mirror of
https://github.com/apple/device-management.git
synced 2026-07-10 21:13:42 +02:00
Seed1
This commit is contained in:
+151
@@ -0,0 +1,151 @@
|
||||
# Changes
|
||||
|
||||
Significant changes in this release.
|
||||
|
||||
---
|
||||
|
||||
## declarative/declarations/configurations
|
||||
|
||||
### New Objects
|
||||
|
||||
- New: declarative/declarations/configurations/app.settings.yaml
|
||||
- New: declarative/declarations/configurations/content-cache.settings.yaml
|
||||
- New: declarative/declarations/configurations/extensible-sso.yaml
|
||||
- New: declarative/declarations/configurations/network.dns-proxy.yaml
|
||||
- New: declarative/declarations/configurations/network.dns-settings.yaml
|
||||
- New: declarative/declarations/configurations/network.relay.yaml
|
||||
- New: declarative/declarations/configurations/network.vpn.always-on.yaml
|
||||
- New: declarative/declarations/configurations/network.vpn.ikev2.yaml
|
||||
- New: declarative/declarations/configurations/network.vpn.ipsec.yaml
|
||||
- New: declarative/declarations/configurations/network.vpn.vpn-plugin.yaml
|
||||
- New: declarative/declarations/configurations/webcontent-filter.plugin.yaml
|
||||
|
||||
### New Payload Keys
|
||||
|
||||
- New: declarative/declarations/configurations/intelligence.settings.yaml/Apps/Calendar
|
||||
- New: declarative/declarations/configurations/legacy.interactive.yaml/ProfileAssetReference
|
||||
- New: declarative/declarations/configurations/legacy.yaml/ProfileAssetReference
|
||||
- New: declarative/declarations/configurations/package.yaml/UninstallBehavior
|
||||
- New: declarative/declarations/configurations/safari.settings.yaml/Privacy
|
||||
|
||||
### Objects with New OS Support
|
||||
|
||||
- Changed: declarative/declarations/configurations/siri.settings.yaml [tvOS 27.0]
|
||||
|
||||
### Payload Keys with New OS Support
|
||||
|
||||
- Changed: declarative/declarations/configurations/app.managed.yaml/AppConfig [macOS 27.0]
|
||||
- Changed: declarative/declarations/configurations/app.managed.yaml/ExtensionConfigs [macOS 27.0]
|
||||
- Changed: declarative/declarations/configurations/app.managed.yaml/LegacyAppConfigAssetReference [macOS 27.0]
|
||||
|
||||
---
|
||||
|
||||
## declarative/status
|
||||
|
||||
### New Objects
|
||||
|
||||
- New: declarative/status/content-cache.info.yaml
|
||||
- New: declarative/status/content-cache.parents.yaml
|
||||
- New: declarative/status/content-cache.peers.yaml
|
||||
- New: declarative/status/content-cache.status.yaml
|
||||
- New: declarative/status/device.system.health.yaml
|
||||
- New: declarative/status/enhanced-logging.applecare-token.yaml
|
||||
- New: declarative/status/enhanced-logging.status.yaml
|
||||
- New: declarative/status/enhanced-logging.timestamp.yaml
|
||||
- New: declarative/status/mdm.enrollment-type.yaml
|
||||
- New: declarative/status/mdm.is-awaiting-configuration.yaml
|
||||
- New: declarative/status/mdm.is-return-to-service.yaml
|
||||
- New: declarative/status/mdm.is-shared-ipad.yaml
|
||||
- New: declarative/status/mdm.push-magic.yaml
|
||||
- New: declarative/status/mdm.push-token.yaml
|
||||
- New: declarative/status/security.lockdown-mode.yaml
|
||||
|
||||
### Payload Keys with New OS Support
|
||||
|
||||
- Changed: declarative/status/app.managed.list.yaml/app.managed.list/status_value/config-state [macOS 27.0]
|
||||
|
||||
---
|
||||
|
||||
## mdm/checkin
|
||||
|
||||
### New Payload Keys
|
||||
|
||||
- New: mdm/checkin/returntoservice.yaml/ReturnToService/ShouldRetryEnrollment
|
||||
|
||||
---
|
||||
|
||||
## mdm/commands
|
||||
|
||||
### New Objects
|
||||
|
||||
- New: mdm/commands/cancel.enhanced.log.collection.yaml
|
||||
- New: mdm/commands/trigger.enhanced.log.collection.yaml
|
||||
|
||||
### New Payload Keys
|
||||
|
||||
- New: mdm/commands/device.erase.yaml/ReturnToService/ShouldRetryEnrollment
|
||||
|
||||
### Removed Objects
|
||||
|
||||
- Removed: mdm/commands/system.update.available.yaml
|
||||
- Removed: mdm/commands/system.update.scan.yaml
|
||||
- Removed: mdm/commands/system.update.schedule.yaml
|
||||
- Removed: mdm/commands/system.update.status.yaml
|
||||
|
||||
### Removed Payload Keys
|
||||
|
||||
- Removed: mdm/commands/information.device.yaml/Queries/OSUpdateSettings
|
||||
- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateDeviceID
|
||||
- Removed: mdm/commands/information.device.yaml/Queries/SoftwareUpdateSettings
|
||||
- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateDeviceID
|
||||
- Removed: mdm/commands/information.device.yaml/QueryResponses/SoftwareUpdateSettings
|
||||
- Removed: mdm/commands/settings.yaml/Settings/SoftwareUpdateSettings
|
||||
|
||||
---
|
||||
|
||||
## mdm/profiles
|
||||
|
||||
### New Payload Keys
|
||||
|
||||
- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceCaptivePortalConnectionFromLockScreen
|
||||
- New: mdm/profiles/com.apple.applicationaccess.yaml/ForceWifiConfigurationOnLockScreen
|
||||
- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/AllowWebLoginPasswordSync
|
||||
- New: mdm/profiles/com.apple.extensiblesso.yaml/PlatformSSO/WebLoginURLAllowList
|
||||
|
||||
### Payload Keys with New OS Support
|
||||
|
||||
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowAutomaticAppDownloads [visionOS 27.0]
|
||||
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowCamera [visionOS 27.0]
|
||||
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/allowListedAppBundleIDs [visionOS 27.0]
|
||||
- Changed: mdm/profiles/com.apple.applicationaccess.yaml/blockedAppBundleIDs [visionOS 27.0]
|
||||
|
||||
### Removed Objects
|
||||
|
||||
- Removed: mdm/profiles/com.apple.SoftwareUpdate.yaml
|
||||
|
||||
### Removed Payload Keys
|
||||
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseInstallation
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/allowRapidSecurityResponseRemoval
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateDelay
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMajorOSDeferredInstallDelay
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateMinorOSDeferredInstallDelay
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/enforcedSoftwareUpdateNonOSDeferredInstallDelay
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedAppSoftwareUpdates
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedMajorSoftwareUpdates
|
||||
- Removed: mdm/profiles/com.apple.applicationaccess.yaml/forceDelayedSoftwareUpdates
|
||||
|
||||
---
|
||||
|
||||
## mdm/errors
|
||||
|
||||
No changes.
|
||||
|
||||
---
|
||||
|
||||
## other
|
||||
|
||||
### New Payload Keys
|
||||
|
||||
- New: other/skipkeys.yaml/AccessibilityAppearance
|
||||
- New: other/skipkeys.yaml/LiquidGlass
|
||||
@@ -8,11 +8,13 @@ This release corresponds to the following OS versions
|
||||
|
||||
| OS | Version |
|
||||
|----------|---------|
|
||||
| iOS | 26.4 |
|
||||
| macOS | 26.4 |
|
||||
| tvOS | 26.4 |
|
||||
| visionOS | 26.4 |
|
||||
| watchOS | 26.4 |
|
||||
| iOS | 27.0 |
|
||||
| macOS | 27.0 |
|
||||
| tvOS | 27.0 |
|
||||
| visionOS | 27.0 |
|
||||
| watchOS | 27.0 |
|
||||
|
||||
See [Changes](CHANGES.md) for the significant changes in this release.
|
||||
|
||||
## What's Available
|
||||
|
||||
@@ -29,6 +31,12 @@ The following schema items are available:
|
||||
|
||||
* Other device management data formats
|
||||
|
||||
* Examples for schema items - `examples`
|
||||
* This directory contains `declarative`, `mdm`, and `other` directories.
|
||||
* Each sub-directory contains directories and files that mirror the structure of the corresponding schema directories.
|
||||
* Each schema item has its own directory containing the example files for the schema object.
|
||||
* Each YAML schema file contains an `examples` key that includes relative file paths to its example files.
|
||||
|
||||
## YAML Schema Definition
|
||||
|
||||
See [YAML Schema](docs/schema.md).
|
||||
|
||||
@@ -15,6 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: StandardConfigurations
|
||||
title: Standard configurations
|
||||
type: <array>
|
||||
presence: required
|
||||
content: An array of strings that specify the identifiers of configurations to install.
|
||||
@@ -22,10 +23,22 @@ payloadkeys:
|
||||
from installing.
|
||||
subkeys:
|
||||
- key: StandardConfigurationsItems
|
||||
title: Standard configurations items
|
||||
type: <string>
|
||||
- key: Predicate
|
||||
title: Predicate
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A predicate format string as [Apple's Predicate Programming](https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html)
|
||||
describes. The activation only installs when the predicate evaluates to `true`
|
||||
or isn't present.
|
||||
examples:
|
||||
title: Activation examples
|
||||
files:
|
||||
- tab: One configuration
|
||||
description: This activation applies one configuration.
|
||||
file: examples/declarative/declarations/activations/simple/example1.json
|
||||
- tab: Predicate
|
||||
description: This activation applies two configurations and uses a predicate to
|
||||
limit those to only apply on an Apple TV device.
|
||||
file: examples/declarative/declarations/activations/simple/example2.json
|
||||
|
||||
@@ -15,6 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
asset-content-types:
|
||||
- application/json
|
||||
@@ -26,22 +27,26 @@ payloadkeys:
|
||||
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -49,11 +54,14 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -63,7 +71,10 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
- key: Accessible
|
||||
title: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -75,3 +86,7 @@ payloadkeys:
|
||||
|
||||
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credential.acme/example1.json
|
||||
|
||||
@@ -15,6 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
asset-content-types:
|
||||
- application/pkcs1
|
||||
@@ -26,22 +27,26 @@ payloadkeys:
|
||||
corresponding media type.
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -49,11 +54,14 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -63,3 +71,9 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credential.certificate/example1.json
|
||||
|
||||
@@ -15,6 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
asset-content-types:
|
||||
- application/json
|
||||
@@ -26,22 +27,26 @@ payloadkeys:
|
||||
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -49,11 +54,14 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -63,7 +71,10 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
- key: Accessible
|
||||
title: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -75,3 +86,7 @@ payloadkeys:
|
||||
|
||||
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credential.identity/example1.json
|
||||
|
||||
@@ -15,6 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
asset-content-types:
|
||||
- application/json
|
||||
@@ -26,22 +27,26 @@ payloadkeys:
|
||||
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -49,11 +54,14 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -63,7 +71,10 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
- key: Accessible
|
||||
title: Accessible
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -75,3 +86,7 @@ payloadkeys:
|
||||
|
||||
- `Default`: The most restrictive accessibility that still satisfies all uses of the asset by configurations that reference it.
|
||||
- `AfterFirstUnlock`: The keychain item is only available after the first unlock of the device.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credential.scep/example1.json
|
||||
|
||||
@@ -16,6 +16,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
asset-content-types:
|
||||
- application/json
|
||||
@@ -27,22 +28,26 @@ payloadkeys:
|
||||
- Uses a media type of `application/json`, and if it includes a `ContentType` sub-key, that sub-key media type is also `application/json`
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -50,6 +55,7 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
@@ -61,9 +67,11 @@ payloadkeys:
|
||||
introduced: '10.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -73,3 +81,9 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credential.userpassword/example1.json
|
||||
|
||||
@@ -31,13 +31,13 @@ payloadkeys:
|
||||
relatively weak indication because of the risk that an attacker may intercept
|
||||
and duplicate the client identifier.
|
||||
- key: KeySize
|
||||
title: Key Size
|
||||
title: Key size
|
||||
type: <integer>
|
||||
presence: required
|
||||
content: The valid values for `KeySize` depend on the values of `KeyType` and `HardwareBound`.
|
||||
See those keys for specific requirements.
|
||||
- key: KeyType
|
||||
title: Key Type
|
||||
title: Key type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -53,7 +53,7 @@ payloadkeys:
|
||||
> Note:
|
||||
> The key size is `521`, not `512`, even though the other key sizes are multiples of `64`.
|
||||
- key: HardwareBound
|
||||
title: Hardware Bound
|
||||
title: Hardware bound
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: |-
|
||||
@@ -78,22 +78,22 @@ payloadkeys:
|
||||
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayInnerArray
|
||||
title: Array Inside ACME Subject Array
|
||||
title: Array inside ACME subject array
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayPair
|
||||
title: Subject Array Pair
|
||||
title: Subject array pair
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: ACMESubjectArrayPairItem
|
||||
title: ACME Subject Array Pair Item
|
||||
title: ACME subject array pair item
|
||||
type: <string>
|
||||
repetition:
|
||||
min: 2
|
||||
max: 2
|
||||
content: One item in the array representing a pair of OID and value
|
||||
- key: SubjectAltName
|
||||
title: Subject Alt Name
|
||||
title: Subject alt name
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies the subject's alternative name that the device requests for the
|
||||
@@ -101,12 +101,12 @@ payloadkeys:
|
||||
this field in the certificate it issues.
|
||||
subkeys:
|
||||
- key: rfc822Name
|
||||
title: RFC 822 Name
|
||||
title: RFC 822 name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The RFC 822 email address.
|
||||
- key: dNSName
|
||||
title: DNS Name
|
||||
title: DNS name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The DNS name.
|
||||
@@ -116,12 +116,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The uniform resource identifier.
|
||||
- key: ntPrincipalName
|
||||
title: NT Principal Name
|
||||
title: NT principal name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
|
||||
- key: UsageFlags
|
||||
title: Key Usage
|
||||
title: Key usage
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: |-
|
||||
@@ -129,7 +129,7 @@ payloadkeys:
|
||||
|
||||
The value is a bit field. Bit `0x01` indicates digital signature, and bit `0x04` indicates key encipherment.
|
||||
- key: ExtendedKeyUsage
|
||||
title: Extended Key Usage
|
||||
title: Extended key usage
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
@@ -168,4 +168,8 @@ notes:
|
||||
| Attest key support | iPhone, iPad | Mac | Apple TV | Apple Watch | Vision Pro |
|
||||
|--------------------|--------------------------------------|----------------|-------------------------|----------------|------------|
|
||||
| Ignored | A10x Fusion and earlier | Intel | A10x Fusion and earlier | S3 and earlier | none |
|
||||
| Supported | A11 Bionic and later<br>All M series | Apple Silicon | A12 Bionic and later | S4 and later | All |
|
||||
| Supported | A11 Bionic and later<br>All M series | Apple silicon | A12 Bionic and later | S4 and later | All |
|
||||
examples:
|
||||
title: Credential example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credentials/acme/example1.json
|
||||
|
||||
@@ -15,10 +15,16 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Password
|
||||
title: Password
|
||||
type: <string>
|
||||
presence: required
|
||||
content: 'The password required to decrypt the PKCS #12 identity data.'
|
||||
- key: Identity
|
||||
title: Identity
|
||||
type: <data>
|
||||
presence: required
|
||||
content: 'The PKCS #12 identity data.'
|
||||
examples:
|
||||
title: Credential example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credentials/identity/example1.json
|
||||
|
||||
@@ -38,15 +38,15 @@ payloadkeys:
|
||||
You can represent OIDs as dotted numbers or use shortcuts for country (`C`), locality (`L`), state (`ST`), organization (`O`), organizational unit (`OU`), and common name (`CN`).
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayInnerArray
|
||||
title: Array Inside SCEP Subject Array
|
||||
title: Array inside SCEP subject array
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayPair
|
||||
title: Subject Array Pair
|
||||
title: Subject array pair
|
||||
type: <array>
|
||||
subkeys:
|
||||
- key: SCEPSubjectArrayPairItem
|
||||
title: SCEP Subject Array Pair Item
|
||||
title: SCEP subject array pair item
|
||||
type: <string>
|
||||
repetition:
|
||||
min: 2
|
||||
@@ -58,7 +58,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A preshared secret.
|
||||
- key: Keysize
|
||||
title: Key Size
|
||||
title: Key size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -68,13 +68,13 @@ payloadkeys:
|
||||
default: 1024
|
||||
content: The key size in bits, either `1024`, `2048`, or `4096`.
|
||||
- key: Key Type
|
||||
title: Key Type
|
||||
title: Key type
|
||||
type: <string>
|
||||
presence: optional
|
||||
default: RSA
|
||||
content: The key type, which always has the value `RSA`.
|
||||
- key: Key Usage
|
||||
title: Key Usage
|
||||
title: Key usage
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 0
|
||||
@@ -94,25 +94,25 @@ payloadkeys:
|
||||
content: The number of times the device should retry if the server sends a `PENDING`
|
||||
response.
|
||||
- key: RetryDelay
|
||||
title: Retry Delay
|
||||
title: Retry delay
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 10
|
||||
content: The number of seconds to wait between subsequent retries. The system makes
|
||||
the first retry without this delay.
|
||||
- key: SubjectAltName
|
||||
title: Subject Alt Name
|
||||
title: Subject alt name
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The subject's alternative name for the certificate.
|
||||
subkeys:
|
||||
- key: rfc822Name
|
||||
title: RFC 822 Name
|
||||
title: RFC 822 name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The RFC 822 email address.
|
||||
- key: dNSName
|
||||
title: DNS Name
|
||||
title: DNS name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The DNS name.
|
||||
@@ -122,7 +122,11 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The uniform resource identifier.
|
||||
- key: ntPrincipalName
|
||||
title: NT Principal Name
|
||||
title: NT principal name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The NT principal name. Use an other name OID set to `1.3.6.1.4.1.311.20.2.3`.
|
||||
examples:
|
||||
title: Credential example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credentials/scep/example1.json
|
||||
|
||||
@@ -15,10 +15,16 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: UserName
|
||||
title: User name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The user name for this credential.
|
||||
- key: Password
|
||||
title: Password
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The password for this credential.
|
||||
examples:
|
||||
title: Credential example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/credentials/usernameandpassword/example1.json
|
||||
|
||||
@@ -15,27 +15,32 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Reference
|
||||
title: External reference
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The external reference.
|
||||
subkeys:
|
||||
- key: DataURL
|
||||
title: Data URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL to retrieve data, which needs to start with `https://`.
|
||||
- key: ContentType
|
||||
title: Content type
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The media type that describes the data. If present, the system checks
|
||||
the actual media type of the downloaded data, and an error occurs if the values
|
||||
don't match.
|
||||
- key: Size
|
||||
title: Size
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The size of the data. Set the size to `0` if there's no expectation of
|
||||
a response body. If present, the system checks the actual size of the downloaded
|
||||
data, and an error occurs if the values don't match.
|
||||
- key: Hash-SHA-256
|
||||
title: SHA-256 hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A SHA-256 hash of the data stored at the `DataURL`. Don't set this value
|
||||
@@ -43,11 +48,14 @@ payloadkeys:
|
||||
the actual hash of the downloaded data, and an error occurs if the values don't
|
||||
match.
|
||||
- key: Authentication
|
||||
title: Server authentication
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The server authentication details.
|
||||
content: The server authentication details. If this key is absent, the default authentication
|
||||
type is MDM.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Authentication type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -57,3 +65,9 @@ payloadkeys:
|
||||
The type of authentication, which has these allowed values:
|
||||
- `MDM`: A request that uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`. This option is only available through declarative device management.
|
||||
- `None`: A standard GET request.
|
||||
|
||||
If the `Authentication` dictionary is absent, the default authentication type is MDM.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/data/example1.json
|
||||
|
||||
@@ -15,12 +15,16 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: FullName
|
||||
title: Full Name
|
||||
title: Full name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The user's full name.
|
||||
- key: EmailAddress
|
||||
title: Email Address
|
||||
title: Email address
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The email address of the user.
|
||||
examples:
|
||||
title: Asset example
|
||||
files:
|
||||
- file: examples/declarative/declarations/assets/useridentity/example1.json
|
||||
|
||||
@@ -37,32 +37,30 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: A CalDAV configuration defines a CalDAV calendar and reminders account
|
||||
for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this calendar account. If not present,
|
||||
the system generates a suitable default.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname or IP address of the CalDAV server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number for the CalDAV server.
|
||||
- key: Path
|
||||
title: Server Path
|
||||
title: Server path
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The path for the CalDAV server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -73,3 +71,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.caldav
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a CalDAV account for calendars.
|
||||
file: examples/declarative/declarations/configurations/account.caldav/example1.json
|
||||
|
||||
@@ -37,31 +37,30 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: A CardDAV configuration defines a CardDAV contacts account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this address book account. If not
|
||||
present, the system generates a suitable default.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname or IP address of the CardDAV server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number for the CardDAV server.
|
||||
- key: Path
|
||||
title: Server Path
|
||||
title: Server path
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The path for the CardDAV server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -72,3 +71,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.carddav
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a CardDAV account for contacts.
|
||||
file: examples/declarative/declarations/configurations/account.carddav/example1.json
|
||||
|
||||
@@ -37,16 +37,15 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: This payload configures an Exchange ActiveSync account on an iOS device.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this Exchange account. If not present,
|
||||
the system generates a suitable default.
|
||||
- key: EnabledProtocolTypes
|
||||
title: Enabled Protocol Types
|
||||
title: Enabled protocol types
|
||||
type: <array>
|
||||
presence: required
|
||||
content: |-
|
||||
@@ -66,7 +65,7 @@ payloadkeys:
|
||||
- EAS
|
||||
- EWS
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
title: User identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
@@ -74,12 +73,12 @@ payloadkeys:
|
||||
content: The identifier of an asset declaration that contains the user identity
|
||||
for this account. The corresponding asset must be of type `UserIdentity`.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The IP address or fully qualified domain name (FQDN) of the Exchange host.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -90,7 +89,7 @@ payloadkeys:
|
||||
content: The port number of the EWS server. The system uses this only when this
|
||||
declaration has a `HostName` value.
|
||||
- key: Path
|
||||
title: Server Path
|
||||
title: Server path
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -101,7 +100,7 @@ payloadkeys:
|
||||
content: The path of the EWS server. The system uses this only when this declaration
|
||||
has a `HostName` value.
|
||||
- key: ExternalHostName
|
||||
title: Server External Host Name
|
||||
title: Server external host name
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -111,7 +110,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The external hostname of the EWS server (or IP address).
|
||||
- key: ExternalPort
|
||||
title: Server External Port
|
||||
title: Server external port
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -122,7 +121,7 @@ payloadkeys:
|
||||
content: The external port number of the EWS server. The system uses this only when
|
||||
this declaration has a `ExternalHostName` value.
|
||||
- key: External Path
|
||||
title: Server External Path
|
||||
title: Server external path
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -144,6 +143,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: If `true`, enables OAuth for this account.
|
||||
- key: SignInURL
|
||||
title: Sign in URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL that this account uses for signing in with OAuth. The system
|
||||
@@ -151,6 +151,7 @@ payloadkeys:
|
||||
when a declaration contains this URL, so the declaration must also contain a
|
||||
`HostName`.
|
||||
- key: TokenRequestURL
|
||||
title: Token request URL
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -159,7 +160,7 @@ payloadkeys:
|
||||
content: The URL that this account uses for token requests with OAuth. The system
|
||||
ignores this value unless `Enabled` is `true`.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -168,7 +169,7 @@ payloadkeys:
|
||||
this account to authenticate with an Exchange server. Set the corresponding asset
|
||||
type to `CredentialUserNameAndPassword`.
|
||||
- key: AuthenticationIdentityAssetReference
|
||||
title: Authentication Identity Asset Reference
|
||||
title: Authentication identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
@@ -178,7 +179,7 @@ payloadkeys:
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that this account requires to authenticate with the Exchange server.
|
||||
- key: SMIME
|
||||
title: S/MIME Settings
|
||||
title: S/MIME settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
@@ -189,18 +190,18 @@ payloadkeys:
|
||||
content: Settings for S/MIME.
|
||||
subkeys:
|
||||
- key: Signing
|
||||
title: S/MIME Signing Settings
|
||||
title: S/MIME signing settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME signing.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Signing Enabled
|
||||
title: Signing enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables S/MIME signing.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Signing Identity Asset Reference
|
||||
title: S/MIME signing identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
@@ -210,31 +211,31 @@ payloadkeys:
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME signing of messages sent from this account.
|
||||
- key: UserOverrideable
|
||||
title: Signing User Overrideable
|
||||
title: Signing user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can turn S/MIME signing on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Signing Identity User Overrideable
|
||||
title: Signing identity user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can select an S/MIME signing identity in Settings.
|
||||
- key: Encryption
|
||||
title: S/MIME Encryption Settings
|
||||
title: S/MIME encryption settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME encryption.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Encryption By Default Enabled
|
||||
title: Encryption by default enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables S/MIME encryption by default, which the
|
||||
user can't override if `PerMessageSwitchEnabled` is `false`.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Encryption Identity Asset Reference
|
||||
title: S/MIME encryption identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
@@ -247,31 +248,33 @@ payloadkeys:
|
||||
sends encrypted mail, the system uses the public certificate to encrypt the
|
||||
copy of the mail in their Sent mailbox.
|
||||
- key: UserOverrideable
|
||||
title: Encryption By Default User Overrideable
|
||||
title: Encryption by default user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can turn S/MIME encryption by default on or off
|
||||
in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Encryption Identity User Overrideable
|
||||
title: Encryption identity user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can select an S/MIME signing identity in Settings.
|
||||
- key: PerMessageSwitchEnabled
|
||||
title: Per Message Switch Enabled
|
||||
title: Per message switch enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system enables the per-message encryption switch in
|
||||
the compose view.
|
||||
- key: MailServiceActive
|
||||
title: Mail service active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the system activates the mail service for this account.
|
||||
- key: LockMailService
|
||||
title: Lock mail service
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -281,11 +284,13 @@ payloadkeys:
|
||||
content: If `true`, the system prevents the user from changing the status of the
|
||||
mail service for this account.
|
||||
- key: ContactsServiceActive
|
||||
title: Contacts service active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, activates the address book service for this account.
|
||||
- key: LockContactsService
|
||||
title: Lock contacts service
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -295,11 +300,13 @@ payloadkeys:
|
||||
content: If `true`, the system prevents the user from changing the status of the
|
||||
address book service for this account.
|
||||
- key: CalendarServiceActive
|
||||
title: Calendar service active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, activates the calendar service for this account.
|
||||
- key: LockCalendarService
|
||||
title: Lock calendar service
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -309,11 +316,13 @@ payloadkeys:
|
||||
content: If `true`, the system prevents the user from changing the status of the
|
||||
calendar service for this account.
|
||||
- key: RemindersServiceActive
|
||||
title: Reminders service active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the system activates the reminders service for this account.
|
||||
- key: LockRemindersService
|
||||
title: Lock reminders service
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -323,11 +332,13 @@ payloadkeys:
|
||||
content: If `true`, the system prevents the user from changing the status of the
|
||||
reminders service for this account.
|
||||
- key: NotesServiceActive
|
||||
title: Notes service active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the system activates the notes service for this account.
|
||||
- key: LockNotesService
|
||||
title: Lock notes service
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -340,3 +351,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.exchange
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a Microsoft Exchange account.
|
||||
file: examples/declarative/declarations/configurations/account.exchange/example1.json
|
||||
|
||||
@@ -37,18 +37,15 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: A Google configuration defines a Google account for a user. The user will
|
||||
be prompted to enter their credentials shortly after the configuration successfully
|
||||
installs.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this Google account. If not present,
|
||||
the system generates a suitable default.
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
title: User identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
@@ -61,3 +58,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.google
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a Google account.
|
||||
file: examples/declarative/declarations/configurations/account.google/example1.json
|
||||
|
||||
@@ -38,26 +38,25 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: An LDAP configuration defines an LDAP directory account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this LDAP account. If not present,
|
||||
the system generates a suitable default.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hostname or IP address of the LDAP server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number or IP address of the LDAP server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -65,7 +64,7 @@ payloadkeys:
|
||||
content: The identifier of an asset declaration that contains the credentials for
|
||||
this account. Set the corresponding asset type to `CredentialUserNameAndPassword`.
|
||||
- key: SearchSettings
|
||||
title: Search Settings
|
||||
title: Search settings
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The array of nodes to start LDAP searches from. There must be at least
|
||||
@@ -73,17 +72,17 @@ payloadkeys:
|
||||
other items in the array.
|
||||
subkeys:
|
||||
- key: SearchSettingsItem
|
||||
title: An LDAP Search Setting
|
||||
title: An LDAP search setting
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: VisibleDescription
|
||||
title: Visible Description
|
||||
title: Visible description
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The description of this search setting in the Contacts and Settings
|
||||
apps. If not present, the apps display no name.
|
||||
- key: SearchBase
|
||||
title: Search Base
|
||||
title: Search base
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The path to the node where a search starts. For example, `ou=people,o=example
|
||||
@@ -107,3 +106,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.ldap
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up an LDAP directory account.
|
||||
file: examples/declarative/declarations/configurations/account.ldap/example1.json
|
||||
|
||||
@@ -37,16 +37,15 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: An email configuration defines an email account for a user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this mail account. If not present,
|
||||
the system generates a suitable default.
|
||||
- key: UserIdentityAssetReference
|
||||
title: User Identity Asset Reference
|
||||
title: User identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.useridentity
|
||||
@@ -54,13 +53,13 @@ payloadkeys:
|
||||
content: The identifier of an asset declaration that contains the user identity
|
||||
for this account. Set the corresponding asset type to `UserIdentity`.
|
||||
- key: IncomingServer
|
||||
title: Incoming Server Settings
|
||||
title: Incoming server settings
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The settings for the incoming mail server for this account.
|
||||
subkeys:
|
||||
- key: ServerType
|
||||
title: Server Type
|
||||
title: Server type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -68,17 +67,17 @@ payloadkeys:
|
||||
- POP
|
||||
content: The mail protocol this account uses.
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The host name for the incoming mail server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number for the incoming mail server.
|
||||
- key: AuthenticationMethod
|
||||
title: Server Authentication Method
|
||||
title: Server authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -89,7 +88,7 @@ payloadkeys:
|
||||
- HTTPMD5
|
||||
content: The authentication method for the incoming mail server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -99,29 +98,29 @@ payloadkeys:
|
||||
|
||||
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
|
||||
- key: IMAPPathPrefix
|
||||
title: IMAP Path Prefix
|
||||
title: IMAP path prefix
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The path prefix for the IMAP server. The system uses this only when `ServerType`
|
||||
is `IMAP`.
|
||||
- key: OutgoingServer
|
||||
title: Outgoing Server Settings
|
||||
title: Outgoing server settings
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The settings for the outgoing mail server for this account.
|
||||
subkeys:
|
||||
- key: HostName
|
||||
title: Server Host Name
|
||||
title: Server host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The host name for the outgoing mail server.
|
||||
- key: Port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The port number for the outgoing mail server.
|
||||
- key: AuthenticationMethod
|
||||
title: Server Authentication Method
|
||||
title: Server authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -132,7 +131,7 @@ payloadkeys:
|
||||
- HTTPMD5
|
||||
content: The authentication method for the outgoing mail server.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -142,7 +141,7 @@ payloadkeys:
|
||||
|
||||
If the `AuthenticationMethod` is `None`, this field must be blank. Otherwise, the declaration must contain this field.
|
||||
- key: SMIME
|
||||
title: S/MIME Settings
|
||||
title: S/MIME settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
@@ -153,18 +152,18 @@ payloadkeys:
|
||||
content: Settings for S/MIME.
|
||||
subkeys:
|
||||
- key: Signing
|
||||
title: S/MIME Signing Settings
|
||||
title: S/MIME signing settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME signing.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Signing Enabled
|
||||
title: Signing enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables S/MIME signing.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Signing Identity Asset Reference
|
||||
title: S/MIME signing identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
@@ -174,31 +173,31 @@ payloadkeys:
|
||||
content: Specifies the identifier of an asset declaration containing the identity
|
||||
required for S/MIME signing of messages sent from this account.
|
||||
- key: UserOverrideable
|
||||
title: Signing User Overrideable
|
||||
title: Signing user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can turn S/MIME signing on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Signing Identity User Overrideable
|
||||
title: Signing identity user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can select an S/MIME signing identity in Settings.
|
||||
- key: Encryption
|
||||
title: S/MIME Encryption Settings
|
||||
title: S/MIME encryption settings
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for S/MIME encryption.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Encryption By Default Enabled
|
||||
title: Encryption by default enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables S/MIME encryption by default, which the
|
||||
user can't override if `PerMessageSwitchEnabled` is `false`.
|
||||
- key: IdentityAssetReference
|
||||
title: S/MIME Encryption Identity Asset Reference
|
||||
title: S/MIME encryption identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
@@ -211,20 +210,20 @@ payloadkeys:
|
||||
sends encrypted mail, the system uses the public certificate to encrypt the
|
||||
copy of the mail in their Sent mailbox.
|
||||
- key: UserOverrideable
|
||||
title: Encryption By Default User Overrideable
|
||||
title: Encryption by default user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can set the default value for S/MIME encryption
|
||||
to on or off in Settings.
|
||||
- key: IdentityUserOverrideable
|
||||
title: Encryption Identity User Overrideable
|
||||
title: Encryption identity user overrideable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the user can select an S/MIME signing identity in Settings.
|
||||
- key: PerMessageSwitchEnabled
|
||||
title: Per Message Switch Enabled
|
||||
title: Per message switch enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
@@ -236,3 +235,9 @@ related-status-items:
|
||||
- account.list.mail.outgoing
|
||||
note: Each configuration will have a corresponding status item for incoming and
|
||||
outgoing accounts.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up an IMAP email account with SMTP outgoing
|
||||
mail.
|
||||
file: examples/declarative/declarations/configurations/account.mail/example1.json
|
||||
|
||||
@@ -37,11 +37,9 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
content: A subscribed calendar configuration defines a subscribed calendar for a
|
||||
user.
