Release-v26.0

This commit is contained in:
Cyrus Daboo
2025-09-09 21:43:42 -04:00
parent 7d4ba1a2bd
commit 8d9958d9b5
308 changed files with 6989 additions and 3838 deletions

View File

@@ -8,11 +8,11 @@ This release corresponds to the following OS versions
| OS | Version |
|----------|---------|
| iOS | 18.4 |
| macOS | 15.4 |
| tvOS | 18.4 |
| visionOS | 2.4 |
| watchOS | 11.4 |
| iOS | 26.0 |
| macOS | 26.0 |
| tvOS | 26.0 |
| visionOS | 26.0 |
| watchOS | 26.0 |
## Important Release Notes

View File

@@ -1,5 +1,5 @@
title: Activation:Simple
description: An activation used to install a set of configurations.
description: The declaration to activate a set of configurations.
payload:
declarationtype: com.apple.activation.simple
supportedOS:
@@ -26,6 +26,6 @@ payloadkeys:
- key: Predicate
type: <string>
presence: optional
content: A predicate format string as Apple's Predicate Programming <https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html>
describes. The activation only installs when the predicate evaluates to 'true'
content: A predicate format string as [Apple's Predicate Programming](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html)
describes. The activation only installs when the predicate evaluates to `true`
or isn't present.

View File

@@ -21,29 +21,33 @@ payloadkeys:
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.acme' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
- Is a JSON document that represents the `com.apple.credential.acme` credential type
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
type: <dictionary>
presence: optional
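Review bot: The rewritten `Hash-SHA-256` and `Size` text under `Reference` drops the old guidance that these values are how the client verifies it received the expected data; for credential material fetched from a `DataURL`, the hash is the check that catches a substituted or modified payload, so keep an explicit recommendation to set `Hash-SHA-256`, and say what the client does on mismatch (the new text says "an error occurs" but not whether the asset then fails to resolve). Also, "Set the size to `0` if there's no expectation of a response body" cannot apply here, since the same `content` block requires the data to be a JSON document; either drop that sentence or state that a credential asset always has a body. The same wording is copied into the other credential asset schemas in this commit, so whatever the fix is, apply it to all of them.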
@@ -56,9 +60,9 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
- key: Accessible
type: <string>
presence: optional
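Review bot: The `None` bullet should state that no device identity or user authentication is sent, not only that it is "A standard GET request"; read next to the `MDM` bullet the difference is implied but never said, and it is what decides whether the server hosting `DataURL` can tell which device is fetching the credential. Suggested wording: "`None`: A standard GET request with no device-identity certificate or user authentication." The same block appears in the other asset schemas in this commit.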
@@ -68,5 +72,6 @@ payloadkeys:
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.

View File

@@ -21,30 +21,33 @@ payloadkeys:
- application/pem
presence: required
content: The external reference. Ensure that the asset data uses a media type of
'application/pkcs1' or 'application/pem' to correctly identify the type of encoded
certificate. If the asset data includes a 'ContentType' sub-key, set it to the
`application/pkcs1` or `application/pem` to correctly identify the type of encoded
certificate. If the asset data includes a `ContentType` sub-key, set it to the
corresponding media type.
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
type: <dictionary>
presence: optional
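Review bot: The `ContentType` text says "the system checks the actual media type of the downloaded data" but does not say what that media type is compared against; for a `DataURL` fetch the only thing the client can observe is the HTTP `Content-Type` response header, so if that is what is checked, say so, because server operators need to know which header must carry `application/pkcs1` or `application/pem`. A single line such as "the `Content-Type` header of the response must match this value" would close the gap, and the same sentence is needed in the other asset schemas that received this text.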
@@ -57,6 +60,6 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.

View File

@@ -21,29 +21,33 @@ payloadkeys:
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.identity' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
- Is a JSON document that represents the `com.apple.credential.identity` credential type
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
type: <dictionary>
presence: optional
@@ -56,9 +60,9 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
- key: Accessible
type: <string>
presence: optional
@@ -68,5 +72,6 @@ payloadkeys:
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.

View File

@@ -21,29 +21,33 @@ payloadkeys:
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.scep' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
- Is a JSON document that represents the `com.apple.credential.scep` credential type
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
type: <dictionary>
presence: optional
@@ -56,9 +60,9 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.
- key: Accessible
type: <string>
presence: optional
@@ -68,5 +72,6 @@ payloadkeys:
default: Default
content: |-
The keychain accessibility that determines when the keychain item is available for use, which has these allowed values:
* 'Default': The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
* 'AfterFirstUnlock': The keychain item is only available after the first unlock of the device.
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.

View File

@@ -1,6 +1,6 @@
title: Asset:Credential User Name and Password
description: A reference to data describing a credential representing a user name
and password.
description: A reference to data that describes a credential that represents a user
name and password.
payload:
declarationtype: com.apple.asset.credential.userpassword
supportedOS:
@@ -22,29 +22,33 @@ payloadkeys:
presence: required
content: |-
The external reference. Ensure that the asset data:
* Is a JSON document that represents the 'com.apple.credential.usernameandpassword' credential type
* Uses a media type of 'application/json', and if it includes a 'ContentType' sub-key, that sub-key media type is also 'application/json'
- Is a JSON document that represents the `com.apple.credential.usernameandpassword` credential type
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
subkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
supportedOS:
iOS:
@@ -66,6 +70,6 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.

View File

@@ -1,5 +1,5 @@
title: ACME Credential
description: An ACME identity that should be generated by the device.
description: An ACME identity that the device generates.
payload:
credentialtype: com.apple.credential.acme
supportedOS:
@@ -18,7 +18,7 @@ payloadkeys:
title: ACME directory URL
type: <string>
presence: required
content: Specifies the directory URL of the ACME server. Use the 'https' scheme
content: Specifies the directory URL of the ACME server. Use the `https` scheme
for the URL.
- key: ClientIdentifier
title: Client identifier
@@ -34,7 +34,7 @@ payloadkeys:
title: Key Size
type: <integer>
presence: required
content: The valid values for 'KeySize' depend on the values of 'KeyType' and 'HardwareBound'.
content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`.
See those keys for specific requirements.
- key: KeyType
title: Key Type
@@ -45,27 +45,37 @@ payloadkeys:
- ECSECPrimeRandom
content: |-
Specifies the type of key pair to generate.
'RSA' specifies an RSA key pair. If you set this value to 'RSA', set 'KeySize' in the range '[1024..4096]' inclusive and a multiple of '8', and set 'HardwareBound' to 'false'.
'ECSECPrimeRandom' specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and 'KeySize' determines the specific curve. If you set this value to 'ECSECPrimeRandom', set 'KeySize' to '256', '384', or '521'. The system only supports '256' and '384' for hardware bound keys.
The key size is '521', not '512', even though the other key sizes are multiples of '64'.
`RSA` specifies an RSA key pair. If you set this value to `RSA`, set `KeySize` in the range `[1024..4096]` inclusive and a multiple of `8`, and set `HardwareBound` to `false`.
`ECSECPrimeRandom` specifies a key pair on the P-256, P-384 or P-521 curves as defined in FIPS Pub 186-4, and `KeySize` determines the specific curve. If you set this value to `ECSECPrimeRandom`, set `KeySize` to `256`, `384`, or `521`. The system only supports `256` and `384` for hardware bound keys.
> Note:
> The key size is `521`, not `512`, even though the other key sizes are multiples of `64`.
- key: HardwareBound
title: Hardware Bound
type: <boolean>
presence: required
content: |-
If 'false', the private key isn't bound to the device.
If 'true', the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
If 'true', 'KeyType' needs to be 'ECSECPrimeRandom' and 'KeySize' needs to be '256' or '384'.
On macOS, this is a required key. Set the value to 'false'.
If `false`, the private key isn't bound to the device.
If `true`, the private key is bound to the device. The Secure Enclave generates the key pair, and the private key is cryptographically entangled with a system key. This protects the private key from being exported.
If `true`, `KeyType` needs to be `ECSECPrimeRandom` and `KeySize` needs to be `256` or `384`.
On macOS, this is a required key. Set the value to `false`.
- key: Subject
title: Subject
type: <array>
presence: required
content: |-
The device requests this subject for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
The representation of an X.500 name is an array of OID and value. For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` corresponds to:
`[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], [ [ "CN", "foo"] ], [ [ "1.2.5.3", "bar" ] ] ]`
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
subkeys:
- key: ACMESubjectArrayInnerArray
title: Array Inside ACME Subject Array
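Review bot: The `KeySize` constraints are now stated in three places (`KeySize`, `KeyType` and `HardwareBound`) with slightly different phrasing ("hardware bound keys" against the key name `HardwareBound`); pick one key to hold the rule and have the others point to it, as `KeySize` already does with "See those keys for specific requirements." In the `HardwareBound` block, "On macOS, this is a required key. Set the value to `false`." reads as a contradiction with `presence: required`, which already makes the key required on every platform; what is meant is that macOS accepts only `false`, so say that. Replacing the curly quotes in the `Subject` example with straight ASCII quotes is a real fix, since the old example would not parse as JSON.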
@@ -109,21 +119,23 @@ payloadkeys:
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
- key: UsageFlags
title: Key Usage
type: <integer>
presence: optional
content: |-
The device requests this key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is a bit field. Bit '0x01' indicates digital signature, and bit '0x04' indicates key encipherment.
The value is a bit field. Bit `0x01` indicates digital signature, and bit `0x04` indicates key encipherment.
- key: ExtendedKeyUsage
title: Extended Key Usage
type: <array>
presence: optional
content: |-
The device requests this extended key usage for the certificate that the ACME server issues. The ACME server may override or ignore this field in the certificate it issues.
The value is an array of strings. Each string is an OID in dotted notation. For example, '[”1.3.6.1.5.5.7.3.2”, “1.3.6.1.5.5.7.3.4”]' indicates client authentication and email protection.
The value is an array of strings. Each string is an OID in dotted notation. For example, `["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"]` indicates client authentication and email protection.
subkeys:
- key: OID
type: <string>
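Review bot: "Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`" in `NTPrincipalName` is hard to parse; what the value does is populate a SubjectAltName `otherName` entry whose type-id is that OID (the Microsoft UPN OID), so suggest "The value is placed in a SubjectAltName `otherName` entry with type-id `1.3.6.1.4.1.311.20.2.3`." The identical sentence is added to the SCEP credential schema in this commit and should get the same wording. The `UsageFlags` bit values (`0x01` digital signature, `0x04` key encipherment) are the same bit field the SCEP `Key Usage` key documents as `1`, `4` and `5`; a cross-reference between the two keys would help anyone migrating a SCEP profile to ACME.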
@@ -133,14 +145,21 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the device provides attestations that describe the device and
content: If `true`, the device provides attestations that describe the device and
the generated key to the ACME server. The server can use the attestations as strong
evidence that the key is bound to the device, and that the device has properties
listed in the attestation. The server can use that as part of a trust score to
decide whether to issue the requested certificate. When 'Attest' is 'true', set
'HardwareBound' to 'true'. See the ACME attestation hardware support note for
hardware requirements.
decide whether to issue the requested certificate. When `Attest` is `true`, set
`HardwareBound` to `true`. On macOS, set this key, if present, to `false`. The
hardware requirements for attestation are described below.
notes:
- title: ''
content: |-
This schema specifies how the device requests a client certificate from an Automated Certificate Management Environment (ACME) server. Use this to create a JSON document that the device downloads when resolving an asset.
When the device resolves the asset, first it generates an asymmetric key pair based upon the `KeyType`, `KeySize`, and `HardwareBound` fields. Then the device communicates with the ACME server. It requests a new order using the `ClientIdentifier` as the `permanent-identifier`. The ACME server responds with a challenge type of `device-attest-01`. If `Attest` is `true` the device requests an attestation of the key and device properties. Then it replies to the challenge with a WebAuthn attestation statement, and this contains the attestation if the device obtained one. The device submits a certificate signing request matching the key and containing the `ClientIdentifier`, `Subject`, `SubjectAltName`, `UsageFlags`, and `ExtendedKeyUsage` fields. The ACME server issues a certificate, and the device stores the resulting identity.
For details on the content of the attestation provided to the ACME server, see the documentation of the `DevicePropertiesAttestation` key in the `QueryResponses` response. In the attestation certificate the value of the freshness code OID is the SHA-256 hash of the `token` from the `device-attest-01` challenge.
- title: ACME attestation hardware support
content: |-
The following table indicates which System on Chips (SoCs) support ACME attestation.
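Review bot: `- title: ''` in the new `notes` section leaves an untitled note in the rendered schema; give it a title such as "ACME credential resolution" so it can be linked to. In the `Attest` text, "The hardware requirements for attestation are described below" is a loose cross-reference that breaks if the notes are reordered; name the note ("see the ACME attestation hardware support note"), which is what the replaced text did. The new sentence "On macOS, set this key, if present, to `false`" is consistent with `HardwareBound` accepting only `false` on macOS and with "When `Attest` is `true`, set `HardwareBound` to `true`", but stating the reason (attestation needs a hardware-bound key, which this schema does not allow on macOS) would save readers from deriving it.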

View File

@@ -1,5 +1,5 @@
title: Identity Credential
description: 'Data for a PKCS #12 password-protected identity.'
description: 'The data for a PKCS #12 password-protected identity.'
payload:
credentialtype: com.apple.credential.identity
supportedOS:

View File

@@ -1,5 +1,5 @@
title: SCEP Credential
description: A SCEP identity that should be generated by the device.
description: A SCEP identity that the device generates.
payload:
credentialtype: com.apple.credential.scep
supportedOS:
@@ -24,16 +24,18 @@ payloadkeys:
type: <string>
presence: optional
content: Any string that the SCEP server recognizes. For example, it could be a
domain name such as 'example.org'. If a certificate authority has multiple CA
domain name such as `example.org`. If a certificate authority has multiple CA
certificates, you can use this field to specify the required certificate.
- key: Subject
title: Subject
type: <array>
presence: optional
content: |-
The representation of an X.500 name is an array of OID and value. For example, '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' corresponds to:
'[ [ [”C”, “US”] ], [ [”O”, “Apple Inc.”] ], [ [ “CN”, “foo”] ], [ [ “1.2.5.3”, “bar” ] ] ]'
You can represent OIDs as dotted numbers or use shortcuts for country ('C'), locality ('L'), state ('ST'), organization ('O'), organizational unit ('OU'), and common name ('CN').
The representation of an X.500 name is an array of OID and value. For example, `/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar` corresponds to:
`[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], [ [ "CN", "foo"] ], [ [ "1.2.5.3", "bar" ] ] ]`
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
subkeys:
- key: SCEPSubjectArrayInnerArray
title: Array Inside SCEP Subject Array
@@ -64,22 +66,21 @@ payloadkeys:
- 2048
- 4096
default: 1024
content: The key size in bits, either '1024', '2048', or '4096'.
content: The key size in bits, either `1024`, `2048`, or `4096`.
- key: Key Type
title: Key Type
type: <string>
presence: optional
default: RSA
content: The key type, which always has the value 'RSA'.
content: The key type, which always has the value `RSA`.
- key: Key Usage
title: Key Usage
type: <integer>
presence: optional
default: 0
content: 'A bitmask that specifies the use of the key: ''1'' is signing, ''4'' is
encryption, and ''5'' is both signing and encryption. Some certificate authorities,
such as Windows CA, support only encryption or signing, but not both at the same
time.'
content: 'A bitmask that specifies the use of the key: `1` is signing, `4` is encryption,
and `5` is both signing and encryption. Some certificate authorities, such as
Windows CA, support only encryption or signing, but not both at the same time.'
- key: CAFingerprint
title: Fingerprint
type: <data>
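Review bot: `Key Size` keeps `default: 1024` and the rewritten content line lists `1024`, `2048` and `4096` as equals; 1024-bit RSA has been below accepted minimums for years, so even if the default must stay for compatibility with existing servers, the content should say that `1024` is retained for legacy CAs and that new deployments should set `2048` or `4096`. In `Key Usage`, moving from `''1''` to backticks inside the single-quoted YAML scalar is fine, but the values `1`, `4` and `5` are the same bit field the ACME `UsageFlags` key documents as `0x01` and `0x04`; shared phrasing would make that obvious.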
@@ -90,7 +91,7 @@ payloadkeys:
type: <integer>
presence: optional
default: 3
content: The number of times the device should retry if the server sends a 'PENDING'
content: The number of times the device should retry if the server sends a `PENDING`
response.
- key: RetryDelay
title: Retry Delay
@@ -124,4 +125,4 @@ payloadkeys:
title: NT Principal Name
type: <string>
presence: optional
content: The NT principal name.
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.

View File

@@ -1,5 +1,5 @@
title: User Name and Password Credential
description: Data describing a credential representing a user name and password.
description: Data that describes a credential that represents a user name and password.
payload:
credentialtype: com.apple.credential.usernameandpassword
supportedOS:

View File

@@ -22,23 +22,26 @@ payloadkeys:
- key: DataURL
type: <string>
presence: required
content: The URL that hosts the credential data. The URL must start with 'https://'.
content: The URL to retrieve data, which needs to start with `https://`.
- key: ContentType
type: <string>
presence: optional
content: The media type that describes the data.
content: The media type that describes the data. If present, the system checks
the actual media type of the downloaded data, and an error occurs if the values
don't match.
- key: Size
type: <integer>
presence: optional
content: The size of the data at the 'DataURL'. Use this value to verify that
the returned data is the expected data. Use this value to detect when the data
changes.
content: The size of the data. Set the size to `0` if there's no expectation of
a response body. If present, the system checks the actual size of the downloaded
data, and an error occurs if the values don't match.
- key: Hash-SHA-256
type: <string>
presence: optional
content: |-
A SHA-256 hash of the data at the 'DataURL'. Use this value to verify that the returned data is the expected data. Use this value to detect when the data changes.
If 'Size' is '0', clients need to ignore this value or set it to an empty string.
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
if `Size` is `0` as the client ignores it. However, if present, the system checks
the actual hash of the downloaded data, and an error occurs if the values don't
match.
- key: Authentication
type: <dictionary>
presence: optional
@@ -51,6 +54,6 @@ payloadkeys:
- MDM
- None
content: |-
Type of authentication:
* MDM - a request using MDM semantics (includes the device identity certificate, and any user authentication). Equivalent to an MDM request made to the CheckInURL or ServerURL. This option can only be used when using declarative device management.
* None - a standard GET request is carried out.
The type of authentication, which has these allowed values:
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
- `None`: A standard GET request.


@@ -1,5 +1,5 @@
title: Asset:User Identity
description: User identity data.
description: The user-identity data.
payload:
declarationtype: com.apple.asset.useridentity
supportedOS:


@@ -1,5 +1,5 @@
title: Account:CalDAV
description: Use this configuration to define settings for access to CalDAV servers.
description: The declaration to configure a Calendar account.
payload:
declarationtype: com.apple.configuration.account.caldav
supportedOS:
@@ -68,7 +68,7 @@ payloadkeys:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
this account. Set the corresponding asset type to `CredentialUserNameAndPassword`.
related-status-items:
- status-items:
- account.list.caldav


@@ -1,5 +1,5 @@
title: Account:CardDAV
description: Use this configuration to define settings for access to CardDAV servers.
description: The declaration to configure a Contacts account.
payload:
declarationtype: com.apple.configuration.account.carddav
supportedOS:
@@ -67,7 +67,7 @@ payloadkeys:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
this account. Set the corresponding asset type to `CredentialUserNameAndPassword`.
related-status-items:
- status-items:
- account.list.carddav


@@ -1,6 +1,5 @@
title: Account:Exchange
description: Use this configuration to define settings for access to Exchange ActiveSync
and Web Services servers.
description: The declaration to configure an Exchange account.
payload:
declarationtype: com.apple.configuration.account.exchange
supportedOS:
@@ -52,9 +51,12 @@ payloadkeys:
presence: required
content: |-
The set of protocol types to enable on the Exchange server, in order of preference. This is an array of unique strings with possible values:
* 'EAS:' Exchange ActiveSync
* 'EWS:' Exchange Web Services (EWS)
- `EAS:` Exchange ActiveSync
- `EWS:` Exchange Web Services
If the device supports one or more of the listed protocol types, it sets up an account for the first supported type.
If the device doesn't support any of the listed protocol types, it doesn't set up an account and the system reports an error.
subkeys:
- key: EnabledProtocolTypesItem
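Review bot: the backtick spans in the new bullets include the trailing colon, so the allowed values render as `EAS:` and `EWS:` rather than `EAS` and `EWS`; move the colon outside the span (`- `EAS`: Exchange ActiveSync`), otherwise readers copying the rendered value into a declaration get a string the device won't accept.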
@@ -70,12 +72,12 @@ payloadkeys:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. The corresponding asset must be of type 'UserIdentity'.
for this account. The corresponding asset must be of type `UserIdentity`.
- key: HostName
title: Server Host Name
type: <string>
presence: optional
content: Specifies the Exchange server host name (or IP address).
content: The IP address or fully qualified domain name (FQDN) of the Exchange host.
- key: Port
title: Server Port
supportedOS:
@@ -86,7 +88,7 @@ payloadkeys:
type: <integer>
presence: optional
content: The port number of the EWS server. The system uses this only when this
declaration has a 'HostName' value.
declaration has a `HostName` value.
- key: Path
title: Server Path
supportedOS:
@@ -97,7 +99,7 @@ payloadkeys:
type: <string>
presence: optional
content: The path of the EWS server. The system uses this only when this declaration
has a 'HostName' value.
has a `HostName` value.
- key: ExternalHostName
title: Server External Host Name
supportedOS:
@@ -118,7 +120,7 @@ payloadkeys:
type: <integer>
presence: optional
content: The external port number of the EWS server. The system uses this only when
this declaration has a 'ExternalHostName' value.
this declaration has a `ExternalHostName` value.
- key: External Path
title: Server External Path
supportedOS:
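Review bot: the unchanged context line `- key: External Path` has a space in the key name, unlike `ExternalHostName`, `ExternalPort` and the `Path` key above; if the real key is `ExternalPath`, fix it while this block is being edited, since a key name that doesn't match the schema is never applied and the mismatch is easy to miss in a rendered table.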
@@ -129,7 +131,7 @@ payloadkeys:
type: <string>
presence: optional
content: The external path of the EWS server. The system uses this only when this
declaration has a 'ExternalHostName' value.
declaration has a `ExternalHostName` value.
- key: OAuth
title: Controls use of OAuth
type: <dictionary>
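Review bot: `a `ExternalHostName` value` should be `an `ExternalHostName` value`, here and in the `ExternalPort` hunk above.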
@@ -140,14 +142,14 @@ payloadkeys:
title: Use OAuth
type: <boolean>
presence: required
content: If 'true', enables OAuth for this account.
content: If `true`, enables OAuth for this account.
- key: SignInURL
type: <string>
presence: optional
content: The URL that this account uses for signing in with OAuth. The system
ignores this value unless 'Enabled' is 'true'. The system doesn't use autodiscovery
ignores this value unless `Enabled` is `true`. The system doesn't use autodiscovery
when a declaration contains this URL, so the declaration must also contain a
'HostName'.
`HostName`.
- key: TokenRequestURL
supportedOS:
macOS:
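Review bot: `SignInURL` (and `TokenRequestURL` in the next hunk) carry the user's OAuth sign-in and token exchange, but the text says nothing about the required scheme; the subscribed-calendar `URL` key elsewhere in this change says the value `needs to start with https://`, so say the same here or state explicitly whether a plain `http://` value is rejected.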
@@ -155,7 +157,7 @@ payloadkeys:
type: <string>
presence: optional
content: The URL that this account uses for token requests with OAuth. The system
ignores this value unless 'Enabled' is 'true'.
ignores this value unless `Enabled` is `true`.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
@@ -164,7 +166,7 @@ payloadkeys:
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with an Exchange server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
type to `CredentialUserNameAndPassword`.
- key: AuthenticationIdentityAssetReference
title: Authentication Identity Asset Reference
type: <string>
@@ -196,7 +198,7 @@ payloadkeys:
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
content: If `true`, the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
@@ -212,13 +214,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
content: If `true`, the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
@@ -229,8 +231,8 @@ payloadkeys:
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
content: If `true`, the system enables S/MIME encryption by default, which the
user can't override if `PerMessageSwitchEnabled` is `false`.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
@@ -249,26 +251,26 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME encryption by default on or off
content: If `true`, the user can turn S/MIME encryption by default on or off
in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
content: If `true`, the system enables the per-message encryption switch in
the compose view.
- key: MailServiceActive
type: <boolean>
presence: optional
default: true
content: If 'true', the system activates the mail service for this account.
content: If `true`, the system activates the mail service for this account.
- key: LockMailService
supportedOS:
macOS:
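Review bot: `IdentityUserOverrideable` under `Encryption` still says the user `can select an S/MIME signing identity in Settings`; inside the encryption dictionary this should read `encryption identity`, otherwise the key is indistinguishable from its `Signing` counterpart above.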
@@ -276,13 +278,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system prevents the user from changing the status of the
content: If `true`, the system prevents the user from changing the status of the
mail service for this account.
- key: ContactsServiceActive
type: <boolean>
presence: optional
default: true
content: If 'true', activates the address book service for this account.
content: If `true`, activates the address book service for this account.
- key: LockContactsService
supportedOS:
macOS:
@@ -290,13 +292,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system prevents the user from changing the status of the
content: If `true`, the system prevents the user from changing the status of the
address book service for this account.
- key: CalendarServiceActive
type: <boolean>
presence: optional
default: true
content: If 'true', activates the calendar service for this account.
content: If `true`, activates the calendar service for this account.
- key: LockCalendarService
supportedOS:
macOS:
@@ -304,13 +306,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system prevents the user from changing the status of the
content: If `true`, the system prevents the user from changing the status of the
calendar service for this account.
- key: RemindersServiceActive
type: <boolean>
presence: optional
default: true
content: If 'true', the system activates the reminders service for this account.
content: If `true`, the system activates the reminders service for this account.
- key: LockRemindersService
supportedOS:
macOS:
@@ -318,13 +320,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system prevents the user from changing the status of the
content: If `true`, the system prevents the user from changing the status of the
reminders service for this account.
- key: NotesServiceActive
type: <boolean>
presence: optional
default: true
content: If 'true', the system activates the notes service for this account.
content: If `true`, the system activates the notes service for this account.
- key: LockNotesService
supportedOS:
macOS:
@@ -332,7 +334,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system prevents the user from changing the status of the
content: If `true`, the system prevents the user from changing the status of the
notes service for this account.
related-status-items:
- status-items:


@@ -1,5 +1,5 @@
title: Account:Google
description: Use this configuration to define settings for access to Google services.
description: The declaration to configure a Google account.
payload:
declarationtype: com.apple.configuration.account.google
supportedOS:
@@ -54,8 +54,8 @@ payloadkeys:
- com.apple.asset.useridentity
presence: required
content: The identifier of an asset declaration that contains the user identity
for this Google account. Set the corresponding asset type to 'UserIdentity' and
ensure that it contains an 'EmailAddress' key that specifies the full Google email
for this Google account. Set the corresponding asset type to `UserIdentity` and
ensure that it contains an `EmailAddress` key that specifies the full Google email
address for the account.
related-status-items:
- status-items:


@@ -1,5 +1,6 @@
title: Account:LDAP
description: Use this configuration to define settings for access to LDAP servers.
description: The declaration to configure a Lightweight Directory Access Protocol
(LDAP) account.
payload:
declarationtype: com.apple.configuration.account.ldap
supportedOS:
@@ -62,7 +63,7 @@ payloadkeys:
- com.apple.asset.credential.userpassword
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account. Set the corresponding asset type to 'CredentialUserNameAndPassword'.
this account. Set the corresponding asset type to `CredentialUserNameAndPassword`.
- key: SearchSettings
title: Search Settings
type: <array>
@@ -85,8 +86,8 @@ payloadkeys:
title: Search Base
type: <string>
presence: required
content: The path to the node where a search starts. For example, 'ou=people,o=example
corp'.
content: The path to the node where a search starts. For example, `ou=people,o=example
corp`.
- key: Scope
title: Scope
type: <string>
@@ -97,10 +98,11 @@ payloadkeys:
- Subtree
default: Subtree
content: |-
The type of recursion to use in the search.
* 'Base': Only the 'SearchBase' node.
* 'OneLevel': The 'SearchBase' node and its immediate children.
* 'Subtree': The 'SearchBase' node and all its children, regardless of depth.
The type of recursion to use in the search:
- `Base`: The search uses only the `SearchBase` node.
- `OneLevel`: The search uses the `SearchBase` node and its immediate children.
- `Subtree`: The search uses the `SearchBase` node and all its children, regardless of depth.
related-status-items:
- status-items:
- account.list.ldap


@@ -1,5 +1,5 @@
title: Account:Mail
description: Use this configuration to define settings for access to email servers.
description: The declaration to configure a Mail account.
payload:
declarationtype: com.apple.configuration.account.mail
supportedOS:
@@ -52,7 +52,7 @@ payloadkeys:
- com.apple.asset.useridentity
presence: optional
content: The identifier of an asset declaration that contains the user identity
for this account. Set the corresponding asset type to 'UserIdentity'.
for this account. Set the corresponding asset type to `UserIdentity`.
- key: IncomingServer
title: Incoming Server Settings
type: <dictionary>
@@ -95,14 +95,15 @@ payloadkeys:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an incoming mail server. The corresponding asset must be of type `CredentialUserNameAndPassword`.
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
- key: IMAPPathPrefix
title: IMAP Path Prefix
type: <string>
presence: optional
content: The path prefix for the IMAP server. The system uses this only when 'ServerType'
is 'IMAP'.
content: The path prefix for the IMAP server. The system uses this only when `ServerType`
is `IMAP`.
- key: OutgoingServer
title: Outgoing Server Settings
type: <dictionary>
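Review bot: `If the AuthenticationMethod is None, this field must be blank. Otherwise, the declaration must contain this field.` sits under `presence: optional` and leaves `blank` undefined for an asset reference (absent key, or empty string?). Say `must be absent` (or `empty string`, if that is what the parser accepts) and that the key is required for every other `AuthenticationMethod`; the `OutgoingServer` hunk below has the same wording.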
@@ -137,8 +138,9 @@ payloadkeys:
- com.apple.asset.credential.userpassword
presence: optional
content: |-
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type 'CredentialUserNameAndPassword'.
If the 'AuthenticationMethod' is 'None', this field must be blank. Otherwise, the declaration must contain this field.
The identifier of an asset declaration that contains the credentials for this account to authenticate with an outgoing mail server. The corresponding asset must be of type `CredentialUserNameAndPassword`.
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
- key: SMIME
title: S/MIME Settings
supportedOS:
@@ -160,7 +162,7 @@ payloadkeys:
title: Signing Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME signing.
content: If `true`, the system enables S/MIME signing.
- key: IdentityAssetReference
title: S/MIME Signing Identity Asset Reference
type: <string>
@@ -176,13 +178,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the user can turn S/MIME signing on or off in Settings.
content: If `true`, the user can turn S/MIME signing on or off in Settings.
- key: IdentityUserOverrideable
title: Signing Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: Encryption
title: S/MIME Encryption Settings
type: <dictionary>
@@ -193,8 +195,8 @@ payloadkeys:
title: Encryption By Default Enabled
type: <boolean>
presence: required
content: If 'true', the system enables S/MIME encryption by default, which the
user can't override if 'PerMessageSwitchEnabled' is 'false'.
content: If `true`, the system enables S/MIME encryption by default, which the
user can't override if `PerMessageSwitchEnabled` is `false`.
- key: IdentityAssetReference
title: S/MIME Encryption Identity Asset Reference
type: <string>
@@ -213,20 +215,20 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the user can set the default value for S/MIME encryption
content: If `true`, the user can set the default value for S/MIME encryption
to on or off in Settings.
- key: IdentityUserOverrideable
title: Encryption Identity User Overrideable
type: <boolean>
presence: optional
default: false
content: If 'true', the user can select an S/MIME signing identity in Settings.
content: If `true`, the user can select an S/MIME signing identity in Settings.
- key: PerMessageSwitchEnabled
title: Per Message Switch Enabled
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables the per-message encryption switch in
content: If `true`, the system enables the per-message encryption switch in
the compose view.
related-status-items:
- status-items:
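Review bot: same copy-paste issue as in the Exchange S/MIME block: `Encryption.IdentityUserOverrideable` says `select an S/MIME signing identity` where `encryption identity` is meant.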


@@ -1,5 +1,5 @@
title: Account:Subscribed Calendar
description: Use this configuration to define settings for a subscribed calendar.
description: The declaration to configure a subscribed calendar.
payload:
declarationtype: com.apple.configuration.account.subscribed-calendar
supportedOS:
@@ -50,7 +50,7 @@ payloadkeys:
title: Calendar URL
type: <string>
presence: required
content: The URL of the subscribed calendar, which needs to start with 'https://'.
content: The URL of the subscribed calendar, which needs to start with `https://`.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
@@ -59,7 +59,7 @@ payloadkeys:
presence: optional
content: The identifier of an asset declaration that contains the credentials for
this account to authenticate with a calendar server. Set the corresponding asset
type to 'CredentialUserNameAndPassword'.
type to `CredentialUserNameAndPassword`.
related-status-items:
- status-items:
- account.list.subscribed-calendar


@@ -1,5 +1,5 @@
title: App:Managed
description: Use this configuration to define settings for a managed app.
description: The declaration to configure a managed app.
payload:
declarationtype: com.apple.configuration.app.managed
supportedOS:
@@ -15,7 +15,13 @@ payload:
allowed-scopes:
- system
macOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- user
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
visionOS:
@@ -34,21 +40,71 @@ payloadkeys:
title: App Store ID
type: <string>
presence: optional
content: The App Store ID of the managed app that is downloaded from the App Store.
One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present.
content: |-
The App Store ID of the managed app that is downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
- key: BundleID
title: Bundle ID
type: <string>
presence: optional
content: The bundle ID of the managed app that is downloaded from the App Store.
One and only one of 'AppStoreID', 'BundleID', or 'ManifestURL' must be present.
content: |-
The bundle ID of the managed app that is downloaded from the App Store.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
- key: ManifestURL
title: Manifest URL
supportedOS:
macOS:
introduced: n/a
type: <string>
presence: optional
content: The URL of the manifest for the managed app that is downloaded from a web
site. The manifest is returned as a property list. One and only one of 'AppStoreID',
'BundleID', or 'ManifestURL' must be present.
content: |-
The URL of the manifest for the managed app that the device downloads from a web site. The manifest is returned as a `ManifestURL` property list.
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
Available only in iOS and visionOS.
- key: AppComposedIdentifier
title: App Composed Identifier
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '26.0'
visionOS:
introduced: n/a
type: <string>
presence: optional
content: |-
A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install.
The following rules apply when the device takes over management:
- If the `InstallBehavior.Install` key is set to `Required`, the device takes over management of the app.
- If the `InstallBehavior.Install` key is set to `Optional`, the device takes over management of the app when the user "installs" it using an MDM management app.
The format of the composed identifier is either "Bundle-ID (Team-ID)" or "Bundle-ID {Designated-Requirement}". For example, `com.example.app (ABCD1234)` for the team ID format, or `com.example.app {anchor apple generic}` for the designated requirement format. Management of the app occurs only if its code signature matches the composed identifier.
In macOS, only one of `AppStoreID`, `BundleID`, or `AppComposedIdentifier` needs to be present.
Available only in macOS.
- key: iOSApp
title: iOS App
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '26.0'
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: false
content: |-
If `true`, the device installs an iOS or iPadOS app that runs on a Mac with Apple Silicon. This is only used when the app is an App Store app.
Available only in macOS.
- key: InstallBehavior
title: Install Behavior
type: <dictionary>
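Review bot: the designated-requirement example `com.example.app {anchor apple generic}` matches any bundle with that bundle ID signed under any Apple-issued certificate (Developer ID or App Store), so a reader who copies it lets the device take over management of a look-alike bundle from another team and deliver this configuration's app config to it; show a requirement that pins the team, e.g. `com.example.app {anchor apple generic and certificate leaf[subject.OU] = "ABCD1234"}`, or at least say that the Team ID form is the safer default. Two smaller points: `Only one of AppStoreID, BundleID, ManifestURL, or AppComposedIdentifier needs to be present` reads as "at least one", whereas the old text said `One and only one ... must be present`; keep the exclusivity. And `The manifest is returned as a ManifestURL property list` should be `returned as a property list`, as before.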
@@ -66,8 +122,8 @@ payloadkeys:
content: |-
A string that specifies if the app needs to remain on the device at all times or if the user can freely install and remove it, which is one of the following values:
* Optional: The user can install and remove the app after the system activates the configuration.
* Required: The system installs the app after it activates the configuration. The user can't remove the app.
- `Optional`: The user can install and remove the app after the system activates the configuration.
- `Required`: The system installs the app after it activates the configuration. The user can't remove the app.
The system automatically installs apps on supervised devices. Otherwise, the device prompts the user to approve installation of the app.
- key: License
@@ -84,17 +140,19 @@ payloadkeys:
- Device
- User
content: |-
Indicates what type of license to use when an App Store app is installed:
* Device - the license is assigned to the device.
* User - the license is assigned to the user.
This key must be present for App Store apps, when either 'AppStoreID' or 'BundleID' are present in the configuration.
The type of license that the app uses for installation through the App Store, which is one of the following values:
- `Device`: The app has a device license.
- `User`: The app has a user license.
This key needs to be present for App Store apps, when either `AppStoreID` or `BundleID` are present in the configuration.
- key: VPPType
title: VPP Type
supportedOS:
iOS:
removed: '18.0'
macOS:
removed: '15.0'
introduced: n/a
visionOS:
introduced: n/a
type: <string>
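Review bot: the `VPPType` macOS entry changes from `removed: '15.0'` to `introduced: n/a`, which erases the fact that the key was accepted on macOS before 15.0; if that rewrite of history is intended, say so, otherwise keep `removed`. Also `when either AppStoreID or BundleID are present` should be `is present`.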
@@ -105,16 +163,109 @@ payloadkeys:
content: |-
The type of VPP license that the app uses for installation through the App Store, which is one of the following values:
* Device: The app has a VPP device license.
* User: The app has a VPP user license.
- `Device`: The app has a VPP device license.
- `User`: The app has a VPP user license.
This key needs to be present to install an app through the App Store.
- key: Version
title: Version
supportedOS:
iOS:
introduced: '26.0'
macOS:
introduced: '26.0'
visionOS:
introduced: '26.0'
type: <integer>
presence: optional
content: |-
The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. This key is ignored if the app isn't an App Store app.
The following rules apply when the device applies or updates the configuration:
- If this key isn't present:
- If the app isn't present, the device installs the latest version.
- If the app is present, if allowed the device takes over management of the current version of the app.
- If this key is present:
- If the app isn't present, the device installs the app with the specified version.
- If an app with the same version is present, if allowed the device takes over management of that app.
- If an app with an older version is present, if allowed the device updates the app to the specified version and takes over management of it.
- If an app with a newer version is present, the device doesn't take over management of the app. The device reports an app status failure.
> Note:
> The device never installs an older version of the app over a newer version.
- key: AllowDownloadsOverCellular
title: Allow Downloads Over Cellular
supportedOS:
iOS:
introduced: '26.0'
allowed-enrollments:
- supervised
macOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- AlwaysOn
- AlwaysOff
- StoreSettings
default: StoreSettings
content: |-
Indicates how the device uses a cellular network when it downloads the app for automatic install or update operations:
- `AlwaysOn`: The device downloads apps of any size using a cellular network.
- `AlwaysOff`: The device doesn't download apps using a cellular network. The device pauses the automatic install or update operation until a different network is active.
- `StoreSettings`: The device uses the settings for the corresponding store when downloading apps.
The device always uses the store settings to download apps when the install or update operation is user initiated.
Available only in iOS.
- key: UpdateBehavior
title: Update Behavior
supportedOS:
iOS:
introduced: '26.0'
macOS:
introduced: '26.0'
visionOS:
introduced: '26.0'
type: <dictionary>
presence: optional
content: A dictionary that specifies how the device updates apps.
subkeys:
- key: AutomaticAppUpdates
title: Automatic App Updates
type: <string>
presence: required
rangelist:
- AlwaysOn
- AlwaysOff
- StoreSettings
content: |-
Specifies whether the device automatically updates the app:
- `AlwaysOn`: The device automatically updates the app to the latest version. For App Store apps, the device periodically checks the store for updates. For Enterprise apps, the device periodically downloads the manifest file and compares it to the previous manifest file. If the device detects a change to the bundle version in the manifest, it downloads and updates the app.
- `AlwaysOff`: The device never automatically updates the app.
- `StoreSettings`: The device uses the settings for the corresponding store to determine when to automatically update the app. For Enterprise apps, this setting behaves the same as `AlwaysOff`.
When the `InstallBehavior.Version` key is specified, the device ignores this key and Automatic App Updates are disabled.
In macOS, the device ignores this setting if the `AppComposedIdentifier` key is set in the configuration.
- key: IncludeInBackup
title: Include in Backup
supportedOS:
macOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
content: If 'true', backups contain the app and its data.
content: |-
If `true`, backups contain the app and its data.
Available only in iOS and visionOS.
- key: Attributes
title: App Attributes
supportedOS:
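Review bot: `UpdateBehavior.AutomaticAppUpdates` says that when `InstallBehavior.Version` is set the device ignores it and automatic updates are disabled, and the `Version` rules say the device never installs an older version over a newer one; put that consequence into the `Version` key text itself: a pinned EVID freezes the app at that build, security fixes included, until the declaration is changed or the key removed, and a device that already has a newer build reports a failure rather than downgrading. Minor: `Automatic App Updates are disabled` is capitalized as if it were a key; use the key name `AutomaticAppUpdates` or lowercase it.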
@@ -122,7 +273,10 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary of values to associate with the app.
content: |-
A dictionary of values to associate with the app.
Available only in iOS and visionOS.
subkeys:
- key: AssociatedDomains
title: Associated Domains
@@ -140,7 +294,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the system enables direct downloads for the 'AssociatedDomains'.
content: If `true`, the system enables direct downloads for the `AssociatedDomains`.
- key: CellularSliceUUID
title: Cellular Slice UUID
supportedOS:
@@ -149,9 +303,9 @@ payloadkeys:
type: <string>
presence: optional
content: The cellular slice identifier, which can be the data network name (DNN)
or app category. For DNN, encode the value as DNN:name, where name is the
carrier-provided DNN name. For app category, encode the value as AppCategory:category,
where category is a carrier-provided string such as Enterprise1.
or app category. For DNN, encode the value as "DNN:name", where "name" is the
carrier-provided DNN name. For app category, encode the value as "AppCategory:category",
where "category" is a carrier-provided string such as "Enterprise1".
- key: ContentFilterUUID
title: Content Filter UUID
type: <string>
@@ -172,8 +326,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If `false`, the user cannot hide the app. It does not affect the user's
ability to leave it in the App Library, while removing it from the home screen.
content: If `false`, the system prevents the user from hiding the app. It doesn't
affect the user's ability to leave it in the App Library, while removing it
from the Home Screen.
- key: Lockable
title: Lockable
supportedOS:
@@ -184,9 +339,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If `false`, the user cannot lock or hide the app. Because hiding an app
also requires locking it, disallowing the user from locking the app will also
prevent the user from hiding it.
content: If `false`, the system prevents the user from locking the app. This also
prevents the user from hiding the app.
- key: RelayUUID
title: Relay UUID
type: <string>
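Review bot: the `Lockable` rewrite drops the reason given in the old text (`Because hiding an app also requires locking it`), leaving `This also prevents the user from hiding the app` unexplained next to a separate `Hideable` key that defaults to `true`; keep one clause on the dependency so readers don't treat the two keys as independent.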
@@ -200,8 +354,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the device automatically locks after every transaction that
requires a customer's card PIN. If 'false', the user can choose the behavior.
content: If `true`, the device automatically locks after every transaction that
requires a customer's card PIN. If `false`, the user can choose the behavior.
- key: VPNUUID
title: VPN UUID
type: <string>
@@ -216,7 +370,10 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary of app config data and credentials.
content: |-
A dictionary of app config data and credentials.
Available only in iOS and visionOS.
subkeytype: AppConfigDictionary
subkeys: &id001
- key: DataAssetReference
@@ -231,58 +388,60 @@ payloadkeys:
- text/xml
presence: optional
content: Specifies the identifier of an asset declaration containing a reference
to the app/extension config data. The corresponding asset must be of type "com.apple.asset.data".
The referenced data must be a property list file, and the asset's "ContentType"
value should be set to match the data type.
to the app or extension config data. The corresponding asset needs to be of
type `com.apple.asset.data`. The referenced data needs to be a property list
file, and the asset's "ContentType" value set to match the data type.
- key: Passwords
title: Password App/Extension Configs.
type: <array>
presence: optional
content: Provides passwords to the managed app/extension. Each element in the
array contains a password asset reference and an associated identifier, which
the app/extension may use to look up the password.
content: Provides passwords to the managed app or extension. Each element in the
array contains a password asset reference and an associated identifier which
the app or extension uses to look up the password.
subkeytype: CredentialConfig
subkeys:
- key: PasswordAppConfigItem
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Password Identifier
type: <string>
presence: required
content: The app/extension uses this identifier to fetch the corresponding
password using the ManagedApp framework. App developers will define what
values can be used for these identifiers.
content: The app or extension uses this identifier to fetch the corresponding
password using the `ManagedApp` framework. App developers define the values
for these identifiers.
- key: AssetReference
title: Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.userpassword
presence: required
content: Specifies the identifier of an asset declaration containing a user
name and password. The password is made available to the managed app/extension.
The user name is ignored.
content: Specifies the identifier of an asset declaration containing a username
and password. The `ManagedApp` framework makes the password available to
the app or extension. The `ManagedApp` framework ignores the username.
- key: Identities
title: Identity App/Extension Configs.
type: <array>
presence: optional
content: Provides identities to the managed app/extension. Each element in the
array contains an identity asset reference and an associated identifier, which
the app/extension may use to look up the identity.
content: Provides identities to the managed app or extension. Each element in
the array contains an identity asset reference and an associated identifier
which the app or extension uses to look up the identity.
subkeytype: CredentialConfig
subkeys:
- key: IdentityAppConfigItem
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Identity Identifier
type: <string>
presence: required
content: The app/extension uses this identifier to fetch the corresponding
identity using the ManagedApp framework. App developers will define what
values can be used for these identifiers.
content: The app or extension uses this identifier to fetch the corresponding
identity using the `ManagedApp` framework. App developers define the values
for these identifiers.
- key: AssetReference
title: Asset Reference
type: <string>
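Review bot: in the rewritten `DataAssetReference` content (the lines beginning "to the app or extension config data"), the final clause "and the asset's "ContentType" value set to match the data type" has lost its verb; write "and the asset's `ContentType` value needs to match the data type". The same lines switch to backticks for `com.apple.asset.data` but keep straight double quotes around "ContentType"; use one style for key and type names throughout the file.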
@@ -291,36 +450,35 @@ payloadkeys:
- com.apple.asset.credential.scep
- com.apple.asset.credential.acme
presence: required
content: Specifies the identifier of an asset declaration containing an identity
that is made available to the managed app/extension.
content: Specifies the identifier of an asset declaration containing an identity.
- key: Certificates
title: Certificate App/Extension Configs.
type: <array>
presence: optional
content: Provides certificates to the managed app/extension. Each element in the
array contains a certificate asset reference and an associated identifier, which
the app/extension may use to look up the certificate.
content: Provides certificates to the managed app or extension. Each element in
the array contains a certificate asset reference and an associated identifier
which the app or extension uses to look up the certificate.
subkeytype: CredentialConfig
subkeys:
- key: CertificateAppConfigItem
type: <dictionary>
presence: required
content: A dictionary of values associated with a credential config.
subkeys:
- key: Identifier
title: Certificate Identifier
type: <string>
presence: required
content: The app/extension uses this identifier to fetch the corresponding
certificate using the ManagedApp framework. App developers will define what
values can be used for these identifiers.
content: The app or extension uses this identifier to fetch the corresponding
certificate using the `ManagedApp` framework. App developers define the
values for these identifiers.
- key: AssetReference
title: Asset Reference
type: <string>
assettypes:
- com.apple.asset.credential.certificate
presence: required
content: Specifies the identifier of an asset declaration containing a certificate
that is made available to the managed app/extension.
content: Specifies the identifier of an asset declaration containing a certificate.
- key: ExtensionConfigs
title: Extension Configs
supportedOS:
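Review bot: the new `AssetReference` content for identities and for certificates ("Specifies the identifier of an asset declaration containing an identity." / "... containing a certificate.") drops the statement that the referenced item is made available to the managed app or extension. That statement is the security-relevant part of the key: it tells an administrator that the identity, and with it its private key, is handed to the app. Keep it, using the phrasing already adopted for passwords in this hunk: "The `ManagedApp` framework makes the identity available to the app or extension."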
@@ -330,7 +488,10 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: A dictionary of extension config data and credentials.
content: |-
A dictionary of extension config data and credentials.
Available only in iOS and visionOS.
subkeys:
- key: ANY
title: Extension Composed Identifier
@@ -356,12 +517,12 @@ payloadkeys:
- application/xml
- text/xml
presence: optional
content: Specifies the identifier of an asset declaration containing a reference
to the app config data. This app config data is applied and made available to
the app using the traditional MDMv1 behavior. The corresponding asset must be
of type "com.apple.asset.data". The referenced data must be a property list file,
and the asset's "ContentType" value should be set to match the data type.
content: |-
The identifier of an asset declaration containing a reference to the app config data. The device provides the app config data to the app using the MDMv1 behavior. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType"
value set to match the data type.
Available only in iOS and visionOS.
related-status-items:
- status-items:
- app.managed.list
note: Each configuration will have a corresponding status item.
note: Each configuration has a corresponding status item.
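Review bot: the `|-` literal block preserves line breaks, so the wrap after "the asset's "ContentType"" puts a hard line break before "value set to match the data type." in the middle of a sentence in the rendered description; join the two lines. The clause also still lacks its verb ("value needs to match the data type"), and "ContentType" keeps double quotes while `com.apple.asset.data` on the same line uses backticks.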

View File

@@ -0,0 +1,83 @@
title: Audio Accessory:Settings
description: The declaration to configure audio accessory settings.
payload:
declarationtype: com.apple.configuration.audio-accessory.settings
supportedOS:
iOS:
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- system
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: TemporaryPairing
title: Temporary Pairing
type: <dictionary>
presence: optional
content: A dictionary that describes audio accessory temporary pairing behavior.
The device enables temporary pairing when this key is present and the `Disabled`
key isn't `false`. The device doesn't synchronize pairing information with iCloud
when temporary pairing is active.
subkeys:
- key: Disabled
title: Temporary Pairing Disabled
type: <boolean>
presence: optional
default: false
combinetype: boolean-or
content: If `true`, temporary pairing of audio accessories is disabled.
- key: Configuration
title: Temporary Pairing Configuration
type: <dictionary>
presence: optional
combinetype: first
content: A dictionary providing configuration for temporary pairing. Required
if `Disabled` isn't present or is `false`.
subkeys:
- key: UnpairingTime
title: Temporary Pairing Unpairing Time
type: <dictionary>
presence: required
content: A dictionary that describes when the device automatically unpairs temporarily
paired audio accessories.
subkeys:
- key: Policy
title: Unpairing Policy
type: <string>
presence: required
rangelist:
- None
- Hour
content: |-
A string that specifies the device's unpairing policy.
- `None`: The device doesn't automatically unpair. Use this only with a return to service device that you erase and reenroll when assigning it from one user to another.
- `Hour`: The device automatically unpairs temporarily paired audio accessories at the local time that the `Hour` key specifies.
- key: Hour
title: Hour of Unpairing
type: <integer>
presence: optional
range:
min: 0
max: 23
content: The local time hour (24-hour clock) when the device automatically
unpairs temporarily paired audio accessories. Required when setting the
`Policy` key to `Hour`.
notes:
- title: ''
content: |-
Setting `TemporaryPairing` to `false` disables only the temporary pairing feature, without impacting any other use of audio accessories, so users can still:
- Pair and use audio accessories - the device records the pairing and synchronizes it to their iCloud account.
- Use the audio accessory AirPods Sharing feature.
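Review bot: the `TemporaryPairing` description has the enabling condition inverted. It says the device enables temporary pairing "when this key is present and the `Disabled` key isn't `false`", but `Disabled` defaults to `false` and `true` is what turns the feature off, as the `Disabled` subkey and the `Configuration` text ("Required if `Disabled` isn't present or is `false`") both state; it should read "isn't `true`". The closing note has the same problem from the other side: "Setting `TemporaryPairing` to `false`" names a dictionary key, and should say "Setting `Disabled` to `true`" (or "omitting `TemporaryPairing`"). Separately, `Configuration` is marked `presence: optional` while its content says it is required whenever `Disabled` is not `true`; state that conditional requirement in one consistent form so an MDM server validating the declaration can check it.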

View File

@@ -1,5 +1,5 @@
title: Disk Management:Settings
description: Use this configuration to install disk management settings on the device.
description: The declaration to configure disk management settings on the device.
payload:
declarationtype: com.apple.configuration.diskmanagement.settings
supportedOS:
@@ -36,9 +36,10 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies the mount policy for external storage:
* 'Allowed': the system can mount external storage that is read-write or read-only.
* 'ReadOnly': the system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only.
* 'Disallowed': The system can't mount any external storage.
- `Allowed`: The system can mount external storage that is read-write or read-only.
- `ReadOnly`: The system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only.
- `Disallowed`: The system can't mount any external storage.
- key: NetworkStorage
title: Network Storage
type: <string>
@@ -50,6 +51,7 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies the mount policy for network storage:
* 'Allowed': the system can mount network storage that is read-write or read-only.
* 'ReadOnly': the system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only.
* 'Disallowed': The system can't mount any network storage.
- `Allowed`: The system can mount network storage that is read-write or read-only.
- `ReadOnly`: The system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only.
- `Disallowed`: The system can't mount any network storage.

View File

@@ -1,6 +1,5 @@
title: Legacy Interactive Profile
description: Specifies an MDMv1 profile to present to the user who may choose to download
and install it
description: The declaration to configure an interactive legacy profile.
payload:
declarationtype: com.apple.configuration.legacy.interactive
supportedOS:
@@ -46,11 +45,21 @@ payloadkeys:
type: <string>
presence: required
content: |-
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS, the system rejects the entire profile.
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS that are forbidden with user enrollment. In iOS, the system rejects the entire profile.
- key: VisibleName
title: Configuration Visible Name
type: <string>
presence: required
content: The visible name of the configuration. This name needs to indicate the
nature of the profile.
notes:
- title: ''
content: |-
This declaration specifies an MDMv1 profile to present to the user, who may choose to download and install the profile.
The profile may contain any payload type other than the following:
- `com.apple.mdm`
- `com.apple.declarations`

View File

@@ -1,5 +1,5 @@
title: Legacy Profile
description: Specifies an MDMv1 profile to download and install
description: The declaration to configure a legacy profile.
payload:
declarationtype: com.apple.configuration.legacy
supportedOS:
@@ -56,5 +56,15 @@ payloadkeys:
type: <string>
presence: required
content: |-
The URL of the profile to download and install, which needs to start with 'https://', and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDM 1 payloads in macOS where the User Enrollment Mode setting is 'forbidden'. In iOS and tvOS, the system rejects the entire profile.
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`. In iOS, the system rejects the entire profile.
notes:
- title: ''
content: |-
This declaration specifies an MDMv1 profile for the device to download and install.
The profile may contain any payload type other than the following:
- `com.apple.mdm`
- `com.apple.declarations`
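Review bot: the rewritten URL text starting "If a user enrollment triggers this configuration" drops tvOS: the old line said "In iOS and tvOS, the system rejects the entire profile", the new one says only "In iOS". If tvOS still rejects the profile this is a documentation regression; if the behaviour changed, call it out in the release notes. The macOS clause also now differs from the interactive variant changed in this same commit ("where the User Enrollment Mode setting is `forbidden`" here, "that are forbidden with user enrollment" there); use the same wording in both declarations so they don't appear to describe different behaviour.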

View File

@@ -1,6 +1,5 @@
title: Management:Status Subscriptions
description: Use this configuration to define the status subscriptions that cause
status to be reported by the client.
description: The declaration to configure status subscriptions.
payload:
declarationtype: com.apple.configuration.management.status-subscriptions
supportedOS:
@@ -56,6 +55,7 @@ payloadkeys:
subkeys:
- key: StatusItem
type: <dictionary>
content: The declaration for configuring a specific status subscription.
subkeys:
- key: Name
type: <string>

View File

@@ -1,5 +1,5 @@
title: Management:Test
description: A configuration used for testing only
description: The declaration to test declarative device management.
payload:
declarationtype: com.apple.configuration.management.test
supportedOS:
@@ -81,4 +81,4 @@ payloadkeys:
- Unlocked
default: Installed
content: The status the system reports back when the device implements the configuration.
Use this to override the normal 'success' result.
Use this to override the normal `success` result.

View File

@@ -1,5 +1,5 @@
title: Math Settings
description: Use this configuration to configure math-related settings
description: The declaration to configure the math and calculator apps.
payload:
declarationtype: com.apple.configuration.math.settings
supportedOS:
@@ -11,7 +11,6 @@ payload:
- system
sharedipad:
allowed-scopes:
- system
- user
macOS:
introduced: '15.0'
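Review bot: this hunk removes `user` from the `sharedipad` `allowed-scopes` of `com.apple.configuration.math.settings`, leaving only `system`. That narrows where the declaration applies on Shared iPad, which is a behaviour change rather than a wording fix; confirm it is intentional for this release and record it in the release notes so servers that currently send this declaration in the user scope on Shared iPad know it will stop applying.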

View File

@@ -0,0 +1,52 @@
title: Package
description: The declaration to install a package.
payload:
declarationtype: com.apple.configuration.package
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
apply: multiple
payloadkeys:
- key: ManifestURL
title: Manifest URL
type: <string>
presence: required
content: The URL of the manifest document for the package that the device downloads.
The manifest is returned as a `ManifestURL` property list. The `url` property
of the manifest must point to the package (.pkg) file to install.
- key: InstallBehavior
title: Install Behavior
type: <dictionary>
presence: optional
content: A dictionary that describes how and when to install the package.
subkeys:
- key: Install
title: Install
type: <string>
presence: optional
rangelist:
- Optional
- Required
default: Optional
content: |-
A string that specifies when the system installs the package:
- `Optional`: The user can install the package after the system activates the configuration.
- `Required`: The system installs the package after it activates the configuration.
notes:
- title: ''
content: This declaration installs a package on a device. Packages can contain apps,
fonts, documents, and other items. Apps that a package installs aren't automatically
managed; you can manage them using the `AppManaged` declaration.
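Review bot: the `ManifestURL` description says what the manifest points at but not how the device checks what it downloads: nothing in this file states whether any checksum carried in the manifest is validated, whether the package has to be signed, or whether the URL has to use `https://` as the legacy profile declarations in this commit require. For a declaration that installs software at system scope under supervised enrollment those are the properties an administrator needs, so document them (or state explicitly that no verification is performed). The sentence "The manifest is returned as a `ManifestURL` property list" is also unclear, since `ManifestURL` is the key name rather than a property list format; say what format the manifest document has.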

View File

@@ -1,5 +1,5 @@
title: Passcode:Settings
description: Use this configuration to define passcode policy settings
description: The declaration to configure passcode policy settings.
payload:
declarationtype: com.apple.configuration.passcode.settings
supportedOS:
@@ -48,7 +48,7 @@ payloadkeys:
presence: optional
default: false
combinetype: boolean-or
content: If 'true', the system requires the user to set a passcode without any requirements
content: If `true`, the system requires the user to set a passcode without any requirements
about the length or quality of the passcode. The presence of any other keys implicitly
requires a passcode, and overrides this key's value.
- key: RequireAlphanumericPasscode
@@ -64,7 +64,7 @@ payloadkeys:
presence: optional
default: false
combinetype: boolean-or
content: If 'true', the passcode needs to consist of at least one alphabetic character
content: If `true`, the passcode needs to consist of at least one alphabetic character
and at least one number.
- key: RequireComplexPasscode
title: Require Complex Passcode
@@ -72,7 +72,7 @@ payloadkeys:
presence: optional
default: false
combinetype: boolean-or
content: If 'true', the system requires a complex passcode. A complex passcode is
content: If `true`, the system requires a complex passcode. A complex passcode is
one that doesn't contain repeated characters or increasing or decreasing characters
(such as 123 or CBA).
- key: MinimumLength
@@ -102,8 +102,8 @@ payloadkeys:
default: 0
combinetype: number-max
content: Specifies the minimum number of complex characters in the password. A complex
character is a character other than a number or a letter, such as '&', '%', '$',
and '#'.
character is a character other than a number or a letter, such as `&`, `%`, `$`,
and `#`.
- key: MaximumFailedAttempts
title: Maximum Number of Failed Attempts
type: <integer>
@@ -114,8 +114,9 @@ payloadkeys:
default: 11
combinetype: number-min
content: |-
The number of failed passcode attempts that the system allows the user before iOS erases the device or macOS locks the device. If you don't change this setting, after six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt.
After the final failed attempt, the system securely erases all data and settings from the iOS device. A macOS device locks after the final attempt. The passcode time delay begins after the sixth attempt, so if this value is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit.
The number of failed passcode attempts that the system allows the user before it erases or locks the device. After six failed attempts, the device imposes a time delay before the user can enter a passcode again. The time delay increases with each failed attempt. On macOS, set `FailedAttemptsResetInMinutes` to define the time delay. The time delay begins after the sixth attempt, so if `MaximumFailedAttempts` is six or lower, the system has no time delay and triggers the erase or lock as soon as the user exceeds the limit.
After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device.
- key: FailedAttemptsResetInMinutes
title: Failed Attempts Reset
supportedOS:
@@ -131,7 +132,7 @@ payloadkeys:
presence: optional
combinetype: number-min
content: The number of minutes before the login is reset after the maximum number
of failed attempts. Also set the 'MaximumFailedAttempts' key for this to take
of failed attempts. Also set the `MaximumFailedAttempts` key for this to take
effect.
- key: MaximumGracePeriodInMinutes
title: Maximum Grace Period
@@ -139,7 +140,7 @@ payloadkeys:
presence: optional
combinetype: number-min
content: The maximum period that a user can select, during which the user can unlock
the device without a passcode. A value of '0' means no grace period, and the device
the device without a passcode. A value of `0` means no grace period, and the device
requires a passcode immediately. In the absence of this key, the user can select
any period. In macOS, the system translates this to screensaver settings.
- key: MaximumInactivityInMinutes
@@ -198,7 +199,7 @@ payloadkeys:
presence: optional
default: false
combinetype: boolean-or
content: If 'true', the system forces a password reset the next time the user tries
content: If `true`, the system forces a password reset the next time the user tries
to authenticate. If you set this key in a configuration in the system scope (device
channel), the setting takes effect for all users, and admin authentication may
fail until the admin user password is also reset.
@@ -229,9 +230,9 @@ payloadkeys:
- key: Description
type: <dictionary>
presence: optional
content: A dictionary with supported OS language IDs for the keys (such as 'en-US'),
content: A dictionary with supported OS language IDs for the keys (such as `en-US`),
and values that represent a localized description of the policy that the regular
expression enforces. Use the special 'default' key for languages that the dictionary
expression enforces. Use the special `default` key for languages that the dictionary
doesn't contain.
subkeys:
- key: ANY
@@ -243,3 +244,14 @@ related-status-items:
- passcode.is-compliant
- passcode.is-present
note: This configuration may affect the corresponding status items.
notes:
- title: ''
content: |-
The presence of this configuration type causes the device to present the user with a passcode entry mechanism. The configuration controls the complexity of the passcode.
For user enrollments, the system allows this configuration type, but ignores most of the keys. Instead, the presence of the configuration forces only these settings:
- `RequirePasscode`: always set to `true`
- `RequireComplexPasscode`: always set to `true`
- `MinimumLength`: always set to `6`
- `MaximumInactivityInMinutes`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI.

View File

@@ -0,0 +1,103 @@
title: Safari:Bookmarks
description: The declaration to configure managed bookmarks in Safari.
payload:
declarationtype: com.apple.configuration.safari.bookmarks
supportedOS:
iOS:
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: n/a
visionOS:
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: ManagedBookmarks
title: Managed Bookmarks
type: <array>
presence: optional
content: A dictionary that specifies a set of managed bookmarks.
subkeys:
- key: BookmarkGroup
type: <dictionary>
presence: required
content: A group of managed bookmarks.
subkeys:
- key: GroupIdentifier
type: <string>
presence: required
content: A string that specifies the unique identifier for this group of managed
bookmarks. Safari displays a separate managed bookmarks item for each set
of unique managed bookmarks based on the value of this key. If multiple active
configurations use the same value for this key, Safari displays a single group
formed by merging the list of `Bookmarks` from each group.
- key: Title
title: The name of the bookmarks folder.
type: <string>
presence: required
content: The name of the bookmarks folder. Safari uses this as the title for
the top-level managed bookmarks item.
- key: Bookmarks
title: Bookmarks
type: <array>
presence: required
combinetype: array-append
content: A list of bookmarks. Either a `URL` or `Folder` key must be present
in each item.
subkeytype: BookmarksItem
subkeys:
- key: bookmarks-item
type: <dictionary>
presence: required
content: A bookmark that specifies a title, and either a URL for the bookmark,
or a nested folder of bookmarks.
subkeys: &id001
- key: Title
title: Title
type: <string>
presence: required
content: The title of the bookmark shown in Safari.
- key: URL
title: URL
type: <string>
presence: optional
content: |-
The URL for the bookmark item.
Only one of `URL` or `Folder` must be present.
- key: Folder
title: Folder
type: <array>
presence: optional
content: |-
An array of bookmarks for each bookmark in the folder. Folders can include bookmark items and bookmark folders.
Only one of `URL` or `Folder` must be present.
subkeytype: BookmarksItem
subkeys:
- key: folder-item
type: <dictionary>
presence: required
content: A bookmark that specifies a title, and either a URL for the bookmark,
or a nested folder of bookmarks.
subkeys: *id001
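Review bot: `ManagedBookmarks` is declared `type: <array>` but its content says "A dictionary that specifies a set of managed bookmarks"; write "An array of managed bookmark groups". The `Title` subkey under `BookmarkGroup` uses a full sentence ("The name of the bookmarks folder.") as its `title` while every other key uses a short label; use "Title" or "Folder Name". The `Bookmarks` content says "Either a `URL` or `Folder` key must be present in each item" and the item keys say "Only one of `URL` or `Folder` must be present"; state it once as "exactly one of `URL` or `Folder`" in both places.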

View File

@@ -1,5 +1,5 @@
title: Safari:Extension Settings
description: Use this configuration to manage Safari Extensions.
description: The declaration to configure Safari Extensions.
payload:
declarationtype: com.apple.configuration.safari.extensions.settings
supportedOS:
@@ -21,7 +21,11 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: combined
@@ -30,15 +34,17 @@ payloadkeys:
title: Managed Extensions
type: <dictionary>
presence: optional
content: The dictionary of managed extensions settings.
content: |-
The dictionary of managed extensions settings. Each key in the dictionary represents a composed identifier for a specific managed extension, or you can specify a single "*" character to match any extension. The dictionary values represent the settings that Safari applies to each extension that matches the key. In order for the extension to be managed, its host app needs to be present on the device.
The composed identifier of a managed extension uses the format "Identifier (TeamIdentifier)", for example "com.example.app (ABCD1234)". Use `codesign -dv <path_to_appex>` to show the information you need to generate this string on macOS, using the path to the extension bundle located in the "PlugIns" folder inside the app bundle. For other platforms, request this information from the app developer.
subkeys:
- key: ANY
type: <dictionary>
presence: optional
content: |-
The composed identifier of the managed extension, or “*” for all extensions. In order for the extension to be managed, its host app must be present on the device.
To generate this string use 'codesign -dv <path_to_appex>'. The browser extension is located in the PlugIns folder inside the app bundle. The expected format is “Identifier (TeamIdentifier)”.
For extensions that aren't also available on macOS the app developer needs to provide this information.
content: The dictionary that defines the settings for a managed extension. Each
key represents a specific managed extension, or you can specify a single "*"
character to match any extension.
subkeytype: ExtensionDictionary
subkeys:
- key: State
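Review bot: the new `ANY` content repeats the explanation of the "*" wildcard that the parent `ManagedExtensions` content a few lines above already gives; keep the composed-identifier and wildcard rules in one place and reduce `ANY` to "The settings Safari applies to the matching extension." In the `ManagedExtensions` text the identifier format and the wildcard are quoted with straight double quotes ("Identifier (TeamIdentifier)", "*") while key names in the same sentences use backticks; pick one style.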
@@ -52,9 +58,9 @@ payloadkeys:
combinetype: enum-last
content: |-
Controls whether an extension is allowed.
* 'Allowed' - The user is allowed to turn the extension on or off.
* 'AlwaysOn' - The extension will always be on.
* 'AlwaysOff' - The extension will always be off.
* `Allowed` - The user is allowed to turn the extension on or off.
* `AlwaysOn` - The extension will always be on.
* `AlwaysOff` - The extension will always be off.
- key: PrivateBrowsing
title: Private Browsing state
type: <string>
@@ -66,18 +72,16 @@ payloadkeys:
combinetype: enum-last
content: |-
Controls whether an extension is allowed in Private Browsing.
* 'Allowed' - The user is allowed to turn the extension on or off in Private Browsing.
* 'AlwaysOn' - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing.
* 'AlwaysOff' - The extension will never be on in Private Browsing.
* `Allowed` - The user is allowed to turn the extension on or off in Private Browsing.
* `AlwaysOn` - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing.
* `AlwaysOff` - The extension will never be on in Private Browsing.
- key: AllowedDomains
title: Allowed domains
type: <array>
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension is granted access
to. Any non-prefixed domains take precedence over prefixed domains, and 'DeniedDomains'
takes precedence over 'AllowedDomains'. Any domains not specified in 'AllowedDomains'
or 'DeniedDomains' are configurable by the user.
to.
subkeys:
- key: Domain
title: Domain
@@ -89,11 +93,54 @@ payloadkeys:
presence: optional
combinetype: set-union
content: Controls the domains and sub-domains the extension isn't allowed to
access. Any non-prefixed domains take precedence over prefixed domains, and
'DeniedDomains' takes precedence over 'AllowedDomains'. Any domains not specified
in 'AllowedDomains' or 'DeniedDomains' are configurable by the user.
access.
subkeys:
- key: Domain
title: Domain
type: <string>
content: A domain or set of sub-domains where the extension is not allowed
notes:
- title: ''
content: |-
Safari supports the following values for `AllowedDomains` and `DeniedDomains`:
- A specific domain such as "example.com" or "www.example.com".
- A wildcard domain that uses a single "\*" character as a prefix for the domain, such as "\*example.com". This matches both the exact domain "example.com", and any sub-domains such as "www.example.com". It won't match other domains with a similar string suffix such as "myexample.com".
- A global wildcard specified as a single "\*" character that matches any domain.
Safari determines whether a domain is allowed or denied using the following precedence rules:
1. A specific domain takes precedence over the global wildcard or a wildcard domain.
2. A wildcard domain takes precedence over the global wildcard.
If the same value appears in both `AllowedDomains` and `DeniedDomains`, Safari denies use of a matching domain.
The user can configure any domains not matched by the values in `AllowedDomains` or `DeniedDomains`.
- title: Examples
content: |-
Give an extension access to only "example.com" and its sub-domains, and deny access to everywhere else.
``` json
"AllowedDomains": ["*example.com"],
"DeniedDomains": ["*"]
```
Give an extension access to "example.com" and its sub-domains, without deny anywhere else. The user can make their own choice for other domains.
``` json
"AllowedDomains": ["*example.com"]
```
Give an extension access to "example.com" and its sub-domains, but deny access to "private.example.com" or anywhere else.
``` json
"AllowedDomains": ["*example.com"],
"DeniedDomains": ["private.example.com", "*"]
```
Give an extension access to "public.example.com", but deny access to "example.com" or any other of its sub-domains. The user can make their own choice for other domains.
``` json
"AllowedDomains": ["public.example.com"],
"DeniedDomains": ["*example.com"]
```
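Review bot: in the Examples note, "without deny anywhere else" should read "without denying access anywhere else". The prose above escapes the wildcard as "\*" while the JSON examples write "*"; check that the generator renders the escaped form as a plain asterisk, otherwise readers will copy "\*example.com" into a declaration. The third example depends on rule 1 of the precedence list (a specific `DeniedDomains` entry beating a wildcard `AllowedDomains` entry); a short "because" clause on that example would make the rule concrete.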

View File

@@ -0,0 +1,179 @@
title: Safari:Settings
description: The declaration to configure Safari settings.
payload:
declarationtype: com.apple.configuration.safari.settings
supportedOS:
iOS:
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
sharedipad:
allowed-scopes:
- user
macOS:
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- user
tvOS:
introduced: n/a
visionOS:
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: combined
payloadkeys:
- key: AcceptCookies
title: Accept Cookies
supportedOS:
iOS:
allowed-enrollments:
- supervised
macOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- Never
- CurrentWebsite
- VisitedWebsites
- Always
default: Always
combinetype: enum-first
content: |-
The policy Safari uses for managing cookies:
- `Never`: Safari always blocks cookies.
- `CurrentWebsite`: Safari allows cookies only from the current website.
- `VisitedWebsites`: Safari allows cookies only from visited websites.
- `Always`: Safari always allows cookies.
- key: AllowDisablingFraudWarning
title: Allow Disabling Fraud Warning
supportedOS:
iOS:
allowed-enrollments:
- supervised
macOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system forces fraud warnings on in Safari.
- key: AllowHistoryClearing
title: Allow History Clearing
supportedOS:
iOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system disables clearing history in Safari.
- key: AllowJavaScript
title: Allow JavaScript
supportedOS:
iOS:
allowed-enrollments:
- supervised
macOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system disables JavaScript in Safari.
- key: AllowPrivateBrowsing
title: Allow Private Browsing
supportedOS:
iOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system disables private browsing in Safari.
- key: AllowPopups
title: Allow Popups
supportedOS:
iOS:
allowed-enrollments:
- supervised
macOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system disables popups in Safari.
- key: AllowSummary
title: Allow Summary
supportedOS:
iOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: If `false`, the system disables summarization of content in Safari.
- key: NewTabStartPage
title: New Tab Start Page
type: <dictionary>
presence: optional
content: Sets the start page for new tabs in Safari.
subkeys:
- key: PageType
type: <string>
presence: required
rangelist:
- Start
- Home
- Extension
content: |-
Sets the start page type in Safari:
- `Start` - Safari uses the default start page. Safari disables the Homepage.
- `Home` - Safari uses the page specified by `HomepageURL`, and Safari also sets that as the Homepage.
- `Extension` - Safari uses the page specified by the Safari extension whose identifier is `ExtensionIdentifier`. Safari disables the Homepage.
- key: HomepageURL
title: The homepage URL.
type: <string>
presence: optional
content: The URL of the homepage which needs to start with `https://` or `http://`.
Required when setting `PageType` to `Home`.
- key: ExtensionIdentifier
title: The extension identifier.
type: <string>
presence: optional
content: The composed identifier of the extension that provides the start page.
The required format is "Identifier (TeamIdentifier)", for example "com.example.app
(ABCD1234)". Required when setting `PageType` to `Extension`.
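Review bot: `NewTabStartPage` has no `combinetype` even though this declaration is `apply: combined` and every other key in the file specifies one (`boolean-and` or `enum-first`); say how conflicting `NewTabStartPage` dictionaries from multiple declarations are resolved, for example `combinetype: first`, or document that the whole dictionary is taken from one declaration. A smaller point: `HomepageURL` and `ExtensionIdentifier` are `presence: optional` but required for `PageType` `Home` and `Extension` respectively, so it would help to add that conditional requirement to the `title` as well as the `content`.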

View File

@@ -1,5 +1,5 @@
title: Screen Sharing:Connection Group
description: Use this configuration to define a group of Screen Sharing connections.
description: The declaration to configure a group of screen-sharing connections.
payload:
declarationtype: com.apple.configuration.screensharing.connection.group
supportedOS:
@@ -26,20 +26,18 @@ payloadkeys:
title: Unique Identifier
type: <string>
presence: required
content: A string which uniquely identifies this connection group.
content: A unique identifier for this connection group.
- key: GroupName
title: Group Name
type: <string>
presence: required
content: The name of the Connection Group.
content: The name of the connection group.
- key: Members
title: Group Members
type: <array>
presence: required
content: |-
Array of ConnectionUUIDs (matching a connection declared in a
com.apple.configuration.screensharing.connection configuration) of the Connections
that should be members of this group.
content: An array of `ConnectionUUID`s that represent connections declared in `ScreenSharingConnection`
configurations that are members of this group.
subkeys:
- key: ConnectionUUID
type: <string>
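Review bot: the rewritten `Members` text refers to "`ScreenSharingConnection` configurations", a name that appears nowhere else in the schema, while the removed text named the actual declaration type `com.apple.configuration.screensharing.connection`; keep the declaration type identifier in the cross-reference so readers can find the right configuration without guessing.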

View File

@@ -1,5 +1,5 @@
title: Screen Sharing:Connection
description: Use this configuration to define a connection to a Screen Sharing host.
description: The declaration to configure a connection to a screen-sharing host.
payload:
declarationtype: com.apple.configuration.screensharing.connection
supportedOS:
@@ -57,8 +57,8 @@ payloadkeys:
content: |-
The type of display for the connection, which has these allowed values:
* 'Virtual1': Create one virtual display.
* 'Virtual2': Create two virtual displays.
- `Virtual1`: Create one virtual display.
- `Virtual2`: Create two virtual displays.
- key: AuthenticationCredentialsAssetReference
title: Authentication Credentials Asset Reference
type: <string>
@@ -67,4 +67,4 @@ payloadkeys:
presence: optional
content: The identifier of an asset declaration that contains the required credentials
for this connection to authenticate with the screen-sharing server. Set the corresponding
asset type to 'com.apple.asset.credential.userpassword'.
asset type to `com.apple.asset.credential.userpassword`.

View File

@@ -1,5 +1,5 @@
title: Screen Sharing:Host Settings
description: Use this configuration to define Screen Sharing host settings and restrictions.
description: The declaration to configure screen-sharing host settings and restrictions.
payload:
declarationtype: com.apple.configuration.screensharing.host.settings
supportedOS:
@@ -27,7 +27,7 @@ payloadkeys:
range:
min: 0
max: 2
content: Sets the maximum number of Virtual Displays to make available to clients.
content: The maximum number of virtual displays to make available to clients.
- key: PortBase
title: UDP Port base
type: <integer>
@@ -35,27 +35,28 @@ payloadkeys:
range:
min: 1024
max: 65535
content: |-
Specifies the initial UDP port number for connecting to the host. Screen Sharing needs multiple connections
so additional connections will increment this base port number by 1 for each needed connection. This does not
change the port number used to initially establish a connection with a host, which is always TCP port 5900.
content: The initial UDP port number to connect to the host. Screen sharing requires
multiple connections, so the system increments this value by 1 for each additional
connection. This doesn't change the port number that the system uses to initially
establish a connection with a host, which is always TCP port 5900.
- key: PreventCopyFilesFromHost
title: Prevent copying files from host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files from the Screen Sharing
content: If `true`, the system prevents users from copying files from the screen-sharing
host.
- key: PreventCopyFilesToHost
title: Prevent copying files to host
type: <boolean>
presence: optional
default: false
content: Set to true to prevent users from copying files to the Screen Sharing host.
content: If `true`, the system prevents users from copying files to the screen-sharing
host.
- key: PreventHighPerformanceConnections
title: Prevent High Performance connections
type: <boolean>
presence: optional
default: false
content: Set to true to prevent clients from establishing High Performance connections
to the host.
content: If `true`, the system prevents clients from establishing high-performance
connections to the host.
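Review bot: the new `PortBase` text says the system increments the base by 1 for each additional connection but, with `max: 65535` on the range, doesn't say what happens when a base near the top of the range leaves no room for the extra ports; document whether the connection fails in that case, or lower the documented maximum to leave headroom. It would also help to state how many additional UDP ports a typical session uses so administrators can open the right firewall range.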

View File

@@ -1,5 +1,5 @@
title: Security:Certificate
description: Use this configuration to add a certificate to the device.
description: The declaration to add a certificate to the device.
payload:
declarationtype: com.apple.configuration.security.certificate
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Security:Identity
description: Use this configuration to install an identity on the device.
description: The declaration to install an identity on the device.
payload:
declarationtype: com.apple.configuration.security.identity
supportedOS:
@@ -74,7 +74,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', apps can access the private key.
content: If `true`, apps can access the private key.
- key: KeyIsExtractable
title: Key is extractable
supportedOS:
@@ -89,7 +89,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', the private key is extractable in the keychain.
content: If `true`, the private key is extractable in the keychain.
related-status-items:
- status-items:
- security.certificate.list

View File

@@ -1,6 +1,6 @@
title: Security:Passkey:Attestation
description: Configures the device to allow WebAuthn enterprise attestation for certain
passkeys.
description: The declaration to configure the device to allow WebAuthn enterprise
attestation for certain passkeys.
payload:
declarationtype: com.apple.configuration.security.passkey.attestation
supportedOS:
@@ -45,7 +45,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If 'true', the private key for the attestation identity is extractable
content: If `true`, the private key for the attestation identity is extractable
in the keychain.
- key: RelyingParties
title: Relying parties

View File

@@ -1,5 +1,5 @@
title: Services Background Tasks
description: Specifies management of a background tasks
description: The declaration to configure background tasks.
payload:
declarationtype: com.apple.configuration.services.background-tasks
supportedOS:
@@ -40,18 +40,21 @@ payloadkeys:
- application/zip
presence: optional
content: |-
Specifies the identifier of an asset declaration containing a reference to the files to be used for the background task configuration. The corresponding asset must be of type “'com.apple.asset.data'”.
The referenced data must be a zip archive of an entire directory, that will be expanded and stored in a well known location for the background task. The asset's “ContentType” and “Hash-SHA-256” keys in the “Reference” key are required.
This file should contain background task executables, scripts, and configuration files, but not the 'launchd' configuration files.
Specifies the identifier of an asset declaration containing a reference to the files to be used for the background task configuration. The corresponding asset must be of type `com.apple.asset.data`.
The referenced data must be a zip archive of an entire directory, that will be expanded and stored in a well known location for the background task. The asset's "ContentType" and "Hash-SHA-256" keys in the "Reference" key are required.
This file should contain background task executables, scripts, and configuration files, but not the `launchd` configuration files.
- key: LaunchdConfigurations
title: Launchd Configurations
type: <array>
presence: optional
content: An array of 'launchd' configuration files used to run the background tasks.
content: An array of `launchd` configuration files used to run the background tasks.
subkeys:
- key: launchd-item
type: <dictionary>
presence: required
content: A dictionary of launchd configurations.
subkeys:
- key: FileAssetReference
title: File Asset Reference
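Review bot: the quoting style is inconsistent across this commit: here "ContentType", "Hash-SHA-256" and "Reference" keep straight double quotes, while the same keys in the Services Configuration Files change further down in this commit are written as `ContentType`, `Hash-SHA-256` and `Reference` in code spans; pick one style for key names (the code-span form is what the rest of the commit converts to).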
@@ -67,7 +70,7 @@ payloadkeys:
content: Specifies the identifier of an asset declaration containing a reference
to the launchd configuration file for the background task. The referenced
data must be a property list file conforming to the launchd.plist format.
The asset's ContentType and Hash-SHA-256 keys in the Reference key are
The asset's "ContentType" and "Hash-SHA-256" keys in the "Reference" key are
required.
- key: Context
title: Launchd Context
@@ -83,3 +86,16 @@ related-status-items:
- services.background-task
note: Each service managed by a configuration will have a corresponding status item
that will contain a reference to the configuration.
notes:
- title: ''
content: |-
One or both of `ExecutableAssetReference` or `LaunchdConfigurations` needs to be present.
If `ExecutableAssetReference` is present, the POSIX permissions of the files in the zip archive need to be set correctly. For example, executables must have the "x" bit set.
If `LaunchdConfigurations` is present, the device stores the launchd configuration files in a secure location and loads them into launchd. When the device updates a launchd configuration, it kills and restarts any associated running tasks.
If both `ExecutableAssetReference` and `LaunchdConfigurations` are present, and the device changes just the executable data, it kills and restarts any running tasks associated with the launchd configurations.
> Note:
> If an executable is an app, the system can't manage the app as it can only manage apps installed in `/Applications`. Also, the system can't use system extensions in the app as it only loads them from apps installed in `/Applications`.
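Review bot: the new notes say executables in the archive need the "x" bit set but don't say how other mode bits are treated when the system expands the archive (setuid/setgid bits, world-writable files) or which owner the expanded files get; since `launchd` runs these tasks, state which permission bits the system preserves or strips. The notes also describe the launchd files as stored in "a secure location" while the `ExecutableAssetReference` text above says "a well known location"; use one phrase, or say explicitly whether the two locations differ.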

View File

@@ -1,5 +1,5 @@
title: Services Configuration Files
description: Specifies managed configuration files for services
description: The managed configuration files for services.
payload:
declarationtype: com.apple.configuration.services.configuration-files
supportedOS:
@@ -24,14 +24,15 @@ payloadkeys:
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves 'com.apple.' prefix for built-in services. The available built-in services are:
* 'com.apple.sshd' configures sshd
* 'com.apple.sudo' configures sudo
* 'com.apple.pam' configures PAM
* 'com.apple.cups' configures CUPS
* 'com.apple.apache.httpd' configures Apache httpd
* 'com.apple.bash' configures bash
* 'com.apple.zsh' configures zsh
The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves `com.apple.` prefix for built-in services. The available built-in services are:
- `com.apple.sshd` configures sshd
- `com.apple.sudo` configures sudo
- `com.apple.pam` configures PAM
- `com.apple.cups` configures CUPS
- `com.apple.apache.httpd` configures Apache httpd
- `com.apple.bash` configures bash
- `com.apple.zsh` configures zsh
- key: DataAssetReference
title: Data Asset Reference
type: <string>
@@ -43,8 +44,8 @@ payloadkeys:
content: |-
The identifier of an asset declaration that contains a reference to the files to use for system service configuration. Ensure that the corresponding asset:
* Is of type 'com.apple.asset.data'
* Is a zip archive of an entire directory
* Has a 'Reference' key that includes the 'ContentType' and 'Hash-SHA-256' keys, which the system requires
- Is of type `com.apple.asset.data`
- Is a zip archive of an entire directory
- Has a `Reference` key that includes the `ContentType` and `Hash-SHA-256` keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.

View File

@@ -1,5 +1,5 @@
title: Software Update:Enforcement:Specific
description: A software update enforcement policy for a specific OS release
description: A software update enforcement policy for a specific OS release.
payload:
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: multiple
@@ -37,22 +42,21 @@ payloadkeys:
type: <string>
presence: required
content: The target OS version to update the device to by the appropriate time.
This is the OS version number, for example, '16.1'.
This is the OS version number, for example, `16.1`.
- key: TargetBuildVersion
title: Target Build Version
type: <string>
presence: optional
content: The target build version to update the device to by the appropriate time,
for example, '20A242'. The system uses the build version for testing during seeding
periods. The build version can include a supplemental version identifier, for
example, '20A242a'. If the build version isn't consistent with the target OS version
specified in the 'TargetOSVersion' key, the target OS version takes precedence.
for example, `20A242`. Use the build version for testing during seeding periods.
The build version can include a supplemental version identifier, for example,
`20A242a`.
- key: TargetLocalDateTime
title: Target Local Date Time
type: <string>
presence: required
content: The local date time value that specifies when to force install the software
update. Use the format 'yyyy-mm-ddThh:mm:ss', which is derived from RFC3339 but
update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC3339 but
doesn't include a time zone offset. If the user doesn't trigger the software update
before this time, the device force installs it.
- key: DetailsURL
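Review bot: the `TargetBuildVersion` rewrite drops the sentence stating that the target OS version takes precedence when the build version isn't consistent with `TargetOSVersion`, without replacing it; if that precedence rule still holds, keep it, and if the behaviour changed, say what now happens on a mismatch (the notes added below only cover the case where neither value matches an available update).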
@@ -60,7 +64,7 @@ payloadkeys:
type: <string>
presence: optional
content: The URL of a web page that shows details that the organization provides
about the enforced update.
about the enforced software update.
related-status-items:
- status-items:
- softwareupdate.failure-reason
@@ -68,3 +72,15 @@ related-status-items:
- softwareupdate.install-state
- softwareupdate.pending-version
note: This configuration may affect the corresponding status items.
notes:
- title: ''
content: |-
If the `TargetOSVersion` and optional `TargetBuildVersion` values don't match an available software update, the device keeps the configuration active, but won't be able to update. If a software update that matches these keys becomes available later, the device will process the update.
To determine available software updates to show to an admin, a device management service uses the Apple GDMF service via `https://gdmf.apple.com/v2/pmv`. Configurations only enforce a software update if GDMF has the corresponding OS version or build available. So device management services need to regularly check available versions, and adjust the list shown to admins, and also remove any deployed configurations that use OS versions or builds that are no longer available. Device management services should check GDMF no more than once a day.
If the `TargetOSVersion` is an OS version that includes both a minor and patch version, the system installs that specific version, for example, `16.1.1`. If the minor version doesn't include a patch version, the system installs the latest available patch version. For example, if the `TargetOSVersion` is `16.1` and a `.1` patch is available, the system installs `16.1.1`.
The system can only install a supplemental software update on a device that already has the base OS version installed. For example, the system can only install a `16.1`(a) update on a device that currently has `16.1` installed, but it can't install that update on a device that has only `16.0` installed. To update to a supplemental version from an older base version, use two configurations. Use the first configuration to update to the new base version, and the second configuration to update the new base version to its supplemental version.
If the device isn't running at the target date-time, the system enforces the software update 1 hour after restarting, or when the device meets all required conditions, such as minimum battery level.
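Review bot: "`16.1`(a)" in the supplemental-update note renders as a code span glued to a parenthesis; write the supplemental version in one span, for example `16.1 (a)`, so it reads as a version string. Also, this note says "1 hour after restarting" while the Software Update:Settings change in this commit says "one hour before the enforcement deadline"; use one spelling.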

View File

@@ -1,5 +1,5 @@
title: Software Update:Settings
description: Software update settings
description: The declaration to configure software updates.
payload:
declarationtype: com.apple.configuration.softwareupdate.settings
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
apply: combined
@@ -39,8 +44,9 @@ payloadkeys:
default: true
combinetype: boolean-and
content: |-
If set to 'true', the device shows all software update enforcement notifications.
If set to 'false', the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification.
If set to `true`, the device shows all software update enforcement notifications.
If set to `false`, the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification.
- key: Deferrals
title: Software Update Deferrals
supportedOS:
@@ -50,10 +56,13 @@ payloadkeys:
tvOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
content: This object configures the deferral of software updates. Rapid Security
Responses aren't considered within 'Major', 'Minor', or 'System' deferral mechanism.
Responses aren't considered in `Major`, `Minor`, or `System` deferral mechanism.
subkeys:
- key: CombinedPeriodInDays
title: Combined Major/Minor Update Deferral Period
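Review bot: "Rapid Security Responses aren't considered in `Major`, `Minor`, or `System` deferral mechanism" is missing an article; "in the `Major`, `Minor`, or `System` deferral mechanisms" reads correctly.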
@@ -76,6 +85,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <integer>
presence: optional
range:
@@ -92,6 +103,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <integer>
presence: optional
range:
@@ -109,6 +122,8 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <integer>
presence: optional
range:
@@ -134,9 +149,10 @@ payloadkeys:
combinetype: enum-last
content: |-
This string specifies how the device shows software updates to the user. When more than one update is available update, the device behaves as follows:
* 'All' - Shows all software update versions.
* 'Oldest' - Shows only the oldest (lower numbered) software update version.
* 'Newest' - Shows only the newest (highest numbered) software update version.
- `All` - Shows all software update versions.
- `Oldest` - Shows only the oldest (lower numbered) software update version.
- `Newest` - Shows only the newest (highest numbered) software update version.
- key: AutomaticActions
title: Automatic Software Update Settings
supportedOS:
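Review bot: "When more than one update is available update, the device behaves as follows" carries a stray "update" in both the old and the new text; since these lines are being rewritten anyway, fix it to "When more than one update is available, the device behaves as follows:".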
@@ -146,6 +162,9 @@ payloadkeys:
tvOS:
allowed-enrollments:
- supervised
visionOS:
allowed-enrollments:
- supervised
type: <dictionary>
presence: optional
content: This object configures various automatic Software Update functionality.
@@ -165,9 +184,10 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies whether the user can control automatic downloads of available updates:
* 'Allowed' - the user can enable or disable automatic downloads.
* 'AlwaysOn' - automatic downloads are always enabled.
* 'AlwaysOff' - automatic downloads are always disabled.
- `Allowed` - the user can enable or disable automatic downloads.
- `AlwaysOn` - automatic downloads are always enabled.
- `AlwaysOff` - automatic downloads are always disabled.
- key: InstallOSUpdates
title: Automatic installs of OS updates.
type: <string>
@@ -180,14 +200,13 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies whether the user can control automatic installation of available updates:
* 'Allowed' - the user can enable or disable automatic installation.
* 'AlwaysOn' - automatic installations are always enabled.
* 'AlwaysOff' - automatic installations are always disabled.
- `Allowed` - the user can enable or disable automatic installation.
- `AlwaysOn` - automatic installations are always enabled.
- `AlwaysOff` - automatic installations are always disabled.
- key: InstallSecurityUpdate
title: Automatic installs of available security updates.
supportedOS:
iOS:
introduced: n/a
tvOS:
introduced: n/a
type: <string>
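Review bot: the hunk header (`-180,14 +200,13`) shows one line removed beyond the three rewritten bullets, and the rendering doesn't make clear which one; if it is a `supportedOS` change for `InstallSecurityUpdate` (the `iOS`/`tvOS` `introduced: n/a` lines are the context shown here), a platform availability change for a security-update setting should be called out in the release notes rather than folded into a quoting cleanup.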
@@ -200,9 +219,10 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies whether the user can control automatic installation of available security updates:
* 'Allowed' - the user can enable or disable automatic installation.
* 'AlwaysOn' - automatic installations are always enabled.
* 'AlwaysOff' - automatic installations are always disabled.
- `Allowed` - the user can enable or disable automatic installation.
- `AlwaysOn` - automatic installations are always enabled.
- `AlwaysOff` - automatic installations are always disabled.
- key: RapidSecurityResponse
title: Rapid Security Response Settings
supportedOS:
@@ -211,6 +231,8 @@ payloadkeys:
- supervised
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: These configurations set user access to interacting with Rapid Security
@@ -223,8 +245,9 @@ payloadkeys:
default: true
combinetype: boolean-and
content: |-
If set to 'false', Rapid Security Responses aren't offered for user installation. The system can still install Rapid Security Responses with 'com.apple.configuration.softwareupdate.enforcement.specific' configurations.
If set to 'true', the system offers Rapid Security Responses to the user.
If set to `false`, Rapid Security Responses aren't offered for user installation. The system can still install Rapid Security Responses with `com.apple.configuration.softwareupdate.enforcement.specific` configurations.
If set to `true`, the system offers Rapid Security Responses to the user.
- key: EnableRollback
title: Enable Rapid Security Response Rollbacks
type: <boolean>
@@ -232,8 +255,9 @@ payloadkeys:
default: true
combinetype: boolean-and
content: |-
If set to 'false', the system doesn't offer Rapid Security Response rollbacks to the user.
If set to 'true', the system offers Rapid Security Response rollbacks to the user.
If set to `false`, the system doesn't offer Rapid Security Response rollbacks to the user.
If set to `true`, the system offers Rapid Security Response rollbacks to the user.
- key: AllowStandardUserOSUpdates
title: Allow Standard User OS Updates
supportedOS:
@@ -241,13 +265,16 @@ payloadkeys:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: |-
If set to 'true', a standard user can perform Major and Minor Software Updates.
If set to 'false', only administrators can perform Major and Minor Software Updates.
If set to `true`, a standard user can perform Major and Minor Software Updates.
If set to `false`, only administrators can perform Major and Minor Software Updates.
- key: Beta
supportedOS:
macOS:
@@ -258,6 +285,8 @@ payloadkeys:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <dictionary>
presence: optional
content: This object configures the beta program settings for a device.
@@ -277,18 +306,19 @@ payloadkeys:
combinetype: enum-last
content: |-
Specifies whether the user can control beta program enrollment in the software update settings UI:
* 'Allowed' - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the 'OfferPrograms' key is present, then the programs listed in that key are also presented to the user.
* 'AlwaysOn' - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the 'RequireProgram' key if it's present. Otherwise, the system presents the programs listed in the 'OfferPrograms' key to the user to choose which to enroll with.
* 'AlwaysOff' - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled.
- `Allowed` - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in that key are also presented to the user.
- `AlwaysOn` - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with.
- `AlwaysOff` - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled.
- key: OfferPrograms
type: <array>
presence: optional
combinetype: set-union
content: An array of beta programs allowed on the device. This key must only be
present if the 'ProgramEnrollment' key is set to 'Allowed' or 'AlwaysOn'. This
key must not be present if the 'RequireProgram' key is present. This key can
be present on unsupervised devices where the 'ProgramEnrollment' key isn't supported
but is implicitly set to 'Allowed'.
present if the `ProgramEnrollment` key is set to `Allowed` or `AlwaysOn`. This
key must not be present if the `RequireProgram` key is present. This key can
be present on unsupervised devices where the `ProgramEnrollment` key isn't supported
but is implicitly set to `Allowed`.
subkeys:
- key: Program
type: <dictionary>
@@ -314,7 +344,7 @@ payloadkeys:
presence: optional
combinetype: first
content: The device automatically enrolls in this beta program. This key must
only be present if the 'ProgramEnrollment' key is set to 'AlwaysOn'. The 'OfferPrograms'
only be present if the `ProgramEnrollment` key is set to `AlwaysOn`. The `OfferPrograms`
key must not be present if this key is present.
subkeys:
- key: Description

View File

@@ -1,5 +1,5 @@
title: Watch:Enrollment
description: Specifies an MDMv1 Apple Watch enrollment profile
description: The declaration to configure an MDMv1 profile for Apple Watch enrollment.
payload:
declarationtype: com.apple.configuration.watch.enrollment
supportedOS:
@@ -27,7 +27,7 @@ payloadkeys:
presence: required
content: The URL of the profile that the Apple Watch downloads and installs if the
user opts in to management during the pairing process, which needs to start with
'https://'. Successful enrollment requires that the pairing iPhone is supervised
`https://`. Successful enrollment requires that the pairing iPhone is supervised
and the profile contains an MDM payload. Apple Watch attempts to install each
payload that the profile contains.
- key: AnchorCertificateAssetReferences
@@ -37,9 +37,11 @@ payloadkeys:
- com.apple.asset.credential.certificate
presence: optional
content: |-
An array of identifiers of asset declarations that contain anchor certificates to use to evaluate the trust of the enrollment profile server. Set the type of the corresponding assets to 'com.apple.asset.credential.certificate'.
These certificates are pinned, meaning that the server specified by the 'EnrollmentProfileURL' must use a certificate that chains to one of the certs in this array.
If it chains to one of the built-in trusted root certificates but not one of the 'AnchorCertificateAssetReferences' certs, the connection will fail.
An array of identifiers of asset declarations that contain anchor certificates to use to evaluate the trust of the enrollment profile server. Set the type of the corresponding assets to `com.apple.asset.credential.certificate`.
These certificates are pinned, meaning that the server specified by the `EnrollmentProfileURL` must use a certificate that chains to one of the certs in this array.
If it chains to one of the built-in trusted root certificates but not one of the `AnchorCertificateAssetReferences` certs, the connection will fail.
subkeys:
- key: AnchorCertificateAssetReferenceItem
type: <string>

View File

@@ -205,6 +205,12 @@ reasons:
- key: Code
type: <string>
description: NSError's code.
- value: Error.UnknownDeclarationType
description: The declaration type is not known.
details:
- key: UnknownDeclarationType
type: <string>
description: The `Type` of the declaration.
- value: Error.UnknownPayloadKeys
description: A declaration contains unknown payloads keys.
details:
@@ -241,3 +247,9 @@ reasons:
- key: Predicate
type: <string>
description: The predicate description of the predicate that is false.
- value: Info.UnsupportedSettings
description: Unsupported settings in a configuration.
details:
- key: Settings
type: <array>
description: Array of strings containing each unsupported setting key-path.
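Review bot: the new `Settings` detail says "each unsupported setting key-path" without defining the key-path syntax (separator, how array elements are addressed); specify it so a server can map each entry back to the declaration key it came from.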

View File

@@ -1,6 +1,5 @@
title: Management:Organization Information
description: Use this declaration to tell the client about the server's organization
information.
description: The declaration to configure the managing organization's contact information.
payload:
declarationtype: com.apple.management.organization-info
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Management:Properties
description: Use this declaration to set properties on the device.
description: The declaration to configure the properties on the device.
payload:
declarationtype: com.apple.management.properties
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Management:Server Capabilities
description: Use this declaration to tell the client about the server's capabilities.
description: The declaration to configure the server's feature set.
payload:
declarationtype: com.apple.management.server-capabilities
supportedOS:
@@ -25,7 +25,8 @@ payloadkeys:
presence: required
content: |-
A dictionary that contains the server's optional protocol features.
Each dictionary item uses the key name to represent a feature, and the value to hold the feature's associated parameters. This protocol reserves keys with a prefix of “'com.apple.'”, which appear as subkeys in this dictionary.
Each dictionary item uses the key name to represent a feature, and the value to hold the feature's associated parameters. This protocol reserves keys with a prefix of `com.apple.`, which appear as subkeys in this dictionary.
subkeys:
- key: ANY
type: <any>

View File

@@ -75,9 +75,10 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: When set to "true", this indicates that the status report contains the
full set of current status, and is not an incremental report. This will include
the full set of items in any status array item (not just the changes). Servers
can use this to replace their entire set of status for the device, rather than
do incremental update processing. Devices will set this to "true" when sending
a "safety sync" status report, which is typically sent every 24 hours or so.
content: The system sets this to `true` to indicate that the status report contains
the full set of current status, and is not an incremental report. A full status
report includes the full set of items in any status array item, not just the changes.
Servers use this to replace their entire status for the device, rather than do
an incremental update to the existing status. The system sets this to `true` when
sending a "safety sync" status report, which is typically sent every 24 hours
or so.
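Review bot: 'typically sent every 24 hours or so' in the rewritten `content` hedges twice; drop 'or so' or say plainly that the interval is not guaranteed. It would also help to state whether a status item absent from a full report should be treated as no longer present, since the text tells servers to 'replace their entire status' but does not spell out that absence implies removal.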

View File

@@ -1,5 +1,5 @@
title: Status Account List CalDAV
description: The client's CalDAV accounts.
description: A status report of the client's Calendar accounts.
payload:
statusitemtype: account.list.caldav
supportedOS:
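Review bot: the new description says 'Calendar accounts' while the title and `statusitemtype` on the unchanged lines still say CalDAV; the LDAP hunk in this same change keeps both forms ('Lightweight Directory Access Protocol (LDAP)'). Suggest 'A status report of the client's CalDAV (Calendar) accounts.' so the protocol name stays searchable.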
@@ -41,11 +41,12 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the CalDAV accounts.
content: A list of status values for the Calendar accounts.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's Calendar account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>
@@ -89,10 +90,10 @@ payloadkeys:
title: Are calendars enabled
type: <boolean>
presence: optional
content: If 'true', the Calendar app is displaying calendars and events for
content: If `true`, the Calendar app is displaying calendars and events for
the account.
- key: are-reminders-enabled
title: Are reminders enabled
type: <boolean>
presence: optional
content: If 'true', the Reminders app is displaying reminders for the account.
content: If `true`, the Reminders app is displaying reminders for the account.

View File

@@ -1,5 +1,5 @@
title: Status Account List CardDAV
description: The client's CardDAV accounts.
description: A status report of the client's Contacts accounts.
payload:
statusitemtype: account.list.carddav
supportedOS:
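Review bot: same point as for the CalDAV file: the description now reads 'Contacts accounts' while `statusitemtype: account.list.carddav` and the title keep CardDAV; 'CardDAV (Contacts) accounts' would match the approach the LDAP hunk takes.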
@@ -41,11 +41,12 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the CardDAV accounts.
content: A list of status values for the Contacts accounts.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's Contacts account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Account List Exchange
description: The client's exchange accounts.
description: A status report of the client's Exchange accounts.
payload:
statusitemtype: account.list.exchange
supportedOS:
@@ -41,11 +41,12 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the exchange accounts.
content: A list of status values for the Exchange accounts.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's Exchange account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Account List Google
description: The client's Google accounts.
description: A status report of the client's Google accounts.
payload:
statusitemtype: account.list.google
supportedOS:
@@ -46,6 +46,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's Google account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,6 @@
title: Status Account List LDAP
description: The client's LDAP accounts.
description: A status report of the client's Lightweight Directory Access Protocol
(LDAP) accounts.
payload:
statusitemtype: account.list.ldap
supportedOS:
@@ -46,6 +47,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's LDAP account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +59,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Account List Mail Incoming
description: The client's incoming mail accounts.
description: A status report of the client's incoming Mail accounts.
payload:
statusitemtype: account.list.mail.incoming
supportedOS:
@@ -41,11 +41,12 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the incoming mail accounts.
content: A list of status values for the incoming Mail accounts.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's incoming Mail account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Account List Mail Outgoing
description: The client's outgoing mail accounts.
description: A status report of the client's outgoing Mail accounts.
payload:
statusitemtype: account.list.mail.outgoing
supportedOS:
@@ -41,11 +41,12 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the outgoing mail accounts.
content: A list of status values for the outgoing Mail accounts.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's outgoing Mail account details.
subkeys:
- key: identifier
title: Unique identifier of the account.
@@ -57,8 +58,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the account is removed and the status item object only contains
this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Account List Subscribed Calendar
description: The client's subscribed calendar accounts.
description: A status report of the client's subscribed calendars.
payload:
statusitemtype: account.list.subscribed-calendar
supportedOS:
@@ -41,48 +41,49 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: A list of status values for the calendar accounts.
content: A list of status values for the subscribed calendars.
subkeytype: Account
subkeys:
- key: status_value
type: <dictionary>
content: A status report of the client's subscribed calendar details.
subkeys:
- key: identifier
title: Unique identifier of the account.
title: Unique identifier of the subscribed calendar.
type: <string>
presence: required
content: The unique identifier for the account.
content: The unique identifier for the subscribed calendar.
- key: _removed
title: Indicates removal of the account.
title: Indicates removal of the subscribed calendar.
type: <boolean>
presence: optional
default: false
content: If 'true', the account is removed and the status item object only contains
this key and the 'identifier' key.
content: If `true`, the subscribed calendar is removed and the status item object
only contains this key and the `identifier` key.
- key: declaration-identifier
title: Identifier of the declaration that installed the account.
title: Identifier of the declaration that installed the subscribed calendar.
type: <string>
presence: optional
content: The identifier of the declaration that installed the account. Only
present if a declaration installed the account.
content: The identifier of the declaration that installed the subscribed calendar.
Only present if a declaration installed the subscribed calendar.
- key: visible-name
title: Account name
title: Subscribed calendar name
type: <string>
presence: optional
content: The name of the account.
content: The name of the subscribed calendar.
- key: calendar-url
title: Account calendar URL
title: Subscribed calendar URL
type: <string>
presence: optional
content: The URL of the subscribed calendar.
- key: username
title: Account username
title: Subscribed calendar username
type: <string>
presence: optional
content: The user name for the account.
content: The user name for authenticating with the subscribed calendar.
- key: is-enabled
title: Is the calendar enabled
type: <boolean>
presence: optional
content: A Boolean value that indicates whether the Calendar app displays this
calendar.
subscribed calendar.
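Review bot: every user-facing string in this hunk was changed from 'account' to 'subscribed calendar', but the unchanged `subkeytype: Account` on the array still names the item type Account; rename it, or say why it stays, so the schema type matches the documentation.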

View File

@@ -1,5 +1,5 @@
title: Status App Managed List
description: The client's declarative managed apps.
description: The device's declarative managed apps.
payload:
statusitemtype: app.managed.list
supportedOS:
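Review bot: the description here becomes 'The device's declarative managed apps.' while every other status item in this change is reworded to the form 'A status report of the client's ...' (for example 'A status report of the client's MDM-installed apps.' in the mdm.app hunk); align the wording and settle on either 'device' or 'client'.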
@@ -15,7 +15,13 @@ payload:
allowed-scopes:
- system
macOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- user
allowed-scopes:
- system
- user
tvOS:
introduced: n/a
visionOS:
@@ -39,6 +45,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A dictionary that describes a declarative managed app.
subkeys:
- key: identifier
title: Unique identifier of the app.
@@ -50,9 +57,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object.
content: If `true`, the system removed the app and only this key and the `identifier`
key are present in the status item object.
- key: declaration-identifier
title: Identifier of the declaration that controls the app.
type: <string>
@@ -64,12 +70,13 @@ payloadkeys:
presence: optional
content: The name of the app.
- key: external-version-id
title: External version id
title: External version identifier
type: <integer>
presence: optional
content: |-
The app's external version ID. You can also retrieve this value from the store through the contentMetadataLookupUrl <https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/5-Web_Service_Protocol_VPP/webservice.html#//apple_ref/doc/uid/TP40017387-CH8-SW209> of VPPServiceConfigSrv <https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/5-Web_Service_Protocol_VPP/webservice.html#//apple_ref/doc/uid/TP40017387-CH8-SW15>.
In the response from 'uclient-api.itunes.apple.com' URL, there's an 'externalId' at the path 'results.<adamId>.offers[0].version.externalId'. If the current external version identifier of an app on the store doesn't match the external version identifier reported by the device, there may be an app update available for the device.
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`.
If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device.
- key: version
title: Version
type: <string>
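Review bot: `external-version-id` is `type: <integer>` here but `type: <string>` in the mdm.app hunk below, for the same key with the same description; one of the two is wrong, and a server comparing the two values needs to know which. Separately, the rewrite drops the two links the old text carried and replaces them with a bare backticked document title, `Apps and Books for Organizations`; keep a link (and do not format a document title as code), since the reader can no longer find the lookup endpoint from this text.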
@@ -87,6 +94,7 @@ payloadkeys:
rangelist:
- optional
- queued
- not-present
- prompting-for-consent
- prompting-for-login
- prompting-for-management
@@ -98,16 +106,17 @@ payloadkeys:
content: |-
The status of the app, which has the following possible values:
* 'optional': The app is optional and the user has to trigger its installation.
* 'queued': Installation of the app started.
* 'prompting-for-consent': The system is displaying a prompt to the user to proceed with app installation.
* 'prompting-for-login': The system is displaying an App Store sign-in prompt to the user to allow app installation.
* 'prompting-for-management': The system is displaying a prompt to the user to allow changing the installed app to a managed app.
* 'downloading': The system is downloading an app update.
* 'installing': The system is installing an app update.
* 'managed': The app is installed and managed.
* 'managed-but-uninstalled': The app is managed, but the user removed it. The app remains managed if the system installs it again.
* 'failed': An app update failed.
- `optional`: The app is optional and the user has to trigger its installation.
- `queued`: The system has started installation of the app.
- `not-present`: Management of the app occurs after it is installed.
- `prompting-for-consent`: The system is displaying a prompt to the user to proceed with app installation.
- `prompting-for-login`: The system is displaying an App Store sign-in prompt to the user to allow app installation.
- `prompting-for-management`: The system is displaying a prompt to the user to allow changing the installed app to a managed app.
- `downloading`: The system is downloading the app.
- `installing`: The system is installing the app.
- `managed`: The app is installed and managed.
- `managed-but-uninstalled`: The app is required, but the system hasn't installed it. The app becomes managed if the system installs it again. If the user removes an optional app, its state is `optional`, not `managed-but-uninstalled`.
- `failed`: The app install failed.
- key: update-state
title: Managed application update status
type: <string>
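Review bot: the new `not-present` line, 'Management of the app occurs after it is installed.', describes a consequence rather than the state; say what the state means (presumably that the app is not installed on the device and the system is not installing it). The `managed-but-uninstalled` entry now says the app is 'required' and 'the system hasn't installed it', which sits oddly with the name (uninstalled) and with the previous definition (the user removed it); if the meaning really changed, state whether a required app that the user removes reports this state or `not-present`.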
@@ -121,12 +130,14 @@ payloadkeys:
content: |-
The update status of the app, which has the following possible values:
* 'available': An update is available for the app.
* 'prompting-for-update': The system is displaying a prompt to the user to proceed with app installation.
* 'prompting-for-update-login': The system is displaying an App Store sign-in prompt to the user to allow app installation.
* 'updating': The app is updating.
* 'failed': The app update failed.
This key is only present if 'state' is 'managed' and an update is available.
- `available`: An update is available for the app.
- `prompting-for-update`: The system is displaying a prompt to the user to proceed with app installation.
- `prompting-for-update-login`: The system is displaying an App Store sign-in prompt to the user to allow app installation.
- `updating`: The app is updating.
- `failed`: The app update failed.
> Note:
> This key is only present if `state` is `managed` and an update is available.
- key: config-state
title: Managed application configuration status
supportedOS:
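Review bot: the `prompting-for-update` and `prompting-for-update-login` lines still say 'proceed with app installation' and 'allow app installation', copied from the `state` list; for `update-state` these should read 'app update'. The new `> Note:` block would also be the place to say what `update-state` reports once the update completes (whether the key disappears, or whether `failed` persists until the next attempt).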
@@ -159,9 +170,9 @@ payloadkeys:
- valid
content: |-
The managed configuration status.
* 'unknown' - the managed configuration has not been read
* 'invalid' - the managed configuration was read and deemed to be invalid
* 'valid' - the managed configuration was read and deemed to be valid
- `unknown`: The managed configuration has not been read
- `invalid`: The managed configuration was read and deemed to be invalid
- `valid`: The managed configuration was read and deemed to be valid
- key: extension-config-state
title: Extensions managed configuration status
type: <dictionary>
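Review bot: the three `config-state` bullets lack terminal periods while the `state` and `update-state` lists above end every item with one; add them for consistency.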
@@ -230,6 +241,9 @@ reasons:
description: The RFC 3339 timestamp of the last install failure.
- value: Error.InvalidAppID
description: The app id could not be found.
- value: Error.InvalidCodeSignature
description: The code signature of the app does not match the composed identifier,
and the app cannot be managed.
- value: Error.IsSystemApp
description: The app is a system app that cannot be managed.
- value: Error.LicenseNotFound

View File

@@ -1,5 +1,5 @@
title: Status Device Serial Number
description: The device's serial number.
description: A status report of the device's serial number.
payload:
statusitemtype: device.identifier.serial-number
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Device UDID
description: The device's UDID.
description: A status report of the device's UDID.
payload:
statusitemtype: device.identifier.udid
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Device Model Family
description: The device's hardware family.
description: A status report of the device's hardware family.
payload:
statusitemtype: device.model.family
supportedOS:
@@ -54,4 +54,4 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The hardware family of the device, such as 'Mac', 'iPhone', or 'iPad'.
content: The hardware family of the device, such as `Mac`, `iPhone`, or `iPad`.

View File

@@ -1,5 +1,5 @@
title: Status Device Model Identifier
description: The device's hardware identifier.
description: A status report of the device's hardware identifier.
payload:
statusitemtype: device.model.identifier
supportedOS:
@@ -57,5 +57,5 @@ payloadkeys:
content: A two-part string that specifies the device's model. The first part specifies
device's model family, and the second part specifies the model's version. The
model's version is a comma-separated number where the first part of the number
is the version, and the second part is a variant, such as 'MacBookPro15,1' or
'iPhone13,2'.
is the version, and the second part is a variant, such as `MacBookPro15,1` or
`iPhone13,2`.

View File

@@ -1,5 +1,5 @@
title: Status Device Model Marketing Name
description: The device's hardware marketing name.
description: A status report of the device's marketing name.
payload:
statusitemtype: device.model.marketing-name
supportedOS:
@@ -54,5 +54,5 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The device's marketing name, such as 'iPhone 12'. This value may not always
content: The device's marketing name, such as `iPhone 12`. This value may not always
be available.

View File

@@ -1,5 +1,5 @@
title: Status Device Model Number
description: The device's hardware number.
description: A status report of the device's hardware number.
payload:
statusitemtype: device.model.number
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Device Operating System Build Version
description: The device's operating system build version.
description: A status report of the device's software build identifier.
payload:
statusitemtype: device.operating-system.build-version
supportedOS:
@@ -54,4 +54,4 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system's build version on the device, such as '18F132'.
content: The operating system's build version on the device, such as `18F132`.

View File

@@ -1,5 +1,5 @@
title: Status Device Operating System Family
description: The device's operating system family.
description: A status report of the device's operating system family.
payload:
statusitemtype: device.operating-system.family
supportedOS:
@@ -54,4 +54,4 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system family in use on the device, such as 'macOS' or 'iOS'.
content: The operating system family in use on the device, such as `macOS` or `iOS`.

View File

@@ -1,5 +1,5 @@
title: Status Device Operating System Marketing Name
description: The device's operating system marketing name.
description: A status report of the device's operating system marketing name.
payload:
statusitemtype: device.operating-system.marketing-name
supportedOS:
@@ -54,4 +54,4 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system's marketing name in use on the device, such as 'Catalina'.
content: The operating system's marketing name in use on the device, such as `Catalina`.

View File

@@ -1,5 +1,5 @@
title: Status Device Operating System Supplemental Build Version
description: The device's operating system supplemental build version.
description: A status report of the device's operating system supplemental build identifier.
payload:
statusitemtype: device.operating-system.supplemental.build-version
supportedOS:
@@ -55,4 +55,4 @@ payloadkeys:
type: <string>
presence: required
content: The operating system's build and rapid security response versions in use
on the device, for example, '20A123a' or '20B27c'.
on the device, for example, `20A123a` or `20B27c`.

View File

@@ -1,5 +1,6 @@
title: Status Device Operating System Supplemental Extra Version
description: The device's operating system rapid security response version.
description: A status report of the device's operating system's rapid security response
identifier.
payload:
statusitemtype: device.operating-system.supplemental.extra-version
supportedOS:
@@ -55,4 +56,4 @@ payloadkeys:
type: <string>
presence: required
content: The operating system's rapid security response version in use on the device,
for example, 'a'.
for example, `a`.

View File

@@ -1,5 +1,5 @@
title: Status Device Operating System Version
description: The device's operating system version.
description: A status report of the device's operating system version.
payload:
statusitemtype: device.operating-system.version
supportedOS:
@@ -54,4 +54,4 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system's version in use on the device, such as '15.0'.
content: The operating system's version in use on the device, such as `15.0`.

View File

@@ -1,5 +1,5 @@
title: Status Device Battery Health
description: The health of the battery.
description: The device's battery health.
payload:
statusitemtype: device.power.battery-health
supportedOS:
@@ -41,10 +41,18 @@ payloadkeys:
content: |-
The battery health status, which has the following values:
* 'non-genuine': The battery isn't a genuine Apple battery.
* 'normal': The battery is operating normally.
* 'service-recommended': The system recommends battery service.
* 'unknown': The system couldn't determine battery health information.
* 'unsupported': The device doesn't support battery health reporting.
- `non-genuine`: The battery isn't a genuine Apple battery.
- `normal`: The battery is operating normally.
- `service-recommended`: The system recommends battery service.
- `unknown`: The system couldn't determine battery health information.
- `unsupported`: The device doesn't support battery health reporting.
Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on Apple silicon Mac computers.
Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on a Mac with Apple silicon.
notes:
- title: ''
content: |-
For more information about battery health, see the following support articles:
- [iPhone devices](https://support.apple.com/101575)
- [iPad devices](https://support.apple.com/117759)
- [macOS devices](https://support.apple.com/108376)

View File

@@ -1,5 +1,5 @@
title: Status Management Client Capabilities
description: The client's protocol capabilities.
description: A status report of the client's protocol capabilities.
payload:
statusitemtype: management.client-capabilities
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Management Declarations
description: State of declarations processed by the client.
description: A status report of the client's processed declarations.
payload:
statusitemtype: management.declarations
supportedOS:
@@ -70,17 +70,17 @@ payloadkeys:
title: Identifier
type: <string>
presence: required
content: The 'identifier' of the declaration this status report refers to.
content: The `identifier` of the declaration this status report refers to.
- key: server-token
title: Server-Token
type: <string>
presence: required
content: The 'ServerToken' of the declaration this status report refers to.
content: The `ServerToken` of the declaration this status report refers to.
- key: active
title: Declaration's Active State
type: <boolean>
presence: required
content: If 'true', the declaration is active on the device.
content: If `true`, the declaration is active on the device.
- key: valid
title: Declaration's Valid State
type: <string>
@@ -89,8 +89,8 @@ payloadkeys:
- unknown
- invalid
- valid
content: This string defines the validity of the declaration. If it's 'invalid',
the 'reasons' property contains more details.
content: This string defines the validity of the declaration. If it's `invalid`,
the `reasons` property contains more details.
- key: reasons
title: Status Reasons
type: <array>
@@ -165,3 +165,6 @@ payloadkeys:
content: Status for a declaration processed by the client.
subkeytype: Declaration
subkeys: *id001
notes:
- title: ''
content: The name of the declaration status item is `management.declarations`.

View File

@@ -1,5 +1,5 @@
title: Status MDM App
description: The client's MDM installed apps.
description: A status report of the client's MDM-installed apps.
payload:
statusitemtype: mdm.app
supportedOS:
@@ -43,12 +43,13 @@ payloadkeys:
title: Status item value.
type: <array>
presence: required
content: The list of apps. The response will not include apps that are managed by
content: The list of apps. The response doesn't include apps that are managed by
Declarative Device Management.
subkeytype: App
subkeys:
- key: status_value
type: <dictionary>
content: A status report that contains details about an MDM-installed app.
subkeys:
- key: identifier
title: Unique identifier of the app.
@@ -60,25 +61,23 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of an app, this key's value is set to true, and
only this key and the "identifier" key will be present in the status item
object. An MDM installed app will be reported as removed if management of
the app has been transferred to declarative device management.
content: If `true`, the system removed the app and only this key and the `identifier`
key are present in the status item object. The device reports an MDM-installed
app as removed if management of the app has been transferred to Declarative
Device Management.
- key: name
title: App name
type: <string>
presence: optional
content: The name of the app.
- key: external-version-id
title: External version id
title: External version identifier
type: <string>
presence: optional
content: The application's external version ID. Use Service Config to get the
'contentMetadataLookupUrl' endpoint. In the response from that URL, find a
key named 'externalId' at the path 'results.<adamId>.offers[0].version.externalId'.
If the current external version identifier of an app on the store doesn't
match the external version identifier reported by the device, there may be
an app update available for the device.
content: |-
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`.
If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device.
- key: version
title: Version
type: <string>
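Review bot: the rewritten `_removed` text opens with 'the system removed the app' and then says the device reports an app as removed when its management has been transferred to Declarative Device Management, a case in which the app is still installed; the first sentence should say the app was removed from this status list (or from MDM management), not that the app itself was removed. The same opening sentence is used for `_removed` in the app.managed.list hunk above and has the same problem there.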
@@ -114,4 +113,4 @@ payloadkeys:
- update-rejected
- management-rejected
- failed
content: The status of the app that ManagedApplicationListCommand reports.
content: The status of the app that `ManagedApplicationListCommand` reports.

View File

@@ -0,0 +1,129 @@
title: Status Package List
description: The client's declarative packages.
payload:
statusitemtype: package.list
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '26.0'
allowed-enrollments:
- supervised
allowed-scopes:
- system
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: package.list
title: Status item value.
type: <array>
presence: required
content: An array of dictionaries that describe the device's declarative packages.
subkeytype: Package
subkeys:
- key: status_value
type: <dictionary>
content: A dictionary that describes a declarative package.
subkeys:
- key: identifier
title: Unique identifier of the package.
type: <string>
presence: required
content: The package's unique identifier. This is the package identifier value
of the package file.
- key: _removed
title: Indicates removal of the package.
type: <boolean>
presence: optional
default: false
content: If `true`, the system removed the package and only this key and the
`identifier` key are present in the status item object.
- key: declaration-identifier
title: Identifier of the declaration that controls the package.
type: <string>
presence: optional
content: The identifier of the declaration that controls the package.
- key: name
title: Package name
type: <string>
presence: optional
content: The name of the package.
- key: version
title: Version
type: <string>
presence: optional
content: The version of the package. This will be the package version value
of the package file.
- key: state
title: Package status
type: <string>
presence: optional
rangelist:
- optional
- queued
- prompting-for-consent
- downloading
- installing
- installed
- failed
content: |-
The status of the package, which has the following possible values:
- `optional`: The package is optional and the user has to trigger its installation.
- `queued`: Installation of the package has started.
- `prompting-for-consent`: The system is displaying a prompt to the user to proceed with package installation.
- `downloading`: The system is downloading the package.
- `installing`: The system is installing the package.
- `installed`: The package is installed.
- `failed`: The package install failed.
- key: reasons
title: Status Reasons
type: <array>
presence: optional
content: An array that contains additional details about the package state,
including errors.
subkeytype: StatusReason
subkeys:
- key: _reasons
title: Status Reason
type: <dictionary>
content: Information about a status error.
subkeytype: StatusReason
subkeys:
- key: code
title: Error Code
type: <string>
presence: required
content: A code for the state.
- key: description
title: Error Description
type: <string>
presence: optional
content: A description of the state.
- key: details
title: Error Details
type: <dictionary>
presence: optional
content: A dictionary that contains additional details about the state.
subkeys:
- key: ANY
type: <any>
presence: optional
content: Additional keys may be present.
reasons:
- value: Error.DownloadFailed
description: The package download failed.
details:
- key: Timestamp
type: <string>
description: The RFC 3339 timestamp of the last download failure.
- value: Error.InstallFailed
description: The package install failed.
details:
- key: Timestamp
type: <string>
description: The RFC 3339 timestamp of the last install failure.
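Review bot: `state` is `presence: optional` but no value means "unknown" or "not installed", so a non-removed entry without `state` is ambiguous; either require it when `_removed` is false or document what its absence means. Also, `identifier` and `version` are explicitly "the package identifier value of the package file" and "the package version value of the package file", i.e. read by the device from whatever package it ended up with, so the text should tell servers to correlate entries via `declaration-identifier` rather than trusting `identifier` alone; unlike the background-task status item, which reports a `hash` of the launchd plist, nothing here lets the server check which package bytes were installed. Finally, `_reasons` is described as "Information about a status error" while `reasons` hangs off every `state` including `prompting-for-consent`, and the only documented codes are `Error.DownloadFailed` and `Error.InstallFailed`; say whether non-error states ever carry reasons.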

View File

@@ -1,5 +1,5 @@
title: Status Passcode Compliance
description: The state of passcode compliance.
description: A status report of passcode compliance.
payload:
statusitemtype: passcode.is-compliant
supportedOS:
@@ -41,7 +41,7 @@ payloadkeys:
title: Status item value.
type: <boolean>
presence: required
content: If 'true', the passcode is in compliance with all passcode policies set
on the device. If 'false', the passcode isn't in compliance with one or more passcode
content: If `true`, the passcode is in compliance with all passcode policies set
on the device. If `false`, the passcode isn't in compliance with one or more passcode
policies set on the device. When there are no passcode policies on the device,
this value 'true'.
this value `true`.
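Review bot: the last sentence is still missing its verb after the quote-style change: `this value `true`.` should read `this value is `true`.`.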

View File

@@ -1,5 +1,5 @@
title: Status Passcode Is Present
description: Whether a passcode is present ot not.
description: A status report of the passcode on the device.
payload:
statusitemtype: passcode.is-present
supportedOS:
@@ -41,8 +41,8 @@ payloadkeys:
title: Status item value.
type: <boolean>
presence: required
content: If 'true', a passcode is present on the device. If 'false', a passcode
content: If `true`, a passcode is present on the device. If `false`, a passcode
isn't present on the device. When a passcode is present, the specific attributes
of the passcode, such as length or number of complex characters, aren't reported.
Instead, use the 'passcode.is-compliant' status item to verify that the passcode
Instead, use the `passcode.is-compliant` status item to verify that the passcode
complies with all passcode policies set on the device.

View File

@@ -1,6 +1,6 @@
title: Status Screen Sharing Connection Group Unresolved Connections
description: Information about connection groups which have member connection references
which could not be resolved.
description: Information about connection groups with member connection references
that the system couldn't resolve.
payload:
statusitemtype: screensharing.connection.group.unresolved-connection
supportedOS:
@@ -31,25 +31,25 @@ payloadkeys:
subkeys:
- key: unresolved_group
type: <dictionary>
content: A status item that contains an unresolved connection group.
subkeys:
- key: identifier
title: Unique identifier of the connection group.
type: <string>
presence: required
content: The unique 'ConnectionGroupUUID' identifier of the connection group.
content: The unique `ConnectionGroupUUID` identifier of the connection group.
- key: _removed
title: Indicates removal of the unresolved connection group.
type: <boolean>
presence: optional
default: false
content: To indicate removal of an unresolved connection group, this key's value
is set to true, and only this key and the "identifier" key will be present
in the status item object.
content: If `true`, the system removed the unresolved connection group and only
this key and the `identifier` key are present in the status item object.
- key: unresolved_connections
title: Unique identifiers of unresolved connections.
type: <array>
presence: optional
content: An array of 'ConnectionUUID' values specified in the 'Members' key
content: An array of `ConnectionUUID` values specified in the `Members` key
in the group's declaration for the unresolved connections.
subkeys:
- key: ConnectionUUID

View File

@@ -1,5 +1,5 @@
title: Status Security Certificate List
description: The client's managed certificates.
description: A status report of the client's managed certificates.
payload:
statusitemtype: security.certificate.list
supportedOS:
@@ -59,6 +59,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A status report of a security certificate.
subkeys:
- key: identifier
title: Unique identifier of the certificate.
@@ -71,9 +72,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: To indicate removal of a certificate, this key's value is set to true,
and only this key and the "identifier" key will be present in the status item
object.
content: If `true`, the system removed the app and only this key and the `identifier`
key are present in the status item object.
- key: declaration-identifier
title: Asset declaration identifier.
type: <string>
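Review bot: the new `_removed` text reads "If `true`, the system removed the app", but this status item is `security.certificate.list`; change "app" to "certificate". It looks copied from the app status item's `_removed` key.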
@@ -89,7 +89,7 @@ payloadkeys:
title: Is Identity
type: <boolean>
presence: required
content: If 'true', the certificate is an identity certificate.
content: If `true`, the certificate is an identity certificate.
- key: data
title: Certificate Data
type: <data>

View File

@@ -1,5 +1,5 @@
title: Status Services Background Task
description: The client's background task details.
description: A status report of the device's background task details.
payload:
statusitemtype: services.background-task
supportedOS:
@@ -28,6 +28,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A status report of a background task.
subkeys:
- key: identifier
title: Identifier
@@ -39,13 +40,13 @@ payloadkeys:
type: <boolean>
presence: optional
default: false
content: If 'true', the background task is removed and the status item object
only contains this key and the 'identifier' key.
content: If `true`, the background task is removed and the status item object
only contains this key and the `identifier` key.
- key: code-signature
title: Code signature
type: <string>
presence: optional
content: For types other than 'agent' or 'daemon', this is the code signature
content: For types other than `agent` or `daemon`, this is the code signature
designated requirement of the item, if available.
- key: uid
title: Numeric user identifier
@@ -56,7 +57,7 @@ payloadkeys:
title: Path
type: <string>
presence: required
content: For an 'agent' or 'daemon', the path to the 'launchd' 'plist' file.
content: For an `agent` or `daemon`, the path to the `launchd` `plist` file.
For other types, the path to the app or the document.
- key: state
title: Background task state
@@ -67,7 +68,7 @@ payloadkeys:
- enabled
- requires-approval
- not-found
content: The SMAppService.Status enumeration.
content: The `SMAppService.Status` enumeration.
- key: type
title: Background task type
type: <string>
@@ -83,24 +84,24 @@ payloadkeys:
title: Launchd background task
type: <dictionary>
presence: optional
content: Details about a 'launchd'-based background task, which is only present
when the type is 'daemon' or 'agent'.
content: Details about a `launchd`-based background task, which is only present
when the type is `daemon` or `agent`.
subkeys:
- key: label
title: Label
type: <string>
presence: required
content: The label of the 'launchd'-based background task.
content: The label of the `launchd`-based background task.
- key: program
title: Program
type: <string>
presence: required
content: The program that the 'launchd' 'plist' file specifies.
content: The program that the `launchd` `plist` file specifies.
- key: program-arguments
title: Program arguments
type: <array>
presence: optional
content: The program arguments that the 'launchd' 'plist' file specifies.
content: The program arguments that the `launchd` `plist` file specifies.
subkeys:
- key: program-arguments-item
title: Program argument
@@ -109,7 +110,7 @@ payloadkeys:
title: The hash value of the launchd plist.
type: <string>
presence: required
content: The hash value of the 'launchd' 'plist' file.
content: The hash value of the `launchd` `plist` file.
- key: device-management
title: Device Management
supportedOS:
@@ -117,26 +118,26 @@ payloadkeys:
introduced: '15.0'
type: <dictionary>
presence: optional
content: If present, indicates this background task was created by a 'services.background-tasks'
configuration. This dictionary contains properties that identify the configuration
and specific version of the declaration asset that provided the launchd
plist for the task.
content: A dictionary that indicates a `ServicesBackgroundTasks` configuration
created this background task. The dictionary contains properties that identify
the configuration and the declaration asset that provided the launchd plist
for the task.
subkeys:
- key: configuration-identifier
title: Configuration Identifier
type: <string>
presence: required
content: The identifier of the 'services.background-tasks' configuration
that created this task.
content: The identifier of the `ServicesBackgroundTasks` configuration that
created this task.
- key: asset-identifier
title: Asset Identifier
type: <string>
presence: required
content: The identifier of the declaration asset that provided the launchd
content: The `Identifier` of the declaration asset that provided the launchd
plist for this task.
- key: asset-server-token
title: Asset Server Token
type: <string>
presence: required
content: The server token of the declaration asset that provided the launchd
content: The `ServerToken` of the declaration asset that provided the launchd
plist for this task.

View File

@@ -1,5 +1,5 @@
title: Status Software Update Beta Enrollment
description: The device's enrolled beta program.
description: A status report of the device's enrolled beta program.
payload:
statusitemtype: softwareupdate.beta-enrollment
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Software Update Device ID
description: The device's software update device ID.
description: A status report of the device's update device ID.
payload:
statusitemtype: softwareupdate.device-id
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
@@ -36,4 +41,4 @@ payloadkeys:
type: <string>
presence: required
content: The device identifier to use when looking up available software updates
via 'https://gdmf.apple.com/v2/pmv'.
via `https://gdmf.apple.com/v2/pmv`.

View File

@@ -1,5 +1,5 @@
title: Status Software Update Failure Reason
description: The software update failure reason state.
description: A status report of a software update failure reason.
payload:
statusitemtype: softwareupdate.failure-reason
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
@@ -43,7 +48,7 @@ payloadkeys:
type: <integer>
presence: required
content: The number of times the current software update failed. If there are
no failures, or no pending software update, this is '0'.
no failures, or no pending software update, this is `0`.
- key: reason
title: The reason for the software update failure.
type: <string>

View File

@@ -1,5 +1,5 @@
title: Status Software Update Install Reason
description: The software update install reason state.
description: A status report of the reason for a pending software update on the device.
payload:
statusitemtype: softwareupdate.install-reason
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
@@ -73,5 +78,5 @@ payloadkeys:
type: <string>
presence: optional
content: The identifier of the declaration that caused the software update to
occur. This key is present only if the 'reason' array contains the 'declaration'
occur. This key is present only if the `reason` array contains the `declaration`
value.

View File

@@ -1,5 +1,5 @@
title: Status Software Update Install State
description: The software update install state.
description: A status report of the software update install state.
payload:
statusitemtype: softwareupdate.install-state
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
@@ -44,9 +49,9 @@ payloadkeys:
content: |-
The software update install status, which has the following values:
* 'none': There's no software update pending, and any previous software update succeeded.
* 'waiting': A software update is waiting to start.
* 'downloading': The system is downloading data for a software update.
* 'prepared': The system prepared the software update and it's ready for installation.
* 'installing': The system is installing the software update.
* 'failed': The software update failed.
- `none`: There's no software update pending, and any previous software update succeeded.
- `waiting': A software update is waiting to start.
- `downloading`: The system is downloading data for a software update.
- `prepared`: The system prepared the software update and it's ready for installation.
- `installing`: The system is installing the software update.
- `failed`: The software update failed.
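Review bot: the `waiting` bullet mixes a backtick and a straight quote (`waiting'), which will render as an unterminated code span; change it to `waiting` like the other five values.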

View File

@@ -1,5 +1,5 @@
title: Status Software Update Pending Version
description: The pending software update version.
description: A status report of the pending software update version.
payload:
statusitemtype: softwareupdate.pending-version
supportedOS:
@@ -27,7 +27,12 @@ payload:
allowed-scopes:
- system
visionOS:
introduced: n/a
introduced: '26.0'
allowed-enrollments:
- supervised
- device
allowed-scopes:
- system
watchOS:
introduced: n/a
payloadkeys:
@@ -55,6 +60,6 @@ payloadkeys:
title: The target local date-time
type: <string>
presence: optional
content: The local date time value for when the pending software update will be
installed. This key is only present when the pending software update is being
enforced.
content: The local date time value that indicates when the pending software update
will be installed. This key is only present when the pending software update
is being enforced.

View File

@@ -1,5 +1,5 @@
title: Status Reason
description: Information about a status error.
description: Provides details about an error for an item in a status report.
payload:
declarationtype: status-reason
supportedOS:
@@ -28,4 +28,8 @@ payloadkeys:
title: Error Details
type: <dictionary>
presence: optional
content: An arbitrary object containing details specific to this error.
content: A dictionary that contains additional details about the error.
notes:
- title: ''
content: Each status item defines its own set of `code`, `description`, and `details`
values.

View File

@@ -1,5 +1,5 @@
title: Status Test Array Value
description: A test status item array.
description: A test status item for an array.
payload:
statusitemtype: test.array-value
supportedOS:
@@ -59,6 +59,7 @@ payloadkeys:
subkeys:
- key: status_value
type: <dictionary>
content: A status value for the test status item array.
subkeys:
- key: key1
title: First Key Value

View File

@@ -1,5 +1,5 @@
title: Status Test Boolean Value
description: A test status item boolean.
description: A test status item for a Boolean value.
payload:
statusitemtype: test.boolean-value
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Test Dictionary Value
description: A test status item dictionary.
description: A test status item for a dictionary.
payload:
statusitemtype: test.dictionary-value
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Test Error Value
description: A test status item for errors.
description: A test status item for an error.
payload:
statusitemtype: test.error-value
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Test Integer Value
description: A test status item integer.
description: A test status item for an integer.
payload:
statusitemtype: test.integer-value
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Test Real Value
description: A test status item real.
description: A test status item for a real value.
payload:
statusitemtype: test.real-value
supportedOS:

View File

@@ -1,5 +1,5 @@
title: Status Test String Value
description: A test status item string.
description: A test status item for a string.
payload:
statusitemtype: test.string-value
supportedOS:

View File

@@ -2,6 +2,33 @@
This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.
## iOS 26.0
### mdm/profiles/com.apple.airplay.yaml
The DeviceName key in the Passwords dictionary was marked as required, changed to optional. On iOS
it is required but on macOS is not.
### mdm/profiles/com.apple.cellularprivatenetwork.managed.yaml
This payload was previously marked as supported on user enrollment, changed to forbidden.
## visionOS 26.0
### mdm/profiles/com.apple.applicationaccess.yaml
allowDefaultBrowserModification was incorrectly marked as supported on visionOS
## iOS 26.0 / macOS 26.0 / tvOS 26.0 / visionOS 26.0
### mdm/profiles/com.apple.relay.managed.yaml
The `ExcludedFQDNs` key was incorrectly documented as `Excluded FQDNs`. This has been corrected
to note that there is no space in the key name.
## macOS 15.4
The Associated Domains payload is only able to be installed via MDM.
## iOS 18.4 / macOS 15.4
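Review bot: the airplay entry sits under "## iOS 26.0" but describes a macOS-motivated change, and "On iOS it is required but on macOS is not" can be read as the schema now being conditional when the key was simply flipped to `optional` for every platform; say explicitly that the schema marks `DeviceName` optional while iOS still rejects a `Passwords` dictionary without it, so a server generating payloads from the schema doesn't omit it there. The cellularprivatenetwork entry would be clearer if it named the field that changed (the `userenrollment` mode, from supported to `forbidden`), matching how the other entries name the key they correct.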
@@ -51,9 +78,9 @@ iOS 17 also mistakenly forbade multiple private network payloads in a single pro
### mdm/checkin/authenticate.yaml
Starting in iOS 13 and macOS 10.15 UDID is optional because User Enrollments do not return UUIDs.
Starting in iOS 13 and macOS 10.15 UDID is optional because user enrollments do not return UUIDs.
Starting is iOS 13 and macOS 10.15 Enrollment ID is optional because Device Enrollments only return UUIDs.
Starting is iOS 13 and macOS 10.15 Enrollment ID is optional because device enrollments only return UUIDs.
## iOS 17 / macOS 14
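Review bot: the second corrected line still reads "Starting is iOS 13 and macOS 10.15 Enrollment ID is optional"; the pass only lowercased "device enrollments" and left the typo. It should be "Starting in iOS 13".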

View File

@@ -1,5 +1,5 @@
title: Authenticate
description: Check-in protocol authenticate request keys.
description: Authenticates a user during MDM payload installation.
payload:
requesttype: Authenticate
supportedOS:
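Review bot: "Authenticates a user during MDM payload installation" misdescribes the message. The keys in this file (`UDID`, `SerialNumber`, `IMEI`, `ProductName`) are device attributes, the device sends the message, and a device enrollment has no user to authenticate. Suggest "Sent by the device during MDM payload installation to authenticate with the server."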
@@ -79,11 +79,11 @@ payloadkeys:
presence: required
rangelist:
- Authenticate
content: The message type, which must have a value of 'Authenticate'.
content: The message type, which requires a value of `Authenticate`.
- key: Topic
type: <string>
presence: required
content: The topic to which the device subscribes.
content: The topic that the device subscribes to.
- key: UDID
supportedOS:
iOS:
@@ -97,8 +97,8 @@ payloadkeys:
mode: forbidden
type: <string>
presence: optional
content: The device's UDID (Unique Device ID). The system requires this value if
the enrollment type isn't user enrollment.
content: The device's UDID (unique device identifier). The system requires this
value if the enrollment type is a device enrollment.
- key: EnrollmentID
supportedOS:
iOS:
@@ -119,8 +119,9 @@ payloadkeys:
type: <string>
presence: optional
content: |-
The per-enrollment identifier for the device. The system requires this value if the enrollment type is user enrollment.
Available in macOS 10.15 and iOS 13.0 and later.
The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment.
Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later.
- key: OSVersion
supportedOS:
iOS:
@@ -159,7 +160,7 @@ payloadkeys:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's product name ('iPhone3,1').
content: The device's product name (such as `iPhone17,2`).
- key: SerialNumber
supportedOS:
iOS:
@@ -201,7 +202,7 @@ payloadkeys:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The device's IMEI (International Mobile Station Equipment Identity).
content: The device's IMEI (International Mobile Equipment Identity).
- key: MEID
supportedOS:
iOS:
@@ -223,3 +224,9 @@ payloadkeys:
type: <string>
presence: optional
content: The device's MEID (Mobile Equipment Identifier).
notes:
- title: ''
content: On success, the server needs to respond with a `200 OK` status. Don't assume
that the device has installed the MDM payload at this time because other payloads
in the profile may still fail to install. When the device successfully installs
the MDM payload, it sends a `Token-Update` message.

View File

@@ -1,5 +1,5 @@
title: Check Out
description: Check-in protocol check out request keys.
description: Responds to the removal of the MDM enrollment profile from a device.
payload:
requesttype: CheckOut
supportedOS:
@@ -40,11 +40,11 @@ payloadkeys:
presence: required
rangelist:
- CheckOut
content: The message type, which must have a value of 'CheckOut'.
content: The message type, which requires a value of `CheckOut`.
- key: Topic
type: <string>
presence: required
content: The topic to which the device subscribed.
content: The topic the device subscribes to.
- key: UDID
supportedOS:
iOS:
@@ -55,7 +55,8 @@ payloadkeys:
mode: forbidden
type: <string>
presence: required
content: The device's UDID (Unique Device ID).
content: The device's UDID (unique device identifier). The system requires this
value if the enrollment type is a device enrollment.
- key: EnrollmentID
supportedOS:
iOS:
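Review bot: `presence: required` on `UDID` contradicts the new sentence "The system requires this value if the enrollment type is a device enrollment"; the Authenticate file above uses the same sentence with `presence: optional`. Either change presence to optional here or drop the condition, otherwise a schema-driven validator will reject user-enrollment CheckOut messages.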
@@ -75,5 +76,13 @@ payloadkeys:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device. Available in macOS 10.15
and iOS 13.0 and later.
content: |-
The per-enrollment identifier for the device. The system requires this value if the enrollment type is a user enrollment.
Available in iOS 13 and later, macOS 10.15 and later, and visionOS 2 and later.
notes:
- title: ''
content: |-
The system sends this message on a best-effort basis. If the system can't send the message while removing the MDM profile, it removes the profile and doesn't resend the message.
On success, the server needs to respond with a `200 OK` status.
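Review bot: `EnrollmentID` has the same mismatch as `UDID` above, `presence: required` against "requires this value if the enrollment type is a user enrollment". On the new note, "best-effort" is the operationally important point and deserves one more sentence: because the device removes the profile without resending the message, a server must not treat the absence of a `CheckOut` as evidence that the MDM profile is still installed.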

View File

@@ -1,5 +1,5 @@
title: Declarative Management
description: Declarative Management request keys.
description: Sends declarative management requests to the server.
payload:
requesttype: DeclarativeManagement
supportedOS:
@@ -42,20 +42,21 @@ payloadkeys:
presence: required
rangelist:
- DeclarativeManagement
content: The message type, which must have a value of 'DeclarativeManagement'.
content: The message type, which requires a value of `DeclarativeManagement`.
- key: Endpoint
type: <string>
presence: required
content: |-
The type of operation the declaration is requesting. This key must be one of these values:
* 'tokens': For fetching synchronization tokens from the server
* 'declaration-items': For fetching the declaration manifest from the server
* 'status': For sending a status report to the server
* 'declaration/…/…': For fetching a specific declaration from the server. Include the declaration type and identifier separated by forward slashes ('/)'.
The type of operation the declaration is requesting. This key needs to be one of these values:
- `tokens`: For fetching synchronization tokens from the server
- `declaration-items`: For fetching the declaration manifest from the server
- `status`: For sending a status report to the server
- `declaration/…/…`: For fetching a specific declaration from the server. Include the declaration type and identifier separated by slash characters (`/`).
- key: Data
type: <data>
presence: optional
content: A Base64-encoded JSON object using the SynchronizationTokens schema.
content: A Base64-encoded JSON object using the `SynchronizationTokens` schema.
- key: UDID
supportedOS:
iOS:
@@ -69,7 +70,8 @@ payloadkeys:
mode: forbidden
type: <string>
presence: required
content: The device's UDID.
content: The device's UDID (unique device identifier). The system requires this
value if the enrollment type is a device enrollment.
- key: EnrollmentID
supportedOS:
iOS:
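Review bot: `presence: required` on `UDID` again contradicts the conditional "if the enrollment type is a device enrollment" added in the content; the same applies to the `EnrollmentID` and `EnrollmentUserID` hunks that follow in this file and to the `UDID`, `EnrollmentID` and `EnrollmentUserID` hunks in the Get Token file below. The Authenticate file resolves this with `presence: optional`; do the same here or the conditional text is meaningless.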
@@ -87,7 +89,8 @@ payloadkeys:
introduced: n/a
type: <string>
presence: required
content: The per-enrollment identifier for the device.
content: The per-enrollment identifier for the device. The system requires this
value if the enrollment type is a user enrollment.
- key: EnrollmentUserID
supportedOS:
iOS:
@@ -104,7 +107,8 @@ payloadkeys:
introduced: n/a
type: <string>
presence: required
content: A per-enrollment identifier that identifies the user for user enrollments.
content: The per-enrollment identifier for the user. The system requires this value
if the enrollment type is a user enrollment on the user channel.
- key: UserShortName
supportedOS:
iOS:
@@ -120,9 +124,10 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple Account of the user.
When present indicates that the token is for the user channel. On macOS, this
value always returns the short name of the user.
content: |-
For macOS, this value is the short name of the user.
For Shared iPad, this value is the Managed Apple Account identifier of the user on Shared iPad. It indicates that the token is for the user channel.
- key: UserID
supportedOS:
iOS:
@@ -138,9 +143,10 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: On macOS, this value always returns the ID of the user. On Shared iPad,
this value is always set to FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF to indicate that
no authentication will occur.
content: |-
For macOS, this value is the ID of the user.
For Shared iPad, this value is `FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF` to indicate that authentication doesn't occur.
- key: UserLongName
supportedOS:
iOS:
@@ -156,3 +162,16 @@ payloadkeys:
type: <string>
presence: required
content: The full name of the user.
notes:
- title: ''
content: |-
The `Data` field is optional, depending on the `Endpoint` value, as described below:
- `tokens`: The client uses the `tokens` endpoint to request the current synchronization tokens from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `TokensResponse` schema.
- `declaration-items`: The client uses the `declaration-items` endpoint to request the current declaration manifest from the server. It doesn't use the `Data` field. A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object conforming to the `DeclarationItemsResponse` schema.
- `declaration/…/…` : The client uses the `declaration/…/…` endpoint to request a specific declaration from the server. It doesn't use the `Data` field.
The endpoint value is a path with three segments separated by a slash character (`/`). The first segment is always `declaration`. The second segment indicates the declaration type and is one of `activation`, `asset`, `configuration`, or `management`. The third segment is the `Identifier` of the declaration to fetch.
A successful response to this request is a `200 OK` HTTP status, with a response body that's a JSON object representing the requested declaration. If the declaration isn't present on the server, it needs to return a `404 Not Found` HTTP status response to the device. That causes the device to remove any corresponding declaration that is present on it.
- `status`: The client uses the `status` endpoint to send a status report to the server. The `Data` field needs to be present and set to a Base64-encoded JSON object conforming to the `StatusReport` schema. A successful response to this request is a `200 OK` HTTP status, with an empty response body.
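Review bot: the `declaration/…/…` bullet's "If the declaration isn't present on the server, it needs to return a `404 Not Found` ... That causes the device to remove any corresponding declaration" needs a warning, because a 404 from a misrouted request or a partially deployed backend will silently strip configuration from every device that asks. Suggest stating that a server returns 404 only for a declaration it has intentionally removed and a 5xx for any other failure, so the device retries instead of deleting. It would also help to say what the device does when the second segment isn't one of `activation`, `asset`, `configuration` or `management`, since the bullet lists those four as the only valid values.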

View File

@@ -1,10 +1,14 @@
title: Get Bootstrap Token
description: Check-in protocol get bootstrap token data.
description: Gets the bootstrap token from the server.
payload:
requesttype: GetBootstrapToken
supportedOS:
iOS:
introduced: n/a
introduced: '26.0'
supervised: true
requiresdep: true
userenrollment:
mode: forbidden
macOS:
introduced: '10.15'
devicechannel: true
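Review bot: the new iOS block lacks the `devicechannel: true` that the macOS block directly below it has; if the request is device-channel only on iOS as well, add it, otherwise the difference reads as intentional and implementers will wonder whether a user-channel GetBootstrapToken is valid on iOS. The same applies to the visionOS block in the next hunk. `requiresdep: true` here matches the "Requires a device enrolled using Automated Device Enrollment" note later in this file, which is good, but note the macOS block carries no `requiresdep`, so the note currently overstates the macOS requirement unless that is also added.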
@@ -16,7 +20,11 @@ payload:
tvOS:
introduced: n/a
visionOS:
introduced: n/a
introduced: '26.0'
supervised: true
requiresdep: true
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
content: Check-in protocol get bootstrap token data request and response.
@@ -26,15 +34,25 @@ payloadkeys:
presence: required
rangelist:
- GetBootstrapToken
content: The message type, which must have a value of 'GetBootstrapToken'.
content: The message type, which requires a value of `GetBootstrapToken`.
- key: AwaitingConfiguration
type: <boolean>
presence: optional
default: false
content: If 'true', the device is awaiting a DeviceConfigured MDM command before
proceeding through Setup Assistant.
content: If `true`, the device is awaiting a `Device-Configured-Command` command
before proceeding through Setup Assistant.
responsekeys:
- key: BootstrapToken
type: <data>
presence: optional
content: The current bootstrap token data for the device.
notes:
- title: ''
content: |-
A server that supports this request needs to include a `com.apple.mdm.bootstraptoken` value in the `ServerCapabilities` key of the MDM profile payload to enroll the device.
This request returns the device's bootstrap token data that the server stores.
If a bootstrap token isn't available, the server returns a success response with either a zero-length value for the `BootstrapToken` key or omits the key.
Requires a device enrolled using Automated Device Enrollment.
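Review bot: `Device-Configured-Command` replaces `DeviceConfigured`, which is the RequestType value a server actually sends; if the new form is meant as a cross-reference to that command's schema page, keep the wire name next to it so readers don't send the wrong string. In the notes, "either a zero-length value for the `BootstrapToken` key or omits the key" specifies two encodings of one outcome; either pick one for servers to emit or state that clients treat both identically, so implementers don't end up special-casing one of them.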

View File

@@ -1,5 +1,5 @@
title: Get Token
description: Check-in protocol get token data.
description: Gets a token from the server.
payload:
requesttype: GetToken
supportedOS:
@@ -38,7 +38,7 @@ payloadkeys:
presence: required
rangelist:
- GetToken
content: A string that specifies this is a get-token request.
content: The message type, which requires a value of `GetToken`.
- key: TokenServiceType
type: <string>
presence: required
@@ -65,7 +65,7 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: A security token to generate the server token. Required by the 'com.apple.watch.pairing'
content: A security token to generate the server token. Required by the `com.apple.watch.pairing`
service type.
- key: PhoneUDID
title: Phone Identifier
@@ -81,7 +81,7 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: The identifier of the phone paired to the watch. Required by the 'com.apple.watch.pairing'
content: The identifier of the phone paired to the watch. Required by the `com.apple.watch.pairing`
service type.
- key: WatchUDID
title: Watch Identifier
@@ -97,7 +97,7 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: The identifier of the watch paired to the phone. Required by the 'com.apple.watch.pairing'
content: The identifier of the watch paired to the phone. Required by the `com.apple.watch.pairing`
service type.
- key: UDID
supportedOS:
@@ -112,7 +112,8 @@ payloadkeys:
mode: forbidden
type: <string>
presence: required
content: The device's UDID.
content: The device's UDID (unique device identifier). The system requires this
value if the enrollment type is a device enrollment.
- key: EnrollmentID
supportedOS:
iOS:
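Review bot: `presence: required` at the top of this hunk now conflicts with the new conditional wording `The system requires this value if the enrollment type is a device enrollment`; the `mode: forbidden` line just above already excludes the key for one enrollment mode, so either make the presence conditional on enrollment type in the schema or reword the sentence to say the key is always present except under that forbidden mode. As written, a server reading only the prose may reject user-enrollment check-ins that legitimately lack `UDID`.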
@@ -126,7 +127,8 @@ payloadkeys:
mode: required
type: <string>
presence: required
content: A per-enrollment identifier that identifies the device for user enrollments.
content: The per-enrollment identifier for the device. The system requires this
value if the enrollment type is a user enrollment.
- key: EnrollmentUserID
supportedOS:
iOS:
@@ -139,7 +141,8 @@ payloadkeys:
introduced: n/a
type: <string>
presence: required
content: A per-enrollment identifier that identifies the user for user enrollments.
content: The per-enrollment identifier for the user. The system requires this value
if the enrollment type is a user enrollment on the user channel.
- key: UserShortName
supportedOS:
iOS:
@@ -151,9 +154,10 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: On Shared iPad, this value returns the Managed Apple Account identifier
of the user. When present, it indicates that the token is for the user channel.
In macOS, this value returns the short name of the user.
content: |-
For macOS, this value is the short name of the user.
For Shared iPad, this value is the Managed Apple Account identifier of the user. When present, it indicates that the token is for the user channel.
- key: UserID
supportedOS:
iOS:
@@ -165,8 +169,10 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: In macOS, this value returns the ID of the user. On Shared iPad, this value
is 'FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF' to indicate that no authentication occurs.
content: |-
For macOS, this value is the ID of the user.
For Shared iPad, this value is `FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF` to indicate that authentication doesn't occur.
- key: UserLongName
supportedOS:
iOS:
@@ -182,5 +188,33 @@ responsekeys:
- key: TokenData
type: <data>
presence: required
content: The token represented as data. If the token is a string value, this will
be the UTF-8 encoded string data.
content: The token data. If the token is a string value, it needs to be a UTF-8-encoded
string.
notes:
- title: ''
content: |-
A server that supports this request needs to include a `com.apple.mdm.token` value in the `ServerCapabilities` key of the MDM profile payload to enroll the device.
This request allows devices to fetch security-related tokens from the server and to retrieve different types of tokens for the various services that need them. Each service has a unique identifier, and can pass a specific set of parameters for the server to use when generating the token. If the server doesn't recognize the service type, it needs to return a `400` HTTP response status.
> Note:
> The `GetBootstrapToken` request is a separate request specifically for the bootstrap token.
- title: Support access management for Managed Apple Accounts
content: |-
For the service type `com.apple.maid`, the Apple Identity Service requests this token when a Managed Apple Account is signing in, and then uses it to verify that the Managed Apple Account belongs to the same organization as the MDM server that enrolled the device. The token is a JSON Web Token (JWT) per RFC 7519 with the following claims:
- `iss`: A `String`, per RFC 7519 section 4.1.1, that the server sets to the system-generated server identifier (`server_uuid`) that `AccountDetail` returns.
- `iat`: A `NumericDate`, per RFC 7519 section 4.1.6, that the server sets to the timestamp of the token generation. The Apple Identity Service uses this value to limit the time that the token is valid.
- `jti`: A `String`, per RFC 7519 section 4.1.7, that the server sets to a unique identifier (a random UUID) for the JWT. The Apple Identity Service uses this value to ensure that it only uses the token once.
- `service_type`: A `String` that the server sets to the value of the `TokenServiceType` key in the `CheckIn` request, which needs to be `com.apple.maid`.
Sign the JWT using the server's private key that corresponds to the RFC 3280 public key certificate that's registered with Apple Business Manager or Apple School Manager.
- title: Support Apple Watch pairing
content: For the service type `com.apple.watch.pairing`, the MDM server requests
this token to enroll an Apple Watch, with the request coming from the phone that's
paired to the watch. The format of the token is implementation-defined, but the
phone and watch MDM servers need to use the same format. The purpose of this token
is to confirm the pairing relationship of the watch to the phone, and to ensure
that the phone is already enrolled in an MDM server that belongs to the same organization
as the watch MDM server. Ensure that the token is cryptographically protected
against tampering, spoofing, and replay attacks.
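Review bot: `RFC 3280` in `Sign the JWT using the server's private key that corresponds to the RFC 3280 public key certificate` cites an obsoleted document; RFC 5280 superseded it, so update the reference. The `com.apple.maid` claim list also leaves the signature underspecified: it names no JOSE `alg`, no way to bind the JWT to the registered certificate (a `kid` or `x5c` header), and no `exp` claim, only a statement that `iat` bounds validity without saying for how long; an implementer cannot produce an interoperable token from this text, so document the accepted algorithm(s), the key-identification header, and the validity window. For the watch-pairing token, `Ensure that the token is cryptographically protected against tampering, spoofing, and replay attacks` would be more actionable if it pointed at the same pattern used for the `com.apple.maid` token (signature, unique `jti`, short `iat` window).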
