ -126,7 +126,7 @@ payloadkeys: - key: BeaconID type: presence: required - content: The group's unique beacon ID. + content: An unsigned 16 bit integer specifying this group's unique beacon ID. - key: Name type: presence: required @@ -138,7 +138,7 @@ payloadkeys: - key: ImageURL supportedOS: iOS: - deprecated: 9.3.2 + deprecated: 9.3.1 macOS: introduced: n/a type: 
@@ -226,9 +226,9 @@ payloadkeys: - key: FullScreenImageURL supportedOS: iOS: - deprecated: 9.3.2 + deprecated: 9.3.1 macOS: - deprecated: n/a + introduced: n/a type: presence: optional content: Deprecated in iOS 9.3.1 and later. The URL pointing to an image of @@ -239,7 +239,7 @@ payloadkeys: type: presence: optional content: |- - The managed Apple ID for this user. + The Managed Apple Account for this user. Not required to configure Classroom, but if set the system uses it. Required to configure the Shared iPad login screen. - key: PasscodeType diff --git a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml index 9d890f4..18bdb31 100644 --- a/mdm/profiles/com.apple.extensiblesso(kerberos).yaml +++ b/mdm/profiles/com.apple.extensiblesso(kerberos).yaml @@ -27,7 +27,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '1.1' + multiple: true + supervised: false + allowmanualinstall: false + userenrollment: + mode: allowed watchOS: introduced: n/a content: Configures the included Kerberos extension that performs SSO on behalf @@ -117,6 +122,8 @@ payloadkeys: introduced: n/a macOS: introduced: '12.0' + visionOS: + introduced: n/a type: presence: optional default: false @@ -172,6 +179,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: true @@ -194,6 +203,8 @@ payloadkeys: introduced: n/a macOS: deprecated: '12.0' + visionOS: + introduced: n/a type: presence: optional content: The number of days that the system allows using passwords on this domain. @@ -203,6 +214,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: 15 @@ -213,6 +226,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The minimum length of passwords on the domain.Available in macOS 10.15 
@@ -221,6 +236,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -230,6 +247,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The minimum age of passwords before the system allows changing them on @@ -238,6 +257,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The number of prior passwords that the system disallows reuse on this @@ -246,15 +267,32 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The text version of the domain's password requirements. Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available in macOS 10.15 and later. + - key: pwReqRTFData + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + visionOS: + introduced: n/a + type: + presence: optional + content: The RTF file formatted version of the domain's password requirements. + Only for use if 'pwReqComplexity' or 'pwReqLength' aren't specified. Available + in macOS 15 and later. - key: pwChangeURL supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: This URL will launch in the user's default web browser when they initiate @@ -263,6 +301,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional default: false @@ -276,6 +316,8 @@ payloadkeys: macOS: introduced: '11.0' deprecated: '12.0' + visionOS: + introduced: n/a type: presence: optional default: 900 @@ -288,6 +330,8 @@ payloadkeys: introduced: n/a macOS: introduced: '11.0' + visionOS: + introduced: n/a type: presence: optional default: false @@ -300,6 +344,8 @@ payloadkeys: introduced: n/a macOS: introduced: '11.0' + visionOS: + introduced: n/a type: presence: optional default: true 
@@ -361,6 +407,8 @@ payloadkeys: introduced: n/a macOS: introduced: '13.0' + visionOS: + introduced: n/a type: presence: optional default: false @@ -372,6 +420,8 @@ payloadkeys: introduced: n/a macOS: introduced: '13.0' + visionOS: + introduced: n/a type: presence: optional default: true @@ -390,6 +440,59 @@ payloadkeys: doesn't check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Available in macOS 13 and later. + - key: identityIssuerAutoSelectFilter + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + visionOS: + introduced: n/a + type: + presence: optional + content: A string with wildcards that can use used to filter the list of available + SmartCards by issuer. e.g “*My CA2*”. If there is one remaining, it will be + auto-selected. If there more than one remaining, then the list is shorter. Available + in macOS 15 and later. + - key: allowSmartCard + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + visionOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', allow the user to switch the user interface to SmartCard mode. + Available in macOS 15 and later. + - key: allowPassword + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + visionOS: + introduced: n/a + type: + presence: optional + default: true + content: If 'true', allow the user to switch the user interface to Password mode. + Available in macOS 15 and later. + - key: startInSmartCardMode + supportedOS: + iOS: + introduced: n/a + macOS: + introduced: '15.0' + visionOS: + introduced: n/a + type: + presence: optional + default: false + content: If 'true', the user interface will start in SmartCard mode. Available + in macOS 15 and later. - key: Hosts type: presence: optional diff --git a/mdm/profiles/com.apple.extensiblesso.yaml b/mdm/profiles/com.apple.extensiblesso.yaml index f4bdedd..8680a11 100644 
--- a/mdm/profiles/com.apple.extensiblesso.yaml +++ b/mdm/profiles/com.apple.extensiblesso.yaml @@ -47,6 +47,8 @@ payloadkeys: supportedOS: iOS: introduced: n/a + visionOS: + introduced: n/a type: presence: optional content: The team identifier of the app extension. This key is required on macOS @@ -142,6 +144,8 @@ payloadkeys: macOS: introduced: '13.0' deprecated: '14.0' + visionOS: + introduced: n/a type: presence: optional rangelist: @@ -156,6 +160,8 @@ payloadkeys: introduced: n/a macOS: introduced: '13.0' + visionOS: + introduced: n/a type: presence: optional content: The token this device uses for registration with Platform SSO. Use it for @@ -167,6 +173,8 @@ payloadkeys: introduced: n/a macOS: introduced: '14.0' + visionOS: + introduced: n/a type: presence: optional content: The dictionary to configure Platform SSO. 
@@ -286,3 +294,148 @@ payloadkeys: presence: optional content: The key is an access right value, the value is the group to be associated with that access right. + - key: FileVaultPolicy + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The policy to apply when using Platform SSO at FileVault unlock on Apple + Silicon Macs. Applies when 'AuthenticationMethod' is 'Password'. Available in + macOS 15 and later. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + content: |- + * AttemptAuthentication + Platform SSO authentication is attempted before proceeding. If offline, unlock will continue + if the local account password matches. If online and the credential is incorrect, then a + successful Platform SSO authentication is required to proceed, even if taken offline. + * RequireAuthentication + Platform SSO authentication is required before proceeding. If the device is offline and + `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine + if the user can proceed or not. If online and the credential is incorrect, then a valid Platform + SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account + is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the + `AuthenticationGracePeriod` is used to determine if the user can proceed or not. + * AllowOfflineGracePeriod + Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If + `AllowOfflineGracePeriod` is not set, then offline access is denied. + * AllowAuthenticationGracePeriod + Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` + is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. 
If + `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. + - key: LoginPolicy + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The policy to apply when using Platform SSO at the login window. Applies + when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + content: |- + * AttemptAuthentication + Platform SSO authentication is attempted before proceeding. If offline, unlock will continue + if the local account password matches. If online and the credential is incorrect, then a + successful Platform SSO authentication is required to proceed, even if taken offline. + * RequireAuthentication + Platform SSO authentication is required before proceeding. If the device is offline and + `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine + if the user can proceed or not. If online and the credential is incorrect, then a valid Platform + SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account + is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the + `AuthenticationGracePeriod` is used to determine if the user can proceed or not. + * AllowOfflineGracePeriod + Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If + `AllowOfflineGracePeriod` is not set, then offline access is denied. + * AllowAuthenticationGracePeriod + Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` + is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If + `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. 
+ - key: UnlockPolicy + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The policy to apply when using Platform SSO at screensaver unlock. Applies + when 'AuthenticationMethod' is 'Password'. Available in macOS 15 and later. + subkeys: + - key: policy + type: + presence: required + rangelist: + - AttemptAuthentication + - RequireAuthentication + - AllowOfflineGracePeriod + - AllowAuthenticationGracePeriod + - AllowTouchIDOrWatchForUnlock + content: |- + * AttemptAuthentication + Platform SSO authentication is attempted before proceeding. If offline, unlock will continue + if the local account password matches. If online and the credential is incorrect, then a + successful Platform SSO authentication is required to proceed, even if taken offline. + * RequireAuthentication + Platform SSO authentication is required before proceeding. If the device is offline and + `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine + if the user can proceed or not. If online and the credential is incorrect, then a valid Platform + SSO authentication is required to proceed regardless of the `OfflineGracePeriod`. If the account + is not registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the + `AuthenticationGracePeriod` is used to determine if the user can proceed or not. + * AllowOfflineGracePeriod + Allow the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If + `AllowOfflineGracePeriod` is not set, then offline access is denied. + * AllowAuthenticationGracePeriod + Allow the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` + is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If + `AllowAuthenticationGracePeriod` is not set, then unregistered account access is denied. 
+ * AllowTouchIDOrWatchForUnlock + Allow TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when + `RequireAuthentication` is enabled. + - key: OfflineGracePeriod + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The amount of time after the last successful Platform SSO login a local + account password can be used offline. Required when 'AllowOfflineGracePeriod' + is set. Available in macOS 15 and later. + - key: AuthenticationGracePeriod + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The amount of time after a 'FileVaultPolicy', 'LoginPolicy', or 'UnlockPolicy' + is received or updated that unregistered local accounts can be used. Required + when 'AllowAuthenticationGracePeriod' is set. Available in macOS 15 and later. + - key: NonPlatformSSOAccounts + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: The list of local accounts that aren't subject to the 'FileVaultPolicy', + 'LoginPolicy', or 'UnlockPolicy'. The accounts aren't prompted to register for + Platform SSO. Available in macOS 15 and later. + subkeys: + - key: username + type: + presence: required + content: A local account username. diff --git a/mdm/profiles/com.apple.font.yaml b/mdm/profiles/com.apple.font.yaml index 0c92a8f..f76fe87 100644 --- a/mdm/profiles/com.apple.font.yaml +++ b/mdm/profiles/com.apple.font.yaml @@ -9,7 +9,9 @@ payload: supervised: false allowmanualinstall: true sharedipad: - mode: forbidden + mode: allowed + devicechannel: false + userchannel: true userenrollment: mode: allowed macOS: 
@@ -25,12 +27,18 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: n/a content: |- Each payload may contain one font file. Font files may be in TrueType (.ttf) or OpenType (.otf) file format. Collection types (.ttc or .otc) formats are not supported. Fonts are uniquely identified internally by their embedded PostScript name. Two fonts with the same PostScript name will be considered the same font, even if their contents differ. Installing two different fonts with the same PostScript name is not supported, and it is undefined which font will remain installed. + Supported on the Shared iPad user channel as of iPadOS 18.0. Earlier versions of iPadOS erroneously accepted the Font payload on the device channel but installed it for the currently logged in user. payloadkeys: - key: Name title: Font Name diff --git a/mdm/profiles/com.apple.loginwindow.yaml b/mdm/profiles/com.apple.loginwindow.yaml index 71e03eb..867d93e 100644 --- a/mdm/profiles/com.apple.loginwindow.yaml +++ b/mdm/profiles/com.apple.loginwindow.yaml @@ -173,7 +173,7 @@ payloadkeys: allowmanualinstall: false type: presence: optional - content: The user short name to set up auto login. + content: The user short name for an existing user to set up auto login. - key: AutologinPassword supportedOS: macOS: @@ -181,6 +181,5 @@ payloadkeys: allowmanualinstall: false type: presence: optional - content: An optional user password to set up auto login. If this key doesn't exist - but a user name does exist, the system sets up auto login the next time the user - logs in to the client. + content: A user password to set up auto login, must match the "AutologinUsername" + user's current password. diff --git a/mdm/profiles/com.apple.mdm.yaml b/mdm/profiles/com.apple.mdm.yaml index b3ff5c8..a645774 100644 --- a/mdm/profiles/com.apple.mdm.yaml 
+++ b/mdm/profiles/com.apple.mdm.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' multiple: false supervised: false allowmanualinstall: true 
@@ -53,25 +53,25 @@ payloadkeys: title: Topic type: presence: required - content: The topic that MDM listens to for push notifications. The certificate that - the server uses to send push notifications must have the same topic in its subject. - The topic must begin with the 'com.apple.mgmt.' prefix. + content: |- + The topic that MDM listens to for push notifications. The certificate that the server uses to send push notifications must have the same topic in its subject. The topic must begin with the 'com.apple.mgmt.' prefix. + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. - key: ServerURL title: Server URL type: presence: required format: ^https://.*$ - content: The URL that the device contacts to retrieve device management instructions. - The URL must begin with the 'https://' URL scheme, and may contain a port number - (':1234', for example). + content: |- + The URL that the device contacts to retrieve device management instructions. The URL must begin with the 'https://' URL scheme, and may contain a port number (':1234', for example). + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. - key: CheckInURL title: Check In URL type: presence: optional format: ^https://.*$ - content: The URL that the device should use to check in during installation. The - URL must begin with the 'https://' URL scheme and may contain a port number (':1234', - for example). If not set, the system uses 'ServerURL'. + content: |- + The URL that the device should use to check in during installation. The URL must begin with the 'https://' URL scheme and may contain a port number (':1234', for example). If not set, the system uses 'ServerURL'. + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. - key: SignMessage title: Sign Message type: 
@@ -111,6 +111,8 @@ payloadkeys: * '4096': Allow app management. Don't set to '0'. Specify '1' if you specify '2'. Specify '64' if you specify '128'. Ignored if you set a value for 'ManagedAppleID'. + + When updating the payload, the addition of any access right is an error, and the update rejected. - key: UseDevelopmentAPNS title: Use Development APNS type: @@ -120,16 +122,18 @@ payloadkeys: If 'true', the device uses the development APNS servers. Otherwise, the device uses the production servers. Set to 'false' if your Apple Push Notification Service certificate was issued by the Apple Push Certificate Portal ('https://identity.apple.com/pushcert'). That portal only issues certificates for the production push environment. - key: ManagedAppleID - title: Managed Apple ID + title: Managed Apple Account supportedOS: iOS: introduced: '13.1' deprecated: '17.0' + removed: '18.0' userenrollment: mode: required macOS: introduced: '10.15' deprecated: '14.0' + removed: '15.0' userenrollment: mode: required tvOS: @@ -140,12 +144,11 @@ payloadkeys: introduced: n/a type: presence: optional - content: The Managed Apple ID of the user. Required for profile-driven user enrollment. - Don't set for account-driven enrollment. Available in iOS 13.1 and later, and - macOS 10.15 and later. As of iOS 17 and macOS 14, profile-driven user enrollment - is deprecated and will be removed in a future release. + content: |- + The Managed Apple Account of the user. Previously required for profile-driven user enrollment. + Removed as of iOS 18 and macOS 15. - key: AssignedManagedAppleID - title: Assigned Managed Apple ID + title: Assigned Managed Apple Account supportedOS: iOS: introduced: '15.0' 
@@ -157,9 +160,10 @@ payloadkeys: introduced: n/a type: presence: optional - content: The Managed Apple ID pre-assigned to the authenticated user. The system - only uses this value with account-driven enrollment. Don't set this value for - profile-driven user enrollment. Available in iOS 15 and later. + content: |- + The Managed Apple Account pre-assigned to the authenticated user. The system only uses this value with account-driven enrollment. + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. + Available in iOS 15 and later. - key: EnrollmentMode title: Enrollment Mode supportedOS: @@ -176,9 +180,10 @@ payloadkeys: rangelist: - BYOD - ADDE - content: The enrollment mode the server indicates to use when enrolling. Required - for account-driven enrollment. Don't set for profile-driven user enrollment. Available - in iOS 15 and macOS 14, and later. + content: |- + The enrollment mode the server indicates to use when enrolling. Required for account-driven enrollment. + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. + Available in iOS 15 and macOS 14, and later. - key: ServerURLPinningCertificateUUIDs supportedOS: iOS: 
@@ -231,9 +236,13 @@ payloadkeys: type: presence: optional content: |- - A unique array of strings indicating server capabilities. If the server manages macOS devices or a Shared iPad, this field is mandatory and must contain the value 'com.apple.mdm.per-user-connections', which indicates that the server supports both device and user connections. - Starting with macOS 11, it's also recommended that macOS device enrollment profiles contain the value 'com.apple.mdm.bootstraptoken' to ensure the Bootstrap Token is created and escrowed with the MDM server at enrollment time. - If the server supports the "GetToken" CheckIn message type, then this key must be present and must include "com.apple.mdm.token" as one of its values. + A unique array of strings indicating server capabilities. + + * com.apple.mdm.per-user-connections - used to indicate that the server supports both device and user connections. This must be present when managing Shared iPad or macOS devices. + * com.apple.mdm.bootstraptoken - used to indicate that the server supports escrowing the Bootstrap Token. This must be present to have the device create a Bootstrap Token and send it to the server. Available as of macOS 11.0. + * com.apple.mdm.token - used to indicate that the server supports the "GetToken" CheckIn message type. This must be present to have the device use "GetToken" CheckIn message requests when appropriate. + + When updating the payload, the "com.apple.mdm.per-user-connections" capability must not be added or removed. Any such change is an error, and the update rejected. subkeys: - key: ServerCapabilitiesItems type: 
@@ -262,6 +271,7 @@ payloadkeys: content: |- This property specifies an iTunes Store ID for an app the system can install with the InstallApplicationCommand, without any approval from the user. The MDM vendor or managing organization generally provides this app, which enhances the management experience for the user. The device shows the user details about this app in the account-driven enrollment process prior to installing the MDM profile. Use this property with account-driven MDM enrollment that normally requires user approval for app installs through MDM. Only account-driven enrollment supports this property and other enrollment types ignore it. + When updating the payload, the value of this key must not change. Any change is an error, and the update rejected. Available in iOS 15.1 and later. - key: PromptUserToAllowBootstrapTokenForAuthentication supportedOS: diff --git a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml index 2093af4..98c4777 100644 --- a/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml +++ b/mdm/profiles/com.apple.mobiledevice.passwordpolicy.yaml @@ -25,7 +25,12 @@ payload: tvOS: introduced: n/a visionOS: - introduced: n/a + introduced: '2.0' + multiple: true + supervised: false + allowmanualinstall: true + userenrollment: + mode: allowed watchOS: introduced: '10.0' multiple: true @@ -38,6 +43,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional default: true @@ -50,6 +58,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional default: false @@ -60,6 +71,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional range: 
@@ -67,7 +81,7 @@ payloadkeys: max: 11 default: 11 content: The number of allowed failed attempts to enter the passcode at the device's - lock screen. After six failed attempts, the system imposes a time delay before + lock screen. After four failed attempts, the system imposes a time delay before a passcode can be entered again. The delay increases with each attempt. In macOS, set 'minutesUntilFailedLoginReset' to define a delay before the next passcode can be entered. When this number is exceeded in macOS, the system locks the device; @@ -78,6 +92,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional range: @@ -93,6 +110,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional range: @@ -107,6 +127,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored watchOS: introduced: n/a type: @@ -124,6 +147,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional range: @@ -138,6 +164,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored watchOS: introduced: n/a type: @@ -151,6 +180,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional range: @@ -164,6 +196,9 @@ payloadkeys: iOS: userenrollment: mode: ignored + visionOS: + userenrollment: + mode: ignored type: presence: optional default: 0 @@ -179,6 +214,8 @@ payloadkeys: introduced: '10.10' userenrollment: mode: ignored + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -194,6 +231,8 @@ payloadkeys: introduced: '10.13' userenrollment: mode: ignored + visionOS: + introduced: n/a watchOS: introduced: n/a type: @@ -209,6 +248,8 @@ payloadkeys: introduced: n/a macOS: introduced: '14.0' + visionOS: + introduced: n/a watchOS: introduced: n/a type: 
diff --git a/mdm/profiles/com.apple.proxy.http.global.yaml b/mdm/profiles/com.apple.proxy.http.global.yaml index 38aad22..a786757 100644 --- a/mdm/profiles/com.apple.proxy.http.global.yaml +++ b/mdm/profiles/com.apple.proxy.http.global.yaml @@ -25,12 +25,17 @@ payload: userenrollment: mode: forbidden tvOS: - introduced: '6.0' + introduced: '9.0' multiple: false supervised: true allowmanualinstall: true visionOS: - introduced: n/a + introduced: '2.0' + multiple: false + supervised: true + allowmanualinstall: true + userenrollment: + mode: forbidden watchOS: introduced: n/a content: PEM-encoded cer diff --git a/mdm/profiles/com.apple.relay.managed.yaml b/mdm/profiles/com.apple.relay.managed.yaml index f23a9b3..91894a3 100644 --- a/mdm/profiles/com.apple.relay.managed.yaml +++ b/mdm/profiles/com.apple.relay.managed.yaml @@ -13,7 +13,7 @@ payload: devicechannel: true userchannel: false userenrollment: - mode: forbidden + mode: allowed macOS: introduced: '14.0' multiple: true @@ -25,14 +25,17 @@ payload: userenrollment: mode: forbidden tvOS: - introduced: n/a + introduced: '17.0' + multiple: true + supervised: false + allowmanualinstall: true visionOS: introduced: '1.0' multiple: true supervised: false allowmanualinstall: true userenrollment: - mode: forbidden + mode: allowed watchOS: introduced: n/a payloadkeys: @@ -86,7 +89,7 @@ payloadkeys: type: presence: optional content: |- - An array of raw public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate. + An array of DER-encoded public keys that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate. If this array is empty, the system uses the default TLS trust evaluation. subkeys: - key: RawPublicKeysElement 
@@ -119,4 +122,5 @@ payloadkeys: type: presence: optional content: A globally-unique identifier for this relay configuration. The system uses - this UUID to route managed apps through the servers in 'Relays'. + this UUID to route managed apps through the servers in 'Relays'. This key is required + for user enrollments. diff --git a/mdm/profiles/com.apple.security.acme.yaml b/mdm/profiles/com.apple.security.acme.yaml index 176d6ae..1149792 100644 --- a/mdm/profiles/com.apple.security.acme.yaml +++ b/mdm/profiles/com.apple.security.acme.yaml @@ -53,7 +53,8 @@ payload: client identity by the payload's PayloadUUID. For details on the content of the attestation provided to the ACME server, see the documentation of the DevicePropertiesAttestation key in the DeviceInformation response. In the attestation certificate the value - of the nonce OID matches the nonce specified by the ACME server via the ACME protocol. + of the freshness code OID matches the nonce specified by the ACME server via the + ACME protocol. payloadkeys: - key: DirectoryURL title: ACME directory URL 
@@ -65,11 +66,11 @@ payloadkeys: type: presence: required content: A unique string identifying a specific device. The server may use this - as a nonce to prevent issuing multiple certificates. This identifier also indicates - to the ACME server that the device has access to a valid client identifier issued - by the enterprise infrastructure. This can help the ACME server determine whether - to trust the device. Though this is a relatively weak indication because of the - risk that an attacker can intercept the client identifier. + as an anti-replay code to prevent issuing multiple certificates. This identifier + also indicates to the ACME server that the device has access to a valid client + identifier issued by the enterprise infrastructure. This can help the ACME server + determine whether to trust the device. Though this is a relatively weak indication + because of the risk that an attacker can intercept the client identifier. - key: KeySize title: Key Size type: @@ -181,7 +182,7 @@ payloadkeys: content: |- If 'true', the device provides attestations that describe the device and the generated key to the ACME server. The server can use the attestations as strong evidence that the key is bound to the device, and that the device has properties listed in the attestation. The server can use that as part of a trust score to decide whether to issue the requested certificate. When 'Attest' is 'true', 'HardwareBound' also needs to be 'true'. - Setting this key to 'true' is supported as of macOS 14 on Apple Silicon and Intel devices that have a T2 chip. Older macOS versions or other Mac devices require this key but it must have a value of 'false'. + Setting this key to 'true' is supported as of macOS 14. Older macOS versions require this key but it must have a value of 'false'.\nSee the ACME attestation hardware support note for hardware requirements. - key: KeyIsExtractable supportedOS: iOS: 
@@ -212,3 +213,14 @@ payloadkeys: presence: optional default: false content: If 'true', all apps have access to the private key. +notes: +- title: ACME attestation hardware support + content: |- + The following table indicates which System on Chips (SoCs) support ACME attestation. + If the Attest key is false or ignored, the ACME server does not receive an attestation. + + | Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro | + |--------------------|--------------------------------------|----------------|-------------------------|----------------|------------| + | Must be false | none | T1 and earlier | none | none | none | + | Ignored | A10x Fusion and earlier | T2 | A10x Fusion and earlier | S3 and earlier | none | + | Supported | A11 Bionic and later
All M series | Apple Silicon | A12 Bionic and later | S4 and later | All | diff --git a/mdm/profiles/com.apple.security.firewall.yaml b/mdm/profiles/com.apple.security.firewall.yaml index 57101d5..279633e 100644 --- a/mdm/profiles/com.apple.security.firewall.yaml +++ b/mdm/profiles/com.apple.security.firewall.yaml @@ -62,20 +62,26 @@ payloadkeys: supportedOS: macOS: introduced: '12.0' + deprecated: '15.0' + removed: '15.0' type: presence: optional content: If 'true', the system enables logging. Available in macOS 12 and later. + Removed in macOS 15. - key: LoggingOption supportedOS: macOS: introduced: '12.0' + deprecated: '15.0' + removed: '15.0' type: presence: optional rangelist: - throttled - brief - detail - content: The type of logging. Available in macOS 12 and later. + content: The type of logging. Available in macOS 12 and later. Removed in macOS + 15. - key: AllowSigned supportedOS: macOS: diff --git a/mdm/profiles/com.apple.security.pem.yaml b/mdm/profiles/com.apple.security.pem.yaml index 7e1610f..7aeb218 100644 --- a/mdm/profiles/com.apple.security.pem.yaml +++ b/mdm/profiles/com.apple.security.pem.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true @@ -48,7 +48,7 @@ payloadkeys: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Filename + title: Payload Certificate Data type: presence: required content: The binary representation of the payload, encoded in Base64. diff --git a/mdm/profiles/com.apple.security.pkcs1.yaml b/mdm/profiles/com.apple.security.pkcs1.yaml index 51d8eed..7157ad0 100644 --- a/mdm/profiles/com.apple.security.pkcs1.yaml +++ b/mdm/profiles/com.apple.security.pkcs1.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true 
@@ -48,7 +48,7 @@ payloadkeys: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Filename + title: Payload Certificate Data type: presence: required content: The binary representation of the payload, encoded in Base64. diff --git a/mdm/profiles/com.apple.security.pkcs12.yaml b/mdm/profiles/com.apple.security.pkcs12.yaml index 053fcce..ec4a5ce 100644 --- a/mdm/profiles/com.apple.security.pkcs12.yaml +++ b/mdm/profiles/com.apple.security.pkcs12.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true @@ -48,7 +48,7 @@ payloadkeys: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Filename + title: Payload Certificate Data type: presence: required content: The binary representation of the payload, encoded in Base64. diff --git a/mdm/profiles/com.apple.security.root.yaml b/mdm/profiles/com.apple.security.root.yaml index 4ad4136..723c4e1 100644 --- a/mdm/profiles/com.apple.security.root.yaml +++ b/mdm/profiles/com.apple.security.root.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.0' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true @@ -48,7 +48,7 @@ payloadkeys: presence: optional content: The file name of the enclosed certificate. - key: PayloadContent - title: Payload Certificate Filename + title: Payload Certificate Data type: presence: required content: The binary representation of the payload encoded in base64. diff --git a/mdm/profiles/com.apple.security.scep.yaml b/mdm/profiles/com.apple.security.scep.yaml index 2db4c6a..8c28717 100644 --- a/mdm/profiles/com.apple.security.scep.yaml +++ b/mdm/profiles/com.apple.security.scep.yaml 
@@ -26,7 +26,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '6.0' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true @@ -47,8 +47,7 @@ payloadkeys: title: Payload Content type: presence: required - content: An array of payload dictionaries. This array isn't present if 'IsEncrypted' - is 'true'. + content: A dictionary containing the SCEP information. subkeys: - key: URL title: URL diff --git a/mdm/profiles/com.apple.system-extension-policy.yaml b/mdm/profiles/com.apple.system-extension-policy.yaml index 1cf0e7e..91477e5 100644 --- a/mdm/profiles/com.apple.system-extension-policy.yaml +++ b/mdm/profiles/com.apple.system-extension-policy.yaml 
@@ -103,3 +103,46 @@ payloadkeys: type: presence: required content: Removed system extension bundle ID +- key: NonRemovableSystemExtensions + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: A dictionary of system extensions on the computer. The dictionary maps + the team identifiers (keys) to arrays of bundle identifiers, where the bundle + identifier defines the system extension which cannot be disabled or uninstalled + when SIP is enabled. It's an error for the same mapping to appear in the dictionary + values corresponding to 'RemovableSystemExtensions' and 'NonRemovableSystemExtensions' + keys. + subkeys: + - key: ANY + type: + presence: optional + content: System extension bundle identifiers + subkeys: + - key: NonRemovableSystemExtensionsItems + type: + presence: required + content: Non Removable system extension bundle ID +- key: NonRemovableFromUISystemExtensions + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: A dictionary of system extensions on the computer. The dictionary maps + the team identifiers (keys) to arrays of bundle identifiers, where the bundle + identifier defines the system extension which cannot be disabled or uninstalled + from System Settings or Finder. The set of system extensions between 'RemovableSystemExtensions' + and 'NonRemovableFromUISystemExtensions' are allowed to overlap. + subkeys: + - key: ANY + type: + presence: optional + content: System extension bundle identifiers + subkeys: + - key: NonRemovableFromUISystemExtensionsItems + type: + presence: required + content: Non Removable from UI system extension bundle ID diff --git a/mdm/profiles/com.apple.systempolicy.control.yaml b/mdm/profiles/com.apple.systempolicy.control.yaml index 0a30e65..2cef1cc 100644 --- a/mdm/profiles/com.apple.systempolicy.control.yaml +++ b/mdm/profiles/com.apple.systempolicy.control.yaml 
@@ -35,3 +35,11 @@ payloadkeys: If 'true', enables Gatekeeper's 'Mac App Store and identified developers' option. If 'false', enables Gatekeeper's 'Mac App Store' option. If the value of 'EnableAssessment' isn't set to 'true', this key has no effect. +- key: EnableXProtectMalwareUpload + supportedOS: + macOS: + introduced: '15.0' + type: + presence: optional + content: If 'false', prevents Gatekeeper from prompting the user to upload blocked + malware to Apple for purposes of improving malware detection. diff --git a/mdm/profiles/com.apple.vpn.managed.applayer.yaml b/mdm/profiles/com.apple.vpn.managed.applayer.yaml index 489b0dc..3b9ba17 100644 --- a/mdm/profiles/com.apple.vpn.managed.applayer.yaml +++ b/mdm/profiles/com.apple.vpn.managed.applayer.yaml @@ -45,6 +45,22 @@ payloadkeys: type: presence: required content: A globally unique identifier for this VPN configuration. +- key: CellularSliceUUID + title: Cellular Slice UUID + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: n/a + tvOS: + introduced: n/a + visionOS: + introduced: n/a + type: + presence: optional + content: The data network name (DNN) or app category identifying a Cellular Slice + for the VPN. The presence of this key will scope the VPN tunnel onto the specified + Cellular Slice. - key: SafariDomains supportedOS: watchOS: diff --git a/mdm/profiles/com.apple.vpn.managed.yaml b/mdm/profiles/com.apple.vpn.managed.yaml index 3157165..2ce81d7 100644 --- a/mdm/profiles/com.apple.vpn.managed.yaml +++ b/mdm/profiles/com.apple.vpn.managed.yaml 
@@ -1248,6 +1248,64 @@ payloadkeys: default: 1 content: If 1 and IncludeAllNetworks is 1, then network traffic used for communicating with devices connected via USB or Wi-Fi is excluded from the tunnel. + - key: PPK + title: Post-quantum Pre-shared Key + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + tvOS: + introduced: '18.0' + visionOS: + introduced: '2.0' + watchOS: + introduced: '11.0' + type: + presence: optional + content: The Post-quantum Pre-shared key (PPK) used for this VPN. This key is + meant to be used with VPN servers that support RFC 8784. If this key is present + PPKIdentifier must also be present. + - key: PPKIdentifier + title: Post-quantum Pre-shared Key Identifier + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + tvOS: + introduced: '18.0' + visionOS: + introduced: '2.0' + watchOS: + introduced: '11.0' + type: + presence: optional + content: The identifier for the Post-quantum Pre-shared key (PPK) used for this + VPN. This key is meant to be used with VPN servers that support RFC 8784. If + this key is present PPK must also be present. + - key: PPKMandatory + title: Post-quantum Pre-shared Key Mandatory + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + tvOS: + introduced: '18.0' + visionOS: + introduced: '2.0' + watchOS: + introduced: '11.0' + type: + presence: optional + rangelist: + - 0 + - 1 + default: 1 + content: This key has no effect if PPK and PPKIdentifier are not present. If the + value of this key is 1, the VPN will fail to establish if the server does not + support RFC 8784 or does not accept the PPK identifier specified in PPKIdentifier. - key: IKESecurityAssociationParameters title: IKESecurityAssociationParameters type: diff --git a/mdm/profiles/com.apple.webcontent-filter.yaml b/mdm/profiles/com.apple.webcontent-filter.yaml index 1bee61a..9e6613a 100644 --- a/mdm/profiles/com.apple.webcontent-filter.yaml +++ b/mdm/profiles/com.apple.webcontent-filter.yaml 
@@ -107,6 +107,20 @@ payloadkeys: - key: DenyListURLItems title: Denylisted url items type: +- key: HideDenyListURLs + title: HideDenyListURLs + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: n/a + visionOS: + introduced: '2.0' + type: + presence: optional + default: false + content: Hide the DenyListURLs in profiles UI in Settings > General > VPN & Device + Management > profiles details. - key: WhitelistedBookmarks title: White list supportedOS: diff --git a/mdm/profiles/com.apple.wifi.managed.yaml b/mdm/profiles/com.apple.wifi.managed.yaml index fd2d323..68093ad 100644 --- a/mdm/profiles/com.apple.wifi.managed.yaml +++ b/mdm/profiles/com.apple.wifi.managed.yaml @@ -25,7 +25,7 @@ payload: userenrollment: mode: allowed tvOS: - introduced: '5.1' + introduced: '9.0' multiple: true supervised: false allowmanualinstall: true @@ -343,7 +343,7 @@ payloadkeys: macOS: introduced: '10.8' tvOS: - introduced: '7.0' + introduced: '9.0' type: presence: optional default: false @@ -618,7 +618,7 @@ payloadkeys: presence: optional content: The password used to authenticate to the proxy server. - key: ProxyPACURL - title: Proxy Username + title: Proxy PAC URL supportedOS: iOS: userenrollment: @@ -657,7 +657,9 @@ payloadkeys: userenrollment: mode: forbidden macOS: - introduced: n/a + introduced: '15.0' + userenrollment: + mode: forbidden tvOS: introduced: n/a visionOS: 
@@ -670,5 +672,5 @@ payloadkeys: default: false content: |- If 'true,' disables MAC address randomization for a Wi-Fi network while associated with that network. This feature also shows a privacy warning in Settings indicating that the network has reduced privacy protections. - If 'false', then the system enables MAC address randomization. - This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. Available in iOS 14 and later, and watchOS 7 and later. + If 'false', then the system enables MAC address randomization on iOS, watchOS, and visionOS. + This value is only locked when MDM installs the profile. If the profile is manually installed, the system sets the value but the user can change it. Available in iOS 14 and later, watchOS 7 and later, macOS 15 and later, and visionOS. diff --git a/other/manifesturl.yaml b/other/manifesturl.yaml index 748ed25..0e1aad2 100644 --- a/other/manifesturl.yaml +++ b/other/manifesturl.yaml @@ -1,6 +1,7 @@ title: ManifestURL -description: The definition of the ManifestURL that specifies where package is to - be downloaded from and provides hashes to verify the integrity of the package +description: The definition of the ManifestURL property list that specifies where + a package is to be downloaded from, and provides hashes to verify the integrity + of the package payload: payloadtype: ManifestURL supportedOS: diff --git a/other/skipkeys.yaml b/other/skipkeys.yaml index 96db4bf..b861f20 100644 --- a/other/skipkeys.yaml +++ b/other/skipkeys.yaml 
@@ -72,11 +72,11 @@ payloadkeys: content: The key to skip the Choose Your Look screen. This key is available in iOS 13+ and macOS 10.14 and later. - key: AppleID - title: Disables signing in to Apple ID and iCloud + title: Disables signing in to an Apple Account and iCloud type: presence: optional - content: The key to skip Apple ID setup. This key is available in iOS 7.0+, tvOS - 10.2 and later, and macOS 10.9 and later. + content: The key to skip Apple Account setup. This key is available in iOS 7.0+, + tvOS 10.2 and later, and macOS 10.9 and later. - key: AppStore title: Skips AppStore information pane supportedOS: @@ -148,7 +148,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to skip the Lockdown Mode pane if an Apple ID is set up. Available + content: The key to skip the Lockdown Mode pane if an Apple Account is set up. Available in macOS 14 and later, and iOS 17.1 and later. - key: FileVault title: Skip configuration of FileVault @@ -217,6 +217,34 @@ payloadkeys: presence: optional content: The key to skip the iMessage and FaceTime screen in iOS. This key is available in iOS 12 and later. +- key: Intelligence + title: Skip Intelligence setup pane + supportedOS: + iOS: + introduced: '18.0' + macOS: + introduced: '15.0' + tvOS: + introduced: n/a + type: + presence: optional + content: The key to skip the Intelligence pane. This key is available in iOS 18 + and later and macOS 15 and later. +- key: Keyboard + title: Skip Keyboard pane + supportedOS: + iOS: + introduced: '13.0' + always-skippable: false + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: If the key is included in the SkipSetup array the Keyboard pane will be + skipped. This pane isn't always skippable because it appears before the device + retrieves the Cloud Configuration from the server. - key: Location title: Disables Location Services supportedOS: 
@@ -382,6 +410,21 @@ payloadkeys: presence: optional content: The key to skip the mandatory software update screen in iOS. This key is available in iOS 12 and later. +- key: SpokenLanguage + title: Skip Dictation pane + supportedOS: + iOS: + introduced: '13.0' + always-skippable: false + macOS: + introduced: n/a + tvOS: + introduced: n/a + type: + presence: optional + content: If the key is included in the SkipSetup array the Dictation pane will be + skipped. This pane isn't always skippable because it appears before the device + retrieves the Cloud Configuration from the server. - key: TapToSetup title: Skips simplified tap setup supportedOS: @@ -393,8 +436,8 @@ payloadkeys: always-skippable: false type: presence: optional - content: The key to skip the Tap To Set Up option in AppleTV about using an iOS - device to set up your AppleTV. This key is available in tvOS 10.2 and later. + content: The key to skip the Tap To Set Up option in Apple TV related to using an + iOS device to set up your Apple TV. This key is available in tvOS 10.2 and later. - key: TermsOfAddress title: Skips Terms of Address supportedOS: @@ -467,7 +510,7 @@ payloadkeys: introduced: n/a type: presence: optional - content: The key to skip the Software Update Complete pane. This field is available + content: The key to skip the Software Update Complete pane. This key is available in iOS 14 and later. - key: Wallpaper title: Skips Wallpaper selection @@ -502,7 +545,7 @@ payloadkeys: iOS: introduced: '13.0' macOS: - introduced: n/a + introduced: '15.0' tvOS: introduced: n/a type:
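Review bot: In the HideDenyListURLs hunk of the webcontentfilter profile, `title: HideDenyListURLs` just repeats the key name, while the neighbouring keys carry human-readable titles (`Denylisted url items`, `White list`); suggest something like `title: Hide denylisted URLs`. The `content` string could also name the pane consistently with the rest of the file, e.g. "... VPN & Device Management > profile details", since "profiles details" reads as a typo. Worth stating explicitly in `content` that the default `false` keeps the denylisted URLs visible to the user, because hiding them reduces what the user can see about what the profile enforces.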
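Review bot: In the com.apple.wifi.managed.yaml MAC-randomization hunk, the new `content` text is inconsistent about macOS: the `supportedOS` block now sets `macOS: introduced: '15.0'` and the availability sentence adds "macOS 15 and later", but the sentence for the `false` case says randomization is enabled "on iOS, watchOS, and visionOS" only, leaving the macOS behaviour for `false` undefined. Either add macOS to that sentence or spell out what happens on macOS. The availability list also ends with a bare "and visionOS" while every other platform carries a version; give visionOS its introducing version for consistency.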
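Review bot: In the skipkeys hunk adding `Intelligence` and `Keyboard`, the `Keyboard` content departs from the file's convention ("The key to skip the X pane. This key is available in ...") and is missing a comma: "If the key is included in the SkipSetup array, the Keyboard pane will be skipped." The `Intelligence` availability sentence also needs the serial comma used elsewhere in the file: "This key is available in iOS 18 and later, and macOS 15 and later."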
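Review bot: In the `SpokenLanguage` hunk, the same wording issue as `Keyboard` applies: add the comma in "If the key is included in the SkipSetup array, the Dictation pane will be skipped." Since the key name (`SpokenLanguage`) does not match the pane it skips (Dictation), consider mentioning in `content` that this key controls the Dictation pane so that the mapping is explicit for readers searching by pane name.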
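Review bot: In the final skipkeys hunk (`@@ -502,7 +545,7 @@`), `macOS: introduced: n/a` becomes `'15.0'` but the hunk does not touch the key's `content` string, which by this file's convention lists availability ("This key is available in ..."). Please confirm the accompanying `content` text was updated to mention macOS 15 as well, as was done for the other keys in this change; it sits outside the hunk so it cannot be verified here.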