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Account Name
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The name that apps show to the user for this calendar account. If not present,
|
||||
@@ -52,7 +50,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The URL of the subscribed calendar, which needs to start with `https://`.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -64,3 +62,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- account.list.subscribed-calendar
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration subscribes to a calendar feed.
|
||||
file: examples/declarative/declarations/configurations/account.subscribed-calendar/example1.json
|
||||
|
||||
@@ -41,7 +41,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The App Store ID of the managed app that is downloaded from the App Store.
|
||||
The App Store ID of the managed app that's downloaded from the App Store.
|
||||
|
||||
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
|
||||
- key: BundleID
|
||||
@@ -49,7 +49,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The bundle ID of the managed app that is downloaded from the App Store.
|
||||
The bundle ID of the managed app that's downloaded from the App Store.
|
||||
|
||||
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
|
||||
- key: ManifestURL
|
||||
@@ -60,13 +60,11 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The URL of the manifest for the managed app that the device downloads from a web site. The manifest is returned as a `ManifestURL` property list.
|
||||
The URL of the manifest for the managed app that the device downloads from a web site. The manifest is a `ManifestURL` property list.
|
||||
|
||||
Only one of `AppStoreID`, `BundleID`, `ManifestURL`, or `AppComposedIdentifier` needs to be present.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
- key: AppComposedIdentifier
|
||||
title: App Composed Identifier
|
||||
title: App composed identifier
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -77,20 +75,18 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install.
|
||||
A string that specifies the composed identifier of an existing app that needs to be managed. The device uses this to take over management of an app installed by some other process, for example installed manually by the user, or via a package configuration. If the app isn't present when the device applies the configuration, the device takes over management of it when it does install. Management of the app occurs only if its code signature matches the composed identifier.
|
||||
|
||||
The following rules apply when the device takes over management:
|
||||
|
||||
- If the `InstallBehavior.Install` key is set to `Required`, the device takes over management of the app.
|
||||
- If the `InstallBehavior.Install` key is set to `Optional`, the device takes over management of the app when the user "installs" it using an MDM management app.
|
||||
|
||||
The format of the composed identifier is either "Bundle-ID (Team-ID)" or "Bundle-ID {Designated-Requirement}". For example, `com.example.app (ABCD1234)` for the team ID format, or `com.example.app {anchor apple generic}` for the designated requirement format. Management of the app occurs only if its code signature matches the composed identifier.
|
||||
The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format.
|
||||
|
||||
In macOS, only one of `AppStoreID`, `BundleID`, or `AppComposedIdentifier` needs to be present.
|
||||
|
||||
Available only in macOS.
|
||||
- key: iOSApp
|
||||
title: iOS App
|
||||
title: iOS app
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -101,12 +97,10 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, the device installs an iOS or iPadOS app that runs on a Mac with Apple Silicon. This is only used when the app is an App Store app.
|
||||
|
||||
Available only in macOS.
|
||||
content: If `true`, the device installs an iOS or iPadOS app that runs on a Mac
|
||||
with Apple silicon. This is only used when the app is an App Store app.
|
||||
- key: InstallBehavior
|
||||
title: Install Behavior
|
||||
title: Install behavior
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that describes how and when to install the app.
|
||||
@@ -147,7 +141,7 @@ payloadkeys:
|
||||
|
||||
This key needs to be present for App Store apps, when either `AppStoreID` or `BundleID` are present in the configuration.
|
||||
- key: VPPType
|
||||
title: VPP Type
|
||||
title: VPP type
|
||||
supportedOS:
|
||||
iOS:
|
||||
removed: '18.0'
|
||||
@@ -179,7 +173,7 @@ payloadkeys:
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: |-
|
||||
The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`. This key is ignored if the app isn't an App Store app.
|
||||
The App Store external version identifier (EVID) of the version of the app the device installs. You can retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`. This key is ignored if the app isn't an App Store app.
|
||||
|
||||
The following rules apply when the device applies or updates the configuration:
|
||||
|
||||
@@ -196,7 +190,7 @@ payloadkeys:
|
||||
> Note:
|
||||
> The device never installs an older version of the app over a newer version.
|
||||
- key: AllowDownloadsOverCellular
|
||||
title: Allow Downloads Over Cellular
|
||||
title: Allow downloads over cellular
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '26.0'
|
||||
@@ -221,10 +215,8 @@ payloadkeys:
|
||||
- `StoreSettings`: The device uses the settings for the corresponding store when downloading apps.
|
||||
|
||||
The device always uses the store settings to download apps when the install or update operation is user initiated.
|
||||
|
||||
Available only in iOS.
|
||||
- key: UpdateBehavior
|
||||
title: Update Behavior
|
||||
title: Update behavior
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '26.0'
|
||||
@@ -237,7 +229,7 @@ payloadkeys:
|
||||
content: A dictionary that specifies how the device updates apps.
|
||||
subkeys:
|
||||
- key: AutomaticAppUpdates
|
||||
title: Automatic App Updates
|
||||
title: Automatic app updates
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -251,35 +243,29 @@ payloadkeys:
|
||||
- `AlwaysOff`: The device never automatically updates the app.
|
||||
- `StoreSettings`: The device uses the settings for the corresponding store to determine when to automatically update the app. For Enterprise apps, this setting behaves the same as `AlwaysOff`.
|
||||
|
||||
When the `InstallBehavior.Version` key is specified, the device ignores this key and Automatic App Updates are disabled.
|
||||
When you specify the `InstallBehavior.Version` key, the device ignores this key and Automatic App Updates are disabled.
|
||||
|
||||
In macOS, the device ignores this setting if the `AppComposedIdentifier` key is set in the configuration.
|
||||
- key: IncludeInBackup
|
||||
title: Include in Backup
|
||||
title: Include in backup
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: |-
|
||||
If `true`, backups contain the app and its data.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
content: If `true`, backups contain the app and its data.
|
||||
- key: Attributes
|
||||
title: App Attributes
|
||||
title: App attributes
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary of values to associate with the app.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
content: A dictionary of values to associate with the app.
|
||||
subkeys:
|
||||
- key: AssociatedDomains
|
||||
title: Associated Domains
|
||||
title: Associated domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of domain names to associate with the app.
|
||||
@@ -290,13 +276,13 @@ payloadkeys:
|
||||
presence: required
|
||||
content: A domain to be associated with the app.
|
||||
- key: AssociatedDomainsEnableDirectDownloads
|
||||
title: Associated Domains Enable Direct Downloads
|
||||
title: Associated domains enable direct downloads
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system enables direct downloads for the `AssociatedDomains`.
|
||||
- key: CellularSliceUUID
|
||||
title: Cellular Slice UUID
|
||||
title: Cellular slice UUID
|
||||
supportedOS:
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
@@ -307,12 +293,12 @@ payloadkeys:
|
||||
carrier-provided DNN name. For app category, encode the value as "AppCategory:category",
|
||||
where "category" is a carrier-provided string such as "Enterprise1".
|
||||
- key: ContentFilterUUID
|
||||
title: Content Filter UUID
|
||||
title: Content filter UUID
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The UUID of the content filter to associate with the app.
|
||||
- key: DNSProxyUUID
|
||||
title: DNS Proxy UUID
|
||||
title: DNS proxy UUID
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The UUID of the DNS proxy to associate with the app.
|
||||
@@ -347,7 +333,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The UUID of the relay to associate with the app.
|
||||
- key: TapToPayScreenLock
|
||||
title: Tap to Pay Screen Lock
|
||||
title: Tap to pay screen lock
|
||||
supportedOS:
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
@@ -362,22 +348,19 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The UUID of the VPN to associate with the app.
|
||||
- key: AppConfig
|
||||
title: App Config
|
||||
title: App config
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '18.4'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary of app config data and credentials.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
content: A dictionary of app config data and credentials.
|
||||
subkeytype: AppConfigDictionary
|
||||
subkeys: &id001
|
||||
- key: DataAssetReference
|
||||
title: App/Extension Config Data Asset Reference
|
||||
title: App/Extension config data asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
@@ -392,7 +375,7 @@ payloadkeys:
|
||||
type `com.apple.asset.data`. The referenced data needs to be a property list
|
||||
file, and the asset's "ContentType" value set to match the data type.
|
||||
- key: Passwords
|
||||
title: Password App/Extension Configs.
|
||||
title: Password App/Extension configs.
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: Provides passwords to the managed app or extension. Each element in the
|
||||
@@ -401,19 +384,20 @@ payloadkeys:
|
||||
subkeytype: CredentialConfig
|
||||
subkeys:
|
||||
- key: PasswordAppConfigItem
|
||||
title: Password app config item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary of values associated with a credential config.
|
||||
subkeys:
|
||||
- key: Identifier
|
||||
title: Password Identifier
|
||||
title: Password identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The app or extension uses this identifier to fetch the corresponding
|
||||
password using the `ManagedApp` framework. App developers define the values
|
||||
for these identifiers.
|
||||
- key: AssetReference
|
||||
title: Asset Reference
|
||||
title: Asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -422,7 +406,7 @@ payloadkeys:
|
||||
and password. The `ManagedApp` framework makes the password available to
|
||||
the app or extension. The `ManagedApp` framework ignores the username.
|
||||
- key: Identities
|
||||
title: Identity App/Extension Configs.
|
||||
title: Identity App/Extension configs.
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: Provides identities to the managed app or extension. Each element in
|
||||
@@ -431,19 +415,20 @@ payloadkeys:
|
||||
subkeytype: CredentialConfig
|
||||
subkeys:
|
||||
- key: IdentityAppConfigItem
|
||||
title: Identity app config item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary of values associated with a credential config.
|
||||
subkeys:
|
||||
- key: Identifier
|
||||
title: Identity Identifier
|
||||
title: Identity identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The app or extension uses this identifier to fetch the corresponding
|
||||
identity using the `ManagedApp` framework. App developers define the values
|
||||
for these identifiers.
|
||||
- key: AssetReference
|
||||
title: Asset Reference
|
||||
title: Asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
@@ -452,7 +437,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: Specifies the identifier of an asset declaration containing an identity.
|
||||
- key: Certificates
|
||||
title: Certificate App/Extension Configs.
|
||||
title: Certificate App/Extension configs.
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: Provides certificates to the managed app or extension. Each element in
|
||||
@@ -461,53 +446,53 @@ payloadkeys:
|
||||
subkeytype: CredentialConfig
|
||||
subkeys:
|
||||
- key: CertificateAppConfigItem
|
||||
title: Certificate app config item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary of values associated with a credential config.
|
||||
subkeys:
|
||||
- key: Identifier
|
||||
title: Certificate Identifier
|
||||
title: Certificate identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The app or extension uses this identifier to fetch the corresponding
|
||||
certificate using the `ManagedApp` framework. App developers define the
|
||||
values for these identifiers.
|
||||
- key: AssetReference
|
||||
title: Asset Reference
|
||||
title: Asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
presence: required
|
||||
content: Specifies the identifier of an asset declaration containing a certificate.
|
||||
- key: ExtensionConfigs
|
||||
title: Extension Configs
|
||||
title: Extension configs
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '18.4'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary of extension config data and credentials.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
content: A dictionary of extension config data and credentials.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
title: Extension Composed Identifier
|
||||
title: Extension composed identifier
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary mapping extension composed identifiers to the extension
|
||||
config data and credentials. The expected format is "Identifier (TeamIdentifier)".
|
||||
content: |-
|
||||
A dictionary mapping extension composed identifiers to the extension config data and credentials.
|
||||
|
||||
The format of the composed identifier is either "Bundle-ID" or "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. For example, "com.example.app" for the bundle ID format, or "com.example.app (ABCD1234)" for the team ID format.
|
||||
subkeytype: AppConfigDictionary
|
||||
subkeys: *id001
|
||||
- key: LegacyAppConfigAssetReference
|
||||
title: App Config MDMv1 Asset Reference
|
||||
title: App config MDMv1 asset reference
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '18.4'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
introduced: '27.0'
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
@@ -520,9 +505,26 @@ payloadkeys:
|
||||
content: |-
|
||||
The identifier of an asset declaration containing a reference to the app config data. The device provides the app config data to the app using the MDMv1 behavior. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType"
|
||||
value set to match the data type.
|
||||
|
||||
Available only in iOS and visionOS.
|
||||
related-status-items:
|
||||
- status-items:
|
||||
- app.managed.list
|
||||
note: Each configuration has a corresponding status item.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: App Store
|
||||
description: This configuration installs an App Store app with `Required` install
|
||||
behavior and a device license.
|
||||
file: examples/declarative/declarations/configurations/app.managed/example1.json
|
||||
- tab: Enterprise
|
||||
description: This configuration installs an enterprise app with app attributes,
|
||||
cellular downloads disallowed, and an update policy.
|
||||
file: examples/declarative/declarations/configurations/app.managed/example2.json
|
||||
- tab: Packaged
|
||||
description: This configuration manages an app installed by a package using a
|
||||
composed identifier to identify the app.
|
||||
file: examples/declarative/declarations/configurations/app.managed/example3.json
|
||||
- tab: Configuration
|
||||
description: This configuration installs an enterprise app with declarative app
|
||||
configuration for the app and an extension.
|
||||
file: examples/declarative/declarations/configurations/app.managed/example4.json
|
||||
|
||||
@@ -0,0 +1,361 @@
|
||||
title: App:Settings
|
||||
description: The declaration to configure app settings.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.app.settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: Allowed
|
||||
title: Allowed apps
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary of allowed app settings.
|
||||
subkeys:
|
||||
- key: AllowedApps
|
||||
title: Allowed apps
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-intersection
|
||||
content: If present, the device only shows or launches apps with bundle IDs in
|
||||
the array. Include the value `com.apple.webapp` to allow all webclips. This
|
||||
applies to App Store apps, marketplace apps, and locally installed apps (using
|
||||
Configurator, Xcode, and so forth).
|
||||
subkeys: &id001
|
||||
- key: AppIdentifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: String containing an identifier to match an app.
|
||||
- key: DeniedApps
|
||||
title: Denied apps
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
content: |-
|
||||
If present, the device prevents showing or launching apps with bundle IDs in the
|
||||
array. Include the value `com.apple.webapp` to restrict all webclips. This applies to
|
||||
App Store apps, marketplace apps, and locally installed apps (using Configurator,
|
||||
Xcode, and so forth).
|
||||
> Note:
|
||||
> Denying system apps may disable other functionality. For example, denying the App
|
||||
Store app may prevent users from accepting the terms and conditions for the user-based
|
||||
Volume Purchase Program (VPP).
|
||||
subkeys: *id001
|
||||
- key: AllowedBinaries
|
||||
title: Allowed binaries
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-intersection
|
||||
content: If present, the device only allows binaries that match the binary identifier
|
||||
properties to run. A binary only matches when all the binary identifiers match.
|
||||
The device always runs system critical processes. Use "codesign -dvvv <path_to_binary>"
|
||||
to show the information you need to generate these values.
|
||||
subkeys: &id002
|
||||
- key: BinaryIdentifier
|
||||
title: Binary identifier
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: Dictionary containing one or more identifier fields to match a binary.
|
||||
subkeys:
|
||||
- key: CDHash
|
||||
title: Code directory hash
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The code signature code directory hash of the binary.
|
||||
- key: SigningID
|
||||
title: Signing ID
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The code signature signing identifier of the binary.
|
||||
- key: TeamID
|
||||
title: Team ID
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The code signature team identifier of the binary. Use the value "*APPLE*"
|
||||
instead of an empty string for Apple binaries with an empty team identifier.
|
||||
- key: PathPrefix
|
||||
title: Path prefix
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The file system path prefix to match binaries.
|
||||
- key: SigningState
|
||||
title: Signing state
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- All
|
||||
- TestFlight
|
||||
- DeveloperID
|
||||
- Enterprise
|
||||
- AppStore
|
||||
- Apple
|
||||
default: All
|
||||
combinetype: enum-last
|
||||
content: The code signing state to match binaries.
|
||||
- key: DeniedBinaries
|
||||
title: Denied binaries
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
content: If present, the device doesn't allow binaries that match the binary identifier
|
||||
properties to run. A binary only matches when all the binary identifiers match.
|
||||
subkeys: *id002
|
||||
- key: AlwaysAllowManagedApps
|
||||
title: Always allow managed apps
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
combinetype: boolean-or
|
||||
content: If `true`, the device implicitly includes managed apps in the effective
|
||||
allow list when `AllowedApps` or `AllowedBinaries` is present.
|
||||
- key: Privacy
|
||||
title: App privacy
|
||||
supportedOS:
|
||||
macOS:
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary of app settings.
|
||||
subkeys:
|
||||
- key: PermissionDefaults
|
||||
title: App privacy permission defaults
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
The dictionary of app privacy permission defaults. Each key in the dictionary is an app identifier. The dictionary values represent the permission defaults that the device applies for each matching app.
|
||||
|
||||
In iOS, the app identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the app identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the app. "Team-ID" is the team identifier from the app's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the app. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format. The device only applies defaults for an app if its code signature matches the composed identifier.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary that defines the app privacy permission defaults. Each
|
||||
key is an app identifier.
|
||||
subkeytype: AppDictionary
|
||||
subkeys:
|
||||
- key: OrganizationJustification
|
||||
title: Organization justification
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Text you provide that clearly explains to the user the reason why
|
||||
the organization requires these app permission defaults. The device includes
|
||||
this text in the permission consent prompt it displays when it launches
|
||||
the app.
|
||||
- key: Accessibility
|
||||
title: Accessibility permission
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of accessibility.
|
||||
* `Allow`: The app privacy permission default is set to allow use of accessibility.
|
||||
- key: Bluetooth
|
||||
title: Bluetooth permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of Bluetooth.
|
||||
* `Allow`: The app privacy permission default is set to allow use of Bluetooth.
|
||||
- key: Camera
|
||||
title: Camera permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of the camera.
|
||||
* `Allow`: The app privacy permission default is set to allow use of the camera.
|
||||
- key: Dictation
|
||||
title: Dictation permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of dictation.
|
||||
* `Allow`: The app privacy permission default is set to allow use of dictation.
|
||||
- key: LocalNetwork
|
||||
title: Local network permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of the local network.
|
||||
* `Allow`: The app privacy permission default is set to allow use of the local network.
|
||||
- key: Location
|
||||
title: Location permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- WhileUsing
|
||||
- Always
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for access to location.
|
||||
* `WhileUsing`: The app privacy permission default is set to allow access to location only while the user is using the app In macOS, this is equivalent to `Always`.
|
||||
* `Always`: The app privacy permission default is set to allow access to location always.
|
||||
- key: LocationAccuracy
|
||||
title: Location accuracy permission
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Approximate
|
||||
- Precise
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for access to precise location.
|
||||
* `Approximate`: The app privacy permission default is set to allow approximate access to location.
|
||||
* `Precise`: The app privacy permission default is set to allow precise access to location.
|
||||
- key: Microphone
|
||||
title: Microphone permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an app privacy permission default is set.
|
||||
* `None`: No app privacy permission default is set for use of the microphone.
|
||||
* `Allow`: The app privacy permission default is set to allow use of the microphone.
|
||||
notes:
|
||||
- title: Binary identifier rules
|
||||
content: |-
|
||||
The following combinations of binary identifiers are supported for each key:
|
||||
|
||||
* `AllowedBinaries`:
|
||||
* Either `CDHash` or `TeamID` needs to be present.
|
||||
* `SigningID`, `PathPrefix`, or `SigningState` may be present.
|
||||
* `DeniedBinaries`:
|
||||
* Either `CDHash` or `TeamID` or `SigningID` needs to be present.
|
||||
* `PathPrefix` or `SigningState` may be present.
|
||||
- title: Privacy permission defaults
|
||||
content: |-
|
||||
Privacy permission defaults allow an organization to suggest a set of privacy permissions for use with an app. When set, the app displays a consent prompt listing all the configured defaults. If the user accepts, the device applies those defaults for the app. If the user declines, no defaults are set and the device prompts the user in the normal way when the app requires permission.
|
||||
|
||||
The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt:
|
||||
|
||||
* `Allow`: this option sets the app privacy permissions for the specified sub-systems (camera, microphone, and so on) to "Allow". The device doesn't prompt the user when the app uses the sub-system.
|
||||
* `Not Now`: this option ignores the app privacy permission defaults for the specified sub-systems (camera, microphone, and so on). The device prompts the user in the normal way when the app uses the sub-system.
|
||||
|
||||
The user can change the app permission privacy settings in Settings.app if they choose.
|
||||
|
||||
Only AppKit-based apps on macOS support this feature.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Allow various permission defaults for several apps in iOS
|
||||
description: This configuration sets various privacy permission defaults for several
|
||||
apps.
|
||||
file: examples/declarative/declarations/configurations/app.settings/example1.json
|
||||
- tab: Allow various permission defaults for several apps in macOS
|
||||
description: This configuration sets various privacy permission defaults for several
|
||||
apps.
|
||||
file: examples/declarative/declarations/configurations/app.settings/example2.json
|
||||
@@ -23,7 +23,7 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: TemporaryPairing
|
||||
title: Temporary Pairing
|
||||
title: Temporary pairing
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that describes audio accessory temporary pairing behavior.
|
||||
@@ -32,14 +32,14 @@ payloadkeys:
|
||||
when temporary pairing is active.
|
||||
subkeys:
|
||||
- key: Disabled
|
||||
title: Temporary Pairing Disabled
|
||||
title: Temporary pairing disabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
combinetype: boolean-or
|
||||
content: If `true`, temporary pairing of audio accessories is disabled.
|
||||
- key: Configuration
|
||||
title: Temporary Pairing Configuration
|
||||
title: Temporary pairing configuration
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
combinetype: first
|
||||
@@ -47,14 +47,14 @@ payloadkeys:
|
||||
if `Disabled` isn't present or is `false`.
|
||||
subkeys:
|
||||
- key: UnpairingTime
|
||||
title: Temporary Pairing Unpairing Time
|
||||
title: Temporary pairing unpairing time
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary that describes when the device automatically unpairs temporarily
|
||||
paired audio accessories.
|
||||
subkeys:
|
||||
- key: Policy
|
||||
title: Unpairing Policy
|
||||
title: Unpairing policy
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -65,7 +65,7 @@ payloadkeys:
|
||||
- `None`: The device doesn't automatically unpair. Use this only with a return to service device that you erase and reenroll when assigning it from one user to another.
|
||||
- `Hour`: The device automatically unpairs temporarily paired audio accessories at the local time that the `Hour` key specifies.
|
||||
- key: Hour
|
||||
title: Hour of Unpairing
|
||||
title: Hour of unpairing
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -81,3 +81,9 @@ notes:
|
||||
|
||||
- Pair and use audio accessories - the device records the pairing and synchronizes it to their iCloud account.
|
||||
- Use the audio accessory AirPods Sharing feature.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration enables temporary pairing and sets an unpairing
|
||||
time of 6 pm.
|
||||
file: examples/declarative/declarations/configurations/audio-accessory.settings/example1.json
|
||||
|
||||
@@ -0,0 +1,328 @@
|
||||
title: Content Caching
|
||||
description: The declaration to configure the Content Caching service.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.content-cache.settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: single
|
||||
payloadkeys:
|
||||
- key: AllowCacheDelete
|
||||
title: Allow cache delete
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the system purges content from the cache automatically when
|
||||
it needs disk space for other apps when free disk space runs low on the computer.
|
||||
Set to `false` to maximize effectiveness of Content Caching.
|
||||
- key: AllowPersonalCaching
|
||||
title: Allow personal caching
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: |-
|
||||
If `true`, the system caches the user's iCloud data. Changes to this value don't have an immediate effect. Clients may take some time to react to changes.
|
||||
|
||||
> Note:
|
||||
> At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`.
|
||||
- key: AllowSharedCaching
|
||||
title: Allow shared caching
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: |-
|
||||
If `true`, the system caches non-iCloud content, such as apps and software updates. Changes to this value don't have an immediate effect. Clients may take some time to react to changes.
|
||||
|
||||
> Note:
|
||||
> At least one of the `AllowPersonalCaching` or `AllowSharedCaching` keys need to be `true`.
|
||||
- key: AutoActivation
|
||||
title: Auto activation
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, the system automatically activates the content cache when possible and prevents disabling it. If `allowContentCaching` is `false`, `AutoActivation` is also `false`.
|
||||
|
||||
Removing a profile that set `AutoActivation` to `true` doesn't deactivate the Content Cache.
|
||||
- key: AutoEnableTetheredCaching
|
||||
title: Auto enable tethered caching
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system automatically enables Internet connection sharing
|
||||
when possible and prevent disabling Internet connection sharing. `DenyTetheredCaching`
|
||||
overrides `AutoEnableTetheredCaching`. Tethered caching requires Content Caching.
|
||||
- key: CacheLimit
|
||||
title: Cache limit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 0
|
||||
content: The maximum number of bytes of disk space to use for the content cache.
|
||||
Set to `0` for unlimited disk space. Also serves as the upper bound to the `PersonalCacheLimit`.
|
||||
- key: DataPath
|
||||
title: Data path
|
||||
type: <string>
|
||||
presence: optional
|
||||
default: /Library/Application Support/Apple/AssetCache/Data
|
||||
content: |-
|
||||
The path to the directory used to store cached content. Changing this setting manually doesn't automatically move cached content from the old location to the new one. To move content automatically, use the Sharing preference's Content Caching pane. The value must be (or end with) `/Library/Application Support/Apple/AssetCache/Data`.
|
||||
|
||||
The system creates a directory and its intermediates for the given data path if it doesn't already exist. The directory is owned by `_assetcache:_assetcache` and has mode 0750. Its immediate parent directory (`.../Library/Application Support/Apple/AssetCache`) is owned by `_assetcache:_assetcache` and has mode `0755`.
|
||||
- key: DenyActivation
|
||||
title: Deny activation
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables Content Caching. This is the inverse of
|
||||
the `allowContentCaching` restriction in MDM. It overrides the `AutoActivation`
|
||||
key. Use this key to prevent launching the Content Caching service.
|
||||
- key: DenyTetheredCaching
|
||||
title: Deny tethered caching
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables tethered caching.
|
||||
- key: DeclarativeStatusInterval
|
||||
title: Declarative status interval
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 300
|
||||
max: 86400
|
||||
default: 0
|
||||
content: The time interval in seconds the system uses to update the `StatusContentCacheInfo`
|
||||
declarative status item. The reporting interval can't be less than 60 (1 per minute)
|
||||
or larger than 86400 (1 per day), defaults to 0 (off)
|
||||
- key: DisplayAlerts
|
||||
title: Display alerts
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, Content Caching displays exceptional conditions (alerts) as
|
||||
system notifications in the upper corner of the screen.
|
||||
- key: KeepAwake
|
||||
title: Keep awake
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system prevents the computer from sleeping as long as Content
|
||||
Caching is on (System Preferences > Sharing > Content Caching is on). Customers
|
||||
who want Content Caching to be as available as much as possible should turn this
|
||||
setting on.
|
||||
- key: ListenRanges
|
||||
title: Listen ranges
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that describe a range of client IP addresses to
|
||||
serve.
|
||||
subkeytype: RangesItem
|
||||
subkeys: &id001
|
||||
- key: RangesItem
|
||||
title: Ranges item
|
||||
type: <dictionary>
|
||||
content: A range of IP addresses to cache.
|
||||
subkeys:
|
||||
- key: type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- IPv4
|
||||
- IPv6
|
||||
default: IPv4
|
||||
content: The IP address type.
|
||||
- key: first
|
||||
title: First
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The first IP address in the range.
|
||||
- key: last
|
||||
title: Last
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The last IP address in the range.
|
||||
- key: ListenRangesOnly
|
||||
title: Listen ranges only
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the content cache provides content to the clients in the `ListenRanges`.
|
||||
- key: ListenWithPeersAndParents
|
||||
title: Listen with peers and parents
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the content cache provides content to the clients in the union
|
||||
of the `ListenRanges`, `PeerListenRanges` and `Parents`.
|
||||
- key: LocalSubnetsOnly
|
||||
title: Local subnets only
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the content cache offers content to clients only on the same
|
||||
immediate local network only. The content cache offers no content to clients on
|
||||
other networks reachable by the content cache. If `LocalSubnetsOnly` is `true`,
|
||||
the system ignores `ListenRanges`.
|
||||
- key: LogClientIdentity
|
||||
title: Log client identity
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the Content Cache logs the IP address and port number of the
|
||||
clients that request content.
|
||||
- key: Parents
|
||||
title: Parents
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of the local IP addresses of other content caches that this cache
|
||||
should download from or upload to, instead of downloading from or uploading to
|
||||
Apple directly. The system ignores invalid addresses and addresses of computers
|
||||
that aren't content caches. The system skips Parent caches that become unavailable.
|
||||
If all parent content caches become unavailable, the content cache downloads from
|
||||
or uploads to Apple directly, until a parent content cache becomes available again.
|
||||
subkeys:
|
||||
- key: ParentsItem
|
||||
type: <string>
|
||||
presence: required
|
||||
content: An IP address.
|
||||
- key: ParentSelectionPolicy
|
||||
title: Parent selection policy
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- first-available
|
||||
- url-path-hash
|
||||
- random
|
||||
- round-robin
|
||||
- sticky-available
|
||||
default: round-robin
|
||||
content: |-
|
||||
The policy to implement when choosing among more than one configured parent content cache. With every policy, the system skips parent caches that are temporarily unavailable. Allowed values:
|
||||
|
||||
- `first-available`: Always use the first available parent in the Parents list. Use this policy to designate permanent primary, secondary, and subsequent parents.
|
||||
- `url-path-hash`: Hash the path part of the requested URL so that the same parent is always used for the same URL. This is useful for maximizing the size of the combined caches of the parents.
|
||||
- `random`: Choose a parent at random. Use this policy for load balancing.
|
||||
- `round-robin`: Rotate through the parents in order. Use this policy for load balancing.
|
||||
- `sticky-available`: Use the first available parent in the Parents list until it becomes unavailable, then advance to the next one. Use this policy for designating floating primary, secondary, and subsequent parents.
|
||||
- key: PeerFilterRanges
|
||||
title: Peer filter ranges
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries describing a range of peer IP addresses that the
|
||||
content cache uses to filter its list of peers to query for content. The content
|
||||
cache only queries peers in `PeerFilterRanges`. When `PeerFilterRanges` is an
|
||||
empty array, the content cache doesn't query any peers.
|
||||
subkeytype: RangesItem
|
||||
subkeys: *id001
|
||||
- key: PeerListenRanges
|
||||
title: Peer listen ranges
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries describing a range of peer IP addresses the content
|
||||
cache responds to. When `PeerListenRanges` is an empty array, the content cache
|
||||
responds with an error to all cache queries.
|
||||
subkeytype: RangesItem
|
||||
subkeys: *id001
|
||||
- key: PeerLocalSubnetsOnly
|
||||
title: Peer local subnets only
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the content cache only peers with other content caches on the
|
||||
same immediate local network, rather than with content caches that use the same
|
||||
public IP address as the device. When `PeerLocalSubnetsOnly` is `true`, it overrides
|
||||
the configuration of `PeerFilterRanges` and `PeerListenRanges`. If the network
|
||||
changes, the local network peering restrictions update appropriately. If `false`,
|
||||
the content cache defers to `PeerFilterRanges` and `PeerListenRanges` for configuring
|
||||
the peering restrictions.
|
||||
- key: PersonalCacheLimit
|
||||
title: Personal cache limit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 0
|
||||
content: The maximum number of bytes of disk space to use for the personal content
|
||||
cache. The content cache limits the maximum value to the `CacheLimit` value. Set
|
||||
to `0` to use the overall `CacheLimit`.
|
||||
- key: Port
|
||||
title: Port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 0
|
||||
content: The TCP port number on which the content cache accepts requests for uploads
|
||||
or downloads. Set to `0` to pick a random, available port.
|
||||
- key: PublicRanges
|
||||
title: Public ranges
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries describing a range of public IP addresses that
|
||||
the cloud servers should use for matching clients to content caches.
|
||||
subkeytype: RangesItem
|
||||
subkeys: *id001
|
||||
- key: ManagementStatusTarget
|
||||
title: Management status target
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The target URL the system uses to send management statistics using an HTTP
|
||||
PUT request with a json dictionary as the payload. If the URL is an https URL
|
||||
(recommended) the `ManagementSecurityConfig` defines how the system secures the
|
||||
connection. The system sends the management statistics report to the target URL
|
||||
at an interval set by the `ManagementReportingInterval` value.
|
||||
- key: ManagementSecurityConfig
|
||||
title: Management security config
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- no-cert
|
||||
- signedByCACert
|
||||
- specificServerCert
|
||||
default: no-cert
|
||||
content: |-
|
||||
If the `ManagementStatusTarget` is an https URL, the system uses this field to determine how the connection is secured.
|
||||
|
||||
- `no-cert`: The system uses regular https processing using the built-in anchor certificates.
|
||||
- `signedByCACert`: The system requires the https connection's certificate to be signed by the certificate provided in the `ManagementStatusCertificateReference` field. If your organization has a CA infrastructure this is the best choice.
|
||||
- `specificServerCert`: The system requires the https connection's certificate to match the certificate provided in the `ManagementStatusCertificateReference` field.
|
||||
- key: ManagementReportingInterval
|
||||
title: Management reporting interval
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 60
|
||||
max: 86400
|
||||
default: 300
|
||||
content: The reporting interval in seconds the system uses when `ManagementStatusTarget`
|
||||
is present. The reporting interval can't be less than 60 (1 per minute) or larger
|
||||
than 86400 (1 per day), and defaults to 300 (1 per 5 min).
|
||||
- key: ManagementStatusCertificateReference
|
||||
title: Management status certificate reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the certificate the
|
||||
system uses to verify the security of the status reporting https connection. Required
|
||||
when `ManagementSecurityConfig` is set to `signedByCACert` or `specificServerCert`.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Basic caching
|
||||
description: This configuration enables content caching for both personal and
|
||||
shared content with automatic activation.
|
||||
file: examples/declarative/declarations/configurations/content-cache.settings/example1.json
|
||||
- tab: Advanced caching
|
||||
description: This configuration sets up content caching with a parent cache server,
|
||||
a restricted listen range, and a fixed port.
|
||||
file: examples/declarative/declarations/configurations/content-cache.settings/example2.json
|
||||
@@ -21,12 +21,13 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: Restrictions
|
||||
title: Restrictions
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The restrictions for the disk.
|
||||
subkeys:
|
||||
- key: ExternalStorage
|
||||
title: External Storage
|
||||
title: External storage
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -37,11 +38,11 @@ payloadkeys:
|
||||
content: |-
|
||||
Specifies the mount policy for external storage:
|
||||
|
||||
- `Allowed`: The system can mount external storage that is read-write or read-only.
|
||||
- `ReadOnly`: The system can only mount read-only external storage. Note that external storage that is read-write will not be mounted read-only.
|
||||
- `Allowed`: The system can mount external storage that's read-write or read-only.
|
||||
- `ReadOnly`: The system can only mount read-only external storage. Note that external storage that's read-write won't be mounted read-only.
|
||||
- `Disallowed`: The system can't mount any external storage.
|
||||
- key: NetworkStorage
|
||||
title: Network Storage
|
||||
title: Network storage
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -52,6 +53,12 @@ payloadkeys:
|
||||
content: |-
|
||||
Specifies the mount policy for network storage:
|
||||
|
||||
- `Allowed`: The system can mount network storage that is read-write or read-only.
|
||||
- `ReadOnly`: The system can only mount read-only network storage. Note that network storage that is read-write will not be mounted read-only.
|
||||
- `Allowed`: The system can mount network storage that's read-write or read-only.
|
||||
- `ReadOnly`: The system can only mount read-only network storage. Note that network storage that's read-write won't be mounted read-only.
|
||||
- `Disallowed`: The system can't mount any network storage.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration prevents the use of external and network storage
|
||||
devices.
|
||||
file: examples/declarative/declarations/configurations/diskmanagement.settings/example1.json
|
||||
|
||||
@@ -0,0 +1,570 @@
|
||||
title: Extensible SSO
|
||||
description: The declaration to configure Extensible Single Sign-On.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.extensible-sso
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: ExtensionComposedIdentifier
|
||||
title: Extension composed identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension.
|
||||
|
||||
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app.sso-extension".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID (Team-ID)". "Bundle-ID" is the bundle identifier string of the app extension. "Team-ID" is the team identifier from the app extension's code signature. For example, "com.example.app.sso-extension (ABCD1234)".
|
||||
- key: Type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Credential
|
||||
- Redirect
|
||||
content: The type of SSO.
|
||||
- key: Realm
|
||||
title: Realm
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The realm name for `Credential` payloads. Use proper capitalization for
|
||||
this value. Ignored for `Redirect` payloads.
|
||||
- key: ExtensionData
|
||||
title: Extension data
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary of arbitrary data passed through to the app extension.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <any>
|
||||
presence: optional
|
||||
content: Keys and values to pass to the app extension.
|
||||
- key: URLs
|
||||
title: URLs
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of URL prefixes of identity providers where the app extension performs SSO.
|
||||
|
||||
Required for `Redirect` payloads. Ignored for `Credential` payloads.
|
||||
|
||||
The URLs need to begin with `http://` or `https://`.
|
||||
|
||||
The system:
|
||||
|
||||
- Matches scheme and host name case-insensitively
|
||||
- Doesn't allow query parameters and URL fragments
|
||||
- Requires that the URLs of all installed Extensible SSO payloads are unique
|
||||
subkeys:
|
||||
- key: URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: An http or https URL prefix.
|
||||
- key: Hosts
|
||||
title: Hosts
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of host or domain names that apps can authenticate through the app extension.
|
||||
|
||||
Required for `Credential` payloads. Ignored for `Redirect` payloads.
|
||||
|
||||
The system:
|
||||
|
||||
- Matches host or domain names case-insensitively
|
||||
- Requires that all the host and domain names of all installed Extensible SSO payloads are unique
|
||||
|
||||
> Note:
|
||||
> Host names that begin with a "." are wildcard suffixes that match all subdomains; otherwise the host name needs be an exact match.
|
||||
subkeys:
|
||||
- key: hostname
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A host or domain name, with or without a leading dot.
|
||||
- key: DeniedBundleIdentifiers
|
||||
title: Denied bundle identifiers
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of bundle identifiers of apps that don't use SSO provided by this
|
||||
extension.
|
||||
subkeys:
|
||||
- key: bundleIdentifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The bundle identifier of the app.
|
||||
- key: ScreenLockedBehavior
|
||||
title: Screen locked behavior
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Cancel
|
||||
- DoNotHandle
|
||||
default: Cancel
|
||||
content: If set to `Cancel`, the system cancels authentication requests when the
|
||||
screen is locked. If set to `DoNotHandle`, the request continues without SSO instead.
|
||||
This doesn't apply to requests where `userInterfaceEnabled` is `false`, or for
|
||||
background `URLSession` requests.
|
||||
- key: PlatformSSO
|
||||
title: Platform SSO
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to configure Platform SSO.
|
||||
subkeys:
|
||||
- key: AuthenticationMethod
|
||||
title: Authentication method
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Password
|
||||
- UserSecureEnclaveKey
|
||||
- SmartCard
|
||||
- OpenID
|
||||
content: The Platform SSO authentication method to use with the extension. Requires
|
||||
that the SSO Extension also support the method.
|
||||
- key: RegistrationToken
|
||||
title: Registration token
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The token this device uses for registration with Platform SSO. Use it
|
||||
for silent registration with the Identity Provider. Requires that `AuthenticationMethod`
|
||||
in `PlatformSSO` isn't empty.
|
||||
- key: UseSharedDeviceKeys
|
||||
title: Use shared device keys
|
||||
supportedOS:
|
||||
macOS:
|
||||
allowed-scopes:
|
||||
- system
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system uses the same signing and encryption keys for all
|
||||
users.
|
||||
- key: LoginFrequency
|
||||
title: Login frequency
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 3600
|
||||
default: 64800
|
||||
content: The duration, in seconds, until the system requires a full login instead
|
||||
of a refresh. The default value is 64,800 (18 hours). The minimum value is 3600
|
||||
(1 hour).
|
||||
- key: AllowDeviceIdentifiersInAttestation
|
||||
title: Allow device identifiers in attestation
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system includes the device UDID and serial number in Platform
|
||||
SSO attestations.
|
||||
- key: Account
|
||||
title: Account
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Account display and profile settings.
|
||||
subkeys:
|
||||
- key: DisplayName
|
||||
title: Display name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The display name for the account in notifications and authentication
|
||||
requests.
|
||||
- key: SynchronizeProfilePicture
|
||||
title: Synchronize profile picture
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system requests the user's profile picture from the
|
||||
SSO extension.
|
||||
- key: UserCreation
|
||||
title: User creation
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for creating new users via Platform SSO.
|
||||
subkeys:
|
||||
- key: EnableAtLogin
|
||||
title: Enable at login
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Enables creating users at the Login Window with an `AuthenticationMethod`
|
||||
of either `Password` or `SmartCard`. Requires that `UseSharedDeviceKeys` is
|
||||
`true`.
|
||||
- key: EnableFirstUserDuringSetup
|
||||
title: Enable first user during setup
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the device uses Platform SSO to create the first user account
|
||||
on the Mac during `Setup Assistant`.
|
||||
- key: EnableRegistrationDuringSetup
|
||||
title: Enable registration during setup
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system enables the PlatformSSO registration process
|
||||
during Setup Assistant on devices running macOS 26 and later. Set this key
|
||||
to `true` when configuring PlatformSSO before enrollment using the `com.apple.psso.required`
|
||||
error response.
|
||||
- key: NewUserAuthenticationMethods
|
||||
title: New user authentication methods
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The set of authentication methods to use for newly created accounts
|
||||
at login or during `Setup Assistant`. The system uses `Password` and `SmartCard`
|
||||
if this key isn't present.
|
||||
subkeys:
|
||||
- key: NewUserAuthenticationMethod
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Password
|
||||
- SmartCard
|
||||
- AccessKey
|
||||
- OpenID
|
||||
content: |-
|
||||
An authentication method to use for newly created accounts at login or during `Setup Assistant`. Allowed values:
|
||||
|
||||
* `Password`: The account uses a password for authentication.
|
||||
* `SmartCard`: The account uses a smart card for authentication.
|
||||
* `AccessKey`: The account uses an access key for authentication.
|
||||
* `OpenID`: The account uses OpenID for authentication.
|
||||
- key: NewUserAuthorizationMode
|
||||
title: New user authorization mode
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Standard
|
||||
- Admin
|
||||
- Groups
|
||||
- Temporary
|
||||
content: |-
|
||||
The permission to apply to newly created accounts at login. Allowed values:
|
||||
|
||||
* `Standard`: The account is a standard user.
|
||||
* `Admin`: The system adds the account to the local administrators group.
|
||||
* `Groups`: The system assigns groups to the account using `Authorization.AdministratorGroups`, `Authorization.AdditionalGroups`, or `Authorization.AuthorizationGroups`.
|
||||
* `Temporary`: The system uses a temporary session configuration for newly created accounts at login.
|
||||
- key: TokenToUserMapping
|
||||
title: Token to user mapping
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The attribute mapping to use when creating users, or for authorization.
|
||||
subkeys:
|
||||
- key: AccountName
|
||||
title: Account name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The claim name to use for the user's account name.
|
||||
- key: FullName
|
||||
title: Full name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The claim name to use for the user's full name.
|
||||
- key: TemporarySessionQuickLogin
|
||||
title: Temporary session quick login
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system uses a quicker Authenticated Guest Mode login
|
||||
to Mac behavior. The system erases user data from only select locations in
|
||||
the user home directory after each session completes. Once every eight hours
|
||||
the system erases the full user home directory after a session completes.
|
||||
Turn this on for shared environments that have a high frequency of short sessions.
|
||||
- key: Authorization
|
||||
title: Authorization
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for authorization prompts and group management.
|
||||
subkeys:
|
||||
- key: EnableIdentityProviderAccounts
|
||||
title: Enable identity provider accounts
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: Enables using identity provider accounts at authorization prompts.
|
||||
Requires that `UseSharedDeviceKeys` is `true`. The system assigns groups using
|
||||
`AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
|
||||
- key: UserAuthorizationMode
|
||||
title: User authorization mode
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Standard
|
||||
- Admin
|
||||
- Groups
|
||||
content: |-
|
||||
The permission to apply to an account each time the user authenticates. Allowed values:
|
||||
|
||||
* `Standard`: The account is a standard user.
|
||||
* `Admin`: The system adds the account to the local administrators group.
|
||||
* `Groups`: The system assigns group to the account using `AdministratorGroups`, `AdditionalGroups`, or `AuthorizationGroups`.
|
||||
- key: AdministratorGroups
|
||||
title: Administrator groups
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of groups to use for administrator access. The system requests
|
||||
membership during authentication.
|
||||
subkeys:
|
||||
- key: Group
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The group name.
|
||||
- key: AdditionalGroups
|
||||
title: Additional groups
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of created groups that don't have administrator access.
|
||||
subkeys:
|
||||
- key: Group
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The group name.
|
||||
- key: AuthorizationGroups
|
||||
title: Authorization groups
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The pairing of Authorization Rights to group names. When using this,
|
||||
the system updates the Authorization Right to use the group.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The key is an access right value, the value is the group to be associated
|
||||
with that access right.
|
||||
- key: AccessKey
|
||||
title: Access key
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for Access Key authentication.
|
||||
subkeys:
|
||||
- key: ReaderGroupIdentifier
|
||||
title: Reader group identifier
|
||||
type: <data>
|
||||
presence: optional
|
||||
content: The reader group identifier for use with the `AccessKey`. The value
|
||||
needs to match the configured access key. Required if `UserCreation.AuthenticationMethods`
|
||||
contains `AccessKey`.
|
||||
- key: TerminalIdentityAssetReference
|
||||
title: Terminal identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
- com.apple.asset.credential.acme
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the identity to
|
||||
use as the Terminal identity of the Access Key. The Access Key needs to trust
|
||||
the identity. Required if `UserCreation.AuthenticationMethods` includes `AccessKey`.
|
||||
- key: ReaderIssuerCertificateAssetReference
|
||||
title: Reader issuer certificate asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the certificate
|
||||
for the issuer certificate of the `Terminal` identity of the access key. Other
|
||||
specifications refer to the key as the "Reader CA Public Key". The key must
|
||||
be an elliptic curve key. Required if `UserCreation.AuthenticationMethods`
|
||||
includes `AccessKey`. The issuer of the Terminal identity of the access key
|
||||
needs to match this certificate, otherwise the device fails the authentication.
|
||||
- key: AllowExpressMode
|
||||
title: Allow express mode
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system uses the access key in express mode, and doesn't
|
||||
require authentication before use.
|
||||
- key: Policies
|
||||
title: Policies
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Policies for login, unlock, and FileVault behavior.
|
||||
subkeys:
|
||||
- key: FileVault
|
||||
title: FileVault
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when `AuthenticationMethod` is `Password`.
|
||||
|
||||
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication is required, even if taken offline.
|
||||
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
|
||||
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
|
||||
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies are updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
|
||||
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for File Vault unlock.
|
||||
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for File Vault unlock.
|
||||
* `AllowOpenIDForTouchIDFallback`: The device allows web login as a fallback if touchID fails or isn't available.
|
||||
subkeys:
|
||||
- key: policy
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- AttemptAuthentication
|
||||
- RequireAuthentication
|
||||
- AllowOfflineGracePeriod
|
||||
- AllowAuthenticationGracePeriod
|
||||
- RequireTouchID
|
||||
- RequireTouchIDOrWatch
|
||||
- AllowOpenIDForTouchIDFallback
|
||||
content: The policy to apply.
|
||||
- key: Login
|
||||
title: Login
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The policy to apply when using Platform SSO at the Login Window. Applies when `AuthenticationMethod` is `Password`.
|
||||
|
||||
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, login continues if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
|
||||
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the device uses the offline `OfflineGracePeriod` to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed, regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses the `AuthenticationGracePeriod` to determine if the user can proceed or not.
|
||||
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access. Applies to web login and all offline passwords.
|
||||
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies unregistered account access.
|
||||
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for login.
|
||||
* `RequireTouchIDOrWatch`: The device requires the use of Touch ID or Apple Watch for login.
|
||||
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
|
||||
subkeys:
|
||||
- key: policy
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- AttemptAuthentication
|
||||
- RequireAuthentication
|
||||
- AllowOfflineGracePeriod
|
||||
- AllowAuthenticationGracePeriod
|
||||
- RequireTouchID
|
||||
- RequireTouchIDOrWatch
|
||||
- AllowOpenIDForTouchIDFallback
|
||||
content: The policy to apply.
|
||||
- key: Unlock
|
||||
title: Unlock
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The policy to apply when using Platform SSO at screensaver unlock. Applies when `AuthenticationMethod` is `Password`. later.
|
||||
|
||||
* `AttemptAuthentication`: The device attempts Platform SSO authentication before proceeding. If offline, unlock will continue if the local account password matches. If online and the credential is incorrect, then the device requires a successful Platform SSO authentication to proceed, even if taken offline.
|
||||
* `RequireAuthentication`: The device requires Platform SSO authentication before proceeding. If the device is offline and `AllowOfflineGracePeriod` is enabled, then the offline `OfflineGracePeriod` is used to determine if the user can proceed or not. If online and the credential is incorrect, then the device requires a valid Platform SSO authentication to proceed regardless of the `OfflineGracePeriod`. If the account isn't registered for Platform SSO and `AllowAuthenticationGracePeriod` is enabled, then the device uses `AuthenticationGracePeriod` to determine if the user can proceed or not.
|
||||
* `AllowOfflineGracePeriod`: The device allows the use of the `OfflineGracePeriod` when `RequireAuthentication` is enabled. If `AllowOfflineGracePeriod` isn't set, then the device denies offline access.
|
||||
* `AllowAuthenticationGracePeriod`: The device allows the use of the `AuthenticationGracePeriod` for other local accounts when `RequireAuthentication` is enabled. The `AuthenticationGracePeriod` starts when any of the policies have been updated. If `AllowAuthenticationGracePeriod` isn't set, then the device denies the unregistered account access.
|
||||
* `AllowTouchIDOrWatchForUnlock`: The device allows TouchID or Watch to unlock the screensaver instead of Platform SSO authentication when `RequireAuthentication` is enabled.
|
||||
* `RequireTouchID`: The device requires the use of Touch ID (and not Apple Watch) for unlock.
|
||||
* `RequireTouchIDOrWatch`: RThe device requires the use of Touch ID or Apple Watch for unlock.
|
||||
* `AllowOpenIDForTouchIDFallback`: The device allows web login as fallback if touchID fails or isn't available.
|
||||
subkeys:
|
||||
- key: policy
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- AttemptAuthentication
|
||||
- RequireAuthentication
|
||||
- AllowOfflineGracePeriod
|
||||
- AllowAuthenticationGracePeriod
|
||||
- AllowTouchIDOrWatchForUnlock
|
||||
- RequireTouchID
|
||||
- RequireTouchIDOrWatch
|
||||
- AllowOpenIDForTouchIDFallback
|
||||
content: The policy to apply.
|
||||
- key: OfflineGracePeriod
|
||||
title: Offline grace period
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of time after the last successful Platform SSO login for
|
||||
using a local account password offline. Required when setting `AllowOfflineGracePeriod`.
|
||||
- key: AuthenticationGracePeriod
|
||||
title: Authentication grace period
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of time after receiving or updating a `Policies.FileVault`,
|
||||
`Policies.Login`, or `Policies.Unlock` that the system can use unregistered
|
||||
local accounts. Required when `AllowAuthenticationGracePeriod` is set.
|
||||
- key: NonPlatformSSOAccounts
|
||||
title: Non-platform SSO accounts
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of local accounts that aren't subject to the `Policies.FileVault`,
|
||||
`Policies.Login`, or `Policies.Unlock` policies. The accounts don't receive
|
||||
a prompt to register for Platform SSO.
|
||||
subkeys:
|
||||
- key: username
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A local account username.
|
||||
- key: WebAuthentication
|
||||
title: Web authentication
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings for web authentication behavior.
|
||||
subkeys:
|
||||
- key: URLAllowList
|
||||
title: URL allow list
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The set of allowed hosts that the system can load in the PSSO web view.
|
||||
Required if `AuthenticationMethod` is set to `OpenID`, or `UserCreation.AuthenticationMethods`
|
||||
contains `OpenID`.
|
||||
subkeys:
|
||||
- key: Hosts
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A host or host prefix.
|
||||
- key: AllowPasswordSync
|
||||
title: Allow password sync
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system detects the password during web authentication
|
||||
and synchronizes it to the local account password for the user.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Credential
|
||||
description: This configuration sets up a Credential-type SSO extension that handles
|
||||
authentication for hosts in the example.com domain.
|
||||
file: examples/declarative/declarations/configurations/extensiblesso/example1.json
|
||||
- tab: Redirect
|
||||
description: This configuration sets up a Redirect-type SSO extension that intercepts
|
||||
authentication requests to specific login URLs.
|
||||
file: examples/declarative/declarations/configurations/extensiblesso/example2.json
|
||||
@@ -29,24 +29,23 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
content: Configures External Intelligence Integrations settings.
|
||||
payloadkeys:
|
||||
- key: Enabled
|
||||
title: Allow External Intelligence Integrations
|
||||
title: Allow external intelligence integrations
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables external intelligence integrations.
|
||||
- key: AllowSignIn
|
||||
title: Allow External Intelligence Integrations Sign In
|
||||
title: Allow external intelligence integrations sign in
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables sign-in for external intelligence integrations.
|
||||
- key: AllowedWorkspaceIDs
|
||||
title: Allowed External Intelligence Workspace IDs
|
||||
title: Allowed external intelligence workspace IDs
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-intersection
|
||||
@@ -57,5 +56,11 @@ payloadkeys:
|
||||
operation.
|
||||
subkeys:
|
||||
- key: workspaceID
|
||||
title: Allowed Workspace ID
|
||||
title: Allowed workspace ID
|
||||
type: <string>
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: External Intelligence Restrictions
|
||||
description: This configuration restricts external intelligence integrations.
|
||||
file: examples/declarative/declarations/configurations/external-intelligence.settings/example1.json
|
||||
|
||||
@@ -29,7 +29,6 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
content: Configures Apple Intelligence settings.
|
||||
payloadkeys:
|
||||
- key: AllowAppleIntelligenceReport
|
||||
title: Allow Apple Intelligence Report
|
||||
@@ -99,6 +98,26 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: If present, configures app-specific Intelligence features.
|
||||
subkeys:
|
||||
- key: Calendar
|
||||
title: Calendar
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures Calendar and Reminders Intelligence features.
|
||||
subkeys:
|
||||
- key: AllowNaturalLanguageEditing
|
||||
title: Allow Natural Language Editing
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables Natural Language Editing in Calendar and Reminders.
|
||||
- key: Mail
|
||||
title: Mail
|
||||
type: <dictionary>
|
||||
@@ -177,3 +196,9 @@ payloadkeys:
|
||||
default: false
|
||||
combinetype: boolean-or
|
||||
content: If `true`, forces On-Device Only Translation.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Intelligence Restrictions
|
||||
description: This configuration restricts several Apple Intelligence features.
|
||||
file: examples/declarative/declarations/configurations/intelligence.settings/example1.json
|
||||
|
||||
@@ -26,10 +26,9 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
content: Configures keyboard settings.
|
||||
payloadkeys:
|
||||
- key: AllowAutoCorrection
|
||||
title: Allow Auto-Correction
|
||||
title: Allow auto-correction
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -39,21 +38,21 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables auto-correction.
|
||||
- key: AllowDefinitionLookup
|
||||
title: Allow Definition Lookup
|
||||
title: Allow definition lookup
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables definition lookup.
|
||||
- key: AllowDictation
|
||||
title: Allow Dictation
|
||||
title: Allow dictation
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables dictation.
|
||||
- key: AllowMathKeyboardSuggestions
|
||||
title: Allow Math Keyboard Suggestions
|
||||
title: Allow math keyboard suggestions
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
@@ -61,7 +60,7 @@ payloadkeys:
|
||||
content: If `false`, disables keyboard suggestions that include math solutions.
|
||||
This key is also supported by the math.settings configuration.
|
||||
- key: AllowPredictiveText
|
||||
title: Allow Predictive Text
|
||||
title: Allow predictive text
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -71,7 +70,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables predictive text.
|
||||
- key: AllowSlideToType
|
||||
title: Allow Slide to Type
|
||||
title: Allow slide to type
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -81,7 +80,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables slide to type.
|
||||
- key: AllowSpellCheck
|
||||
title: Allow Spell Check
|
||||
title: Allow spell check
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -91,7 +90,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables spell check.
|
||||
- key: AllowTextReplacement
|
||||
title: Allow Text Replacement
|
||||
title: Allow text replacement
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -100,3 +99,9 @@ payloadkeys:
|
||||
default: true
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables text replacement.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Keyboard Restrictions
|
||||
description: This configuration restricts keyboard features.
|
||||
file: examples/declarative/declarations/configurations/keyboard.settings/example1.json
|
||||
|
||||
@@ -43,13 +43,37 @@ payloadkeys:
|
||||
- key: ProfileURL
|
||||
title: Profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
presence: optional
|
||||
content: |-
|
||||
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
|
||||
The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`.
|
||||
|
||||
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS that are forbidden with user enrollment. In iOS, the system rejects the entire profile.
|
||||
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
|
||||
- key: ProfileAssetReference
|
||||
title: Profile asset reference
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
asset-content-types:
|
||||
- application/plist
|
||||
- application/x-plist
|
||||
- application/xml
|
||||
- text/xml
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type.
|
||||
|
||||
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
|
||||
- key: VisibleName
|
||||
title: Configuration Visible Name
|
||||
title: Configuration visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The visible name of the configuration. This name needs to indicate the
|
||||
@@ -63,3 +87,14 @@ notes:
|
||||
|
||||
- `com.apple.mdm`
|
||||
- `com.apple.declarations`
|
||||
|
||||
If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: URL
|
||||
description: Downloads the profile from a URL on the MDM server.
|
||||
file: examples/declarative/declarations/configurations/legacy.interactive/example1.json
|
||||
- tab: Asset
|
||||
description: Downloads the profile using an asset.
|
||||
file: examples/declarative/declarations/configurations/legacy.interactive/example2.json
|
||||
|
||||
@@ -54,11 +54,37 @@ payloadkeys:
|
||||
- key: ProfileURL
|
||||
title: Profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
presence: optional
|
||||
content: |-
|
||||
The URL of the profile to download and install, which needs to start with `https://`, and must be hosted by the MDM server.
|
||||
The URL of the profile to download and install, which needs to start with `https://`. The request uses MDM semantics, which includes the device-identity certificate, and any user authentication. This is equivalent to an MDM request made to the `CheckInURL` or `ServerURL`.
|
||||
|
||||
If a user enrollment triggers this configuration, the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`. In iOS, the system rejects the entire profile.
|
||||
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
|
||||
- key: ProfileAssetReference
|
||||
title: Profile asset reference
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
watchOS:
|
||||
introduced: '27.0'
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
asset-content-types:
|
||||
- application/plist
|
||||
- application/x-plist
|
||||
- application/xml
|
||||
- text/xml
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of an asset declaration containing a reference to the profile data. The corresponding asset needs to be of type `com.apple.asset.data`. The referenced data needs to be a property list file, and the asset's "ContentType" value set to match the data type.
|
||||
|
||||
One of `ProfileURL` or `ProfileAssetReference` needs to be present.
|
||||
notes:
|
||||
- title: ''
|
||||
content: |-
|
||||
@@ -68,3 +94,35 @@ notes:
|
||||
|
||||
- `com.apple.mdm`
|
||||
- `com.apple.declarations`
|
||||
|
||||
If a user enrollment triggers this configuration: in macOS the system silently ignores any MDMv1 payloads in macOS where the User Enrollment Mode setting is `forbidden`; in iOS, tvOS, watchOS and visionOS, the system rejects the entire profile if any MDMv1 payload has its User Enrollment Mode setting set to `forbidden`.
|
||||
- title: Transition profiles from MDM
|
||||
content: |-
|
||||
A declarative device management (DDM) legacy profile can take control of profiles installed via MDM. This avoids the need to first remove the MDM profile, before installing the DDM equivalent. DDM cannot take over control of non-MDM-installed profiles.
|
||||
|
||||
The rules for transitioning profiles are:
|
||||
|
||||
1. An existing MDM-installed profile is present (installed by MDM using the `Install-Profile-Command`).
|
||||
2. DDM is enabled on the device.
|
||||
3. The server sends a legacy profile configuration to the device and ensures it is "activated".
|
||||
1. The DDM profile that the configuration applies needs to conform to the following requirements:
|
||||
1. The DDM profile's `PayloadIdentifier` and `PayloadUUID` need to match that of the MDM profile.
|
||||
2. The DDM profile needs to have the same number of payloads as the MDM profile.
|
||||
3. The DDM profile payloads needs to have the same `PayloadType`, `PayloadIdentifier`, and `PayloadUUID`, in the same order as the profile payloads in the MDM profile.
|
||||
2. If the DDM profile doesn't conform to the above requirements, the configuration isn't applied and its `valid` status is set to `invalid`.
|
||||
3. The `Profile-List-Command` can be used to determine the "structure" of existing MDM profiles to satisfy the above requirements.
|
||||
|
||||
When DDM takes control of the MDM profile, the following occurs:
|
||||
|
||||
1. The system doesn't reinstall the profile. Instead, the MDM profile's existing system state remains unchanged. Thus system state won't include any differences between the MDM and DDM profiles (other than the structural items outlined above that must match).
|
||||
2. Any attempt to install, update, or remove the profile using MDM commands fails (using the usual identifier and UUID matching rules). This holds true while the DDM profile is active.
|
||||
3. Updates to the DDM configuration result in the system reapplying the profile which updates the system state with any new or changed settings.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: URL
|
||||
description: Downloads the profile from a URL on the MDM server.
|
||||
file: examples/declarative/declarations/configurations/legacy/example1.json
|
||||
- tab: Asset
|
||||
description: Downloads the profile using an asset.
|
||||
file: examples/declarative/declarations/configurations/legacy/example2.json
|
||||
|
||||
@@ -47,17 +47,24 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: StatusItems
|
||||
title: Status Items
|
||||
title: Status items
|
||||
type: <array>
|
||||
presence: required
|
||||
combinetype: set-union
|
||||
content: An array of status items that the device notifies subscribers about.
|
||||
subkeys:
|
||||
- key: StatusItem
|
||||
title: Status item
|
||||
type: <dictionary>
|
||||
content: The declaration for configuring a specific status subscription.
|
||||
subkeys:
|
||||
- key: Name
|
||||
title: Name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the status item to send to subscribers.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration subscribes to a set of device status items.
|
||||
file: examples/declarative/declarations/configurations/management.status-subscriptions/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Management:Test
|
||||
description: The declaration to test declarative device management.
|
||||
description: The declaration to configure a declarative device management test.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.management.test
|
||||
supportedOS:
|
||||
@@ -52,12 +52,12 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: Echo
|
||||
title: Status Echo
|
||||
title: Status echo
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The string to echo back in a status response reason.
|
||||
- key: EchoDataAssetReference
|
||||
title: Status Echo from Asset
|
||||
title: Status echo from asset
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
@@ -72,7 +72,7 @@ payloadkeys:
|
||||
content: The string to read from a data asset to echo back in status response reason
|
||||
description.
|
||||
- key: ReturnStatus
|
||||
title: Status to Return
|
||||
title: Status to return
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -82,3 +82,9 @@ payloadkeys:
|
||||
default: Installed
|
||||
content: The status the system reports back when the device implements the configuration.
|
||||
Use this to override the normal `success` result.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration tests the management framework with a custom status
|
||||
result.
|
||||
file: examples/declarative/declarations/configurations/management.test/example1.json
|
||||
|
||||
@@ -25,20 +25,22 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
content: Configures the built-in math and calculator app settings.
|
||||
payloadkeys:
|
||||
- key: Calculator
|
||||
title: Calculator
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures the built-in Calculator app.
|
||||
subkeys:
|
||||
- key: BasicMode
|
||||
title: Basic mode
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures the basic mode of the calculator. Basic mode is
|
||||
always enabled.
|
||||
subkeys:
|
||||
- key: AddSquareRoot
|
||||
title: Add square root
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-or
|
||||
@@ -46,17 +48,20 @@ payloadkeys:
|
||||
+/- button. Normally, the square root button is available in scientific mode,
|
||||
so this key can be used to make it available when the scientific mode is restricted.
|
||||
- key: ScientificMode
|
||||
title: Scientific mode
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures the scientific mode of the calculator. If not
|
||||
present, scientific mode is enabled.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Controls whether the mode is enabled.
|
||||
- key: ProgrammerMode
|
||||
title: Programmer mode
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -66,33 +71,39 @@ payloadkeys:
|
||||
present, programmer mode is enabled.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Controls whether the mode is enabled.
|
||||
- key: MathNotesMode
|
||||
title: Math notes mode
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures the Math Notes mode of the calculator. If not
|
||||
present, Math Notes mode is enabled.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Controls whether the mode is enabled.
|
||||
- key: InputModes
|
||||
title: Input modes
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, controls global input options of the calculator. If not present,
|
||||
all input modes are enabled.
|
||||
subkeys:
|
||||
- key: UnitConversion
|
||||
title: Unit conversion
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Configures whether unit conversions are enabled.
|
||||
- key: RPN
|
||||
title: RPN
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -101,18 +112,27 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: Configures whether RPN input is enabled.
|
||||
- key: SystemBehavior
|
||||
title: System behavior
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: If present, configures math behavior in the system.
|
||||
subkeys:
|
||||
- key: KeyboardSuggestions
|
||||
title: Keyboard suggestions
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Controls whether keyboard suggestions include math solutions. This key
|
||||
is also supported by the keyboard.settings configuration.
|
||||
- key: MathNotes
|
||||
title: Math notes
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-and
|
||||
content: Controls whether Math Notes is allowed in other apps such as Notes.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration prevents the use of scientific and programmer
|
||||
modes in calculator app.
|
||||
file: examples/declarative/declarations/configurations/math.settings/example1.json
|
||||
|
||||
@@ -18,14 +18,15 @@ payload:
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: combined
|
||||
content: Configures the managed migration functions of Migration Assistant.
|
||||
payloadkeys:
|
||||
- key: ShouldDoManagedMigration
|
||||
title: Should do managed migration
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-or
|
||||
content: If `true`, the device manages Migration Assistant.
|
||||
- key: ExcludedAccounts
|
||||
title: Excluded accounts
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
@@ -35,6 +36,7 @@ payloadkeys:
|
||||
- key: _Accounts
|
||||
type: <string>
|
||||
- key: ExcludedPaths
|
||||
title: Excluded paths
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
@@ -46,6 +48,7 @@ payloadkeys:
|
||||
- key: _ExcludedPaths
|
||||
type: <string>
|
||||
- key: RequiredPaths
|
||||
title: Required paths
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
@@ -57,6 +60,7 @@ payloadkeys:
|
||||
- key: _RequiredPaths
|
||||
type: <string>
|
||||
- key: ShouldMigrateSecurityPrivacySettings
|
||||
title: Should migrate security privacy settings
|
||||
type: <boolean>
|
||||
presence: required
|
||||
combinetype: boolean-or
|
||||
@@ -69,3 +73,8 @@ notes:
|
||||
Configure the device to use the `AwaitingConfiguration` state after it enrolls with the server. The server needs to send the configuration and verify the configuration as both active and valid using the Declarative Device Management status, before it sends the `DeviceConfiguredCommand` command to exit that state.
|
||||
|
||||
The device reports Migration Assistant progress using the `StatusMigrationAssistantState` status item, and provides a report when migration completes using the `StatusMigrationAssistantReport` status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration provides settings for a Mac to Mac migration.
|
||||
file: examples/declarative/declarations/configurations/migration-assistant.settings/example1.json
|
||||
|
||||
@@ -0,0 +1,84 @@
|
||||
title: Network:DNS Proxy
|
||||
description: The declaration to configure DNS proxy settings.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.dns-proxy
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the DNS proxy configuration that the system displays on the
|
||||
device.
|
||||
- key: AppBundleIdentifier
|
||||
title: App bundle identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The bundle identifier of the app containing the DNS proxy network extension.
|
||||
- key: ProviderComposedIdentifier
|
||||
title: Provider composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of the provider to use for this configuration. Useful for apps that contain more than one DNS proxy extension.
|
||||
|
||||
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
|
||||
- key: ProviderConfiguration
|
||||
title: Provider configuration
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary of vendor-specific configuration items.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <any>
|
||||
presence: optional
|
||||
content: Key/value pairs.
|
||||
- key: DNSProxyUUID
|
||||
title: DNS proxy UUID
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A globally unique identifier for this DNS proxy configuration. The proxy
|
||||
processes DNS lookups traffic for managed apps with the same `DNSProxyUUID` in
|
||||
their app attributes. This key is required for user enrollment.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a DNS proxy using a Network Extension
|
||||
app.
|
||||
file: examples/declarative/declarations/configurations/network.dns-proxy/example1.json
|
||||
@@ -0,0 +1,254 @@
|
||||
title: Network:DNS Settings
|
||||
description: The declaration to configure encrypted DNS settings.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.dns-settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the DNS settings that the system displays on the device.
|
||||
- key: DNSSettings
|
||||
title: DNS settings
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary that defines a configuration for an encrypted DNS server.
|
||||
subkeys:
|
||||
- key: DNSProtocol
|
||||
title: DNS protocol
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- HTTPS
|
||||
- TLS
|
||||
content: The encrypted transport protocol used to communicate with the DNS server.
|
||||
- key: ServerURL
|
||||
title: Server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484.
|
||||
This URL needs to use the `https://` scheme, and the system uses the hostname
|
||||
or address in the URL to validate the server certificate. If no `ServerAddresses`
|
||||
are provided, the system uses the hostname or address in the URL to determine
|
||||
the server addresses. Required if `DNSProtocol` is `HTTPS`.
|
||||
- key: ServerName
|
||||
title: Server name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The hostname of a DNS-over-TLS server used to validate the server certificate,
|
||||
as defined in RFC 7858. If no `ServerAddresses` are provided, the system uses
|
||||
the hostname to determine the server addresses. This key must be present only
|
||||
if the DNSProtocol is `TLS`.
|
||||
- key: ServerAddresses
|
||||
title: DNS server addresses
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An unordered list of DNS server IP address strings. These IP addresses
|
||||
can be a mixture of IPv4 and IPv6 addresses.
|
||||
subkeys:
|
||||
- key: ServerAddressesElement
|
||||
title: Server address element
|
||||
type: <string>
|
||||
- key: AllowFailover
|
||||
title: Allow failover
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device allows failover to the default system DNS resolver.
|
||||
- key: IdentityAssetReference
|
||||
title: Certificate identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
- com.apple.asset.credential.acme
|
||||
presence: optional
|
||||
content: Specifies the identifier of an asset declaration containing an identity
|
||||
that the system uses to authenticate the user to the DNS resolver.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server.
|
||||
|
||||
The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`.
|
||||
subkeys:
|
||||
- key: SupplementalMatchDomainsElement
|
||||
title: Supplemental match domains element
|
||||
type: <string>
|
||||
- key: OnDemandRules
|
||||
title: On demand rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of rules that define the DNS settings. If not set, the system
|
||||
always applies the DNS settings. These rules are identical to the `OnDemandRules`
|
||||
array in VPN payloads.
|
||||
subkeytype: OnDemandRulesElement
|
||||
subkeys:
|
||||
- key: OnDemandRulesElement
|
||||
title: On demand rules element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: Action
|
||||
title: On demand action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Connect
|
||||
- Disconnect
|
||||
- EvaluateConnection
|
||||
content: |-
|
||||
The action to take if this dictionary matches the current network. Allowed values:
|
||||
|
||||
- `Connect`: Apply DNS Settings when the dictionary matches.
|
||||
- `Disconnect`: Don't apply DNS Settings when the dictionary matches.
|
||||
- `EvaluateConnection`: Apply DNS Settings with per-domain exceptions when the dictionary matches.
|
||||
- key: ActionParameters
|
||||
title: Action parameters
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that provide per-connection rules. The system
|
||||
uses this array only for settings where the `Action` value is `EvaluateConnection`.
|
||||
subkeys:
|
||||
- key: ActionParameter
|
||||
title: Action parameter
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary that provides per-connection rules.
|
||||
The keys allowed in each dictionary are described below. Note: This array is only for dictionaries in which `EvaluateConnection` is the `Action` value.
|
||||
subkeys:
|
||||
- key: Domains
|
||||
title: Domains
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The domains for which this evaluation applies.
|
||||
subkeys:
|
||||
- key: DomainsElement
|
||||
title: Domains element
|
||||
type: <string>
|
||||
- key: DomainAction
|
||||
title: Domain action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- NeverConnect
|
||||
- ConnectIfNeeded
|
||||
content: |-
|
||||
The DNS settings behavior for the specified domains. Allowed values:
|
||||
|
||||
* 'NeverConnect': Don't use the DNS Settings for the specified domains.
|
||||
* 'ConnectIfNeeded': Allow using the DNS Settings for the specified domains.
|
||||
- key: DNSDomainMatch
|
||||
title: DNS domain match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
|
||||
|
||||
The system supports a single wildcard (`*`) prefix, but it's not required. For example, both `*.example.com` and `example.com` match against `mydomain.example.com` and `your.domain.example.com`, but don't match against `mydomain-example.com`.
|
||||
subkeys:
|
||||
- key: DNSDomainMatchElement
|
||||
title: DNS domain match element
|
||||
type: <string>
|
||||
- key: DNSServerAddressMatch
|
||||
title: DNS server address match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
|
||||
|
||||
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the 17.0.0.0/8 subnet.
|
||||
subkeys:
|
||||
- key: DNSServerAddressMatchElement
|
||||
title: DNS server address match element
|
||||
type: <string>
|
||||
- key: InterfaceTypeMatch
|
||||
title: Interface type match
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Ethernet
|
||||
- WiFi
|
||||
- Cellular
|
||||
content: An interface type. If specified, this rule matches only if the primary
|
||||
network interface hardware matches the specified type.
|
||||
- key: SSIDMatch
|
||||
title: SSID match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of SSIDs to match against the current network. If the network
|
||||
isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match
|
||||
fails. Omit this key and the corresponding array to match against any SSID.
|
||||
subkeys:
|
||||
- key: SSIDMatchElement
|
||||
title: SSID match element
|
||||
type: <string>
|
||||
- key: URLStringProbe
|
||||
title: URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A URL to probe. This rule matches if this URL is successfully fetched
|
||||
and returns a 200 HTTP status code without redirection.
|
||||
- key: ProhibitDisablement
|
||||
title: Prohibit disablement
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
macOS:
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
visionOS:
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system prohibits users from disabling DNS settings.
|
||||
notes:
|
||||
- title: ''
|
||||
content: |-
|
||||
The following rules determine which networks the settings apply to:
|
||||
|
||||
* For supervised enrollments, the settings apply to all networks.
|
||||
* For device enrollments, the settings are limited to only managed networks.
|
||||
* For local installs, the settings apply to all networks.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up encrypted DNS using DNS-over-HTTPS.
|
||||
file: examples/declarative/declarations/configurations/network.dns-settings/example1.json
|
||||
@@ -0,0 +1,190 @@
|
||||
title: Network:Relay
|
||||
description: The declaration to configure Network Relay settings.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.relay
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the network relays that the system displays on the device.
|
||||
- key: Relays
|
||||
title: Relays
|
||||
type: <array>
|
||||
presence: required
|
||||
content: An array of dictionaries that describe one or more relay servers that the
|
||||
system can chain together.
|
||||
subkeys:
|
||||
- key: Relay
|
||||
title: Network relay
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: HTTP3RelayURL
|
||||
title: HTTP/3 relay URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/3 and supports proxying TCP and UDP using the CONNECT method.
|
||||
|
||||
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both.
|
||||
- key: HTTP2RelayURL
|
||||
title: HTTP/2 relay URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The URL or URI template, as defined in RFC 9298, of a relay server that's reachable using HTTP/2 and supports proxying TCP and UDP using the CONNECT method.
|
||||
|
||||
Each relay needs to include either `HTTP2RelayURL` or `HTTP3RelayURL`, or it can include both.
|
||||
- key: AdditionalHTTPHeaderFields
|
||||
title: Additional HTTP header fields
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that contains custom HTTP header keys and values to add
|
||||
to each request. The dictionary key name represents the HTTP header field
|
||||
name to use, and the dictionary value is the string to use as the HTTP header
|
||||
field value.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The HTTP header field value for the corresponding header field name.
|
||||
- key: CredentialAssetReference
|
||||
title: Credential asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
- com.apple.asset.credential.acme
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the identity to
|
||||
install.
|
||||
- key: PublicKeyData
|
||||
title: Public keys
|
||||
type: <array>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of references to data assets containing DER-encoded public key data that the system uses to authenticate the server during a TLS handshake. The server needs to use one of the keys in the handshake to authenticate.
|
||||
If this array is empty, the system uses the default TLS trust evaluation.
|
||||
subkeys:
|
||||
- key: PublicKeyDataAssetReference
|
||||
title: Public key asset reference
|
||||
type: <string>
|
||||
- key: MatchDomains
|
||||
title: Match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
A list of domain strings that the system uses to determine which connection to route through the servers in `Relays`.
|
||||
|
||||
Any connection that matches a domain in the list exactly or is a subdomain of the listed domain uses the relay servers, unless it matches a domain in `ExcludedDomains`.
|
||||
|
||||
If this list and `MatchFQDNs` are empty, the system routes traffic to all domains to the relay servers, except those that match an excluded domain or excluded FQDN.
|
||||
subkeys:
|
||||
- key: MatchDomainsElement
|
||||
title: Match domains element
|
||||
type: <string>
|
||||
- key: ExcludedDomains
|
||||
title: Excluded domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: A list of domain strings to exclude from routing through the servers in
|
||||
`Relays`. Any connection that matches a domain in the list exactly or is a subdomain
|
||||
of the listed domain won't use the relay server.
|
||||
subkeys:
|
||||
- key: ExcludedDomainsElement
|
||||
title: Excluded domains element
|
||||
type: <string>
|
||||
- key: MatchFQDNs
|
||||
title: Match FQDNs
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: A list of Fully Qualified Domain Names (FQDNs) to route through the servers
|
||||
contained in `Relays`. Any connection that matches an FQDN in the list exactly
|
||||
uses the relay servers. If this list and `MatchDomains` are empty, the system
|
||||
routes traffic to all domains to the relay servers, except those that match an
|
||||
excluded domain or excluded FQDN.
|
||||
subkeys:
|
||||
- key: MatchFQDNsElement
|
||||
title: Match FQDNs element
|
||||
type: <string>
|
||||
- key: ExcludedFQDNs
|
||||
title: Excluded FQDNs
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: A list of Fully Qualified Domain Names (FQDNs) to exclude from routing
|
||||
through the servers contained in `Relays`. Any connection that matches an FQDN
|
||||
in the list exactly won't use the relay server. When `MatchDomains` is also present,
|
||||
any FQDN listed in the list should be a subdomain of at least one `MatchDomain`
|
||||
value, otherwise it won't have any effect.
|
||||
subkeys:
|
||||
- key: ExcludedFQDNsElement
|
||||
title: Excluded FQDNs element
|
||||
type: <string>
|
||||
- key: RelayUUID
|
||||
title: Relay UUID
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A globally unique identifier for this relay configuration. The system uses
|
||||
this UUID to route managed apps through the servers in `Relays`. This key is required
|
||||
for user enrollment.
|
||||
- key: UIToggleEnabled
|
||||
title: UI toggle enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, the device allows the user to disable this network relay configuration.
|
||||
- key: AllowDNSFailover
|
||||
title: Allow DNS failover
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device allows the relay to failover to the default system
|
||||
DNS resolver.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Single relay
|
||||
description: This configuration routes traffic to two domains through a single
|
||||
HTTP/2 relay with a custom authorization header.
|
||||
file: examples/declarative/declarations/configurations/network.relay/example1.json
|
||||
- tab: Chained relays
|
||||
description: This configuration routes specific hostnames through two chained
|
||||
relay hops supporting both HTTP/2 and HTTP/3.
|
||||
file: examples/declarative/declarations/configurations/network.relay/example2.json
|
||||
@@ -0,0 +1,975 @@
|
||||
title: Network:VPN:AlwaysOn
|
||||
description: The declaration to configure a VPN using the Always On sub-type.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.vpn.always-on
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: single
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the VPN connection that the system displays on the device.
|
||||
- key: UIToggleEnabled
|
||||
title: UI toggle enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, allows the user to disable the VPN configuration.
|
||||
- key: TunnelConfigurations
|
||||
title: Tunnel configurations
|
||||
type: <array>
|
||||
presence: required
|
||||
content: An array that contains an arbitrary number of tunnel configurations.
|
||||
subkeys:
|
||||
- key: TunnelConfigurationElement
|
||||
title: A tunnel configuration element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: ProtocolType
|
||||
title: Protocol type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- IKEv2
|
||||
content: The type of connection, which needs to be `IKEv2`.
|
||||
- key: Interfaces
|
||||
title: Interfaces
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The interfaces to apply this configuration to.
|
||||
subkeys:
|
||||
- key: InterfacesElement
|
||||
title: Interfaces element
|
||||
type: <string>
|
||||
rangelist:
|
||||
- Cellular
|
||||
- WiFi
|
||||
- key: IKEV2
|
||||
title: IKEv2 configuration
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The IKEv2 configuration for this tunnel.
|
||||
subkeys:
|
||||
- key: HostName
|
||||
title: Host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The IP address or hostname of the VPN server.
|
||||
- key: LocalIdentifier
|
||||
title: Local identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Identifier of the IKEv2 client.
|
||||
- key: RemoteIdentifier
|
||||
title: Remote identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The remote identifier.
|
||||
- key: Authentication
|
||||
title: Authentication details
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: Method
|
||||
title: Authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- None
|
||||
- SharedSecret
|
||||
- Certificate
|
||||
content: |-
|
||||
The type of authentication method for the VPN.
|
||||
|
||||
To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(password) to authenticate with the VPN server. Required when `Authentication.Method`
|
||||
is set to `SharedSecret`.
|
||||
- key: IdentityCertificateType
|
||||
title: Certificate type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- RSA
|
||||
- ECDSA256
|
||||
- ECDSA384
|
||||
- ECDSA521
|
||||
- RSA-PSS
|
||||
default: RSA
|
||||
content: The type of key used by the identity set in the `IdentityAssetReference`
|
||||
to use for IKEv2 machine authentication. If this key is included, the
|
||||
system requires a value for `ServerCertificateIssuerCommonName`.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains
|
||||
the identity that this account requires to authenticate with the VPN server.
|
||||
If the value of `AuthenticationMethod` is `Certificate`, the system sends
|
||||
this certificate out for IKEv2 machine authentication. If extended authentication
|
||||
(EAP) is used, the system sends this certificate out for EAP-TLS authentication.
|
||||
Required when `Authentication.Method` is set to `Certificate`.
|
||||
- key: ExtendedAuth
|
||||
title: Extended authentication (EAP)
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the VPN routes different types of network
|
||||
traffic.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables EAP-only authentication.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the VPN server. Required
|
||||
when `Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2.
|
||||
- key: ServerCertificateIssuerCommonName
|
||||
title: Server certificate issuer common name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: Common Name of the server certificate issuer. If set, this field
|
||||
causes IKE to send a certificate request based on this certificate issuer
|
||||
to the server. This key is required if the `IdentityCertificateType`
|
||||
key is included and the `ExtendedAuth.Enabled` key is `true`.
|
||||
- key: ServerCertificateCommonName
|
||||
title: Server certificate common name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The common name of the server certificate. The system uses this
|
||||
name to validate the certificate sent by the IKE server. If not set,
|
||||
the system uses the remote identifier to validate the certificate.
|
||||
- key: TLSMinimumVersion
|
||||
title: TLS minimum version
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- '1.0'
|
||||
- '1.1'
|
||||
- '1.2'
|
||||
- '1.3'
|
||||
default: '1.0'
|
||||
content: The minimum TLS version to use with EAP-TLS authentication.
|
||||
- key: TLSMaximumVersion
|
||||
title: TLS maximum version
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- '1.0'
|
||||
- '1.1'
|
||||
- '1.2'
|
||||
- '1.3'
|
||||
default: '1.2'
|
||||
content: The maximum TLS version to use with EAP-TLS authentication.
|
||||
- key: Provider
|
||||
title: Provider details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about the provider.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- packet-tunnel
|
||||
- app-proxy
|
||||
default: packet-tunnel
|
||||
content: The type of VPN service. If the value is `app-proxy`, the service
|
||||
tunnels traffic at the app level. If the value is `packet-tunnel`, the
|
||||
service tunnels traffic at the IP layer.
|
||||
- key: ComposedIdentifier
|
||||
title: Composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID", "Bundle-ID (Team-ID)", or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Team-ID" is the team identifier from the provider's code signature. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, "com.example.app (ABCD1234)" for the team ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
|
||||
- key: NetworkRouting
|
||||
title: Network routing details
|
||||
supportedOS:
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the VPN routes different types of network
|
||||
traffic.
|
||||
subkeys:
|
||||
- key: EnforceRoutes
|
||||
title: Enforce routes
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
|
||||
|
||||
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
|
||||
- key: IncludeAllNetworks
|
||||
title: Include all networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
|
||||
|
||||
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
|
||||
- Traffic necessary for connecting to captive networks.
|
||||
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
|
||||
- Network communication with a companion device such as a watchOS device.
|
||||
- key: ExcludeLocalNetworks
|
||||
title: Exclude local networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, routes all local
|
||||
network traffic outside the VPN.
|
||||
- key: ExcludeCellularServices
|
||||
title: Exclude cellular services
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
internet-routable network traffic for cellular services (VoLTE, Wi-Fi
|
||||
Calling, IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that
|
||||
some cellular carriers route cellular services traffic directly to the
|
||||
carrier network, bypassing the internet. The device always excludes such
|
||||
cellular services traffic from the tunnel.
|
||||
- key: ExcludeAPNs
|
||||
title: Exclude APNs
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
the network traffic for the Apple Push Notification service (APNs) from
|
||||
the tunnel.
|
||||
- key: ExcludeDeviceCommunication
|
||||
title: Exclude device communication
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the
|
||||
device excludes network traffic used for communicating with devices connected
|
||||
via USB or Wi-Fi from the tunnel.
|
||||
- key: Idle
|
||||
title: Disconnect on idle settings.
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system handles idle VPN connections.
|
||||
subkeys:
|
||||
- key: Disconnect
|
||||
title: Enable disconnect on idle
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, disconnects after an on-demand connection idles.
|
||||
- key: Timer
|
||||
title: Disconnect on idle time
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The length of time to wait, in seconds, before disconnecting an
|
||||
on-demand connection.
|
||||
- key: DeadPeerDetectionRate
|
||||
title: Dead peer detection rate
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Low
|
||||
- Medium
|
||||
- High
|
||||
default: Medium
|
||||
content: |-
|
||||
One of the following:
|
||||
|
||||
- `None`: No keepalive.
|
||||
- `Low`: Send keepalive every 30 minutes.
|
||||
- `Medium`: Send keepalive every 10 minutes.
|
||||
- `High`: Send keepalive every 1 minute.
|
||||
- key: OnDemand
|
||||
title: On demand details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system controls on-demand VPN.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable VPN on demand
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables VPN On Demand.
|
||||
- key: DisableUserOverride
|
||||
title: Prevent users from toggling VPN on demand
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the Connect On Demand toggle in Settings is disabled
|
||||
for this configuration.
|
||||
- key: Rules
|
||||
title: On demand rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries defining On Demand Rules.
|
||||
subkeytype: RulesElement
|
||||
subkeys:
|
||||
- key: RulesElement
|
||||
title: Rules element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: Action
|
||||
title: On demand action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Allow
|
||||
- Connect
|
||||
- Disconnect
|
||||
- EvaluateConnection
|
||||
- Ignore
|
||||
content: |-
|
||||
The action to take if this dictionary matches the current network. Possible values are:
|
||||
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
|
||||
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
|
||||
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
|
||||
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
|
||||
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
|
||||
- key: ActionParameters
|
||||
title: Action parameters
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that provides rules similar to the
|
||||
`OnDemandRules` dictionary, but evaluated on each connection instead
|
||||
of when the network changes. This value is only for use with dictionaries
|
||||
in which the `Action` value is `EvaluateConnection`. The system evaluates
|
||||
these dictionaries in order and the first dictionary that matches
|
||||
determines the behavior.
|
||||
subkeys:
|
||||
- key: ActionParameter
|
||||
title: Action parameter
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
|
||||
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
|
||||
subkeys:
|
||||
- key: Domains
|
||||
title: Domains
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The domains to apply this evaluation.
|
||||
subkeys:
|
||||
- key: DomainsElement
|
||||
title: Domains element
|
||||
type: <string>
|
||||
- key: DomainAction
|
||||
title: Domain action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- ConnectIfNeeded
|
||||
- NeverConnect
|
||||
content: |-
|
||||
Defines the VPN behavior for the specified domains. Allowed values are:
|
||||
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
|
||||
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
|
||||
- key: RequiredDNSServers
|
||||
title: Required DNS servers
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
subkeys:
|
||||
- key: RequiredDNSServersElement
|
||||
title: Required DNS servers element
|
||||
type: <string>
|
||||
- key: RequiredURLStringProbe
|
||||
title: Required URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
- key: DNSDomainMatch
|
||||
title: DNS domain match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
|
||||
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
|
||||
subkeys:
|
||||
- key: DNSDomainMatchElement
|
||||
title: DNS domain match element
|
||||
type: <string>
|
||||
- key: DNSServerAddressMatch
|
||||
title: DNS server address match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
|
||||
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
|
||||
subkeys:
|
||||
- key: DNSServerAddressMatchElement
|
||||
title: DNS server address match element
|
||||
type: <string>
|
||||
- key: InterfaceTypeMatch
|
||||
title: Interface type match
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Ethernet
|
||||
- WiFi
|
||||
- Cellular
|
||||
content: An interface type. If specified, this rule matches only if
|
||||
the primary network interface hardware matches the specified type.
|
||||
- key: SSIDMatch
|
||||
title: SSID match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
|
||||
Omit this key and the corresponding array to match against any SSID.
|
||||
subkeys:
|
||||
- key: SSIDMatchElement
|
||||
title: SSID match element
|
||||
type: <string>
|
||||
- key: URLStringProbe
|
||||
title: URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A URL to probe. This rule matches when this URL is successfully
|
||||
fetched (returns a `200` HTTP status code) without redirection.
|
||||
- key: UseConfigurationAttributeInternalIPSubnet
|
||||
title: Use IPv4 / IPv6 internal subnet attributes
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, negotiations should use IKEv2 Configuration Attribute
|
||||
`INTERNAL_IP4_SUBNET` and `INTERNAL_IP6_SUBNET`.
|
||||
- key: DisableMOBIKE
|
||||
title: Disable mobility and multihoming
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables MOBIKE.
|
||||
- key: DisableRedirect
|
||||
title: Disable redirect
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables IKEv2 redirect. If not set, the system
|
||||
redirects an IKEv2 connection when it receives a redirect request from the
|
||||
server.
|
||||
- key: EnableNATKeepAliveOffload
|
||||
title: Enable NAT keep alive offload
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: |-
|
||||
If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep.
|
||||
|
||||
NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key.
|
||||
- key: NATKeepAliveInterval
|
||||
title: NAT keepalive interval
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 20
|
||||
content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This
|
||||
value controls the interval that the device sends keepalive offload packets.
|
||||
The minimum value is 20 seconds. If no key is specified, the default is
|
||||
20 seconds over Wi-Fi and 110 seconds over a cellular interface.
|
||||
- key: EnablePFS
|
||||
title: Enable perfect forward secrecy
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections.
|
||||
- key: EnableCertificateRevocationCheck
|
||||
title: Enable certificate revocation check
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system performs a certificate revocation check for
|
||||
IKEv2 connections. This is a best-effort revocation check and server response
|
||||
timeouts won't cause it to fail.
|
||||
- key: EnableFallback
|
||||
title: Enable fallback
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN.
|
||||
|
||||
Enabling fallback requires that the server support multiple tunnels for a single user.
|
||||
- key: MTU
|
||||
title: Maximum transmission unit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 1280
|
||||
max: 1400
|
||||
default: 1280
|
||||
content: The Maximum Transmission Unit (MTU) specifies the maximum size in
|
||||
bytes of each packet that the system sends over the IKEv2 VPN interface.
|
||||
- key: EnforceStrictAlgorithmSelection
|
||||
title: Enforce strict algorithm selection
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman
|
||||
groups less than 14. Also the device requires the encryption algorithm specified
|
||||
in `IKESecurityAssociationParameters` to be at least as cryptographically
|
||||
strong as the algorithm specified in `ChildSecurityAssociationParameters`.
|
||||
The device rejects this configuration if these requirements aren't met.
|
||||
- key: PostQuantumKeyExchange
|
||||
title: Post quantum key exchange
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Post Quantum Key Exchange settings.
|
||||
subkeys:
|
||||
- key: PPK
|
||||
title: Post-quantum pre-shared key
|
||||
type: <data>
|
||||
presence: optional
|
||||
content: The Post-quantum Pre-shared key (PPK) the device uses for this
|
||||
VPN. This key is is used with VPN servers that support RFC 8784. If this
|
||||
key is present `PPKIdentifier` must also be present.
|
||||
- key: PPKIdentifier
|
||||
title: Post-quantum pre-shared key identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The identifier for the Post-quantum Pre-shared key (PPK) the device
|
||||
uses for this VPN. This key is is used with VPN servers that support RFC
|
||||
8784. If this key is present `PPK` must also be present.
|
||||
- key: PPKMandatory
|
||||
title: Post-quantum pre-shared key mandatory
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to `true`, the VPN doesn't establish a connection if the
|
||||
server doesn't support RFC 8784 or doesn't accept the PPK identifier specified
|
||||
in `PPKIdentifier`. The device ignores this key if `PPK` and `PPKIdentifier`
|
||||
aren't present.
|
||||
- key: AllowFallback
|
||||
title: Allow post-quantum key exchange fallback
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to `false`, the VPN doesn't establish a connection if the
|
||||
server doesn't support or doesn't allow post-quantum key exchanges. Thd
|
||||
device ignores this key if `PostQuantumKeyExchangeMethods` isn't present
|
||||
in `IKESecurityAssociationParameters` or `ChildSecurityAssociationParameters`.
|
||||
- key: IKESecurityAssociationParameters
|
||||
title: IKE security association parameters
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters`
|
||||
is specified.
|
||||
subkeytype: SecurityAssociationParameters
|
||||
subkeys: &id001
|
||||
- key: EncryptionAlgorithm
|
||||
title: Encryption algorithm
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- AES-128
|
||||
- AES-256
|
||||
- AES-128-GCM
|
||||
- AES-256-GCM
|
||||
- ChaCha20Poly1305
|
||||
default: AES-256
|
||||
content: |-
|
||||
The encryption algorithm.
|
||||
|
||||
In tvOS the default value is `AES-256-GCM`.
|
||||
- key: IntegrityAlgorithm
|
||||
title: Integrity algorithm
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- SHA2-256
|
||||
- SHA2-384
|
||||
- SHA2-512
|
||||
default: SHA2-256
|
||||
content: The integrity algorithm.
|
||||
- key: DiffieHellmanGroup
|
||||
title: Diffie hellman group
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- 14
|
||||
- 15
|
||||
- 16
|
||||
- 17
|
||||
- 18
|
||||
- 19
|
||||
- 20
|
||||
- 21
|
||||
- 31
|
||||
- 32
|
||||
default: 14
|
||||
content: |-
|
||||
The Diffie-Hellman group.
|
||||
|
||||
For `AlwaysOn` VPN, the minimum allowed value is `14`.
|
||||
- key: PostQuantumKeyExchangeMethods
|
||||
title: Post-quantum key exchange methods
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of integers representing postquantum key exchange methods
|
||||
the device uses during SA establishment and rekey. You can specify up
|
||||
to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370.
|
||||
subkeys:
|
||||
- key: PostQuantumKeyExchangeMethod
|
||||
title: Post-quantum key exchange method
|
||||
type: <integer>
|
||||
rangelist:
|
||||
- 0
|
||||
- 36
|
||||
- 37
|
||||
- key: LifeTimeInMinutes
|
||||
title: Life time in minutes
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 10
|
||||
max: 1440
|
||||
default: 1440
|
||||
content: The SA lifetime (rekey interval) in minutes.
|
||||
- key: ChildSecurityAssociationParameters
|
||||
title: Child security association parameters
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The `ChildSecurityAssociationParameters` dictionaries.
|
||||
subkeytype: SecurityAssociationParameters
|
||||
subkeys: *id001
|
||||
- key: ServiceExceptions
|
||||
title: Service exceptions
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array that contains an arbitrary number of service exceptions.
|
||||
subkeys:
|
||||
- key: ServiceExceptionElement
|
||||
title: A service exception element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: ServiceName
|
||||
title: Service name
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- VoiceMail
|
||||
- AirPrint
|
||||
- CellularServices
|
||||
- DeviceCommunication
|
||||
content: |-
|
||||
The name of a service that's exempt from Always On VPN.
|
||||
|
||||
`CellularServices` exempts `VoLTE`, `IMS`, `MMS`, and Wi-Fi calling.
|
||||
|
||||
`DeviceCommunication` exempts network traffic used for communicating with devices connected via USB or Wi-Fi.
|
||||
- key: Action
|
||||
title: Action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Allow
|
||||
- Drop
|
||||
content: The action to take with network connections from the named service.
|
||||
- key: ApplicationExceptions
|
||||
title: Application exceptions
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array that contains an arbitrary number of apps whose connections occur
|
||||
outside the VPN.
|
||||
subkeys:
|
||||
- key: ApplicationExceptionElement
|
||||
title: A application exception element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: BundleIdentifier
|
||||
title: Bundle identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The app's bundle identifier.
|
||||
- key: LimitToProtocols
|
||||
title: Limit to protocols
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: Limit the exception to only the specified list of protocols, with support
|
||||
for `UDP` only.
|
||||
subkeys:
|
||||
- key: LimitToProtocolElement
|
||||
title: Limit to protocol element
|
||||
type: <string>
|
||||
rangelist:
|
||||
- UDP
|
||||
- key: AllowCaptiveWebSheet
|
||||
title: Allow captive web sheet
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, allows traffic from Captive Web Sheet outside the VPN tunnel.
|
||||
- key: AllowAllCaptiveNetworkPlugins
|
||||
title: Allow all captive network plugins
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, allows traffic from all captive networking apps outside the
|
||||
VPN tunnel to perform captive network handling.
|
||||
- key: AllowedCaptiveNetworkPlugins
|
||||
title: Allowed captive network plugins
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The array of captive networking apps whose traffic is allowed outside the
|
||||
VPN tunnel, to perform captive network handling. Used only when `AllowAllCaptiveNetworkPlugins`
|
||||
is `false`.
|
||||
subkeys:
|
||||
- key: AllowedCaptiveNetworkPluginElement
|
||||
title: An allowed captive network plugin element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: BundleIdentifier
|
||||
title: Bundle identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The bundle identifier for the app that's allowed on the captive network.
|
||||
- key: DNS
|
||||
title: DNS
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary to use for all VPN types.
|
||||
subkeys:
|
||||
- key: Protocol
|
||||
title: DNS protocol
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Cleartext
|
||||
- HTTPS
|
||||
- TLS
|
||||
content: The transport protocol to communicate with the DNS server.
|
||||
- key: ServerURL
|
||||
title: Server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
|
||||
which needs to use the `https://` scheme. The system uses the hostname or address
|
||||
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
|
||||
the system uses the hostname or address in the URL to determine the server addresses.
|
||||
This key is required if the `DNSProtocol` is `HTTPS`.
|
||||
- key: ServerName
|
||||
title: Server name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The hostname of a DNS-over-TLS server to validate the server certificate,
|
||||
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
|
||||
the hostname to determine the server addresses. This key is required if the
|
||||
`DNSProtocol` is `TLS`.
|
||||
- key: ServerAddresses
|
||||
title: DNS server addresses
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The array of DNS server IP address strings. These IP addresses can be
|
||||
a mixture of IPv4 and IPv6 addresses.
|
||||
subkeys:
|
||||
- key: ServerAddressesElement
|
||||
title: Server address element
|
||||
type: <string>
|
||||
- key: SearchDomains
|
||||
title: DNS search domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of domain strings used to fully qualify single-label host names.
|
||||
subkeys:
|
||||
- key: SearchDomainsElement
|
||||
title: Search domains element
|
||||
type: <string>
|
||||
- key: DomainName
|
||||
title: Domain name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The primary domain of the tunnel.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
|
||||
|
||||
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
|
||||
|
||||
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
|
||||
subkeys: &id002
|
||||
- key: SupplementalMatchDomainsElement
|
||||
title: Supplemental match domains element
|
||||
type: <string>
|
||||
- key: SupplementalMatchDomainsNoSearch
|
||||
title: Supplemental match domains no search
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
|
||||
list to the resolver's list of search domains.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that the system uses to authenticate the user to the DNS resolver.
|
||||
- key: Proxies
|
||||
title: Proxies
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure `Proxies` for use with `VPN`.
|
||||
subkeys:
|
||||
- key: AutoConfigEnable
|
||||
title: Proxy auto config enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables automatic proxy configuration.
|
||||
- key: AutoDiscoveryEnable
|
||||
title: Proxy auto discovery enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, enables proxy auto discovery.
|
||||
- key: AutoConfigURLString
|
||||
title: Proxy server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL to the location of the proxy auto-configuration file. Used only
|
||||
when `ProxyAutoConfigEnable` is `true`.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of domains that defines which hosts use proxy settings for hosts.
|
||||
subkeys: *id002
|
||||
- key: Protocol
|
||||
title: Protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure HTTP servers for `Proxies` for use
|
||||
with `VPN`.
|
||||
subkeys:
|
||||
- key: HTTP
|
||||
title: HTTP protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTP (non-TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTP
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTP traffic.
|
||||
- key: HostName
|
||||
title: HTTP host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTP proxy.
|
||||
- key: Port
|
||||
title: HTTP port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTP proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: HTTPS
|
||||
title: HTTPS protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTPS (TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTPS
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTPS traffic.
|
||||
- key: HostName
|
||||
title: HTTPS host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTPS proxy.
|
||||
- key: Port
|
||||
title: HTTPS port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTPS proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the proxy server.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up an always-on IKEv2 VPN for both Cellular
|
||||
and Wi-Fi interfaces using certificate authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.always-on/example1.json
|
||||
@@ -0,0 +1,854 @@
|
||||
title: Network:VPN:IKEV2
|
||||
description: The declaration to configure a VPN using the IKEv2 sub-type.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.vpn.ikev2
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the VPN connection that the system displays on the device.
|
||||
- key: HostName
|
||||
title: Host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The IP address or hostname of the VPN server.
|
||||
- key: LocalIdentifier
|
||||
title: Local identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Identifier of the IKEv2 client.
|
||||
- key: RemoteIdentifier
|
||||
title: Remote identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The remote identifier.
|
||||
- key: Authentication
|
||||
title: Authentication details
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: Method
|
||||
title: Authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- None
|
||||
- SharedSecret
|
||||
- Certificate
|
||||
content: |-
|
||||
The type of authentication method for the VPN.
|
||||
|
||||
To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `true`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(password) to authenticate with the VPN server. Required when `Authentication.Method`
|
||||
is set to `SharedSecret`.
|
||||
- key: IdentityCertificateType
|
||||
title: Certificate type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- RSA
|
||||
- ECDSA256
|
||||
- ECDSA384
|
||||
- ECDSA521
|
||||
- RSA-PSS
|
||||
default: RSA
|
||||
content: The type of key used by the identity set in the `IdentityAssetReference`
|
||||
to use for IKEv2 machine authentication. If this key is included, the system
|
||||
requires a value for `ServerCertificateIssuerCommonName`.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that this account requires to authenticate with the VPN server. If the value
|
||||
of `AuthenticationMethod` is `Certificate`, the system sends this certificate
|
||||
out for IKEv2 machine authentication. If extended authentication (EAP) is used,
|
||||
the system sends this certificate out for EAP-TLS authentication. Required when
|
||||
`Authentication.Method` is set to `Certificate`.
|
||||
- key: ExtendedAuth
|
||||
title: Extended authentication (EAP)
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the VPN routes different types of network
|
||||
traffic.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables EAP-only authentication.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the VPN server. Required when
|
||||
`Enabled` is set to `true`. Implies the use of EAP-MSCHAPv2.
|
||||
- key: ServerCertificateIssuerCommonName
|
||||
title: Server certificate issuer common name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: Common Name of the server certificate issuer. If set, this field causes
|
||||
IKE to send a certificate request based on this certificate issuer to the
|
||||
server. This key is required if the `IdentityCertificateType` key is included
|
||||
and the `ExtendedAuth.Enabled` key is `true`.
|
||||
- key: ServerCertificateCommonName
|
||||
title: Server certificate common name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The common name of the server certificate. The system uses this name
|
||||
to validate the certificate sent by the IKE server. If not set, the system
|
||||
uses the remote identifier to validate the certificate.
|
||||
- key: TLSMinimumVersion
|
||||
title: TLS minimum version
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- '1.0'
|
||||
- '1.1'
|
||||
- '1.2'
|
||||
- '1.3'
|
||||
default: '1.0'
|
||||
content: The minimum TLS version to use with EAP-TLS authentication.
|
||||
- key: TLSMaximumVersion
|
||||
title: TLS maximum version
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- '1.0'
|
||||
- '1.1'
|
||||
- '1.2'
|
||||
- '1.3'
|
||||
default: '1.2'
|
||||
content: The maximum TLS version to use with EAP-TLS authentication.
|
||||
- key: Provider
|
||||
title: Provider details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about the provider.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- packet-tunnel
|
||||
- app-proxy
|
||||
default: packet-tunnel
|
||||
content: The type of VPN service. If the value is `app-proxy`, the service tunnels
|
||||
traffic at the app level. If the value is `packet-tunnel`, the service tunnels
|
||||
traffic at the IP layer.
|
||||
- key: ComposedIdentifier
|
||||
title: Composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
|
||||
- key: NetworkRouting
|
||||
title: Network routing details
|
||||
supportedOS:
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the VPN routes different types of network traffic.
|
||||
subkeys:
|
||||
- key: EnforceRoutes
|
||||
title: Enforce routes
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
|
||||
|
||||
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
|
||||
- key: IncludeAllNetworks
|
||||
title: Include all networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
|
||||
|
||||
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
|
||||
- Traffic necessary for connecting to captive networks.
|
||||
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
|
||||
- key: ExcludeLocalNetworks
|
||||
title: Exclude local networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, routes all local network
|
||||
traffic outside the VPN.
|
||||
- key: ExcludeCellularServices
|
||||
title: Exclude cellular services
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling,
|
||||
IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers
|
||||
route cellular services traffic directly to the carrier network, bypassing the
|
||||
internet. Such cellular services traffic is always excluded from the tunnel.
|
||||
- key: ExcludeAPNs
|
||||
title: Exclude APNs
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
the network traffic for the Apple Push Notification service (APNs) from the
|
||||
tunnel.
|
||||
- key: ExcludeDeviceCommunication
|
||||
title: Exclude device communication
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device
|
||||
excludes network traffic used for communicating with devices connected via USB
|
||||
or Wi-Fi from the tunnel.
|
||||
- key: Idle
|
||||
title: Disconnect on idle settings.
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system handles idle VPN connections.
|
||||
subkeys:
|
||||
- key: Disconnect
|
||||
title: Enable disconnect on idle
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, disconnects after an on-demand connection idles.
|
||||
- key: Timer
|
||||
title: Disconnect on idle time
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The length of time to wait, in seconds, before disconnecting an on-demand
|
||||
connection.
|
||||
- key: DeadPeerDetectionRate
|
||||
title: Dead peer detection rate
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Low
|
||||
- Medium
|
||||
- High
|
||||
default: Medium
|
||||
content: |-
|
||||
One of the following:
|
||||
|
||||
- `None`: No keepalive.
|
||||
- `Low`: Send keepalive every 30 minutes.
|
||||
- `Medium`: Send keepalive every 10 minutes.
|
||||
- `High`: Send keepalive every 1 minute.
|
||||
- key: OnDemand
|
||||
title: On demand details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system controls on-demand VPN.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable VPN on demand
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables VPN On Demand.
|
||||
- key: DisableUserOverride
|
||||
title: Prevent users from toggling VPN on demand
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device disables the Connect On Demand toggle in Settings
|
||||
for this configuration.
|
||||
- key: Rules
|
||||
title: On demand rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries defining On Demand Rules.
|
||||
subkeytype: RulesElement
|
||||
subkeys:
|
||||
- key: RulesElement
|
||||
title: Rules element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: Action
|
||||
title: On demand action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Allow
|
||||
- Connect
|
||||
- Disconnect
|
||||
- EvaluateConnection
|
||||
- Ignore
|
||||
content: |-
|
||||
The action to take if this dictionary matches the current network. Possible values are:
|
||||
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
|
||||
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
|
||||
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
|
||||
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
|
||||
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
|
||||
- key: ActionParameters
|
||||
title: Action parameters
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
|
||||
dictionary, but evaluated on each connection instead of when the network
|
||||
changes. This value is only for use with dictionaries in which the `Action`
|
||||
value is `EvaluateConnection`. The system evaluates these dictionaries in
|
||||
order and the first dictionary that matches determines the behavior.
|
||||
subkeys:
|
||||
- key: ActionParameter
|
||||
title: Action parameter
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
|
||||
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
|
||||
subkeys:
|
||||
- key: Domains
|
||||
title: Domains
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The domains to apply this evaluation.
|
||||
subkeys:
|
||||
- key: DomainsElement
|
||||
title: Domains element
|
||||
type: <string>
|
||||
- key: DomainAction
|
||||
title: Domain action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- ConnectIfNeeded
|
||||
- NeverConnect
|
||||
content: |-
|
||||
Defines the VPN behavior for the specified domains. Allowed values are:
|
||||
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
|
||||
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
|
||||
- key: RequiredDNSServers
|
||||
title: Required DNS servers
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
subkeys:
|
||||
- key: RequiredDNSServersElement
|
||||
title: Required DNS servers element
|
||||
type: <string>
|
||||
- key: RequiredURLStringProbe
|
||||
title: Required URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
- key: DNSDomainMatch
|
||||
title: DNS domain match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
|
||||
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
|
||||
subkeys:
|
||||
- key: DNSDomainMatchElement
|
||||
title: DNS domain match element
|
||||
type: <string>
|
||||
- key: DNSServerAddressMatch
|
||||
title: DNS server address match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
|
||||
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
|
||||
subkeys:
|
||||
- key: DNSServerAddressMatchElement
|
||||
title: DNS server address match element
|
||||
type: <string>
|
||||
- key: InterfaceTypeMatch
|
||||
title: Interface type match
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Ethernet
|
||||
- WiFi
|
||||
- Cellular
|
||||
content: An interface type. If specified, this rule matches only if the primary
|
||||
network interface hardware matches the specified type.
|
||||
- key: SSIDMatch
|
||||
title: SSID match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
|
||||
Omit this key and the corresponding array to match against any SSID.
|
||||
subkeys:
|
||||
- key: SSIDMatchElement
|
||||
title: SSID match element
|
||||
type: <string>
|
||||
- key: URLStringProbe
|
||||
title: URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A URL to probe. This rule matches when this URL is successfully fetched
|
||||
(returns a `200` HTTP status code) without redirection.
|
||||
- key: UseConfigurationAttributeInternalIPSubnet
|
||||
title: Use IPv4 / IPv6 internal subnet attributes
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET`
|
||||
and `INTERNAL_IP6_SUBNET`.
|
||||
- key: DisableMOBIKE
|
||||
title: Disable mobility and multihoming
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables MOBIKE.
|
||||
- key: DisableRedirect
|
||||
title: Disable redirect
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system disables IKEv2 redirect. If not set, the system redirects
|
||||
an IKEv2 connection when it receives a redirect request from the server.
|
||||
- key: EnableNATKeepAliveOffload
|
||||
title: Enable NAT keep alive offload
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: |-
|
||||
If `true`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `true`, the system offloads keepalive packets to hardware while the device is asleep.
|
||||
|
||||
NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key.
|
||||
- key: NATKeepAliveInterval
|
||||
title: NAT keepalive interval
|
||||
type: <integer>
|
||||
presence: optional
|
||||
default: 20
|
||||
content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This value
|
||||
controls the interval that the device sends keepalive offload packets. The minimum
|
||||
value is 20 seconds. If no key is specified, the default is 20 seconds over Wi-Fi
|
||||
and 110 seconds over a cellular interface.
|
||||
- key: EnablePFS
|
||||
title: Enable perfect forward secrecy
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections.
|
||||
- key: EnableCertificateRevocationCheck
|
||||
title: Enable certificate revocation check
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system performs a certificate revocation check for IKEv2
|
||||
connections. This is a best-effort revocation check and server response timeouts
|
||||
won't cause it to fail.
|
||||
- key: EnableFallback
|
||||
title: Enable fallback
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN.
|
||||
|
||||
Enabling fallback requires that the server support multiple tunnels for a single user.
|
||||
- key: MTU
|
||||
title: Maximum transmission unit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 1280
|
||||
max: 1400
|
||||
default: 1280
|
||||
content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes
|
||||
of each packet that the system sends over the IKEv2 VPN interface.
|
||||
- key: EnforceStrictAlgorithmSelection
|
||||
title: Enforce strict algorithm selection
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to `true`, the device doesn't allow DES, 3DES, and Diffie-Hellman
|
||||
groups less than 14. Also the device requires the encryption algorithm specified
|
||||
in `IKESecurityAssociationParameters` to be at least as cryptographically strong
|
||||
as the algorithm specified in `ChildSecurityAssociationParameters`. The device
|
||||
rejects this configuration if these requirements aren't met.
|
||||
- key: PostQuantumKeyExchange
|
||||
title: Post quantum key exchange
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Post Quantum Key Exchange settings.
|
||||
subkeys:
|
||||
- key: PPK
|
||||
title: Post-quantum pre-shared key
|
||||
type: <data>
|
||||
presence: optional
|
||||
content: The Post-quantum Pre-shared key (PPK) the device uses for this VPN. This
|
||||
key is is used with VPN servers that support RFC 8784. If this key is present
|
||||
`PPKIdentifier` must also be present.
|
||||
- key: PPKIdentifier
|
||||
title: Post-quantum pre-shared key identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The identifier for the Post-quantum Pre-shared key (PPK) the device uses
|
||||
for this VPN. This key is is used with VPN servers that support RFC 8784. If
|
||||
this key is present `PPK` must also be present.
|
||||
- key: PPKMandatory
|
||||
title: Post-quantum pre-shared key mandatory
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to `true`, the VPN doesn't establish a connection if the server
|
||||
doesn't support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`.
|
||||
The device ignores this key if `PPK` and `PPKIdentifier` aren't present.
|
||||
- key: AllowFallback
|
||||
title: Allow post-quantum key exchange fallback
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If set to `false`, the VPN doesn't establish a connection if the server
|
||||
doesn't support or doesn't allow post-quantum key exchanges. Thd device ignores
|
||||
this key if `PostQuantumKeyExchangeMethods` isn't present in `IKESecurityAssociationParameters`
|
||||
or `ChildSecurityAssociationParameters`.
|
||||
- key: IKESecurityAssociationParameters
|
||||
title: IKE security association parameters
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: These parameters apply to Child Security Association unless `ChildSecurityAssociationParameters`
|
||||
is specified.
|
||||
subkeytype: SecurityAssociationParameters
|
||||
subkeys: &id001
|
||||
- key: EncryptionAlgorithm
|
||||
title: Encryption algorithm
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- AES-128
|
||||
- AES-256
|
||||
- AES-128-GCM
|
||||
- AES-256-GCM
|
||||
- ChaCha20Poly1305
|
||||
default: AES-256
|
||||
content: |-
|
||||
The encryption algorithm.
|
||||
|
||||
On tvOS, the default value is `AES-256-GCM`.
|
||||
- key: IntegrityAlgorithm
|
||||
title: Integrity algorithm
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- SHA2-256
|
||||
- SHA2-384
|
||||
- SHA2-512
|
||||
default: SHA2-256
|
||||
content: The integrity algorithm.
|
||||
- key: DiffieHellmanGroup
|
||||
title: Diffie hellman group
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- 14
|
||||
- 15
|
||||
- 16
|
||||
- 17
|
||||
- 18
|
||||
- 19
|
||||
- 20
|
||||
- 21
|
||||
- 31
|
||||
- 32
|
||||
default: 14
|
||||
content: |-
|
||||
The Diffie-Hellman group.
|
||||
|
||||
For `AlwaysOn` VPN, the minimum allowed value is `14`.
|
||||
- key: PostQuantumKeyExchangeMethods
|
||||
title: Post-quantum key exchange methods
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of integers representing postquantum key exchange methods the
|
||||
device uses during SA establishment and rekey. You can specify up to seven items,
|
||||
which correspond to ADDKE1 - ADDKE7 from RFC 9370.
|
||||
subkeys:
|
||||
- key: PostQuantumKeyExchangeMethod
|
||||
title: Post-quantum key exchange method
|
||||
type: <integer>
|
||||
rangelist:
|
||||
- 0
|
||||
- 36
|
||||
- 37
|
||||
- key: LifeTimeInMinutes
|
||||
title: Life time in minutes
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 10
|
||||
max: 1440
|
||||
default: 1440
|
||||
content: The SA lifetime (rekey interval) in minutes.
|
||||
- key: ChildSecurityAssociationParameters
|
||||
title: Child security association parameters
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The `ChildSecurityAssociationParameters` dictionaries.
|
||||
subkeytype: SecurityAssociationParameters
|
||||
subkeys: *id001
|
||||
- key: DNS
|
||||
title: DNS
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary to use for all VPN types.
|
||||
subkeys:
|
||||
- key: Protocol
|
||||
title: DNS protocol
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Cleartext
|
||||
- HTTPS
|
||||
- TLS
|
||||
content: The transport protocol to communicate with the DNS server.
|
||||
- key: ServerURL
|
||||
title: Server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
|
||||
which needs to use the `https://` scheme. The system uses the hostname or address
|
||||
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
|
||||
the system uses the hostname or address in the URL to determine the server addresses.
|
||||
This key is required if the `DNSProtocol` is `HTTPS`.
|
||||
- key: ServerName
|
||||
title: Server name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The hostname of a DNS-over-TLS server to validate the server certificate,
|
||||
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
|
||||
the hostname to determine the server addresses. This key is required if the
|
||||
`DNSProtocol` is `TLS`.
|
||||
- key: ServerAddresses
|
||||
title: DNS server addresses
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The array of DNS server IP address strings. These IP addresses can be
|
||||
a mixture of IPv4 and IPv6 addresses.
|
||||
subkeys:
|
||||
- key: ServerAddressesElement
|
||||
title: Server address element
|
||||
type: <string>
|
||||
- key: SearchDomains
|
||||
title: DNS search domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of domain strings used to fully qualify single-label host names.
|
||||
subkeys:
|
||||
- key: SearchDomainsElement
|
||||
title: Search domains element
|
||||
type: <string>
|
||||
- key: DomainName
|
||||
title: Domain name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The primary domain of the tunnel.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
|
||||
|
||||
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
|
||||
|
||||
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
|
||||
subkeys: &id002
|
||||
- key: SupplementalMatchDomainsElement
|
||||
title: Supplemental match domains element
|
||||
type: <string>
|
||||
- key: SupplementalMatchDomainsNoSearch
|
||||
title: Supplemental match domains no search
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
|
||||
list to the resolver's list of search domains.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that the system uses to authenticate the user to the DNS resolver.
|
||||
- key: Proxies
|
||||
title: Proxies
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure `Proxies` for use with `VPN`.
|
||||
subkeys:
|
||||
- key: AutoConfigEnable
|
||||
title: Proxy auto config enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables automatic proxy configuration.
|
||||
- key: AutoDiscoveryEnable
|
||||
title: Proxy auto discovery enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, enables proxy auto discovery.
|
||||
- key: AutoConfigURLString
|
||||
title: Proxy server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL to the location of the proxy auto-configuration file. Used only
|
||||
when `ProxyAutoConfigEnable` is `true`.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of domains that defines which hosts use proxy settings for hosts.
|
||||
subkeys: *id002
|
||||
- key: Protocol
|
||||
title: Protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure HTTP servers for `Proxies` for use
|
||||
with `VPN`.
|
||||
subkeys:
|
||||
- key: HTTP
|
||||
title: HTTP protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTP (non-TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTP
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTP traffic.
|
||||
- key: HostName
|
||||
title: HTTP host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTP proxy.
|
||||
- key: Port
|
||||
title: HTTP port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTP proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: HTTPS
|
||||
title: HTTPS protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTPS (TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTPS
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTPS traffic.
|
||||
- key: HostName
|
||||
title: HTTPS host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTPS proxy.
|
||||
- key: Port
|
||||
title: HTTPS port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTPS proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the proxy server.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Shared secret
|
||||
description: This configuration sets up an IKEv2 VPN using a shared-secret credential
|
||||
asset for authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.ikev2/example1.json
|
||||
- tab: Certificate
|
||||
description: This configuration sets up an IKEv2 VPN using certificate-based machine
|
||||
authentication and EAP-MSCHAPv2 for extended user authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.ikev2/example2.json
|
||||
@@ -0,0 +1,509 @@
|
||||
title: Network:VPN:IPSec
|
||||
description: The declaration to configure a VPN using the IPSec sub-type.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.vpn.ipsec
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the VPN connection that the system displays on the device.
|
||||
- key: HostName
|
||||
title: Host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The IP address or hostname of the VPN server.
|
||||
- key: OverridePrimary
|
||||
title: Override primary connection
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system sends all network traffic over VPN.
|
||||
- key: Authentication
|
||||
title: Authentication details
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: Method
|
||||
title: Authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- SharedSecret
|
||||
- Certificate
|
||||
content: The authentication method to use.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of an asset declaration that contains the credentials
|
||||
(password) to authenticate with the VPN servers.
|
||||
|
||||
Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `SharedSecret`.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: |-
|
||||
The identifier of a credential asset declaration that contains the identity
|
||||
that this account requires to authenticate with the VPN servers.
|
||||
|
||||
Only use this with Cisco IPSec VPNs and if the `Authentication.Method` key is to `Certificate`.
|
||||
- key: LocalIdentifier
|
||||
title: Local identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The name of the group. For hybrid authentication, the string needs to end with "hybrid".
|
||||
|
||||
Present only for Cisco IPSec if `Authentication.Method` is `SharedSecret`.
|
||||
- key: LocalIdentifierType
|
||||
title: Local identifier type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- KeyID
|
||||
default: KeyID
|
||||
content: Present only if `Authentication.Method` is `SharedSecret`. The value
|
||||
is `KeyID`. The system uses this value for Cisco IPSec VPNs.
|
||||
- key: PromptForVPNPIN
|
||||
title: Prompt for PIN
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs.
|
||||
- key: XAuth
|
||||
title: XAuth details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control XAuth.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: XAuth enabled
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, enables Xauth for Cisco IPSec VPNs.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) required for XAuth. Required when `Enabled` key is
|
||||
set to `true`.
|
||||
- key: PasswordEncryption
|
||||
title: XAuth password encryption
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Prompt
|
||||
content: A string that either has the value `Prompt` or isn't present.
|
||||
- key: Idle
|
||||
title: Disconnect on idle settings.
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system handles idle VPN connections.
|
||||
subkeys:
|
||||
- key: Disconnect
|
||||
title: Enable disconnect on idle
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, disconnects after an on-demand connection idles.
|
||||
- key: Timer
|
||||
title: Disconnect on idle time
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The length of time to wait, in seconds, before disconnecting an on-demand
|
||||
connection.
|
||||
- key: OnDemand
|
||||
title: On demand details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system controls on-demand VPN.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable VPN on demand
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables VPN On Demand.
|
||||
- key: DisableUserOverride
|
||||
title: Prevent users from toggling VPN on demand
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device disables the Connect On Demand toggle in Settings
|
||||
for this configuration.
|
||||
- key: Rules
|
||||
title: On demand rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries defining On Demand Rules.
|
||||
subkeytype: RulesElement
|
||||
subkeys:
|
||||
- key: RulesElement
|
||||
title: Rules element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: Action
|
||||
title: On demand action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Allow
|
||||
- Connect
|
||||
- Disconnect
|
||||
- EvaluateConnection
|
||||
- Ignore
|
||||
content: |-
|
||||
The action to take if this dictionary matches the current network. Possible values are:
|
||||
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
|
||||
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
|
||||
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
|
||||
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
|
||||
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
|
||||
- key: ActionParameters
|
||||
title: Action parameters
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
|
||||
dictionary, but evaluated on each connection instead of when the network
|
||||
changes. This value is only for use with dictionaries in which the `Action`
|
||||
value is `EvaluateConnection`. The system evaluates these dictionaries in
|
||||
order and the first dictionary that matches determines the behavior.
|
||||
subkeys:
|
||||
- key: ActionParameter
|
||||
title: Action parameter
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
|
||||
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
|
||||
subkeys:
|
||||
- key: Domains
|
||||
title: Domains
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The domains to apply this evaluation.
|
||||
subkeys:
|
||||
- key: DomainsElement
|
||||
title: Domains element
|
||||
type: <string>
|
||||
- key: DomainAction
|
||||
title: Domain action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- ConnectIfNeeded
|
||||
- NeverConnect
|
||||
content: |-
|
||||
Defines the VPN behavior for the specified domains. Allowed values are:
|
||||
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
|
||||
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
|
||||
- key: RequiredDNSServers
|
||||
title: Required DNS servers
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
subkeys:
|
||||
- key: RequiredDNSServersElement
|
||||
title: Required DNS servers element
|
||||
type: <string>
|
||||
- key: RequiredURLStringProbe
|
||||
title: Required URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
- key: DNSDomainMatch
|
||||
title: DNS domain match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
|
||||
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
|
||||
subkeys:
|
||||
- key: DNSDomainMatchElement
|
||||
title: DNS domain match element
|
||||
type: <string>
|
||||
- key: DNSServerAddressMatch
|
||||
title: DNS server address match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
|
||||
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
|
||||
subkeys:
|
||||
- key: DNSServerAddressMatchElement
|
||||
title: DNS server address match element
|
||||
type: <string>
|
||||
- key: InterfaceTypeMatch
|
||||
title: Interface type match
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Ethernet
|
||||
- WiFi
|
||||
- Cellular
|
||||
content: An interface type. If specified, this rule matches only if the primary
|
||||
network interface hardware matches the specified type.
|
||||
- key: SSIDMatch
|
||||
title: SSID match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
|
||||
Omit this key and the corresponding array to match against any SSID.
|
||||
subkeys:
|
||||
- key: SSIDMatchElement
|
||||
title: SSID match element
|
||||
type: <string>
|
||||
- key: URLStringProbe
|
||||
title: URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A URL to probe. This rule matches when this URL is successfully fetched
|
||||
(returns a `200` HTTP status code) without redirection.
|
||||
- key: DNS
|
||||
title: DNS
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary to use for all VPN types.
|
||||
subkeys:
|
||||
- key: Protocol
|
||||
title: DNS protocol
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Cleartext
|
||||
- HTTPS
|
||||
- TLS
|
||||
content: The transport protocol to communicate with the DNS server.
|
||||
- key: ServerURL
|
||||
title: Server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
|
||||
which needs to use the `https://` scheme. The system uses the hostname or address
|
||||
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
|
||||
the system uses the hostname or address in the URL to determine the server addresses.
|
||||
This key is required if the `DNSProtocol` is `HTTPS`.
|
||||
- key: ServerName
|
||||
title: Server name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The hostname of a DNS-over-TLS server to validate the server certificate,
|
||||
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
|
||||
the hostname to determine the server addresses. This key is required if the
|
||||
`DNSProtocol` is `TLS`.
|
||||
- key: ServerAddresses
|
||||
title: DNS server addresses
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The array of DNS server IP address strings. These IP addresses can be
|
||||
a mixture of IPv4 and IPv6 addresses.
|
||||
subkeys:
|
||||
- key: ServerAddressesElement
|
||||
title: Server address element
|
||||
type: <string>
|
||||
- key: SearchDomains
|
||||
title: DNS search domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of domain strings used to fully qualify single-label host names.
|
||||
subkeys:
|
||||
- key: SearchDomainsElement
|
||||
title: Search domains element
|
||||
type: <string>
|
||||
- key: DomainName
|
||||
title: Domain name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The primary domain of the tunnel.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
|
||||
|
||||
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
|
||||
|
||||
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
|
||||
subkeys: &id001
|
||||
- key: SupplementalMatchDomainsElement
|
||||
title: Supplemental match domains element
|
||||
type: <string>
|
||||
- key: SupplementalMatchDomainsNoSearch
|
||||
title: Supplemental match domains no search
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
|
||||
list to the resolver's list of search domains.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that the system uses to authenticate the user to the DNS resolver.
|
||||
- key: Proxies
|
||||
title: Proxies
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure `Proxies` for use with `VPN`.
|
||||
subkeys:
|
||||
- key: AutoConfigEnable
|
||||
title: Proxy auto config enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables automatic proxy configuration.
|
||||
- key: AutoDiscoveryEnable
|
||||
title: Proxy auto discovery enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, enables proxy auto discovery.
|
||||
- key: AutoConfigURLString
|
||||
title: Proxy server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL to the location of the proxy auto-configuration file. Used only
|
||||
when `ProxyAutoConfigEnable` is `true`.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of domains that defines which hosts use proxy settings for hosts.
|
||||
subkeys: *id001
|
||||
- key: Protocol
|
||||
title: Protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure HTTP servers for `Proxies` for use
|
||||
with `VPN`.
|
||||
subkeys:
|
||||
- key: HTTP
|
||||
title: HTTP protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTP (non-TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTP
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTP traffic.
|
||||
- key: HostName
|
||||
title: HTTP host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTP proxy.
|
||||
- key: Port
|
||||
title: HTTP port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTP proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: HTTPS
|
||||
title: HTTPS protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTPS (TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTPS
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTPS traffic.
|
||||
- key: HostName
|
||||
title: HTTPS host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTPS proxy.
|
||||
- key: Port
|
||||
title: HTTPS port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTPS proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the proxy server.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Shared secret
|
||||
description: This configuration sets up an IPSec VPN using a shared secret and
|
||||
group name for authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.ipsec/example1.json
|
||||
- tab: Certificate
|
||||
description: This configuration sets up an IPSec VPN using a certificate identity
|
||||
asset for authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.ipsec/example2.json
|
||||
@@ -0,0 +1,590 @@
|
||||
title: Network:VPN:VPN Plugin
|
||||
description: The declaration to configure a VPN using the VPN plugin sub-type.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.network.vpn.vpn-plugin
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the VPN connection that the system displays on the device.
|
||||
- key: HostName
|
||||
title: Host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The IP address or hostname of the VPN server.
|
||||
- key: SubType
|
||||
title: VPN subtype
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
An identifier for a vendor-specified configuration dictionary.
|
||||
|
||||
If the configuration targets a VPN solution that uses a VPN plugin, then this field contains the bundle identifier of the plugin. Here are some examples:
|
||||
|
||||
- Cisco AnyConnect: `com.cisco.anyconnect.applevpn.plugin`
|
||||
- Juniper SSL: `net.juniper.sslvpn`
|
||||
- F5 SSL: `com.f5.F5-Edge-Client.vpnplugin`
|
||||
- SonicWALL Mobile Connect: `com.sonicwall.SonicWALL-SSLVPN.vpnplugin`
|
||||
- ``Aruba VIA: `com.arubanetworks.aruba-via.vpnplugin`
|
||||
|
||||
If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
|
||||
- key: VendorConfig
|
||||
title: Vendor configuration dictionary
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The vendor-specific configuration dictionary, which the system reads only
|
||||
when `SubType` has a value.
|
||||
subkeys:
|
||||
- key: Realm
|
||||
title: Realm
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The Kerberos realm name, which needs to be properly capitalized. Valid
|
||||
only for Juniper SSL and Pulse Secure.
|
||||
- key: Role
|
||||
title: Role
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The role to select when connecting to the server. Valid only for Juniper
|
||||
SSL and Pulse Secure.
|
||||
- key: Group
|
||||
title: Group
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The group to connect to on the head end. Valid for Cisco AnyConnect and
|
||||
Cisco Legacy AnyConnect.
|
||||
- key: LoginGroupOrDomain
|
||||
title: Login group or domain
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The login group or domain. Valid only for SonicWALL Mobile Connect.
|
||||
- key: Authentication
|
||||
title: Authentication details
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: Method
|
||||
title: Authentication method
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Password
|
||||
- Certificate
|
||||
- Password+Certificate
|
||||
content: The authentication method to use.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the VPN server. Required when
|
||||
`Authentication.Method` is set to `Password`.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that this account requires to authenticate with the VPN server. Required when
|
||||
`Authentication.Method` is set to `Certificate`.
|
||||
- key: Provider
|
||||
title: Provider details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about the provider.
|
||||
subkeys:
|
||||
- key: Type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- packet-tunnel
|
||||
- app-proxy
|
||||
default: packet-tunnel
|
||||
content: The type of VPN service. If the value is `app-proxy`, the service tunnels
|
||||
traffic at the app level. If the value is `packet-tunnel`, the service tunnels
|
||||
traffic at the IP layer.
|
||||
- key: ComposedIdentifier
|
||||
title: Composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
If the `SubType` field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required.
|
||||
|
||||
In iOS, tvOS, and visionOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is either "Bundle-ID" or "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app" for the bundle ID format, or "com.example.app {anchor apple generic}" for the designated requirement format.
|
||||
- key: NetworkRouting
|
||||
title: Network routing details
|
||||
supportedOS:
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the VPN routes different types of network traffic.
|
||||
subkeys:
|
||||
- key: EnforceRoutes
|
||||
title: Enforce routes
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, all the VPN's non-default routes take precedence over any locally defined routes.
|
||||
|
||||
If `IncludeAllNetworks` is `true`, the system ignores the value of `EnforceRoutes`.
|
||||
- key: IncludeAllNetworks
|
||||
title: Include all networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: |-
|
||||
If `true`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:
|
||||
|
||||
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
|
||||
- Traffic necessary for connecting to captive networks.
|
||||
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
|
||||
- key: ExcludeLocalNetworks
|
||||
title: Exclude local networks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, routes all local network
|
||||
traffic outside the VPN.
|
||||
- key: ExcludeCellularServices
|
||||
title: Exclude cellular services
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling,
|
||||
IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers
|
||||
route cellular services traffic directly to the carrier network, bypassing the
|
||||
internet. Such cellular services traffic is always excluded from the tunnel.
|
||||
- key: ExcludeAPNs
|
||||
title: Exclude APNs
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true` and `IncludeAllNetworks` is `true`, then the system excludes
|
||||
the network traffic for the Apple Push Notification service (APNs) from the
|
||||
tunnel.
|
||||
- key: ExcludeDeviceCommunication
|
||||
title: Exclude device communication
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If set to `true` and `IncludeAllNetworks` is set to `true`, the device
|
||||
excludes network traffic used for communicating with devices connected via USB
|
||||
or Wi-Fi from the tunnel.
|
||||
- key: Idle
|
||||
title: Disconnect on idle settings.
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system handles idle VPN connections.
|
||||
subkeys:
|
||||
- key: Disconnect
|
||||
title: Enable disconnect on idle
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, disconnects after an on-demand connection idles.
|
||||
- key: Timer
|
||||
title: Disconnect on idle time
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The length of time to wait, in seconds, before disconnecting an on-demand
|
||||
connection.
|
||||
- key: OnDemand
|
||||
title: On demand details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Specifies details about how the system controls on-demand VPN.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable VPN on demand
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables VPN On Demand.
|
||||
- key: DisableUserOverride
|
||||
title: Prevent users from toggling VPN on demand
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device disables the Connect On Demand toggle in Settings
|
||||
for this configuration.
|
||||
- key: Rules
|
||||
title: On demand rules
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries defining On Demand Rules.
|
||||
subkeytype: RulesElement
|
||||
subkeys:
|
||||
- key: RulesElement
|
||||
title: Rules element
|
||||
type: <dictionary>
|
||||
subkeys:
|
||||
- key: Action
|
||||
title: On demand action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Allow
|
||||
- Connect
|
||||
- Disconnect
|
||||
- EvaluateConnection
|
||||
- Ignore
|
||||
content: |-
|
||||
The action to take if this dictionary matches the current network. Possible values are:
|
||||
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
|
||||
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
|
||||
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
|
||||
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
|
||||
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
|
||||
- key: ActionParameters
|
||||
title: Action parameters
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that provides rules similar to the `OnDemandRules`
|
||||
dictionary, but evaluated on each connection instead of when the network
|
||||
changes. This value is only for use with dictionaries in which the `Action`
|
||||
value is `EvaluateConnection`. The system evaluates these dictionaries in
|
||||
order and the first dictionary that matches determines the behavior.
|
||||
subkeys:
|
||||
- key: ActionParameter
|
||||
title: Action parameter
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
|
||||
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
|
||||
subkeys:
|
||||
- key: Domains
|
||||
title: Domains
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The domains to apply this evaluation.
|
||||
subkeys:
|
||||
- key: DomainsElement
|
||||
title: Domains element
|
||||
type: <string>
|
||||
- key: DomainAction
|
||||
title: Domain action
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- ConnectIfNeeded
|
||||
- NeverConnect
|
||||
content: |-
|
||||
Defines the VPN behavior for the specified domains. Allowed values are:
|
||||
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
|
||||
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
|
||||
- key: RequiredDNSServers
|
||||
title: Required DNS servers
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
subkeys:
|
||||
- key: RequiredDNSServersElement
|
||||
title: Required DNS servers element
|
||||
type: <string>
|
||||
- key: RequiredURLStringProbe
|
||||
title: Required URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
|
||||
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
|
||||
- key: DNSDomainMatch
|
||||
title: DNS domain match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
|
||||
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`.
|
||||
subkeys:
|
||||
- key: DNSDomainMatchElement
|
||||
title: DNS domain match element
|
||||
type: <string>
|
||||
- key: DNSServerAddressMatch
|
||||
title: DNS server address match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
|
||||
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet.
|
||||
subkeys:
|
||||
- key: DNSServerAddressMatchElement
|
||||
title: DNS server address match element
|
||||
type: <string>
|
||||
- key: InterfaceTypeMatch
|
||||
title: Interface type match
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- Ethernet
|
||||
- WiFi
|
||||
- Cellular
|
||||
content: An interface type. If specified, this rule matches only if the primary
|
||||
network interface hardware matches the specified type.
|
||||
- key: SSIDMatch
|
||||
title: SSID match
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
|
||||
Omit this key and the corresponding array to match against any SSID.
|
||||
subkeys:
|
||||
- key: SSIDMatchElement
|
||||
title: SSID match element
|
||||
type: <string>
|
||||
- key: URLStringProbe
|
||||
title: URL string probe
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A URL to probe. This rule matches when this URL is successfully fetched
|
||||
(returns a `200` HTTP status code) without redirection.
|
||||
- key: DNS
|
||||
title: DNS
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary to use for all VPN types.
|
||||
subkeys:
|
||||
- key: Protocol
|
||||
title: DNS protocol
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- Cleartext
|
||||
- HTTPS
|
||||
- TLS
|
||||
content: The transport protocol to communicate with the DNS server.
|
||||
- key: ServerURL
|
||||
title: Server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
|
||||
which needs to use the `https://` scheme. The system uses the hostname or address
|
||||
in the URL to validate the server certificate. If `ServerAddresses` isn't specified,
|
||||
the system uses the hostname or address in the URL to determine the server addresses.
|
||||
This key is required if the `DNSProtocol` is `HTTPS`.
|
||||
- key: ServerName
|
||||
title: Server name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The hostname of a DNS-over-TLS server to validate the server certificate,
|
||||
as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses
|
||||
the hostname to determine the server addresses. This key is required if the
|
||||
`DNSProtocol` is `TLS`.
|
||||
- key: ServerAddresses
|
||||
title: DNS server addresses
|
||||
type: <array>
|
||||
presence: required
|
||||
content: The array of DNS server IP address strings. These IP addresses can be
|
||||
a mixture of IPv4 and IPv6 addresses.
|
||||
subkeys:
|
||||
- key: ServerAddressesElement
|
||||
title: Server address element
|
||||
type: <string>
|
||||
- key: SearchDomains
|
||||
title: DNS search domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The list of domain strings used to fully qualify single-label host names.
|
||||
subkeys:
|
||||
- key: SearchDomainsElement
|
||||
title: Search domains element
|
||||
type: <string>
|
||||
- key: DomainName
|
||||
title: Domain name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The primary domain of the tunnel.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: |-
|
||||
The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
|
||||
|
||||
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
|
||||
|
||||
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list.
|
||||
subkeys: &id001
|
||||
- key: SupplementalMatchDomainsElement
|
||||
title: Supplemental match domains element
|
||||
type: <string>
|
||||
- key: SupplementalMatchDomainsNoSearch
|
||||
title: Supplemental match domains no search
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, don't append the domains in the `SupplementalMatchDomains`
|
||||
list to the resolver's list of search domains.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that the system uses to authenticate the user to the DNS resolver.
|
||||
- key: Proxies
|
||||
title: Proxies
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure `Proxies` for use with `VPN`.
|
||||
subkeys:
|
||||
- key: AutoConfigEnable
|
||||
title: Proxy auto config enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables automatic proxy configuration.
|
||||
- key: AutoDiscoveryEnable
|
||||
title: Proxy auto discovery enable
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
content: If `true`, enables proxy auto discovery.
|
||||
- key: AutoConfigURLString
|
||||
title: Proxy server URL
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The URL to the location of the proxy auto-configuration file. Used only
|
||||
when `ProxyAutoConfigEnable` is `true`.
|
||||
- key: SupplementalMatchDomains
|
||||
title: Supplemental match domains
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of domains that defines which hosts use proxy settings for hosts.
|
||||
subkeys: *id001
|
||||
- key: Protocol
|
||||
title: Protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure HTTP servers for `Proxies` for use
|
||||
with `VPN`.
|
||||
subkeys:
|
||||
- key: HTTP
|
||||
title: HTTP protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTP (non-TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTP
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTP traffic.
|
||||
- key: HostName
|
||||
title: HTTP host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTP proxy.
|
||||
- key: Port
|
||||
title: HTTP port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTP proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: HTTPS
|
||||
title: HTTPS protocol
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary to use to configure the HTTPS (TLS) server.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable HTTPS
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, enables proxy for HTTPS traffic.
|
||||
- key: HostName
|
||||
title: HTTPS host name
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The host name of the HTTPS proxy.
|
||||
- key: Port
|
||||
title: HTTPS port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0
|
||||
max: 65535
|
||||
content: The port number of the HTTPS proxy. This field is required if `HostName`
|
||||
is specified.
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the proxy server.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Password
|
||||
description: This configuration sets up a VPN plugin using username and password
|
||||
credentials from an asset.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example1.json
|
||||
- tab: Certificate
|
||||
description: This configuration sets up a VPN plugin using a certificate identity
|
||||
asset for authentication.
|
||||
file: examples/declarative/declarations/configurations/network.vpn.vpn-plugin/example2.json
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Package
|
||||
description: The declaration to install a package.
|
||||
description: The declaration to configure a package.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.package
|
||||
supportedOS:
|
||||
@@ -27,7 +27,7 @@ payloadkeys:
|
||||
The manifest is returned as a `ManifestURL` property list. The `url` property
|
||||
of the manifest must point to the package (.pkg) file to install.
|
||||
- key: InstallBehavior
|
||||
title: Install Behavior
|
||||
title: Install behavior
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that describes how and when to install the package.
|
||||
@@ -45,8 +45,29 @@ payloadkeys:
|
||||
|
||||
- `Optional`: The user can install the package after the system activates the configuration.
|
||||
- `Required`: The system installs the package after it activates the configuration.
|
||||
- key: UninstallBehavior
|
||||
title: Uninstall behavior
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that describes how to uninstall the package.
|
||||
subkeys:
|
||||
- key: Remove
|
||||
title: Remove
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system removes the files that the package installs when
|
||||
removing the configuration.
|
||||
notes:
|
||||
- title: ''
|
||||
content: This declaration installs a package on a device. Packages can contain apps,
|
||||
fonts, documents, and other items. Apps that a package installs aren't automatically
|
||||
managed; you can manage them using the `AppManaged` declaration.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration installs a required package.
|
||||
file: examples/declarative/declarations/configurations/package/example1.json
|
||||
|
||||
@@ -43,7 +43,7 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: RequirePasscode
|
||||
title: Require Passcode on Device
|
||||
title: Require passcode on device
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
@@ -52,7 +52,7 @@ payloadkeys:
|
||||
about the length or quality of the passcode. The presence of any other keys implicitly
|
||||
requires a passcode, and overrides this key's value.
|
||||
- key: RequireAlphanumericPasscode
|
||||
title: Require Alphanumeric Passcode
|
||||
title: Require alphanumeric passcode
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
@@ -67,7 +67,7 @@ payloadkeys:
|
||||
content: If `true`, the passcode needs to consist of at least one alphabetic character
|
||||
and at least one number.
|
||||
- key: RequireComplexPasscode
|
||||
title: Require Complex Passcode
|
||||
title: Require complex passcode
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
@@ -76,7 +76,7 @@ payloadkeys:
|
||||
one that doesn't contain repeated characters or increasing or decreasing characters
|
||||
(such as 123 or CBA).
|
||||
- key: MinimumLength
|
||||
title: Minimum Passcode Length
|
||||
title: Minimum passcode length
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -86,7 +86,7 @@ payloadkeys:
|
||||
combinetype: number-max
|
||||
content: The minimum number of characters a passcode can contain.
|
||||
- key: MinimumComplexCharacters
|
||||
title: Minimum Complex Characters
|
||||
title: Minimum complex characters
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
@@ -105,7 +105,7 @@ payloadkeys:
|
||||
character is a character other than a number or a letter, such as `&`, `%`, `$`,
|
||||
and `#`.
|
||||
- key: MaximumFailedAttempts
|
||||
title: Maximum Number of Failed Attempts
|
||||
title: Maximum number of failed attempts
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -118,7 +118,7 @@ payloadkeys:
|
||||
|
||||
After the final failed attempt, the system locks a macOS device, or securely erases all data and settings from an iOS, visionOS, or watchOS device.
|
||||
- key: FailedAttemptsResetInMinutes
|
||||
title: Failed Attempts Reset
|
||||
title: Failed attempts reset
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -135,7 +135,7 @@ payloadkeys:
|
||||
of failed attempts. Also set the `MaximumFailedAttempts` key for this to take
|
||||
effect.
|
||||
- key: MaximumGracePeriodInMinutes
|
||||
title: Maximum Grace Period
|
||||
title: Maximum grace period
|
||||
type: <integer>
|
||||
presence: optional
|
||||
combinetype: number-min
|
||||
@@ -144,7 +144,7 @@ payloadkeys:
|
||||
requires a passcode immediately. In the absence of this key, the user can select
|
||||
any period. In macOS, the system translates this to screensaver settings.
|
||||
- key: MaximumInactivityInMinutes
|
||||
title: Automatic Device Lock
|
||||
title: Automatic device lock
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -157,7 +157,7 @@ payloadkeys:
|
||||
the absence of this key, the user can select any period. In macOS, the system
|
||||
translates this to screensaver settings.
|
||||
- key: MaximumPasscodeAgeInDays
|
||||
title: Maximum Passcode Age
|
||||
title: Maximum passcode age
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '16.2'
|
||||
@@ -173,7 +173,7 @@ payloadkeys:
|
||||
After this number of days, the system forces the user to change the passcode before
|
||||
it unlocks the device.
|
||||
- key: PasscodeReuseLimit
|
||||
title: Passcode Reuse Limit
|
||||
title: Passcode reuse limit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -185,7 +185,7 @@ payloadkeys:
|
||||
passcode within the specified passcode history range. In the absence of this key,
|
||||
the system performs no historical check.
|
||||
- key: ChangeAtNextAuth
|
||||
title: Change At Next Auth
|
||||
title: Change at next auth
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -204,6 +204,7 @@ payloadkeys:
|
||||
channel), the setting takes effect for all users, and admin authentication may
|
||||
fail until the admin user password is also reset.
|
||||
- key: CustomRegex
|
||||
title: Custom regex
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -228,6 +229,7 @@ payloadkeys:
|
||||
whether it complies with a policy. The regular expression uses the ICU syntax.
|
||||
The string can't exceed 2048 characters in length.
|
||||
- key: Description
|
||||
title: Description
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary with supported OS language IDs for the keys (such as `en-US`),
|
||||
@@ -255,3 +257,12 @@ notes:
|
||||
- `RequireComplexPasscode`: always set to `true`
|
||||
- `MinimumLength`: always set to `6`
|
||||
- `MaximumInactivityInMinutes`: if this key is present its value is ignored, but the `never` option is removed in the Settings UI.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Complex
|
||||
description: This configuration applies a complex passcode policy.
|
||||
file: examples/declarative/declarations/configurations/passcode.settings/example1.json
|
||||
- tab: Regular expression
|
||||
description: This configuration applies a passcode policy using a regular expression.
|
||||
file: examples/declarative/declarations/configurations/passcode.settings/example2.json
|
||||
|
||||
@@ -33,12 +33,13 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: ManagedBookmarks
|
||||
title: Managed Bookmarks
|
||||
title: Managed bookmarks
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: A dictionary that specifies a set of managed bookmarks.
|
||||
subkeys:
|
||||
- key: BookmarkGroup
|
||||
title: Bookmark group
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A group of managed bookmarks.
|
||||
@@ -67,6 +68,7 @@ payloadkeys:
|
||||
subkeytype: BookmarksItem
|
||||
subkeys:
|
||||
- key: bookmarks-item
|
||||
title: Bookmarks item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A bookmark that specifies a title, and either a URL for the bookmark,
|
||||
@@ -96,8 +98,15 @@ payloadkeys:
|
||||
subkeytype: BookmarksItem
|
||||
subkeys:
|
||||
- key: folder-item
|
||||
title: Folder item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A bookmark that specifies a title, and either a URL for the bookmark,
|
||||
or a nested folder of bookmarks.
|
||||
subkeys: *id001
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: 'This configuration applies a set of managed bookmarks: two bookmarks
|
||||
and one bookmarks folder, which contains two more bookmarks.'
|
||||
file: examples/declarative/declarations/configurations/safari.bookmarks/example1.json
|
||||
|
||||
@@ -31,7 +31,7 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: ManagedExtensions
|
||||
title: Managed Extensions
|
||||
title: Managed extensions
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
@@ -57,12 +57,12 @@ payloadkeys:
|
||||
- AlwaysOff
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an extension is allowed.
|
||||
Controls whether an extension is allowed. The device uses this key when the extension identifier is a composed identifier or a single "*" character.
|
||||
* `Allowed` - The user is allowed to turn the extension on or off.
|
||||
* `AlwaysOn` - The extension will always be on.
|
||||
* `AlwaysOff` - The extension will always be off.
|
||||
- key: PrivateBrowsing
|
||||
title: Private Browsing state
|
||||
title: Private browsing state
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
@@ -71,7 +71,7 @@ payloadkeys:
|
||||
- AlwaysOff
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether an extension is allowed in Private Browsing.
|
||||
Controls whether an extension is allowed in Private Browsing. The device uses this key when the extension identifier is a composed identifier or a single "*" character.
|
||||
* `Allowed` - The user is allowed to turn the extension on or off in Private Browsing.
|
||||
* `AlwaysOn` - The extension will always be on in Private Browsing if the extension is on outside of Private Browsing.
|
||||
* `AlwaysOff` - The extension will never be on in Private Browsing.
|
||||
@@ -80,8 +80,8 @@ payloadkeys:
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
content: Controls the domains and sub-domains the extension is granted access
|
||||
to.
|
||||
content: Controls the domains and sub-domains the extension can access. The
|
||||
device ignores this key when the extension identifier is a single "*" character.
|
||||
subkeys:
|
||||
- key: Domain
|
||||
title: Domain
|
||||
@@ -93,7 +93,8 @@ payloadkeys:
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
content: Controls the domains and sub-domains the extension isn't allowed to
|
||||
access.
|
||||
access. The device uses this key when the extension identifier is a composed
|
||||
identifier or a single "*" character.
|
||||
subkeys:
|
||||
- key: Domain
|
||||
title: Domain
|
||||
@@ -144,3 +145,21 @@ notes:
|
||||
"AllowedDomains": ["public.example.com"],
|
||||
"DeniedDomains": ["*example.com"]
|
||||
```
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Disallow all
|
||||
description: This configuration disables all Safari extensions.
|
||||
file: examples/declarative/declarations/configurations/safari.extensions.settings/example1.json
|
||||
- tab: Allow one
|
||||
description: This configuration disables all Safari extensions, except for one
|
||||
that it requires.
|
||||
file: examples/declarative/declarations/configurations/safari.extensions.settings/example2.json
|
||||
- tab: Disallow private browsing
|
||||
description: This configuration allows all Safari extensions, but one isn't allowed
|
||||
in private browsing.
|
||||
file: examples/declarative/declarations/configurations/safari.extensions.settings/example3.json
|
||||
- tab: Disallow domain
|
||||
description: This configuration allows all Safari extensions, but one isn't allowed
|
||||
for use with a domain and its sub-domains.
|
||||
file: examples/declarative/declarations/configurations/safari.extensions.settings/example4.json
|
||||
|
||||
@@ -33,7 +33,7 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: AcceptCookies
|
||||
title: Accept Cookies
|
||||
title: Accept cookies
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -59,7 +59,7 @@ payloadkeys:
|
||||
- `VisitedWebsites`: Safari allows cookies only from visited websites.
|
||||
- `Always`: Safari always allows cookies.
|
||||
- key: AllowDisablingFraudWarning
|
||||
title: Allow Disabling Fraud Warning
|
||||
title: Allow disabling fraud warning
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -74,7 +74,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, the system forces fraud warnings on in Safari.
|
||||
- key: AllowHistoryClearing
|
||||
title: Allow History Clearing
|
||||
title: Allow history clearing
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -103,7 +103,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, the system disables JavaScript in Safari.
|
||||
- key: AllowPrivateBrowsing
|
||||
title: Allow Private Browsing
|
||||
title: Allow private browsing
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -117,7 +117,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, the system disables private browsing in Safari.
|
||||
- key: AllowPopups
|
||||
title: Allow Popups
|
||||
title: Allow popups
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -132,7 +132,7 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, the system disables popups in Safari.
|
||||
- key: AllowSummary
|
||||
title: Allow Summary
|
||||
title: Allow summary
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -146,12 +146,13 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, the system disables summarization of content in Safari.
|
||||
- key: NewTabStartPage
|
||||
title: New Tab Start Page
|
||||
title: New tab start page
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Sets the start page for new tabs in Safari.
|
||||
subkeys:
|
||||
- key: PageType
|
||||
title: Page type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -177,3 +178,109 @@ payloadkeys:
|
||||
content: The composed identifier of the extension that provides the start page.
|
||||
The required format is "Identifier (TeamIdentifier)", for example "com.example.app
|
||||
(ABCD1234)". Required when setting `PageType` to `Extension`.
|
||||
- key: Privacy
|
||||
title: Website privacy
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- user
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- user
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary of website privacy settings.
|
||||
subkeys:
|
||||
- key: PermissionDefaults
|
||||
title: Website privacy permission defaults
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: |-
|
||||
The dictionary of website permission defaults. Each key in the dictionary represents a single website, or a website and its sub-domains. The dictionary values represent the permission defaults that Safari applies for each website that matches the key.
|
||||
|
||||
Safari supports the following patterns for the website key:
|
||||
|
||||
- A specific domain such as "example.com" or "www.example.com". The permission defaults apply to that website only.
|
||||
- A wildcard domain that uses a single "\*" character as a prefix for the domain, such as "\*example.com". The permission defaults apply to both the exact domain "example.com", and any sub-domains such as "www.example.com". It won't match other domains with a similar string suffix such as "myexample.com".
|
||||
|
||||
When multiple patterns match a website, Safari uses the most precise pattern. For example, for the website "www.example.com", if rules "www.example.com" and "*example.com" match, Safari uses the former.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The dictionary that defines the website privacy permission defaults.
|
||||
Each key represents a website.
|
||||
subkeytype: WebsiteDictionary
|
||||
subkeys:
|
||||
- key: OrganizationJustification
|
||||
title: Organization justification
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Text that clearly explains to the Safari user the reason why the
|
||||
organization requires these website privacy permission defaults. Safari
|
||||
includes this text in the permission consent prompt it displays when it
|
||||
first displays the website.
|
||||
- key: Camera
|
||||
title: Camera permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether a website privacy permission default is set.
|
||||
* `None`: Safari sets no website privacy permission default for use of the camera.
|
||||
* `Allow`: Safari sets the website privacy permission default to allow use of the camera.
|
||||
- key: Microphone
|
||||
title: Microphone permission
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- None
|
||||
- Allow
|
||||
combinetype: enum-last
|
||||
content: |-
|
||||
Controls whether a website privacy permission default is set.
|
||||
* `None`: Safari sets no website privacy permission default for use of the microphone.
|
||||
* `Allow`: Safari sets the website privacy permission default to allow use of the microphone.
|
||||
notes:
|
||||
- title: Privacy permission defaults
|
||||
content: |-
|
||||
Privacy permission defaults allow an organization to suggest a set of privacy permissions for use on a website. When set, Safari displays a consent prompt listing all the configured defaults. If the user accepts, the system applies those defaults for the website. If the user declines, no defaults are set and Safari prompts the user in the normal way when the website requires permission.
|
||||
|
||||
The consent prompt only shows permissions that the user hasn't previously seen, and won't appear if the user has seen all permissions. The user can choose from one of two options in the prompt:
|
||||
|
||||
* `Allow`: this option sets the website privacy permissions for the specified sub-systems (camera or microphone) to "Allow". Safari doesn't prompt the user when the website uses the sub-system.
|
||||
* `Not Now`: this option ignores the website privacy permission defaults for the specified sub-systems (camera or microphone). Safari prompts the user in the normal way when the website uses the sub-system.
|
||||
|
||||
The user can change the website privacy permission settings in Safari settings if they choose.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Start page
|
||||
description: This configuration sets the Safari start page to show a specific
|
||||
website.
|
||||
file: examples/declarative/declarations/configurations/safari.settings/example1.json
|
||||
- tab: Restrictions
|
||||
description: This configuration restricts several Safari features.
|
||||
file: examples/declarative/declarations/configurations/safari.settings/example2.json
|
||||
- tab: Website privacy (1)
|
||||
description: This configuration sets the camera permission default in Safari for
|
||||
one specific website.
|
||||
file: examples/declarative/declarations/configurations/safari.settings/example3.json
|
||||
- tab: Website privacy (2)
|
||||
description: This configuration sets the camera and microphone permission defaults
|
||||
in Safari for a specific website and its child websites.
|
||||
file: examples/declarative/declarations/configurations/safari.settings/example4.json
|
||||
|
||||
@@ -23,26 +23,32 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: ConnectionGroupUUID
|
||||
title: Unique Identifier
|
||||
title: Unique identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A unique identifier for this connection group.
|
||||
- key: GroupName
|
||||
title: Group Name
|
||||
title: Group name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the connection group.
|
||||
- key: Members
|
||||
title: Group Members
|
||||
title: Group members
|
||||
type: <array>
|
||||
presence: required
|
||||
content: An array of `ConnectionUUID`s that represent connections declared in `ScreenSharingConnection`
|
||||
configurations that are members of this group.
|
||||
subkeys:
|
||||
- key: ConnectionUUID
|
||||
title: Connection UUID
|
||||
type: <string>
|
||||
related-status-items:
|
||||
- status-items:
|
||||
- screensharing.connection.group.unresolved-connection
|
||||
note: Any unresolved connection groups in the configuration will appear in the corresponding
|
||||
status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration defines a group of screen-sharing connections.
|
||||
file: examples/declarative/declarations/configurations/screensharing.connection.group/example1.json
|
||||
|
||||
@@ -23,7 +23,7 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: ConnectionUUID
|
||||
title: Unique Identifier
|
||||
title: Unique identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A unique identifier for this connection when it's in a connection group.
|
||||
@@ -33,22 +33,23 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The name of the connection.
|
||||
- key: HostName
|
||||
title: Host Name
|
||||
title: Host name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The host name or IP address of the Mac that hosts the screen-sharing connection.
|
||||
- key: Port
|
||||
title: TCP Port
|
||||
title: TCP port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The TCP port number on the host to initiate the connection.
|
||||
- key: DisplayConfiguration
|
||||
title: Display Configuration
|
||||
title: Display configuration
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The display configuration for this connection.
|
||||
subkeys:
|
||||
- key: DisplayType
|
||||
title: Display type
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
@@ -60,7 +61,7 @@ payloadkeys:
|
||||
- `Virtual1`: Create one virtual display.
|
||||
- `Virtual2`: Create two virtual displays.
|
||||
- key: AuthenticationCredentialsAssetReference
|
||||
title: Authentication Credentials Asset Reference
|
||||
title: Authentication credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
@@ -68,3 +69,9 @@ payloadkeys:
|
||||
content: The identifier of an asset declaration that contains the required credentials
|
||||
for this connection to authenticate with the screen-sharing server. Set the corresponding
|
||||
asset type to `com.apple.asset.credential.userpassword`.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a screen-sharing connection to a remote
|
||||
Mac.
|
||||
file: examples/declarative/declarations/configurations/screensharing.connection/example1.json
|
||||
|
||||
@@ -21,7 +21,7 @@ payload:
|
||||
apply: single
|
||||
payloadkeys:
|
||||
- key: MaximumVirtualDisplays
|
||||
title: Maximum number of Virtual Displays
|
||||
title: Maximum number of virtual displays
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -29,7 +29,7 @@ payloadkeys:
|
||||
max: 2
|
||||
content: The maximum number of virtual displays to make available to clients.
|
||||
- key: PortBase
|
||||
title: UDP Port base
|
||||
title: UDP port base
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
@@ -54,9 +54,14 @@ payloadkeys:
|
||||
content: If `true`, the system prevents users from copying files to the screen-sharing
|
||||
host.
|
||||
- key: PreventHighPerformanceConnections
|
||||
title: Prevent High Performance connections
|
||||
title: Prevent high performance connections
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system prevents clients from establishing high-performance
|
||||
connections to the host.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration manages screen-sharing host settings and restrictions.
|
||||
file: examples/declarative/declarations/configurations/screensharing.host.settings/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Security:Certificate
|
||||
description: The declaration to add a certificate to the device.
|
||||
description: The declaration to configure a certificate.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.security.certificate
|
||||
supportedOS:
|
||||
@@ -63,3 +63,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- security.certificate.list
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration installs a certificate on the device.
|
||||
file: examples/declarative/declarations/configurations/security.certificate/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Security:Identity
|
||||
description: The declaration to install an identity on the device.
|
||||
description: The declaration to configure an identity.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.security.identity
|
||||
supportedOS:
|
||||
@@ -94,3 +94,8 @@ related-status-items:
|
||||
- status-items:
|
||||
- security.certificate.list
|
||||
note: Each configuration will have a corresponding status item.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration installs a certificate identity on the device.
|
||||
file: examples/declarative/declarations/configurations/security.identity/example1.json
|
||||
|
||||
@@ -56,3 +56,9 @@ payloadkeys:
|
||||
- key: RelyingParty
|
||||
title: Relying party
|
||||
type: <string>
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration enables enterprise passkey attestation for a relying
|
||||
party.
|
||||
file: examples/declarative/declarations/configurations/security.passkey.attestation/example1.json
|
||||
|
||||
@@ -20,19 +20,19 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: TaskType
|
||||
title: Task Type
|
||||
title: Task type
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The unique identifier of the set of background tasks managed with this
|
||||
configuration. This should be a reverse DNS style identifier. The system uses
|
||||
this identifier to differentiate between tasks in different configurations.
|
||||
- key: TaskDescription
|
||||
title: Task Description
|
||||
title: Task description
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A description of the set of background tasks managed by this configuration.
|
||||
- key: ExecutableAssetReference
|
||||
title: Executable Asset Reference
|
||||
title: Executable asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
@@ -46,18 +46,19 @@ payloadkeys:
|
||||
|
||||
This file should contain background task executables, scripts, and configuration files, but not the `launchd` configuration files.
|
||||
- key: LaunchdConfigurations
|
||||
title: Launchd Configurations
|
||||
title: Launchd configurations
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of `launchd` configuration files used to run the background tasks.
|
||||
subkeys:
|
||||
- key: launchd-item
|
||||
title: Launchd item
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary of launchd configurations.
|
||||
subkeys:
|
||||
- key: FileAssetReference
|
||||
title: File Asset Reference
|
||||
title: File asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
@@ -73,14 +74,14 @@ payloadkeys:
|
||||
The asset's "ContentType" and "Hash-SHA-256" keys in the "Reference" key are
|
||||
required.
|
||||
- key: Context
|
||||
title: Launchd Context
|
||||
title: Launchd context
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- daemon
|
||||
- agent
|
||||
content: Indicates whether the launchd configuration file is applied to the
|
||||
system daemon, or system agent domain.
|
||||
content: Indicates whether the system applies the launchd configuration file
|
||||
to the system daemon or system agent domain.
|
||||
related-status-items:
|
||||
- status-items:
|
||||
- services.background-task
|
||||
@@ -99,3 +100,8 @@ notes:
|
||||
|
||||
> Note:
|
||||
> If an executable is an app, the system can't manage the app as it can only manage apps installed in `/Applications`. Also, the system can't use system extensions in the app as it only loads them from apps installed in `/Applications`.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a background task using a launchd daemon.
|
||||
file: examples/declarative/declarations/configurations/services.background-tasks/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Services Configuration Files
|
||||
description: The managed configuration files for services.
|
||||
description: The declaration to configure managed configuration files for services.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.services.configuration-files
|
||||
supportedOS:
|
||||
@@ -20,13 +20,13 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: ServiceType
|
||||
title: Service Type
|
||||
title: Service type
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The identifier of the system service with managed configuration files.
|
||||
Use a reverse DNS style for this identifier.
|
||||
- key: DataAssetReference
|
||||
title: Data Asset Reference
|
||||
title: Data asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.data
|
||||
@@ -87,3 +87,8 @@ notes:
|
||||
|
||||
> Important:
|
||||
> The system reserves the `com.apple` prefix for built-in services.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration deploys configuration files for a system service.
|
||||
file: examples/declarative/declarations/configurations/services.configuration-files/example1.json
|
||||
|
||||
@@ -20,7 +20,11 @@ payload:
|
||||
- system
|
||||
- user
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: '26.4'
|
||||
allowed-enrollments:
|
||||
@@ -34,7 +38,6 @@ payload:
|
||||
allowed-scopes:
|
||||
- system
|
||||
apply: combined
|
||||
content: Configures Siri settings.
|
||||
payloadkeys:
|
||||
- key: Enabled
|
||||
title: Enabled
|
||||
@@ -47,10 +50,12 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables Siri.
|
||||
- key: AllowUserGeneratedContent
|
||||
title: Allow User Generated Content
|
||||
title: Allow user generated content
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
@@ -59,10 +64,12 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables Siri user-generated content.
|
||||
- key: AllowWhileLocked
|
||||
title: Allow While Locked
|
||||
title: Allow while locked
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <boolean>
|
||||
@@ -71,8 +78,10 @@ payloadkeys:
|
||||
combinetype: boolean-and
|
||||
content: If `false`, disables Siri while locked.
|
||||
- key: ForceProfanityFilter
|
||||
title: Force Profanity Filter
|
||||
title: Force profanity filter
|
||||
supportedOS:
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
@@ -82,3 +91,9 @@ payloadkeys:
|
||||
default: false
|
||||
combinetype: boolean-or
|
||||
content: If `true`, forces Siri profanity filter.
|
||||
examples:
|
||||
title: Configuration examples
|
||||
files:
|
||||
- tab: Siri Restrictions
|
||||
description: This configuration restricts Siri features.
|
||||
file: examples/declarative/declarations/configurations/siri.settings/example1.json
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
title: Software Update:Enforcement:Specific
|
||||
description: A software update enforcement policy for a specific OS release.
|
||||
description: The declaration to configure a software update enforcement policy for
|
||||
a specific OS release.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.softwareupdate.enforcement.specific
|
||||
supportedOS:
|
||||
@@ -38,13 +39,13 @@ payload:
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: TargetOSVersion
|
||||
title: Target OS Version
|
||||
title: Target OS version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The target OS version to update the device to by the appropriate time.
|
||||
This is the OS version number, for example, `16.1`.
|
||||
- key: TargetBuildVersion
|
||||
title: Target Build Version
|
||||
title: Target build version
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The target build version to update the device to by the appropriate time,
|
||||
@@ -52,13 +53,13 @@ payloadkeys:
|
||||
The build version can include a supplemental version identifier, for example,
|
||||
`20A242a`.
|
||||
- key: TargetLocalDateTime
|
||||
title: Target Local Date Time
|
||||
title: Target local date time
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The local date time value that specifies when to force install the software
|
||||
update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC3339 but
|
||||
doesn't include a time zone offset. If the user doesn't trigger the software update
|
||||
before this time, the device force installs it.
|
||||
update. Use the format `yyyy-mm-ddThh:mm:ss`, which is derived from RFC 3339 but
|
||||
doesn't include a time zone offset or fractional seconds. If the user doesn't
|
||||
trigger the software update before this time, the device force installs it.
|
||||
- key: DetailsURL
|
||||
title: Details URL
|
||||
type: <string>
|
||||
@@ -79,8 +80,14 @@ notes:
|
||||
|
||||
To determine available software updates to show to an admin, a device management service uses the Apple GDMF service via `https://gdmf.apple.com/v2/pmv`. Configurations only enforce a software update if GDMF has the corresponding OS version or build available. So device management services need to regularly check available versions, and adjust the list shown to admins, and also remove any deployed configurations that use OS versions or builds that are no longer available. Device management services should check GDMF no more than once a day.
|
||||
|
||||
If the `TargetOSVersion` is an OS version that includes both a minor and patch version, the system installs that specific version, for example, `16.1.1`. If the minor version doesn't include a patch version, the system installs the latest available patch version. For example, if the `TargetOSVersion` is `16.1` and a `.1` patch is available, the system installs `16.1.1`.
|
||||
The system installs the specific version set in the `TargetOSVersion`, and it won't install a patch version if only a minor version is set.
|
||||
|
||||
The system can only install a supplemental software update on a device that already has the base OS version installed. For example, the system can only install a `16.1`(a) update on a device that currently has `16.1` installed, but it can't install that update on a device that has only `16.0` installed. To update to a supplemental version from an older base version, use two configurations. Use the first configuration to update to the new base version, and the second configuration to update the new base version to its supplemental version.
|
||||
|
||||
If the device isn't running at the target date-time, the system enforces the software update 1 hour after restarting, or when the device meets all required conditions, such as minimum battery level.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration enforces a software update to a specific OS version
|
||||
and build at a specified time.
|
||||
file: examples/declarative/declarations/configurations/softwareupdate.enforcement.specific/example1.json
|
||||
|
||||
@@ -38,7 +38,7 @@ payload:
|
||||
apply: combined
|
||||
payloadkeys:
|
||||
- key: Notifications
|
||||
title: Software Update Notifications
|
||||
title: Software update notifications
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
@@ -48,7 +48,7 @@ payloadkeys:
|
||||
|
||||
If set to `false`, the device only shows notifications triggered one hour before the enforcement deadline, and the restart countdown notification.
|
||||
- key: Deferrals
|
||||
title: Software Update Deferrals
|
||||
title: Software update deferrals
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -65,7 +65,7 @@ payloadkeys:
|
||||
Improvements aren't considered in `Major`, `Minor`, or `System` deferral mechanism.
|
||||
subkeys:
|
||||
- key: CombinedPeriodInDays
|
||||
title: Combined Major/Minor Update Deferral Period
|
||||
title: Combined major/minor update deferral period
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -77,9 +77,9 @@ payloadkeys:
|
||||
combinetype: number-max
|
||||
content: Specifies the number of days to defer a major or minor OS software update
|
||||
on the device. When set, software updates only appear after the specified delay,
|
||||
following the release of the software update. Available in iOS 18 and later.
|
||||
following the release of the software update.
|
||||
- key: MajorPeriodInDays
|
||||
title: Major Update Deferral Period
|
||||
title: Major update deferral period
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -95,9 +95,9 @@ payloadkeys:
|
||||
combinetype: number-max
|
||||
content: Specifies the number of days to defer a major OS software update on the
|
||||
device. When set, software updates only appear after the specified delay, following
|
||||
the release of the software update. Available in macOS 15 and later.
|
||||
the release of the software update.
|
||||
- key: MinorPeriodInDays
|
||||
title: Minor Update Deferral Period
|
||||
title: Minor update deferral period
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -114,9 +114,8 @@ payloadkeys:
|
||||
content: Specifies the number of days to defer a minor OS software update on the
|
||||
device. It also defers major updates for iOS. When set, software updates only
|
||||
appear after the specified delay, following the release of the software update.
|
||||
Available in macOS 15 and later.
|
||||
- key: SystemPeriodInDays
|
||||
title: System Update Deferral Period
|
||||
title: System update deferral period
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -132,9 +131,9 @@ payloadkeys:
|
||||
combinetype: number-max
|
||||
content: Specifies the number of days to defer system or non-OS updates. When
|
||||
set, updates only appear after the specified delay, following the release of
|
||||
the update. Available in macOS 15 and later.
|
||||
the update.
|
||||
- key: RecommendedCadence
|
||||
title: Software Update Recommended Cadence
|
||||
title: Software update recommended cadence
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
@@ -154,7 +153,7 @@ payloadkeys:
|
||||
- `Oldest` - Shows only the oldest (lower numbered) software update version.
|
||||
- `Newest` - Shows only the newest (highest numbered) software update version.
|
||||
- key: AutomaticActions
|
||||
title: Automatic Software Update Settings
|
||||
title: Automatic software update settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -204,6 +203,9 @@ payloadkeys:
|
||||
- `Allowed` - the user can enable or disable automatic installation.
|
||||
- `AlwaysOn` - automatic installations are always enabled.
|
||||
- `AlwaysOff` - automatic installations are always disabled.
|
||||
|
||||
> Note:
|
||||
> The device uses this only with automatic downloads enabled.
|
||||
- key: InstallSecurityUpdate
|
||||
title: Automatic installs of available security updates.
|
||||
supportedOS:
|
||||
@@ -223,8 +225,11 @@ payloadkeys:
|
||||
- `Allowed` - the user can enable or disable automatic installation.
|
||||
- `AlwaysOn` - automatic installations are always enabled.
|
||||
- `AlwaysOff` - automatic installations are always disabled.
|
||||
|
||||
> Note:
|
||||
> The device uses this only with automatic downloads enabled.
|
||||
- key: RapidSecurityResponse
|
||||
title: Background Security Improvement Settings
|
||||
title: Background Security Improvements settings
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -239,7 +244,7 @@ payloadkeys:
|
||||
Improvement.
|
||||
subkeys:
|
||||
- key: Enable
|
||||
title: Enable Background Security Improvement Installation
|
||||
title: Enable Background Security Improvements installation
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
@@ -249,7 +254,7 @@ payloadkeys:
|
||||
|
||||
If set to `true`, the system offers Background Security Improvements to the user.
|
||||
- key: EnableRollback
|
||||
title: Enable Background Security Improvement Rollbacks
|
||||
title: Enable Background Security Improvements rollbacks
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: true
|
||||
@@ -259,7 +264,7 @@ payloadkeys:
|
||||
|
||||
If set to `true`, the system offers Background Security Improvement rollbacks to the user.
|
||||
- key: AllowStandardUserOSUpdates
|
||||
title: Allow Standard User OS Updates
|
||||
title: Allow standard user OS updates
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
@@ -276,6 +281,7 @@ payloadkeys:
|
||||
|
||||
If set to `false`, only administrators can perform Major and Minor Software Updates.
|
||||
- key: Beta
|
||||
title: Beta
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: '15.4'
|
||||
@@ -292,6 +298,7 @@ payloadkeys:
|
||||
content: This object configures the beta program settings for a device.
|
||||
subkeys:
|
||||
- key: ProgramEnrollment
|
||||
title: Program enrollment
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -308,9 +315,10 @@ payloadkeys:
|
||||
Specifies whether the user can control beta program enrollment in the software update settings UI:
|
||||
|
||||
- `Allowed` - the user can enroll in any applicable beta programs associated with their logged in Apple Account. If the `OfferPrograms` key is present, then the programs listed in that key are also presented to the user.
|
||||
- `AlwaysOn` - the beta programs specified by the organization are used, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with.
|
||||
- `AlwaysOn` - the device uses the beta programs the organization specifies, and the user isn't able to enroll in a beta program using their logged in Apple Account. The device is automatically enrolled into the beta program specified by the `RequireProgram` key if it's present. Otherwise, the system presents the programs listed in the `OfferPrograms` key to the user to choose which to enroll with.
|
||||
- `AlwaysOff` - The device isn't allowed to enroll in any beta programs. The system removes the device from any beta programs, if already enrolled.
|
||||
- key: OfferPrograms
|
||||
title: Offer programs
|
||||
type: <array>
|
||||
presence: optional
|
||||
combinetype: set-union
|
||||
@@ -321,21 +329,25 @@ payloadkeys:
|
||||
but is implicitly set to `Allowed`.
|
||||
subkeys:
|
||||
- key: Program
|
||||
title: Program
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The name and token associated with a specific beta program to be allowed.
|
||||
subkeys:
|
||||
- key: Description
|
||||
title: Description
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A human readable description of the beta program.
|
||||
- key: Token
|
||||
title: Token
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The Apple Business Manager or Apple School Manager seeding service
|
||||
token for the organization the MDM server is part of. The system uses this
|
||||
token to enroll the device in the corresponding beta program.
|
||||
content: The Apple School Manager or Apple Business seeding service token
|
||||
for the organization the MDM server is part of. The system uses this token
|
||||
to enroll the device in the corresponding beta program.
|
||||
- key: RequireProgram
|
||||
title: Require program
|
||||
supportedOS:
|
||||
iOS:
|
||||
allowed-enrollments:
|
||||
@@ -348,16 +360,24 @@ payloadkeys:
|
||||
key must not be present if this key is present.
|
||||
subkeys:
|
||||
- key: Description
|
||||
title: Description
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A human readable description of the beta program.
|
||||
- key: Token
|
||||
title: Token
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The Apple Business Manager or Apple School Manager seeding service
|
||||
token for the organization the MDM server is part of. The system uses this
|
||||
token to enroll the device in the corresponding beta program.
|
||||
content: The Apple School Manager or Apple Business seeding service token for
|
||||
the organization the MDM server is part of. The system uses this token to
|
||||
enroll the device in the corresponding beta program.
|
||||
related-status-items:
|
||||
- status-items:
|
||||
- softwareupdate.beta-enrollment
|
||||
- softwareupdate.pending-version
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration manages software update behavior and deferral
|
||||
settings.
|
||||
file: examples/declarative/declarations/configurations/softwareupdate.settings/example1.json
|
||||
|
||||
@@ -22,7 +22,7 @@ payload:
|
||||
apply: single
|
||||
payloadkeys:
|
||||
- key: EnrollmentProfileURL
|
||||
title: Watch Enrollment Profile's URL.
|
||||
title: Watch enrollment profile's URL.
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL of the profile that the Apple Watch downloads and installs if the
|
||||
@@ -31,7 +31,7 @@ payloadkeys:
|
||||
and the profile contains an MDM payload. Apple Watch attempts to install each
|
||||
payload that the profile contains.
|
||||
- key: AnchorCertificateAssetReferences
|
||||
title: Anchor Certificate Asset References.
|
||||
title: Anchor certificate asset references.
|
||||
type: <array>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.certificate
|
||||
@@ -47,3 +47,8 @@ payloadkeys:
|
||||
type: <string>
|
||||
content: Specifies the identifier of an asset declaration containing the anchor
|
||||
certificate to be used.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration enrolls an Apple Watch using a profile URL.
|
||||
file: examples/declarative/declarations/configurations/watch.enrollment/example1.json
|
||||
|
||||
@@ -0,0 +1,280 @@
|
||||
title: WebContentFilter:Plugin
|
||||
description: The declaration to configure a WebContent Filter that uses a plugin.
|
||||
payload:
|
||||
declarationtype: com.apple.configuration.webcontent-filter.plugin
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- device
|
||||
- user
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
apply: multiple
|
||||
payloadkeys:
|
||||
- key: VisibleName
|
||||
title: Visible name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the web content filter that the system displays on the device.
|
||||
- key: PluginBundleID
|
||||
title: Plugin bundle ID
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The bundle ID of the plug-in that provides filtering service. Consult your
|
||||
filtering solution vendor to determine what to specify for this value.
|
||||
- key: ContentFilterUUID
|
||||
title: Content filter UUID
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A globally unique identifier for this content filter configuration. The
|
||||
content filter processes network traffic for managed apps with the same `ContentFilterUUID`
|
||||
in their app attributes. This key must be present for unsupervised devices and
|
||||
user enrollment.
|
||||
- key: ServerAddress
|
||||
title: Server address
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The server address, which may be the IP address, hostname, or URL.
|
||||
- key: Organization
|
||||
title: Organization
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The organization string to pass to the third-party plug-in.
|
||||
- key: VendorConfig
|
||||
title: Vendor config
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The custom dictionary that the filtering service plug-in needs.
|
||||
subkeys:
|
||||
- key: ANY
|
||||
type: <any>
|
||||
presence: required
|
||||
content: The custom key/value pairs for the filtering service.
|
||||
- key: Authentication
|
||||
title: Authentication details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: CredentialsAssetReference
|
||||
title: Credentials asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration that contains the credentials
|
||||
(user name and password) to authenticate with the service.
|
||||
- key: IdentityAssetReference
|
||||
title: Identity asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.acme
|
||||
- com.apple.asset.credential.identity
|
||||
- com.apple.asset.credential.scep
|
||||
presence: optional
|
||||
content: The identifier of a credential asset declaration that contains the identity
|
||||
that this account requires to authenticate with the service.
|
||||
- key: Filter
|
||||
title: Filter details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control authentication.
|
||||
subkeys:
|
||||
- key: Grade
|
||||
title: Filter grade
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- firewall
|
||||
- inspector
|
||||
default: firewall
|
||||
content: The system uses this value to derive the relative order of content filters.
|
||||
Filters with a grade of `firewall` see network traffic before filters with a
|
||||
grade of `inspector`. However, the system doesn't define the order of filters
|
||||
within a grade.
|
||||
- key: Browsers
|
||||
title: Browser filter details
|
||||
supportedOS:
|
||||
macOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control the browser filter. If not present, the system
|
||||
doesn't use browser filtering.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable browser filter
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables filtering WebKit traffic.
|
||||
- key: Sockets
|
||||
title: Socket filter details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control the socket filter. If not present, the system doesn't
|
||||
use socket filtering.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable socket filter
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, enables the filtering of socket traffic.
|
||||
- key: ProviderComposedIdentifier
|
||||
title: Data provider composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The data provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
|
||||
|
||||
In iOS and visionOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
|
||||
- key: Packets
|
||||
title: Packet filter details
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control the packet filter. If not present, the system doesn't
|
||||
use packet filtering.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable packet filter
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system enables filtering network packets.
|
||||
- key: ProviderComposedIdentifier
|
||||
title: Packet provider composed identifier
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: |-
|
||||
The packet provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
|
||||
|
||||
The identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
|
||||
- key: URLs
|
||||
title: URL filter details
|
||||
supportedOS:
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: Settings that control the URL filter. If not present, the system doesn't
|
||||
use URL filtering.
|
||||
subkeys:
|
||||
- key: Enabled
|
||||
title: Enable URL filter
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the system filters URL requests.
|
||||
- key: Parameters
|
||||
title: URL filter parameters.
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary containing URL filter parameters. Required when `Enabled`
|
||||
is `true`.
|
||||
subkeys:
|
||||
- key: ProviderComposedIdentifier
|
||||
title: Control provider composed identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
The URL filter control provider identifier. This string identifies the filter data provider when the filter starts running. Required when Enabled is true.
|
||||
|
||||
In iOS, the identifier is a bundle ID, for example, "com.example.app".
|
||||
|
||||
In macOS, the identifier is a composed identifier. The format of the composed identifier is "Bundle-ID {Designated-Requirement}". "Bundle-ID" is the bundle identifier string of the provider. "Designated-Requirement" is the designated requirement string from the code signature of the provider. For example, "com.example.app {anchor apple generic}".
|
||||
- key: PIR
|
||||
title: Private information retrieval server settings.
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary containing Private Information Retrieval server settings.
|
||||
subkeys:
|
||||
- key: ServerURL
|
||||
title: Private information retrieval server URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL containing the domain name of the private information retrieval
|
||||
server.
|
||||
- key: PrivacyPassIssuerURL
|
||||
title: Privacy pass issuer URL
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The URL containing the domain name of Privacy Pass Issuer.
|
||||
- key: AuthenticationTokenAssetReference
|
||||
title: Authentication token asset reference
|
||||
type: <string>
|
||||
assettypes:
|
||||
- com.apple.asset.credential.userpassword
|
||||
presence: optional
|
||||
content: The identifier of an asset declaration containing the HTTP bearer
|
||||
token required to authenticate with the service. The bearer token is provided
|
||||
in the `Password` field of the asset data. The system uses this token
|
||||
to attest that it's a valid user when requesting anonymous authentication
|
||||
tokens for PIR exchanges.
|
||||
- key: FailClosed
|
||||
title: URL filter fail closed
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system blocks URLs if the filter is enabled, but it
|
||||
fails to make any filtering decision; for example, if there's a communication
|
||||
failure with the PIR server. If `false`, the system allows URLs if the filter
|
||||
is enabled, but it fails to make any filtering decision.
|
||||
- key: PrefilterFetchFrequency
|
||||
title: Prefilter fetch frequency
|
||||
type: <integer>
|
||||
presence: optional
|
||||
range:
|
||||
min: 2700
|
||||
default: 86400
|
||||
content: The time interval in seconds that the system uses to periodically
|
||||
run the `NEURLFilterControlProvider` app extension. The default value is
|
||||
86400 seconds (1 day). The minimum allowed value is 2700 seconds (45 minutes).
|
||||
The system allows `NEURLFilterControlProvider` implementations to download
|
||||
prefilter Bloom filter data onto the device periodically at the specified
|
||||
interval. Implementations need to allow for a slight difference between
|
||||
the scheduled time and the actual runtime of the task, due to the scheduling
|
||||
mechanism on the system.
|
||||
examples:
|
||||
title: Configuration example
|
||||
files:
|
||||
- description: This configuration sets up a web content filter using a Network Extension
|
||||
plugin bundle.
|
||||
file: examples/declarative/declarations/configurations/network.webcontent-filter.plugin/example1.json
|
||||
@@ -15,20 +15,24 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Type
|
||||
title: Type
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A string specifying the type of this declaration.
|
||||
- key: Identifier
|
||||
title: Identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A string uniquely identifying this declaration. The size of this string
|
||||
should not exceed 64 octets. A UUID string value is a good choice.
|
||||
shouldn't exceed 64 octets. A UUID string value is a good choice.
|
||||
- key: ServerToken
|
||||
title: Server token
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A unique token generated by the server specifying a particular revision
|
||||
of the declaration. The size of this string should not exceed 64 octets.
|
||||
of the declaration. The size of this string shouldn't exceed 64 octets.
|
||||
- key: Payload
|
||||
title: Payload
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The payload describing this declaration.
|
||||
|
||||
@@ -15,12 +15,12 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Name
|
||||
title: Organization Name
|
||||
title: Organization name
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The name of the organization.
|
||||
- key: Email
|
||||
title: Organization Email Address
|
||||
title: Organization email address
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The email address of the contact person for the organization.
|
||||
@@ -30,15 +30,19 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The website of the organization to contact for support.
|
||||
- key: Proof
|
||||
title: Organization Identity
|
||||
title: Organization identity
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The additional properties that verify the identity and authenticity of
|
||||
the organization.
|
||||
subkeys:
|
||||
- key: IdentityToken
|
||||
title: Organization Identity Token
|
||||
title: Organization identity token
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A token that verifies the identity of the organization when using this
|
||||
service.
|
||||
examples:
|
||||
title: Management declaration example
|
||||
files:
|
||||
- file: examples/declarative/declarations/management/organization-info/example1.json
|
||||
|
||||
@@ -19,3 +19,7 @@ payloadkeys:
|
||||
type: <any>
|
||||
presence: optional
|
||||
content: Each entry represents a property key/value.
|
||||
examples:
|
||||
title: Management declaration example
|
||||
files:
|
||||
- file: examples/declarative/declarations/management/properties/example1.json
|
||||
|
||||
@@ -15,12 +15,12 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Version
|
||||
title: Protocol Version
|
||||
title: Protocol version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The server's protocol version.
|
||||
- key: SupportedFeatures
|
||||
title: Supported Features
|
||||
title: Supported features
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: |-
|
||||
@@ -32,3 +32,7 @@ payloadkeys:
|
||||
type: <any>
|
||||
presence: optional
|
||||
content: Additional keys may be present.
|
||||
examples:
|
||||
title: Management declaration example
|
||||
files:
|
||||
- file: examples/declarative/declarations/management/server-capabilities/example1.json
|
||||
|
||||
@@ -15,7 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: Declarations
|
||||
title: Manifest Declaration Items
|
||||
title: Manifest declaration items
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The set of available declarations on the server.
|
||||
@@ -28,18 +28,18 @@ payloadkeys:
|
||||
subkeytype: DeclarationItem
|
||||
subkeys:
|
||||
- key: _Activations
|
||||
title: Manifest Declaration
|
||||
title: Manifest declaration
|
||||
type: <dictionary>
|
||||
content: Information about an available declaration on the server.
|
||||
subkeytype: DeclarationItem
|
||||
subkeys: &id001
|
||||
- key: Identifier
|
||||
title: Declaration Identifier
|
||||
title: Declaration identifier
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The declaration's identifier.
|
||||
- key: ServerToken
|
||||
title: Declaration Server Token
|
||||
title: Declaration server token
|
||||
type: <string>
|
||||
presence: required
|
||||
content: |-
|
||||
@@ -53,7 +53,7 @@ payloadkeys:
|
||||
subkeytype: DeclarationItem
|
||||
subkeys:
|
||||
- key: _Configurations
|
||||
title: Manifest Declaration
|
||||
title: Manifest declaration
|
||||
type: <dictionary>
|
||||
content: Information about an available declaration on the server.
|
||||
subkeytype: DeclarationItem
|
||||
@@ -66,7 +66,7 @@ payloadkeys:
|
||||
subkeytype: DeclarationItem
|
||||
subkeys:
|
||||
- key: _Assets
|
||||
title: Manifest Declaration
|
||||
title: Manifest declaration
|
||||
type: <dictionary>
|
||||
content: Information about an available declaration on the server.
|
||||
subkeytype: DeclarationItem
|
||||
@@ -79,13 +79,13 @@ payloadkeys:
|
||||
subkeytype: DeclarationItem
|
||||
subkeys:
|
||||
- key: _Management
|
||||
title: Manifest Declaration
|
||||
title: Manifest declaration
|
||||
type: <dictionary>
|
||||
content: Information about an available declaration on the server.
|
||||
subkeytype: DeclarationItem
|
||||
subkeys: *id001
|
||||
- key: DeclarationsToken
|
||||
title: Declarations Token
|
||||
title: Declarations token
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The current value of the declarations token. Clients use this to detect
|
||||
|
||||
@@ -15,7 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: StatusItems
|
||||
title: Status Items
|
||||
title: Status items
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The status items for this report.
|
||||
@@ -31,40 +31,40 @@ payloadkeys:
|
||||
content: Error information for a status item that cannot be returned.
|
||||
subkeys:
|
||||
- key: StatusItem
|
||||
title: Status Item
|
||||
title: Status item
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The status item that this error pertains to.
|
||||
- key: Reasons
|
||||
title: Status Reasons
|
||||
title: Status reasons
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of reasons for the error.
|
||||
subkeytype: StatusReason
|
||||
subkeys:
|
||||
- key: _Reasons
|
||||
title: Status Reason
|
||||
title: Status reason
|
||||
type: <dictionary>
|
||||
content: Information about a status error.
|
||||
subkeytype: StatusReason
|
||||
subkeys:
|
||||
- key: Code
|
||||
title: Error Code
|
||||
title: Error code
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The error code for this error.
|
||||
- key: Description
|
||||
title: Error Description
|
||||
title: Error description
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The description for this error.
|
||||
- key: Details
|
||||
title: Error Details
|
||||
title: Error details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that contains further details about this error.
|
||||
- key: FullReport
|
||||
title: Full Report
|
||||
title: Full report
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '17.0'
|
||||
@@ -76,7 +76,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
default: false
|
||||
content: The system sets this to `true` to indicate that the status report contains
|
||||
the full set of current status, and is not an incremental report. A full status
|
||||
the full set of current status, and isn't an incremental report. A full status
|
||||
report includes the full set of items in any status array item, not just the changes.
|
||||
Servers use this to replace their entire status for the device, rather than do
|
||||
an incremental update to the existing status. The system sets this to `true` when
|
||||
|
||||
@@ -15,7 +15,7 @@ payload:
|
||||
introduced: '10.0'
|
||||
payloadkeys:
|
||||
- key: SyncTokens
|
||||
title: Synchronization Tokens
|
||||
title: Synchronization tokens
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary of synchronization tokens that describes the state of different
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List CalDAV
|
||||
description: A status report of the client's Calendar accounts.
|
||||
description: The status item that lists the devices's Calendar accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.caldav
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's Calendar account details.
|
||||
content: A Calendar account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device has removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -77,7 +78,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -97,3 +98,12 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
content: If `true`, the Reminders app is displaying reminders for the account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.caldav/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List CardDAV
|
||||
description: A status report of the client's Contacts accounts.
|
||||
description: The status item that lists the devices's Contacts accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.carddav
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's Contacts account details.
|
||||
content: A Contacts account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device has removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -77,7 +78,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -86,3 +87,12 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The user name for the account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.carddav/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List Exchange
|
||||
description: A status report of the client's Exchange accounts.
|
||||
description: The status item that lists the devices's Exchange accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.exchange
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's Exchange account details.
|
||||
content: An Exchange account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device has removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -77,7 +78,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -116,3 +117,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A Boolean value that indicates whether the Reminders app displays reminders
|
||||
for this account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.exchange/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List Google
|
||||
description: A status report of the client's Google accounts.
|
||||
description: The status item that lists the client's Google accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.google
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's Google account details.
|
||||
content: A Google account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -100,3 +101,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A Boolean value that indicates whether the Notes app displays notes
|
||||
for this account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.google/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.google/example2.json
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Status Account List LDAP
|
||||
description: A status report of the client's Lightweight Directory Access Protocol
|
||||
(LDAP) accounts.
|
||||
description: The status item that lists the devices's Lightweight Directory Access
|
||||
Protocol (LDAP) accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.ldap
|
||||
supportedOS:
|
||||
@@ -46,8 +46,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's LDAP account details.
|
||||
content: An LDAP account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -59,8 +60,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -78,7 +79,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -93,3 +94,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A Boolean value that indicates whether the account is enabled for use
|
||||
with the Contacts app.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.ldap/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List Mail Incoming
|
||||
description: A status report of the client's incoming Mail accounts.
|
||||
description: The status item that lists the devices's incoming Mail accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.mail.incoming
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's incoming Mail account details.
|
||||
content: An incoming Mail account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -77,7 +78,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -98,3 +99,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A Boolean value that indicates whether the Notes app displays notes
|
||||
for this account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.incoming/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List Mail Outgoing
|
||||
description: A status report of the client's outgoing Mail accounts.
|
||||
description: The status item that lists the devices's outgoing Mail accounts.
|
||||
payload:
|
||||
statusitemtype: account.list.mail.outgoing
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's outgoing Mail account details.
|
||||
content: An outgoing Mail account.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the account.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the account is removed and the status item object only contains
|
||||
this key and the `identifier` key.
|
||||
content: If `true`, the device removed the account and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the account.
|
||||
type: <string>
|
||||
@@ -77,7 +78,7 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: The server host name for the account.
|
||||
- key: port
|
||||
title: Server Port
|
||||
title: Server port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The server port for the account.
|
||||
@@ -86,3 +87,12 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The user name for the account.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.mail.outgoing/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Account List Subscribed Calendar
|
||||
description: A status report of the client's subscribed calendars.
|
||||
description: The status item that lists the devices's subscribed calendars.
|
||||
payload:
|
||||
statusitemtype: account.list.subscribed-calendar
|
||||
supportedOS:
|
||||
@@ -45,8 +45,9 @@ payloadkeys:
|
||||
subkeytype: Account
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A status report of the client's subscribed calendar details.
|
||||
content: A subscribed calendar.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the subscribed calendar.
|
||||
@@ -58,8 +59,8 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the subscribed calendar is removed and the status item object
|
||||
only contains this key and the `identifier` key.
|
||||
content: If `true`, the device removed the subscribed calendar and the status
|
||||
item object only contains this key and the `identifier` key.
|
||||
- key: declaration-identifier
|
||||
title: Identifier of the declaration that installed the subscribed calendar.
|
||||
type: <string>
|
||||
@@ -87,3 +88,12 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: A Boolean value that indicates whether the Calendar app displays this
|
||||
subscribed calendar.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated account
|
||||
description: Reports a new or updated account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example1.json
|
||||
- tab: Removed account
|
||||
description: Reports a removed account.
|
||||
file: data/docc-examples/remotemanagementmodel/status/account.list.subscribed-calendar/example2.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status App Managed List
|
||||
description: The device's declarative managed apps.
|
||||
description: The status item that lists the device's declarative managed apps.
|
||||
payload:
|
||||
statusitemtype: app.managed.list
|
||||
supportedOS:
|
||||
@@ -44,8 +44,9 @@ payloadkeys:
|
||||
subkeytype: App
|
||||
subkeys:
|
||||
- key: status_value
|
||||
title: Status value
|
||||
type: <dictionary>
|
||||
content: A dictionary that describes a declarative managed app.
|
||||
content: A managed app.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Unique identifier of the app.
|
||||
@@ -74,7 +75,7 @@ payloadkeys:
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: |-
|
||||
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and Books for Organizations`.
|
||||
The app's external version identifier. You can also retrieve this value from the App Store. For more information, see `Apps and books metadata for organizations`.
|
||||
|
||||
If the current external version identifier of an app on the App Store doesn't match the external version identifier reported by the device, there may be an app update available for the device.
|
||||
- key: version
|
||||
@@ -108,7 +109,7 @@ payloadkeys:
|
||||
|
||||
- `optional`: The app is optional and the user has to trigger its installation.
|
||||
- `queued`: The system has started installation of the app.
|
||||
- `not-present`: Management of the app occurs after it is installed.
|
||||
- `not-present`: Management of the app occurs after it's installed.
|
||||
- `prompting-for-consent`: The system is displaying a prompt to the user to proceed with app installation.
|
||||
- `prompting-for-login`: The system is displaying an App Store sign-in prompt to the user to allow app installation.
|
||||
- `prompting-for-management`: The system is displaying a prompt to the user to allow changing the installed app to a managed app.
|
||||
@@ -144,7 +145,7 @@ payloadkeys:
|
||||
iOS:
|
||||
introduced: '18.4'
|
||||
macOS:
|
||||
introduced: n/a
|
||||
introduced: '27.0'
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: The status of app or extension managed configurations. This key is
|
||||
@@ -170,9 +171,9 @@ payloadkeys:
|
||||
- valid
|
||||
content: |-
|
||||
The managed configuration status.
|
||||
- `unknown`: The managed configuration has not been read
|
||||
- `invalid`: The managed configuration was read and deemed to be invalid
|
||||
- `valid`: The managed configuration was read and deemed to be valid
|
||||
- `unknown`: The device hasn't read the managed configuration.
|
||||
- `invalid`: The device read the managed configuration and found it to be invalid.
|
||||
- `valid`: The device read the managed configuration and found it to be valid.
|
||||
- key: extension-config-state
|
||||
title: Extensions managed configuration status
|
||||
type: <dictionary>
|
||||
@@ -189,7 +190,7 @@ payloadkeys:
|
||||
subkeytype: ManagedConfigurationState
|
||||
subkeys: *id001
|
||||
- key: reasons
|
||||
title: Status Reasons
|
||||
title: Status reasons
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array that contains additional details about the app state, including
|
||||
@@ -197,23 +198,23 @@ payloadkeys:
|
||||
subkeytype: StatusReason
|
||||
subkeys:
|
||||
- key: _reasons
|
||||
title: Status Reason
|
||||
title: Status reason
|
||||
type: <dictionary>
|
||||
content: Information about a status error.
|
||||
subkeytype: StatusReason
|
||||
subkeys:
|
||||
- key: code
|
||||
title: Error Code
|
||||
title: Error code
|
||||
type: <string>
|
||||
presence: required
|
||||
content: A code for the state.
|
||||
- key: description
|
||||
title: Error Description
|
||||
title: Error description
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: A description of the state.
|
||||
- key: details
|
||||
title: Error Details
|
||||
title: Error details
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A dictionary that contains additional details about the state.
|
||||
@@ -230,6 +231,7 @@ reasons:
|
||||
details:
|
||||
- key: Timestamp
|
||||
type: <string>
|
||||
valuetype: timestamp
|
||||
description: The RFC 3339 timestamp of the last download failure.
|
||||
- value: Error.DuplicateConfiguredApp
|
||||
description: The app is already being managed.
|
||||
@@ -238,6 +240,7 @@ reasons:
|
||||
details:
|
||||
- key: Timestamp
|
||||
type: <string>
|
||||
valuetype: timestamp
|
||||
description: The RFC 3339 timestamp of the last install failure.
|
||||
- value: Error.InvalidAppID
|
||||
description: The app id could not be found.
|
||||
@@ -263,4 +266,14 @@ reasons:
|
||||
details:
|
||||
- key: Timestamp
|
||||
type: <string>
|
||||
valuetype: timestamp
|
||||
description: The RFC 3339 timestamp of the last update failure.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated app
|
||||
description: Reports a new or updated app.
|
||||
file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example1.json
|
||||
- tab: Removed app
|
||||
description: Reports a removed app.
|
||||
file: data/docc-examples/remotemanagementmodel/status/app.managed.list/example2.json
|
||||
|
||||
@@ -0,0 +1,100 @@
|
||||
title: Status Content Cache Info
|
||||
description: The status item that reports information about the Content Cache service.
|
||||
payload:
|
||||
statusitemtype: content-cache.info
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: content-cache.info
|
||||
title: Cache info
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A dictionary that contains info about the usage of the Content Cache on
|
||||
the device
|
||||
subkeys:
|
||||
- key: cache-details
|
||||
title: Cache details
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: The amount of disk space that various categories of cached content use.
|
||||
Apple defines these categories and they're subject to change.
|
||||
subkeys:
|
||||
- key: detail-item
|
||||
title: Example file category
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The amount of disk space in bytes, that this category of cached content
|
||||
uses.
|
||||
- key: cache-free
|
||||
title: Cache free space
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of disk space in bytes, available to the Content Cache.
|
||||
- key: cache-limit
|
||||
title: Cache limit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The maximum amount of disk space in bytes, available to the Content Cache.
|
||||
A value of `0` indicates an unlimited amount. This value corresponds to `CacheLimit`
|
||||
in the installed `ContentCaching` configuration.
|
||||
- key: cache-status
|
||||
title: Cache status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- LOWSPACE
|
||||
- OK
|
||||
content: The level of cache pressure. `LOWSPACE` means cache pressure is high.
|
||||
- key: cache-used
|
||||
title: Cache used
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of disk space in bytes, cached content uses. The Content Cache
|
||||
allocates space in its cache for entire files even when it stores only part
|
||||
of those files in its cache.
|
||||
- key: max-cache-pressure-last-hour
|
||||
title: Maximum cache pressure
|
||||
type: <real>
|
||||
presence: optional
|
||||
range:
|
||||
min: 0.0
|
||||
max: 1.0
|
||||
content: A floating-point number between `0.0` and `1.0` that represents how often
|
||||
the cache needed more disk space over the last hour of operation. A lower value
|
||||
is better.
|
||||
- key: personal-cache-free
|
||||
title: Personal cache free
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of disk space in bytes, available to the Content Cache for
|
||||
personal iCloud content.
|
||||
- key: personal-cache-limit
|
||||
title: Personal cache limit
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The maximum amount of disk space in bytes, available to the Content Cache
|
||||
for personal iCloud content. A value of `0` indicates an unlimited amount.
|
||||
- key: personal-cache-used
|
||||
title: Personal cache used
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The amount of disk space, in bytes, available to the Content Cache for
|
||||
personal iCloud content.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/content-cache.info/example1.json
|
||||
@@ -0,0 +1,76 @@
|
||||
title: Status Content Cache Parents
|
||||
description: The status item that reports information about the Content Cache service
|
||||
parent caches.
|
||||
payload:
|
||||
statusitemtype: content-cache.parents
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: content-cache.parents
|
||||
title: Content cache parents
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of dictionaries that describes parent Content Caches.
|
||||
subkeys:
|
||||
- key: parents-item
|
||||
title: Parent item
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A parent Content Cache.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Parent GUID
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The unique identifier of the parent Content Cache.
|
||||
- key: _removed
|
||||
title: Indicates removal of the entry.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system removed the parent entry and only this key and
|
||||
the `identifier` key are present in the status item object.
|
||||
- key: address
|
||||
title: IP address
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The local IPv4 address of the parent Content Cache.
|
||||
- key: port
|
||||
title: Port
|
||||
type: <integer>
|
||||
presence: required
|
||||
content: The IP port number the parent Content Cache listens to for requests.
|
||||
- key: healthy
|
||||
title: Cache health
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true,` the parent Content Cache is able to respond to requests
|
||||
from this Content Cache.
|
||||
- key: version
|
||||
title: Version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The version number of the parent Content Cache software.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated parent
|
||||
description: Reports a new or updated parent.
|
||||
file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example1.json
|
||||
- tab: Removed parent
|
||||
description: Reports a removed parent.
|
||||
file: data/docc-examples/remotemanagementmodel/status/content-cache.parents/example2.json
|
||||
@@ -0,0 +1,82 @@
|
||||
title: Status Content Cache Peers
|
||||
description: The status item that reports information about the Content Cache service
|
||||
peer caches.
|
||||
payload:
|
||||
statusitemtype: content-cache.peers
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: content-cache.peers
|
||||
title: Content cache peers
|
||||
type: <array>
|
||||
presence: required
|
||||
content: An array of dictionaries that describes peer Content Caches.
|
||||
subkeys:
|
||||
- key: peer-item
|
||||
title: Peer item
|
||||
type: <dictionary>
|
||||
presence: optional
|
||||
content: A peer Content Cache.
|
||||
subkeys:
|
||||
- key: identifier
|
||||
title: Peer GUID
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The unique identifier of the peer Content Cache.
|
||||
- key: _removed
|
||||
title: Indicates removal of the entry.
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the system removed the peer entry and only this key and
|
||||
the `identifier` key are present in the status item object.
|
||||
- key: address
|
||||
title: IP address
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The local IPv4 address of the peer Content Cache.
|
||||
- key: port
|
||||
title: Port
|
||||
type: <integer>
|
||||
presence: required
|
||||
content: The IP port number the peer Content Cache listens to for requests.
|
||||
- key: friendly
|
||||
title: Friendly
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the peer Content Cache is willing to respond to requests
|
||||
from this Content Cache.
|
||||
- key: healthy
|
||||
title: Cache health
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: If `true`, the peer Content Cache is able to respond to requests from
|
||||
this Content Cache.
|
||||
- key: version
|
||||
title: Version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The version number of the peer Content Cache software.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- tab: New or updated peer
|
||||
description: Reports a new or updated peer.
|
||||
file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example1.json
|
||||
- tab: Removed peer
|
||||
description: Reports a removed peer.
|
||||
file: data/docc-examples/remotemanagementmodel/status/content-cache.peers/example2.json
|
||||
@@ -0,0 +1,159 @@
|
||||
title: Status Content Cache Service
|
||||
description: The status item that reports the status of the Content Cache service.
|
||||
payload:
|
||||
statusitemtype: content-cache.status
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: n/a
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
- local
|
||||
allowed-scopes:
|
||||
- system
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: content-cache.status
|
||||
title: Status of the content cache service
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: The basic set of AssetCache status items
|
||||
subkeys:
|
||||
- key: server-guid
|
||||
title: Server GUID
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The unique identifier of the Content Cache.
|
||||
- key: activated
|
||||
title: Activated
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the device has enabled the Content Cache. Enabling the Content
|
||||
Caching doesn't guarantee service. See the `Active` key for the readiness of
|
||||
the Content Cache to serve requests.
|
||||
- key: active
|
||||
title: Active
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
default: false
|
||||
content: If `true`, the Content Cache is ready to serve requests.
|
||||
- key: cache-status
|
||||
title: Cache status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- LOWSPACE
|
||||
- OK
|
||||
content: The level of cache pressure. `LOWSPACE` means cache pressure is high.
|
||||
- key: private-addresses
|
||||
title: Private addresses
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of the Content Cache's local IP addresses.
|
||||
subkeys:
|
||||
- key: private-address-item
|
||||
title: Private address
|
||||
type: <string>
|
||||
presence: required
|
||||
content: Local IP address at which the Content Cache listens for requests from
|
||||
clients, peers, and children.
|
||||
- key: public-address
|
||||
title: Public address
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The public IP address of the Content Cache.
|
||||
- key: port
|
||||
title: Port
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: The IP port number the Content Cache listens to for requests from clients,
|
||||
peers, and children.
|
||||
- key: registration-status
|
||||
title: Registration status
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- -1
|
||||
- 0
|
||||
- 1
|
||||
content: |-
|
||||
The status of the Content Cache's registration with Apple, which is one of the following values:
|
||||
|
||||
- `-1`: The registration failed.
|
||||
- `0`: The registration is pending.
|
||||
- `1`: The registration succeeded.
|
||||
- key: registration-started
|
||||
title: Registration timestamp
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The RFC 3339 timestamp for when the Content Cache began registering itself
|
||||
with Apple. This value is only available during registration attempts.
|
||||
- key: registration-response-code
|
||||
title: Registration response code
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: If present, the HTTP response code that the Content Cache received when
|
||||
it failed to register itself with Apple.
|
||||
- key: registration-error
|
||||
title: Registration error
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: If present, the reason the Content Cache failed to register itself with
|
||||
Apple.
|
||||
- key: startup-status
|
||||
title: Startup status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- FAILED
|
||||
- MIGRATING_DATA
|
||||
- OK
|
||||
- PENDING
|
||||
content: The status of the Content Cache's registration with Apple.
|
||||
- key: tetherator-status
|
||||
title: Tetherator status
|
||||
type: <integer>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- -1
|
||||
- 0
|
||||
- 1
|
||||
content: |-
|
||||
The status of tethered caching, which is the Content Cache with a shared internet connection, which is one of the following values:
|
||||
- '-1' : Unknown
|
||||
- '0' : Disabled
|
||||
- '1' : Enabled
|
||||
- key: sending-reports
|
||||
title: Sending metrics reports
|
||||
type: <boolean>
|
||||
presence: optional
|
||||
content: When present, a value of `true` indicates that the cache is sending metrics
|
||||
reports to the URL specified in the `ManagementStatusTarget` key in the installed
|
||||
`ContentCaching` configuration.
|
||||
- key: report-response-code
|
||||
title: Metrics report response code
|
||||
type: <integer>
|
||||
presence: optional
|
||||
content: When present, contains the HTTP response code that the Content Cache
|
||||
received when it failed to send the metrics report to the target URL.
|
||||
- key: report-error
|
||||
title: Metrics report error
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: When present, indicates why the Content Cache failed to send the metrics.
|
||||
- key: version
|
||||
title: Version
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The version number of the Content Cache software.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/content-cache.status/example1.json
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Serial Number
|
||||
description: A status report of the device's serial number.
|
||||
description: The status item that reports the device's serial number.
|
||||
payload:
|
||||
statusitemtype: device.identifier.serial-number
|
||||
supportedOS:
|
||||
@@ -52,3 +52,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The device's serial number.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.identifier.serial-number/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device UDID
|
||||
description: A status report of the device's UDID.
|
||||
description: The status item that reports the device's UDID.
|
||||
payload:
|
||||
statusitemtype: device.identifier.udid
|
||||
supportedOS:
|
||||
@@ -54,3 +54,7 @@ payloadkeys:
|
||||
content: The device's UDID. This value is always available on the device channel.
|
||||
This value is only available on user channels whose organization matches that
|
||||
of the device channel.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.identifier.udid/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Model Family
|
||||
description: A status report of the device's hardware family.
|
||||
description: The status item that reports the device's hardware model family.
|
||||
payload:
|
||||
statusitemtype: device.model.family
|
||||
supportedOS:
|
||||
@@ -55,3 +55,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The hardware family of the device, such as `Mac`, `iPhone`, or `iPad`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.model.family/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Model Identifier
|
||||
description: A status report of the device's hardware identifier.
|
||||
description: The status item that reports the device's hardware model identifier.
|
||||
payload:
|
||||
statusitemtype: device.model.identifier
|
||||
supportedOS:
|
||||
@@ -59,3 +59,7 @@ payloadkeys:
|
||||
model's version is a comma-separated number where the first part of the number
|
||||
is the version, and the second part is a variant, such as `MacBookPro15,1` or
|
||||
`iPhone13,2`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.model.identifier/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Model Marketing Name
|
||||
description: A status report of the device's marketing name.
|
||||
description: The status item that reports the device's model marketing name.
|
||||
payload:
|
||||
statusitemtype: device.model.marketing-name
|
||||
supportedOS:
|
||||
@@ -56,3 +56,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The device's marketing name, such as `iPhone 12`. This value may not always
|
||||
be available.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.model.marketing-name/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Model Number
|
||||
description: A status report of the device's hardware number.
|
||||
description: The status item that reports the device's hardware number.
|
||||
payload:
|
||||
statusitemtype: device.model.number
|
||||
supportedOS:
|
||||
@@ -55,3 +55,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The device's model number.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.model.number/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Operating System Build Version
|
||||
description: A status report of the device's software build identifier.
|
||||
description: The status item that reports the device's operating system build version.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.build-version
|
||||
supportedOS:
|
||||
@@ -55,3 +55,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The operating system's build version on the device, such as `18F132`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.build-version/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Operating System Family
|
||||
description: A status report of the device's operating system family.
|
||||
description: The status item that reports the device's operating system family.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.family
|
||||
supportedOS:
|
||||
@@ -55,3 +55,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The operating system family in use on the device, such as `macOS` or `iOS`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.family/example1.json
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
title: Status Device Operating System Marketing Name
|
||||
description: A status report of the device's operating system marketing name.
|
||||
description: The status item that reports the device's operating system marketing
|
||||
name.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.marketing-name
|
||||
supportedOS:
|
||||
@@ -55,3 +56,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The operating system's marketing name in use on the device, such as `Catalina`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.marketing-name/example1.json
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
title: Status Device Operating System Supplemental Build Version
|
||||
description: A status report of the device's operating system supplemental build identifier.
|
||||
description: The status item that reports the device's operating system supplemental
|
||||
build version and Background Security Improvement version.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.supplemental.build-version
|
||||
supportedOS:
|
||||
@@ -56,3 +57,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The operating system's build and Background Security Improvement versions
|
||||
in use on the device, for example, `20A123a` or `20B27c`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.build-version/example1.json
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
title: Status Device Operating System Supplemental Extra Version
|
||||
description: A status report of the device's operating system's Background Security
|
||||
Improvement identifier.
|
||||
description: The status item that reports the device's operating system Background
|
||||
Security Improvement version.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.supplemental.extra-version
|
||||
supportedOS:
|
||||
@@ -57,3 +57,7 @@ payloadkeys:
|
||||
presence: required
|
||||
content: The operating system's Background Security Improvement version in use on
|
||||
the device, for example, `a`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.supplemental.extra-version/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Operating System Version
|
||||
description: A status report of the device's operating system version.
|
||||
description: The status item that reports the device's operating system version.
|
||||
payload:
|
||||
statusitemtype: device.operating-system.version
|
||||
supportedOS:
|
||||
@@ -55,3 +55,7 @@ payloadkeys:
|
||||
type: <string>
|
||||
presence: required
|
||||
content: The operating system's version in use on the device, such as `15.0`.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.operating-system.version/example1.json
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Device Battery Health
|
||||
description: The device's battery health.
|
||||
description: The status item that reports the device's battery health.
|
||||
payload:
|
||||
statusitemtype: device.power.battery-health
|
||||
supportedOS:
|
||||
@@ -47,7 +47,7 @@ payloadkeys:
|
||||
- `unknown`: The system couldn't determine battery health information.
|
||||
- `unsupported`: The device doesn't support battery health reporting.
|
||||
|
||||
Available in iOS 17 and later on iPhone, iPadOS 18.4 and later on supported iPad models, and macOS 14.4 and later on a Mac with Apple silicon.
|
||||
Supported on iPhones, specific iPad models, and Mac computers with Apple silicon.
|
||||
notes:
|
||||
- title: ''
|
||||
content: |-
|
||||
@@ -56,3 +56,7 @@ notes:
|
||||
- [iPhone devices](https://support.apple.com/101575)
|
||||
- [iPad devices](https://support.apple.com/117759)
|
||||
- [macOS devices](https://support.apple.com/108376)
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.power.battery-health/example1.json
|
||||
|
||||
@@ -0,0 +1,128 @@
|
||||
title: Status Device System Health
|
||||
description: The status item that reports the device's system health.
|
||||
payload:
|
||||
statusitemtype: device.system.health
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: n/a
|
||||
tvOS:
|
||||
introduced: n/a
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: device.system.health
|
||||
title: Status item value.
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: |-
|
||||
A dictionary where each key represents a hardware component name and each value is a string indicating the component's health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- `non-genuine`: The component isn't a genuine Apple component.
|
||||
|
||||
Not all keys are supported on each device. The dictionary includes only components that are present and reportable on the device.
|
||||
subkeys:
|
||||
- key: Baseband
|
||||
title: Baseband health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
content: |-
|
||||
The baseband health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- key: Camera
|
||||
title: Camera health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
- non-genuine
|
||||
content: |-
|
||||
The camera health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- `non-genuine`: The component isn't a genuine Apple component.
|
||||
- key: Display
|
||||
title: Display health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
- non-genuine
|
||||
content: |-
|
||||
The display health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- `non-genuine`: The component isn't a genuine Apple component.
|
||||
- key: FaceID
|
||||
title: Face ID health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
content: |-
|
||||
The Face ID health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- key: NFC
|
||||
title: NFC health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
content: |-
|
||||
The NFC (Near Field Communication) health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- key: TouchID
|
||||
title: Touch ID health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
content: |-
|
||||
The Touch ID health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
- key: UWB
|
||||
title: Ultra-wideband radio health status
|
||||
type: <string>
|
||||
presence: optional
|
||||
rangelist:
|
||||
- ok
|
||||
- error
|
||||
content: |-
|
||||
The UWB (Ultra-Wideband) radio health status, which has the following values:
|
||||
|
||||
- `ok`: The component is operating normally.
|
||||
- `error`: The component has a detected error or failure.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/device.system.health/example1.json
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Disk Management File Vault Enabled
|
||||
description: The enabled status of the File Vault.
|
||||
description: The status item that reports whether FileVault is enabled.
|
||||
payload:
|
||||
statusitemtype: diskmanagement.filevault.enabled
|
||||
supportedOS:
|
||||
@@ -24,3 +24,7 @@ payloadkeys:
|
||||
type: <boolean>
|
||||
presence: required
|
||||
content: A Boolean value that specifies the File Vault enabled status on the device.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/diskmanagement.filevault.enabled/example1.json
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
title: Status Enhanced Logging AppleCare Token
|
||||
description: The status item that reports the device's enhanced log collection session
|
||||
AppleCare token.
|
||||
payload:
|
||||
statusitemtype: enhanced-logging.applecare-token
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: enhanced-logging.applecare-token
|
||||
title: AppleCare token value.
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The current enhanced log collection session AppleCare token. The device
|
||||
returns an empty string if there's no session status to report.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.applecare-token/example1.json
|
||||
@@ -0,0 +1,64 @@
|
||||
title: Status Enhanced Logging
|
||||
description: The status item that reports the device's enhanced log collection session
|
||||
status.
|
||||
payload:
|
||||
statusitemtype: enhanced-logging.status
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: enhanced-logging.status
|
||||
title: Status item value.
|
||||
type: <string>
|
||||
presence: required
|
||||
rangelist:
|
||||
- none
|
||||
- waiting-for-consent
|
||||
- collecting
|
||||
- follow-up-question
|
||||
- upload-consent
|
||||
- uploading
|
||||
- finished
|
||||
- failed
|
||||
- cancelled
|
||||
- declined
|
||||
content: |-
|
||||
The enhanced log collection session status, which has the following values:
|
||||
|
||||
- `none`: The device has never run an enhanced log collection session.
|
||||
- `waiting-for-consent`: The device is waiting for the user to consent to the enhanced log collection.
|
||||
- `collecting`: The enhanced log collection is in progress.
|
||||
- `follow-up-question`: The device is waiting for follow-up response from the user.
|
||||
- `upload-consent`: The device is waiting for the user to approve upload of the enhanced logs.
|
||||
- `uploading`: The device is uploading the enhanced logs.
|
||||
- `finished`: The device completed the enhanced log collection session.
|
||||
- `failed`: The device failed to complete the enhanced log collection session.
|
||||
- `cancelled` - The device management service cancelled the enhanced log collection session.
|
||||
- `declined` - The user declined the enhanced log collection session.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.status/example1.json
|
||||
@@ -0,0 +1,43 @@
|
||||
title: Status Enhanced Logging Timestamp
|
||||
description: The status item that reports the device's enhanced log collection session
|
||||
timestamp.
|
||||
payload:
|
||||
statusitemtype: enhanced-logging.timestamp
|
||||
supportedOS:
|
||||
iOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
sharedipad:
|
||||
allowed-scopes:
|
||||
- system
|
||||
macOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- user
|
||||
tvOS:
|
||||
introduced: '27.0'
|
||||
allowed-enrollments:
|
||||
- supervised
|
||||
allowed-scopes:
|
||||
- system
|
||||
visionOS:
|
||||
introduced: n/a
|
||||
watchOS:
|
||||
introduced: n/a
|
||||
payloadkeys:
|
||||
- key: enhanced-logging.timestamp
|
||||
title: Timestamp value.
|
||||
type: <string>
|
||||
presence: optional
|
||||
content: The enhanced log collection session RFC 3339 timestamp that the device
|
||||
reports for the last session status change. The device returns an empty string
|
||||
if there's no session status to report.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/enhanced-logging.timestamp/example1.json
|
||||
@@ -1,5 +1,5 @@
|
||||
title: Status Management Client Capabilities
|
||||
description: A status report of the client's protocol capabilities.
|
||||
description: The status item that reports the devices's protocol capabilities.
|
||||
payload:
|
||||
statusitemtype: management.client-capabilities
|
||||
supportedOS:
|
||||
@@ -56,17 +56,17 @@ payloadkeys:
|
||||
subkeytype: Capabilities
|
||||
subkeys:
|
||||
- key: supported-versions
|
||||
title: Supported Protocol Versions
|
||||
title: Supported protocol versions
|
||||
type: <array>
|
||||
presence: required
|
||||
content: A list of protocol versions that the client supports.
|
||||
subkeys:
|
||||
- key: _supported-versions
|
||||
title: Supported Protocol Version
|
||||
title: Supported protocol version
|
||||
type: <string>
|
||||
content: A protocol version supported by the client.
|
||||
- key: supported-features
|
||||
title: Supported Features
|
||||
title: Supported features
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A set of optional protocol features that the client supports. Each object's
|
||||
@@ -78,67 +78,71 @@ payloadkeys:
|
||||
presence: optional
|
||||
content: Optional protocol features supported by the client.
|
||||
- key: supported-payloads
|
||||
title: Supported Payloads
|
||||
title: Supported payloads
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A set of declaration and status items that the client supports.
|
||||
subkeys:
|
||||
- key: declarations
|
||||
title: Supported Declarations
|
||||
title: Supported declarations
|
||||
type: <dictionary>
|
||||
presence: required
|
||||
content: A set of declarations that the client supports.
|
||||
subkeys:
|
||||
- key: activations
|
||||
title: Supported Activations
|
||||
title: Supported activations
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of strings that represents the activation types that the
|
||||
client supports.
|
||||
subkeys:
|
||||
- key: _activations
|
||||
title: Activation Type
|
||||
title: Activation type
|
||||
type: <string>
|
||||
content: Supported activation type.
|
||||
- key: assets
|
||||
title: Supported Assets
|
||||
title: Supported assets
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of strings that represents the assets that the client supports.
|
||||
subkeys:
|
||||
- key: _assets
|
||||
title: Asset Type
|
||||
title: Asset type
|
||||
type: <string>
|
||||
content: Supported asset type.
|
||||
- key: configurations
|
||||
title: Supported Configurations
|
||||
title: Supported configurations
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of strings that represents the configuration types that
|
||||
the client supports.
|
||||
subkeys:
|
||||
- key: _configurations
|
||||
title: Configuration Type
|
||||
title: Configuration type
|
||||
type: <string>
|
||||
content: Supported configuration type.
|
||||
- key: management
|
||||
title: Supported Management Declarations
|
||||
title: Supported management declarations
|
||||
type: <array>
|
||||
presence: optional
|
||||
content: An array of strings that represents the declaration types that the
|
||||
client supports.
|
||||
subkeys:
|
||||
- key: _management
|
||||
title: Management Declaration Type
|
||||
title: Management declaration type
|
||||
type: <string>
|
||||
content: Supported management declaration type.
|
||||
- key: status-items
|
||||
title: Supported Status Items
|
||||
title: Supported status items
|
||||
type: <array>
|
||||
presence: required
|
||||
content: A list of status items that the client supports.
|
||||
subkeys:
|
||||
- key: _status_items
|
||||
title: Status Item
|
||||
title: Status item
|
||||
type: <string>
|
||||
content: Supported status item.
|
||||
examples:
|
||||
title: Status item example
|
||||
files:
|
||||
- file: data/docc-examples/remotemanagementmodel/status/management.client-capabilities/example1.json
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user